Friday, May 16, 2008

WHICH FSMO ROLE IS THE MOST IMPORTANT

I was reading the MS TechNet discussion groups and following up on a post regarding a problem, and a second person, who was trying to help, wrote back:

"The PDCEmulator role is the more or less old PDC from NT4, but only used for backwards compatibility"

The statement above made me write this article. The question of which FSMO role is the most or least important has been asked of me in every MCSE class.

Besides emulating the PDC (Primary Domain Controller) for NT4 clients in the domain, the PDC Emulator does everything in the list below.

PDC Emulator

  • Synchronizes time across the domain, ensuring all clients have the same time, which is required for Kerberos authentication (logons) to work properly.
  • Manages password changes made in the domain.
  • Incorrect logons are forwarded to the PDC before the error is shown to the user, to check that the password is in fact incorrect.
  • Account lockouts are processed on the PDC Emulator.
  • Group Policy management is done on the PDC Emulator by default, unless the administrator specifies otherwise.
  • People will notice its downtime rather quickly (a missing PDC will generate tons of calls to your help desk, trust me on this).
  • The PDC Emulator is usually the first role to be noticed when missing (due to its role as Domain Master Browser, really, in a multi-subnet network).

In a single-domain environment, the other roles might not be as important as the PDC Emulator, or, I would say, their absence does not have as quick or noticeable a negative impact on your environment.

Missing Domain Naming Master

If you are adding domains, the absence of the Domain Naming Master will be a problem, since the operation will fail.

Missing Schema master

If an application needs to make changes to the schema and cannot contact the Schema Master, you will have problems. For instance, installing Exchange extends the schema, so you won't be able to install Exchange, and this is the end of the world to me (-:. Hey, when it comes to Exchange, I should not need to list any other reason why you and I would need the Schema Master to be available when we want to install Exchange Server. (-:

Missing RID master

The RID Master is the one most people would notice either first or right after the PDC Emulator, since after adding about 500 users (security principals, really) to a single DC you would run out of RIDs. If you are not adding 500 users per day (-:, you don't have to worry about this role for today.

Missing Infrastructure master

This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled.

Conclusion:

Despite the name, not having any NT 4.0 in the environment does not make the PDC Emulator a less important role. In fact, this is the most heavily used FSMO role, and it is also the most important FSMO role (quick side effects). All FSMO roles are important, but a missing PDC is going to give you the quickest headache you could ever want early on a Monday morning. Who is your PDC? (-:
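One way to answer that question and check all five role holders at once, as an added example that is not part of the original post: it assumes a domain-joined host with the RSAT ActiveDirectory module, and the impact text is summarized from the sections above.

```powershell
# Added example: list every FSMO role holder, test whether it answers on LDAP,
# and show the impact (per the article above) for any holder that is down.
# Assumes a domain-joined host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain   # domain-wide roles: PDC Emulator, RID, Infrastructure
$forest = Get-ADForest   # forest-wide roles: Schema, Domain Naming

$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# Impact summaries taken from the article text.
$impact = @{
    PDCEmulator          = 'Time sync, password changes, lockouts, GPO editing'
    RIDMaster            = 'A DC runs out of RIDs after about 500 new principals'
    InfrastructureMaster = 'Cross-domain object references are not handled'
    SchemaMaster         = 'Schema extensions (e.g. Exchange setup) fail'
    DomainNamingMaster   = 'Adding domains fails'
}

$report = foreach ($role in $holders.Keys) {
    $dc = $holders[$role]
    # TCP 389 (LDAP) is used here as a simple liveness check for the holder.
    $up = Test-NetConnection -ComputerName $dc -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    $note = ''
    if (-not $up) { $note = $impact[$role] }
    [pscustomobject]@{
        Role            = $role
        Holder          = $dc
        LdapReachable   = $up
        ImpactIfMissing = $note
    }
}
$report | Format-Table -AutoSize -Wrap

# The PDC Emulator anchors domain time (needed for Kerberos), so also show
# which time source it is currently using.
w32tm /query /computer:$($domain.PDCEmulator) /source
```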


Regards,

Oz Ozugurlu

Systems Engineer

MCITP (EMA), MCITP (SA),

MCSE 2003 M+ S+ MCDST

Security Project+ Server+

oz@SMTp25.org

http://smtp25.blogspot.com

1 comment:

Anonymous said...

I like this article... puts the purpose of each FSMO into simple terms.