Thursday, April 26, 2007

Why do we need FSMO ROLES?

Active directory is multi master replication model. Meaning clients can register their records to any available Active directory domain controller and have access to resources within active directory NTDS.DIT database.

In old days where we had single master replication, Primary DNS server had the write copy of DNS data, meaning Client MUST locate the Primary DNS servers, and register their resources so that they can locate all the other resources within active directory infrastructure. The problem with single master model was the single point of failure, if the primary DNS server was not reachable for any reason client could not get register its records to any other domain controller/DNS servers. We have now MultiMate replication model meaning client can register its records to any available Authentication server / DNS servers and can get to the NTDS.DIT database. This is one of the great improvements in Active directory integrated DSN and multi master replication DNS data is being kept in what we call is ZONE. The primary zone is Forward lookup zone in AD.

Reverse lookup zone is highly recommended in almost any size of network

The purpose of having FSMO roles is being cause by Multi master replication model. In this model there has to be a way of preventing the conflict being happened, such as firing up adsiedit.msc and adding to the same object from different locations, which one would win? The NTDS.DIT DataBase would get confuse, Therefore we needed to have schema master so that regardless where you make the changes within the Domain changes gets okay from Schema Master first than, schema master replicates these changes to all other Domain controllers. This is the primary purpose why Microsoft comes up with FSMO roles (Operations Masters)

Knowing these ROLEs and understanding them is Curtail for any Exchange or AD Administrators.

FSMO Roles

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master

The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master:

The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator

The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest


 

How can we see FSMO ROLES?

There are several ways to see FSMO roles the easiest way to see download support tools

Downloads

Go to CMD

:\>netdom query fsmo

Schema owner DC1.smtp25.org

 

Domain role owner VSDC1.smtp25.org

 

PDC role VSDC2.smtp25.org

 

RID pool manager DC1.smtp25.org

 

Infrastructure owner DC1.smtp25.org

 

The command completed successfully.

Symptoms of FSMO Problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don't work properly

Symptom

Possible Role Involved

Reason

Users can't log on.

PDC Emulator

If system clocks become unsynchronized, Kerberos may fail.

Can't change passwords.

PDC Emulator

Password changes need this role holder.

Account lockout not working.

PDC Emulator

Account lockout enforcement needs this role holder.

Can't raise the functional level for a domain.

PDC Emulator

This role holder must be available when the raising the domain functional level.

Can't create new users or groups.

RID Master

RID pool has been depleted.

Problems with universal group memberships.

Infrastructure Master

Cross-domain object references need this role holder.

Can't add or remove a domain.

Domain Naming Master

Changes to the namespace need this role holder.

Can't promote or demote a DC.

Domain Naming Master

Changes to the namespace need this role holder.

Can't modify the schema.

Schema Master

Changes to the schema need this role holder.

Can't raise the functional level for the forest.

Sc

 


 

Some Considerations

The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferable not a global catalog server (GC) since those are often heavily used also.

The Infrastructure Master should not be placed on a GC

Make sure the Infrastructure Master has a GC in the same site as a direct replication partner

It's OK to put the Infrastructure Master on a GC if your forest has only one domain if

It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC

For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC

Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.

If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is do

http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html


 

Best Regards

Oz Ozugurlu

3 comments:

Anonymous said...

Splendid

Oz Casey Dedeal said...

Splendid,take a look
Why do we need FSMO ROLES?
http://smtp25.blogspot.com/2007/04/why-do-we-need-fsmo-roles.html

best
oz

Anonymous said...

ultimate....very supporting document...thanks a ton