Active Directory - FSMOs
James Michael Stewart
Supporting and deploying Active Directory requires more than just domain controllers. You must also include Flexible Single Master Operations (FSMOs) in your planning and deployment. An FSMO is a domain controller that hosts one or more of the operations masters required by Active Directory.
The five operations masters are: schema master, domain-naming master, PDC emulator, RID master and infrastructure master.
The schema master maintains the only read/write copy of the AD schema for the entire forest. There is only one schema master per forest.
The domain-naming master manages the addition and removal of domains in a forest. It also prevents the reuse of the FQDN and NetBIOS names of those domains within the forest. The domain-naming master maintains the only read/write copy of the domain membership database in the forest.
The PDC emulator performs several functions. In mixed-mode domains, the PDC emulator provides support for Windows NT 4.0 Server BDCs. In both native mode and mixed mode, the PDC emulator is the first domain controller to receive password changes; it is required when editing Group Policy Objects (GPOs) and when distributing them; and it is critical to the propagation of account changes within AD (such as account disable and delete).
The RID master (relative ID master) maintains the database that associates specific objects with the domain. Each domain controller must contact the RID master of its own domain to obtain blocks of relative IDs (RIDs) for the creation of new objects.
The infrastructure master manages group memberships across domains and thus enables trusts to function.
The first domain controller installed in the root of a forest initially assumes all five roles. However, this is a very poor condition in which to leave your FSMOs, from both a performance perspective and a fault-tolerance perspective. Ideally you should have a separate domain controller for each of the schema master and domain-naming master roles in the root domain of the forest. In addition, you should have a separate domain controller for each of the PDC emulator, RID master and infrastructure master roles in each domain (including the root domain of the forest).
Changing the host domain controller for an FSMO role is an easy process but should be undertaken only after careful planning. The roles of PDC emulator, RID master and infrastructure master are all changed through Active Directory Users and Computers using the Operations Masters command from the Action menu while the domain controller is selected. The domain-naming master is changed through Active Directory Domains and Trusts using the Operations Master command from the Action menu while the AD Domains and Trusts top node is selected. The schema master is changed through the Active Directory Schema snap-in in an MMC console.
In addition to the FSMOs, there are several other domain controller services you should appraise when planning out your sites, forests, trees and domains: global catalog server, DNS, WINS and DHCP. The first domain controller in a forest root becomes the global catalog server (GC). The global catalog server maintains an index of all objects in the forest. Without the GC, it would not be possible to locate and access objects in other domains, log on to a domain or use universal groups (in native mode). To define a domain controller as a GC server, use Active Directory Sites and Services, open the Properties of the NTDS Settings node under a domain controller, then mark the Global Catalog checkbox.
Here are a few rules to keep in mind:
- You should have two servers of each type per domain for fault tolerance: domain controller, DNS, WINS and DHCP.
- You should have at least one of each server type in each site for slow-link fault tolerance and performance: domain controller, DNS, WINS and DHCP.
- You should have at least two GCs per forest and one GC per site.
- Whenever possible, keep the GC and the infrastructure master on separate domain controllers.
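As an added example (not code from this article), the following PowerShell audit checks an existing forest against the placement rules above; it assumes the RSAT ActiveDirectory module is installed and runs under an account that can read forest and domain objects.

```powershell
# Added example (not from the original article): audit FSMO and global catalog
# placement against the rules listed above. Assumes the RSAT ActiveDirectory
# module and an account that can read forest and domain objects.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Forest-root rule: schema master and domain-naming master on separate DCs.
if ($forest.SchemaMaster -eq $forest.DomainNamingMaster) {
    $findings += "Schema master and domain-naming master share a DC: $($forest.SchemaMaster)"
}

# Rule: at least two GCs per forest.
if (@($forest.GlobalCatalogs).Count -lt 2) {
    $findings += "Fewer than two global catalogs in the forest: $($forest.GlobalCatalogs -join ', ')"
}

# Rule: at least one GC per site. Ask each GC about itself so DCs from other
# domains in the forest are included, then compare site coverage.
$gcSites = foreach ($gc in $forest.GlobalCatalogs) {
    (Get-ADDomainController -Identity $gc -Server $gc).Site
}
foreach ($site in $forest.Sites) {
    if ($gcSites -notcontains $site) { $findings += "Site '$site' has no global catalog" }
}

# Per-domain rules: PDC emulator, RID master and infrastructure master each on
# its own DC, and the infrastructure master not on a GC.
foreach ($domainName in $forest.Domains) {
    $domain  = Get-ADDomain -Identity $domainName
    $holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    if (@($holders | Select-Object -Unique).Count -lt 3) {
        $findings += "$($domainName): PDC emulator, RID master and infrastructure master are not all on separate DCs"
    }
    $im = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domain.InfrastructureMaster
    if ($im.IsGlobalCatalog) {
        $findings += "$($domainName): infrastructure master $($im.HostName) is also a global catalog"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'FSMO and GC placement follows the rules above.' }
```

The script only reports; moving a role remains a planned change done with the GUI tools described above or with Move-ADDirectoryServerOperationMasterRole.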
If a system hosting an FSMO role is failing or needs to be taken offline, transfer the role to another domain controller using the appropriate tool. A graceful transfer of an FSMO role is always preferred. When the system is repaired and returned to the network, the FSMO role can be returned to it.
If a system hosting an FSMO role goes offline and cannot be brought back online, you can choose to seize the role onto another domain controller. The NTDSUTIL tool is used to seize FSMO roles. Use this tool with caution and read the Resource Kit for complete details and step-by-step procedures. If you seize the role of the PDC emulator or infrastructure master, you can return the previous host to the network and even return the role to it if desired. If you seize the role of the domain-naming master or the RID master, you can return the system to the network if you perform a repair that retains the original SID of the system, such as an upgrade install; you will then want to remove AD from the system and re-install it as a domain controller if desired. If you seize the role of the schema master, you must completely destroy and rebuild the OS on that system before returning it to the forest.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.