Skip to main content

Understanding FSMO Roles in Active Directory

Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.  Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.


At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

Comments

Post a Comment

Popular posts from this blog

Bridging Ethernet Connections - Ubuntu/Fedora

Installing bridge-utils Adept Search for bridge-utils and choose the drop-down arrow on the left. Choose "request install". Konsole: Enter this into Konsole: sudo apt-get update sudo apt-get install bridge-utils If you use sudo -i and enter your password, then you will not have to use sudo before each command. It may also save you some typing in the future. Setting up the Bridge Ensure that both (or all) of your interfaces are installed and enabled. If they are then you may proceed at this point. For a few moments, if your computer is connected to the internet then it will be disconnected until a certain point is reached. Open Konsole and use the following commands. Note that when interfaces are referenced, they refer to device names assigned by linux such as "eth0" and "eth1". Also note that myBridge is the name of the bridge that you wish to have. This can be anything, but a simple name like bridge0 or bridge1 is s...
Post a Comment
Read more

What are the few major differences between 2003,2008 & 2012

2003-IIS 6.0 2008- IIS 7.0 2008R2- IIS-7.5 2012-IIS 8 ---------------------- 2003-32 AND 64 BIT AVAILABLE 2008-32AND 64BIT AVAILABLE 2008R2- ONLY 64BIT AVAILABLE 2012 - ONLY 64 BIT AVAILABLE ------------------------------------------ 2003 KERNAL VER. -5.2 2008 KERNEL-6.0 2008 R2-6.1 2012-6.2 ------------------------------------------ 2003- IE VERSION 6.0 2008- IE VERSION 7.0 2008 R2 IE VERSION 8.0 2012 IE VERSION 10.0 2012 R2 IE VERSION 11.0 ----------------------- 2003- AD ADMINISTRATIVE CENTER NOT AVAILABLE 2008- NOT AVAILABLE 2008 R2- AVAILABLE 2012- AVAILABLE -------------------------------------
Post a Comment
Read more

Microsoft Active Directory

> What Intrasite and Intersite Replication? Intrasite is the replication within the same site & intersite the replication between sites. > What is lost & found folder in ADS? It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find the OU then it will put that in Lost & Found Folder. > What is Garbage collection? Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours. > What System State data contains? Contains Startup files, Registry Com + Registration Database Memory Page file System files AD information Cluster Service information SYSVOL Folder >What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS ser...
Post a Comment
Read more