Managing Active Directory FSMO Roles

Launched: Mar 15, 2005
Updated: Mar 15, 2005
Section: Articles & Tutorials :: Windows 2003
Author: Mitch Tulloch

This article explains the function of Flexible Single Master Operations (FSMO) roles in
Active Directory and outlines best practices for implementing and managing these roles
on a Windows Server 2003-based network.




While Active Directory in general uses a multimaster replication scheme for replicating
the directory database between domain controllers, there are certain directory functions
that must be performed on one specific domain controller. These functions are defined by
flexible single master operations (FSMO) roles (pronounced "fiz-moe roles"), and at any
time each of these roles is assigned to exactly one domain controller in a given Active
Directory domain or forest. Let's begin by describing what these different FSMO roles are
and why they are important, after which we'll outline some best practices for how you
should assign these roles in your Active Directory environment.

Overview of FSMO Roles
There are five different FSMO roles and they each play a different function in making
Active Directory work:

- PDC Emulator - This role is the most heavily used of all FSMO roles and has the widest
  range of functions. The domain controller that holds the PDC Emulator role is crucial in
  a mixed environment where Windows NT 4.0 BDCs are still present, because the PDC
  Emulator role emulates the functions of a Windows NT 4.0 PDC. But even if you've
  migrated all your Windows NT 4.0 domain controllers to Windows 2000 or Windows Server
  2003, the domain controller that holds the PDC Emulator role still has a lot to do. For
  example, the PDC Emulator is the root time server for synchronizing the clocks of all
  Windows computers in your forest. It's critically important that computer clocks are
  synchronized across your forest, because if they're out by too much then Kerberos
  authentication can fail and users won't be able to log on to the network. Another
  function of the PDC Emulator is that it is the domain controller to which all changes
  to Group Policy are initially made. For example, if you create a new Group Policy
  Object (GPO) then this is first created in the directory database and within the SYSVOL
  share on the PDC Emulator, and from there the GPO is replicated to all other domain
  controllers in the domain. Finally, all password changes and account lockout issues are
  handled by the PDC Emulator to ensure that password changes are replicated properly and
  account lockout policy is effective. So even though the PDC Emulator emulates an NT PDC
  (which is why this role is called PDC Emulator), it also does a whole lot of other
  work. In fact, the PDC Emulator role is the most heavily utilized FSMO role, so you
  should make sure that the domain controller that holds this role has sufficiently
  beefy hardware to handle the load. Similarly, if the PDC Emulator role fails then it
  can potentially cause the most problems, so the hardware it runs on should be fault
  tolerant and reliable. Finally, every domain has its own PDC Emulator role, so if you
  have N domains in your forest then you will have N domain controllers with the PDC
  Emulator role as well.
- RID Master - This is another domain-specific FSMO role, that is, every domain in your
  forest has exactly one domain controller holding the RID Master role. The purpose of
  this role is to replenish the pool of unused relative IDs (RIDs) for the domain and
  prevent this pool from becoming exhausted. RIDs are used up whenever you create a new
  security principal (user or computer account), because the SID for the new security
  principal is constructed by combining the domain SID with a unique RID taken from the
  pool. So if you run out of RIDs, you won't be able to create any new user or computer
  accounts, and to prevent this from happening the RID Master monitors the RID pool and
  generates new RIDs to replenish it when it falls beneath a certain level.
- Infrastructure Master - This is another domain-specific role, and its purpose is to
  ensure that cross-domain object references are correctly handled. For example, if you
  add a user from one domain to a security group from a different domain, the
  Infrastructure Master makes sure this is done properly. As you can guess, however, if
  your Active Directory deployment has only a single domain, then the Infrastructure
  Master role does no work at all, and even in a multi-domain environment it is rarely
  used except when complex user administration tasks are performed, so the machine
  holding this role doesn't need to have much horsepower at all.
- Schema Master - While the first three FSMO roles described above are domain-specific,
  the Schema Master role and the one following are forest-specific and are found only in
  the forest root domain (the first domain you create when you create a new forest).
  This means there is one and only one Schema Master in a forest, and the purpose of
  this role is to replicate schema changes to all other domain controllers in the
  forest. Since the schema of Active Directory is rarely changed, however, the Schema
  Master role will rarely do any work. Typical scenarios where this role is used would
  be when you deploy Exchange Server onto your network, or when you upgrade domain
  controllers from Windows 2000 to Windows Server 2003, as these situations both involve
  making changes to the Active Directory schema.
- Domain Naming Master - The other forest-specific FSMO role is the Domain Naming
  Master, and this role too resides in the forest root domain. The Domain Naming Master
  role processes all changes to the namespace; for example, adding the child domain
  vancouver.mycompany.com to the forest root domain mycompany.com requires that this
  role be available. So if you can't add a new child domain or new domain tree, check to
  make sure this role is running properly.

To summarize then, the Schema Master and Domain Naming Master roles are found only
in the forest root domain, while the remaining roles are found in each domain of your
forest. Now let's look at best practices for assigning these roles to different domain
controllers in your forest or domain.

FSMO Roles Best Practices
Proper placement of FSMO Roles boils down to three simple rules:

- Rule One: In your forest root domain, keep your Schema Master and Domain Naming Master
  on the same domain controller to simplify administration of these roles, and make sure
  this domain controller contains a copy of the Global Catalog. This is not a
  hard-and-fast rule, as you can move these roles to different domain controllers if you
  prefer, but there's no real gain in doing so and it only complicates FSMO role
  management. If for reasons of security policy, however, your company decides that the
  Schema Master role must be fully segregated from all other roles, then go ahead and
  move the Domain Naming Master to a different domain controller that hosts the Global
  Catalog. Note though that if you've raised your forest functional level to Windows
  Server 2003, your Domain Naming Master role can be on a domain controller that doesn't
  have the Global Catalog, but in this case be sure at least to make sure this domain
  controller is a direct replication partner of the Schema Master machine.
- Rule Two: In each domain, place the PDC Emulator and RID Master roles on the same
  domain controller and make sure the hardware for this machine can handle the load of
  these roles and any other duties it has to perform. This domain controller doesn't
  have to have the Global Catalog on it, and in general it's best to move these two
  roles to a machine that doesn't host the Global Catalog because this will help balance
  the load (the Global Catalog is usually heavily used).
- Rule Three: In each domain, make sure that the Infrastructure Master role is not held
  by a domain controller that also hosts the Global Catalog, but do make sure that the
  Infrastructure Master is a direct replication partner of a domain controller hosting
  the Global Catalog that resides in the same site as the Infrastructure Master. Note,
  however, that this rule does have some exceptions, namely that the Infrastructure
  Master role can be held by a domain controller hosting the Global Catalog in two
  circumstances: when there is only one domain in your forest, or when every single
  domain controller in your forest also hosts the Global Catalog.

To summarize these three rules then and make them easy to remember:

- Forest root domain - Schema Master and Domain Naming Master on the same machine, which
  should also host the Global Catalog.
- Every domain - PDC Emulator and RID Master on the same machine, which should have
  beefy hardware to handle the load.
- Every domain - Never place the Infrastructure Master on a machine that hosts the
  Global Catalog, unless your forest has only one domain or unless every domain
  controller in your forest hosts the Global Catalog.

W2K AD domain controllers split up the operations master roles. This is usually
transparent to most administrators. Active Directory will manage which domain controller
(DC) has which operations master role. The key is normally. There are five operations
master roles. By default, they are all on the first domain controller in the domain. For
performance reasons, you probably want to split the roles apart. Microsoft gives its
recommendations in KB article Q223346 and my own study confirms:

- Place the RID Master and PDC Emulator FSMO roles on the same DC.
- Place the Infrastructure Master FSMO role on a non-Global Catalog server.
- Place the Domain Naming Master FSMO role on a Global Catalog server.

Microsoft recommends placing the schema master and domain naming master on the same
server. From a performance perspective it makes some sense, but not from a security
perspective. I would place the schema master role on a dedicated DC and I would keep it
shut down except when schema changes need to be made. [It's difficult to attack a server
that is offline.]

Microsoft releases sample utilities in the Windows 2000 Resource Kit. Dumpfsmos.cmd (Dump
FSMO Roles) is available for free download. This command-line tool dumps the Flexible
Single Master Operation (FSMO) roles for a domain. Using DumpFsmos, you can find the
names of the domain controllers that are performing forest-wide operations master roles,
including schema master and domain naming master, and domain-wide operations master
roles, including RID master, primary domain controller emulator, and infrastructure
master.

Probably the easiest method is to use the W2K version of netdom:

netdom query fsmo

You will get a list like:


Schema owner                dc2.mycompany.com
Domain role owner           dc1.mycompany.com
PDC role                    dc4.mycompany.com
RID pool manager            dc1.mycompany.com
Infrastructure owner        dc3.mycompany.com
The command completed successfully.

You can also find which DCs hold the FSMO roles using ntdsutil:

C:\> ntdsutil
ntdsutil: domain management
domain management: connections
server connections: connect to server oneofyourDCs
Binding to oneofyourDCs ...
Connected to oneofyourDCs using credentials of locally logged on user
server connections: quit
domain management: select operation target
select operation target: list roles for connected server
....
info for your domain listing the fsmo role holders
.....
select operation target: quit
domain management: quit
ntdsutil: quit
Disconnecting from oneofyourDCs ...

Another alternative is to use the dcdiag utility:

dcdiag /test:Knowsofroleholders /v

Another alternative to find the RID, PDC, and Infrastructure FSMO Holders is to
use dsa.msc:

- Click Start, click Run, type dsa.msc, and then click OK.
- Right-click the selected domain object in the top left pane, and then click Operations
  Masters.
- Click the PDC tab to find out which DC is holding the PDC Emulator role.
- Click the Infrastructure tab to find out which DC is holding the Infrastructure Master
  role.
- Click the RID Pool tab to find out which DC is holding the RID Master role.
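As an added example (not part of either article on this page), the following PowerShell script reads the same role holders that netdom, ntdsutil, dcdiag and dsa.msc report above and checks them against the three placement rules from the first part of the page. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so newer than the tooling the articles describe) and an account that can read the forest.

```powershell
# Added example: audit FSMO placement against the three rules above.
# Assumes the RSAT ActiveDirectory module; cmdlet names are the module's own.
Import-Module ActiveDirectory

function Get-DcInfo {
    param([string]$HostName)
    # Ask the DC about itself so the answer does not depend on replication latency
    $dc = Get-ADDomainController -Identity $HostName -Server $HostName -ErrorAction Stop
    [pscustomobject]@{ HostName = $dc.HostName; IsGC = $dc.IsGlobalCatalog; Site = $dc.Site }
}

function Test-FsmoPlacement {
    $findings = @()
    $forest = Get-ADForest
    $single = ($forest.Domains.Count -eq 1)

    # Rule One: Schema Master and Domain Naming Master together, on a Global Catalog
    $naming = Get-DcInfo $forest.DomainNamingMaster
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Rule One: Schema Master ($($forest.SchemaMaster)) and Domain Naming " +
                     "Master ($($forest.DomainNamingMaster)) are on different DCs"
    }
    if (-not $naming.IsGC) {
        $findings += "Rule One: Domain Naming Master $($naming.HostName) is not a GC " +
                     "(acceptable only at Windows Server 2003 forest functional level, and " +
                     "only if it replicates directly with the Schema Master)"
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # Rule Two: PDC Emulator and RID Master on the same DC
        if ($domain.PDCEmulator -ne $domain.RIDMaster) {
            $findings += "Rule Two [$domainName]: PDC Emulator ($($domain.PDCEmulator)) " +
                         "and RID Master ($($domain.RIDMaster)) are on different DCs"
        }

        # Rule Three: Infrastructure Master must not be a GC, unless the forest has a
        # single domain or every DC in the domain is a GC
        $allDcs = Get-ADDomainController -Filter * -Server $domainName
        $allGC  = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
        $infra  = Get-DcInfo $domain.InfrastructureMaster
        if ($infra.IsGC -and -not $single -and -not $allGC) {
            $findings += "Rule Three [$domainName]: Infrastructure Master $($infra.HostName) " +
                         "is a GC; cross-domain references will never be refreshed"
        }
    }
    $findings
}

$result = Test-FsmoPlacement
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Host "FSMO placement follows all three rules" }
```

Run it as a scheduled check after any role transfer or seizure, since that is exactly when the Infrastructure Master tends to end up on a Global Catalog by accident.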

The FSMO roles:

- Domain Naming Master
  The Domain Naming Master is created on the first DC in the domain. This box could be
  down for a long time before you discover its loss. If the DC running as Domain Naming
  Master is going out of service as part of a network change, you can transfer the role:
    o Choose Active Directory Domains and Trusts from the Administrative Tools menu.
    o Choose Connect to Domain Controller in the shortcut menu.
    o Select the domain controller you want to take over as domain naming master.
    o Press OK.
    o Right-click Active Directory Domains and Trusts and choose Operations Masters.
    o A dialog box opens and shows the current and to-be domain naming master.
    o If it's the DC you designated, click Change and then OK.

  If the Domain Naming Master DC crashes, you will have to seize the domain naming master
  role and force it to another DC. Choose Run from the Start menu or open a command-line
  shell, and run the program ntdsutil. Within ntdsutil you will issue a series of
  commands:
    o Type roles
    o At fsmo maintenance:, type connections
    o At server connections:, type connect to server serverX@yourdomain.com, that is,
      the FQDN of the DC you want to take over the role.
    o At server connections:, type quit
    o At fsmo maintenance:, type seize domain naming master
    o At ntdsutil:, type quit

  Seizing the Domain Naming Master is radical. Don't attempt to bring the crashed Domain
  Naming Master back online. When a role master dies, kill the partition and start over.

- Infrastructure Master
  The Infrastructure Master is the controller that keeps up with changes in group
  membership and handles replication of these changes to other domains. The
  Infrastructure Master is responsible for updating references from objects in its
  domain to objects in other domains. The Infrastructure Master compares its data with
  that of a Global Catalog. Global Catalogs receive regular updates for objects in all
  domains through replication, so the Global Catalog's data will always be up to date.
  If the Infrastructure Master finds data that is out of date, it requests the updated
  data from a Global Catalog. The Infrastructure Master then replicates that updated
  data to the other domain controllers in the domain. If the DC running as
  Infrastructure Master is going out of service as part of a network change, you can
  transfer the role:
    o Choose Active Directory Users and Computers from the Administrative Tools menu.
    o Right-click the domain node and choose Connect to Domain Controller.
    o Select the domain controller you want to take over as infrastructure master.
    o Press OK.
    o Right-click the domain node and choose Operations Masters.
    o Click the Infrastructure tab to see which DC the Operations Master will make
      Infrastructure Master.
    o If it's the DC you designated, click Change and then OK.

  If the Infrastructure Master DC crashes, you will have to seize the Infrastructure
  Master role and force it to another DC. Choose Run from the Start menu or open a
  command-line shell, and run the program ntdsutil. Within ntdsutil you will issue a
  series of commands:
    o Type roles
    o At fsmo maintenance:, type connections
    o At server connections:, type connect to server serverX@yourdomain.com, that is,
      the FQDN of the DC you want to take over the role.
    o At server connections:, type quit
    o At fsmo maintenance:, type seize infrastructure master
    o At ntdsutil:, type quit

  As you can imagine, this is a dangerous task. Don't attempt to bring the crashed
  Infrastructure Master back online. When a role master dies, kill the partition and
  start over.

  There is a gotcha about the placement of the Infrastructure Master. To find out if
  changes need to be distributed to other domains, the Infrastructure Master queries the
  Global Catalog, which manages authentication. If the Global Catalog and the
  Infrastructure Master are on the same controller, the Infrastructure Master will never
  find any outdated data: a Global Catalog already holds a partial replica of every
  object in the forest, so it keeps no stale cross-domain references for the
  Infrastructure Master to detect and update. Just remember that the GC and the
  Infrastructure Master must be on different DCs unless there is only one domain. AD
  manages this automatically, but the gotcha arises when you manually transfer or seize
  the role and move it to the same DC which has the Global Catalog. Caution.
  Additionally, if all of the domain controllers in a domain are also hosting the
  Global Catalog, all of the domain controllers will have the current data and it does
  not matter which domain controller holds the Infrastructure Master role.

- PDC Emulator
  In a mixed-mode environment with W2K and NT4 DCs, one of the W2K DCs emulates an NT4
  PDC. Although W2K AD is multi-master, the NT4 PDC is the only DC with a writeable SAM.
  There must be a PDC Emulator as long as there are any downlevel clients (NT4, Win9x)
  or there are any NT4 BDCs. If the PDC Emulator goes offline, the functions a real NT4
  PDC performs will be unavailable. Some of the masters can go offline and you will not
  notice. If the PDC Emulator goes offline, you will know it.

  If the PDC Emulator box is going out of service as part of a network change, you can
  transfer the PDC Emulator role:
    o Choose Active Directory Users and Computers from the Administrative Tools menu.
    o Right-click the domain node and choose Connect to Domain Controller.
    o Select the domain controller you want to take over as PDC Emulator.
    o Press OK.
    o Right-click the domain node and choose Operations Masters.
    o Click the PDC tab to see which DC the Operations Master will make PDC Emulator.
    o If it's the DC you designated, click Change and then OK.

  If the PDC Emulator box crashes, you will have to seize the PDC Emulator role and force
  it to another DC. Choose Run from the Start menu or open a command-line shell, and run
  the program ntdsutil. Within ntdsutil you will issue a series of commands:
    o Type roles
    o At fsmo maintenance:, type connections
    o At server connections:, type connect to server serverX@yourdomain.com, that is,
      the FQDN of the DC you want to take over the role.
    o At server connections:, type quit
    o At fsmo maintenance:, type seize PDC
    o At ntdsutil:, type quit

  Get the idea that Microsoft does not want you to use the seizing functionality? It is
  not in a GUI. I suspect it's something they would rather walk you through on a support
  call. Don't restore the original PDC Emulator. If you want it back as PDC Emulator, do
  a fresh install and move the role using the transfer function.
- Relative Identifier Master
  The Relative Identifier Master is the controller that allocates and tracks the sequence
  numbers of the relative ID portion of SIDs. If the DC running as Relative Identifier
  Master is going out of service as part of a network change, you can transfer the role:
    o Choose Active Directory Users and Computers from the Administrative Tools menu.
    o Right-click the domain node and choose Connect to Domain Controller.
    o Select the domain controller you want to take over as RID Master.
    o Press OK.
    o Right-click the domain node and choose Operations Masters.
    o Click the RID tab to see which DC the Operations Master will make RID Master.
    o If it's the DC you designated, click Change and then OK.

  If the Relative Identifier Master DC crashes, you will have to seize the RID Master
  role and force it to another DC. Choose Run from the Start menu or open a command-line
  shell, and run the program ntdsutil. Within ntdsutil you will issue a series of
  commands:
    o Type roles
    o At fsmo maintenance:, type connections
    o At server connections:, type connect to server serverX@yourdomain.com, that is,
      the FQDN of the DC you want to take over the role.
    o At server connections:, type quit
    o At fsmo maintenance:, type seize RID master
    o At ntdsutil:, type quit

  As you can imagine, this is a dangerous task. Don't attempt to bring the crashed RID
  Master back online. When a role master dies, kill the partition and start over.

- Schema Master
  The schema is the DNA of Active Directory. The Schema Master is created on the first DC
  in the domain. If the DC running as Schema Master is going out of service as part of a
  network change, you can transfer the role using the Active Directory Schema MMC
  snap-in:
    o Right-click Active Directory Schema in the console window.
    o Choose Change Domain Controller in the console window.
    o Change the focus to the controller which you want to take over the Schema Master
      role.
    o Right-click Active Directory Schema in the console window.
    o Choose Operations Master from the shortcut menu.
    o Click the Change button.
    o Click OK.

  If the Schema Master DC crashes, you will have to seize the Schema Master role and
  force it to another DC. Choose Run from the Start menu or open a command-line shell,
  and run the program ntdsutil. Within ntdsutil you will issue a series of commands:
    o Type roles
    o At fsmo maintenance:, type connections
    o At server connections:, type connect to server serverX@yourdomain.com, that is,
      the FQDN of the DC you want to take over the role.
    o At server connections:, type quit
    o At fsmo maintenance:, type seize schema master
    o At ntdsutil:, type quit

  Seizing the Schema Master is radical. Don't attempt to bring the crashed Schema Master
  back online. It could corrupt your domain and you are dead. When a role master dies,
  kill the partition and start over.
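As an added example (not the article's own procedure), the following PowerShell function is the equivalent of the transfer and seize steps repeated for each role above, with the two safeguards the text insists on built in: a graceful transfer is tried first and a seizure is only done when the current holder cannot be contacted, and the Infrastructure Master is never seized onto a Global Catalog in a multi-domain forest. It assumes the RSAT ActiveDirectory module and the hypothetical names used in the usage line.

```powershell
# Added example: transfer a FSMO role, falling back to seizure only when the holder is dead.
# Assumes the RSAT ActiveDirectory module; Move-ADDirectoryServerOperationMasterRole -Force
# is the module's seize operation (same effect as ntdsutil "seize ...").
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDc,   # FQDN of the DC that should take the role
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role
    )
    $forest = Get-ADForest
    # Current holder: forest-wide roles live on the forest object, the rest on the domain
    $holder = switch ($Role) {
        'SchemaMaster'       { $forest.SchemaMaster }
        'DomainNamingMaster' { $forest.DomainNamingMaster }
        default              { (Get-ADDomain -Server $TargetDc).$Role }
    }
    $target = Get-ADDomainController -Identity $TargetDc -Server $TargetDc -ErrorAction Stop

    # The gotcha from the text: Infrastructure Master on a GC does nothing in a multi-domain forest
    if ($Role -eq 'InfrastructureMaster' -and $target.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
        throw "$TargetDc is a Global Catalog; pick a non-GC DC for the Infrastructure Master"
    }

    # An LDAP bind to the holder itself decides between transfer and seize
    $holderAlive = $false
    try {
        $null = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
        $holderAlive = $true
    } catch {
        Write-Warning "Current $Role holder $holder is not reachable: $($_.Exception.Message)"
    }

    if ($holderAlive) {
        Write-Host "Transferring $Role from $holder to $TargetDc"
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
    } else {
        Write-Warning "Seizing $Role on $TargetDc. Do not bring $holder back online; rebuild it."
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
    }

    # Verify against the target DC itself rather than trusting a replicated copy
    $check = Get-ADDomainController -Identity $TargetDc -Server $TargetDc
    if ($check.OperationMasterRoles -contains $Role) { "$Role is now held by $TargetDc" }
    else { throw "$TargetDc does not report holding $Role" }
}

# Usage with constructed names (replace with your own DC):
# Move-FsmoRoleSafely -TargetDc 'dc2.mycompany.com' -Role 'RIDMaster'
```

The account running this needs the same rights the GUI and ntdsutil steps require (Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, Domain Admins for the rest).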