Sie sind auf Seite 1von 2

What is FSMO Roles?

(Flexible Single Master Operations)

There are times when you may need to change the Domain Controller which holds
one of the 5 FSMO roles. Either you could be facing a disaster recovery, where you
have lost the first Windows 2003 Domain Controller, or you are organized and want
to get the most out of your Active Directory Forest. Although you rarely need to deal
with Microsoft's FSMO, there is the feeling that knowledge of these Operation
Masters gives you power over your Windows 2003 Servers.

Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple master model.
The benefit is you can add a computer, or change a user's password on any domain
controller. For example, if you have three domain controllers, you can physically
create a new computer account in the NTDS.dit database on any of the three. Within
five minutes (15 seconds in Windows 2003), the new computer object will be
replicated to the other two domain controllers.

Technically, the Microsoft multiple master model uses a change notification


mechanism. Occasionally problems arise if two administrators perform duplicate
operations before the next replication cycle. For example, you created an OU called
Accounts last week, today at the same instant you create new users in that OU,
another administrator on another DC, deletes that OU. Active Directory does it's best
to obey both administrators. It deletes the OU and creates the Users, but as it
cannot create the Users in the OU because it was deleted, the result is the users are
added to the orphaned objects in the 'LostAndFound' folder. You can troubleshoot
what has happed by locating the 'LostAndFound' folder in Active Directory Users and
Computers.

From the View Menu in Active Directory Users and Computer,


click: Advanced Features.

It was worth investigating how Active Directory handles orphaned objects because
the point of FSMO is that a few operations are so critical that only one domain
controller can carry out that process. Imagine what would happen if two
administrators tried to make different changes to the same schema object - chaos.
That is why administrators can only change the schema on one Domain Controller.
Emulating a PDC is the most famous example of such a Single Master Operation;
creating a new child domain would be another example.

The Five FSMO Roles

There are just five operations where the usual multiple master model breaks down,
and the Active Directory task must only be carried out on one Domain Controller.
FSMO roles:
1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDC's.
However, there are two other FSMO roles which operate even in Windows 2003
Native Domains, synchronizing the W32Time service and creating group policies. I
admit that it is confusing that these two jobs have little to do with PDCs and BDCs.

2. RID Master - Each object must have a globally unique number (GUID). The RID
master makes sure each domain controller issues unique numbers when you create
objects such as users or computers. For example DC one is given RIDs 1-4999 and
DC two is given RIDs 5000 - 9999.

3. Infrastructure Master - Responsible for checking objects in other other


domains. Universal group membership is the most important example. To me, it
seems as though the operating system is paranoid that, a) You are a member of a
Universal Group in another domain and b) that group has been assigned Deny
permissions. So if the Infrastructure master could not check your Universal Groups
there could be a security breach.

4. Domain Naming Master - Ensures that each child domain has a unique name.
How often do child domains get added to the forest? Not very often I suggest, so the
fact that this is a FSMO does not impact on normal domain activity. My point is it's
worth the price to confine joining and leaving the domain operations to one machine,
and save the tiny risk of getting duplicate names or orphaned domains.

5. Schema Master - Operations that involve expanding user properties e.g.


Exchange 2003 / forestprep which adds mailbox properties to users. Rather like the
Domain naming master, changing the schema is a rare event. However if you have a
team of Schema Administrators all experimenting with object properties, you would
not want there to be a mistake which crippled your forest. So its a case of Microsoft
know best, the Schema Master should be a Single Master Operation and thus a FSMO
role.

How many FSMO Domain controllers in your Forest?

Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.)
are unique to the entire forest. Thus, if you have three domains there will be 3 PDC
emulators, but only 1 Schema Master.