Active Directory Notes – Flexible Single Master Operations

Here are some of my notes on Flexible Single Master Operations (FSMO).

FSMO Simplified Definition:
Specialized functions that are provided by a single domain controller at a time.

The Five FSMO Roles:

  • Schema Master
  • Domain Naming Master
  • Infrastructure Master
  • Relative Identifier Master (RID)
  • Primary Domain Controller Emulator (PDC)

Schema Master Role:
Controls how an object is initialized.

A schema partition (aka “schema naming context”) is located on every domain controller within the forest but can only be modified at the Schema Master. The Schema Master is the first domain controller promoted within a forest and is required to be online when the forest functional level is raised.

The Schema Master role is rarely used; after the initial installation of Active Directory Domain Services it normally only needs to be online when an administrator is altering the schema or raising the forest functional level.

The Schema Master should be placed within the same LAN as the administrator configuring the schema.

Domain Naming Master Role:
The Domain Naming Master enforces uniqueness among domain names in the forest and must be available when domains are added or removed. Also, there can only be a single Domain Naming Master within a forest.

The Domain Naming Master can be located on the same domain controller as the Schema Master. As mentioned above, this role should be located on the same LAN as the administrator.

Infrastructure Master Role:
The Infrastructure Master role checks other domains in the forest for alterations to objects that its domain references and replicates those changes to the other domain controllers in its domain.

To ensure that queries and updates are performed on the local network, the Infrastructure Master should be placed within a site that contains the majority of domain controllers in the forest.

Relative Identifier Master Role:
Enforces uniqueness among security principals within a domain.

Each object has a security identifier (SID) that carries the domain's identifier, and the relative identifier (RID) uniquely identifies the security principal within the domain.

The RID Master is not contacted for each RID that is handed out when an account is created. Domain controllers contact the RID Master when they are promoted, and the RID Master allocates a large block of RIDs to the domain controller. When the domain controller is close to depleting the allocated RIDs, it contacts the RID Master again to replenish its RID pool.

Domain controllers responsible for creating accounts need to obtain their allocation of RIDs from the RID Master as their RID pool becomes depleted. When the RID Master is unavailable, the domain controllers will be unable to generate new RIDs.

A standby server should be designated for the RID Master. The standby server should be a direct replication partner of the original RID Master so that any updates to the RID Master are known to the standby server.

Primary Domain Controller Emulator Role:
The PDC Emulator has a few responsibilities, like time synchronization and password changes. Whenever a domain is in mixed mode and Windows NT 4 Backup Domain Controllers (BDCs) exist within it, the PDC Emulator handles the updates for the BDCs and all other Windows domain controllers. The PDC Emulator is also responsible for accepting password change requests from pre-Active Directory clients.

The PDC Emulator also handles updates to group policies and is the master replication point when changes are made.

Group Policy Objects (GPOs) consist of two parts:

  • Group Policy Container – an object that exists within Active Directory Domain Services
  • Group Policy Template – the configuration data for the GPO, which resides within the Sysvol directory

Changes are made on the PDC Emulator and are then replicated to the PDC Emulator’s replication partners. Additionally, this role uses timestamps to authenticate clients.

The PDC Emulator should be placed close to the majority of the user accounts within the domain; alternatively, an administrator could move each FSMO role to its own domain controller.
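The placement and availability points in these notes can be checked from a domain-joined workstation. The script below is an added example (not part of the original notes) using the RSAT ActiveDirectory module: it lists the five role holders with their site and LDAP reachability, warns if the Schema Master and Domain Naming Master are split, lists the RID Master's direct replication partners (candidates for the standby), and shows how much of the domain's global RID pool has been allocated.

```powershell
# Added example, not from the original notes. Assumes the RSAT ActiveDirectory
# module is installed and the session runs as a domain-joined account.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-wide roles come from the forest object, three per-domain roles
# from the domain object. Each role has exactly one holder.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
}

# Report each holder, its AD site, and whether it currently answers LDAP (TCP 389).
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role   = $_.Key
        Holder = $_.Value
        Site   = (Get-ADDomainController -Identity $_.Value).Site
        LdapUp = Test-NetConnection -ComputerName $_.Value -Port 389 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    }
} | Format-Table -AutoSize

# The notes recommend keeping Schema Master and Domain Naming Master together.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Write-Warning 'Schema Master and Domain Naming Master are on different DCs.'
}

# The RID Master's standby must be a direct replication partner, so list the
# DCs that replicate directly into the RID Master and when they last succeeded.
Get-ADReplicationPartnerMetadata -Target $domain.RIDMaster |
    Select-Object PartnerAddress, LastReplicationSuccess | Format-Table -AutoSize

# Global RID pool consumption. rIDAvailablePool on the RID Manager$ object packs
# the pool ceiling in the high 32 bits and the next RID to hand out in the low
# 32 bits; a pool near its ceiling means new accounts will soon fail.
$ridMgr  = Get-ADObject ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
               -Properties rIDAvailablePool
[int64]$pool = $ridMgr.rIDAvailablePool
$ceiling = $pool -shr 32
$next    = $pool -band [uint32]::MaxValue
'{0:N0} of {1:N0} RIDs allocated ({2:P1})' -f $next, $ceiling, ($next / $ceiling)
```

Run it against each domain in the forest (Get-ADDomain -Identity) to cover the three per-domain roles everywhere; the two forest-wide roles are the same wherever it runs.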

Additional Reading
Mastering Active Directory for Windows Server 2008
By: John A. Price, Brad Price, Scott Fenstermacher
