Maximizing Flexible Single Master Operation (FSMO) Roles


In Windows Server 2003, as with Windows 2000, domain controllers support multimaster replication. In essence, all domain controllers in these environments are peers: each holds a writable replica of its domain partition, changes can be made at any of them, and the changes replicate to the rest. This distribution also provides redundancy by eliminating the single point of failure present in the single master domain model of Windows NT.

Although domain controllers share most of the work of managing an Active Directory forest, five functions are impractical to distribute and must be performed by a single server. For each of these functions, exactly one domain controller is the operations master.

There are two forestwide Flexible Single Master Operation (FSMO) roles that must exist in every forest, and three domainwide roles that must exist in every domain. The FSMO roles are outlined as follows:

  • Schema Master The server that contains this forestwide role contains the only writable copy of the schema in the forest.

  • Domain Naming Master This forestwide role is responsible for the addition or removal of domains within the forest.

  • PDC Emulator This domainwide role acts as the Windows NT primary domain controller for any pre-Windows 2000 clients and Windows NT backup domain controllers in the domain, receiving their password changes and replicating to the NT BDCs. It also receives password changes from other domain controllers ahead of normal replication and is the authoritative time source for the other domain controllers in the domain.

  • RID Master The server supporting this domainwide role allocates pools of relative IDs (RIDs) to each of the domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of the domain SID, which is the same for every SID created in the domain, and a RID, which is unique within the domain. Moving an Active Directory object out of a domain into another domain must also be initiated from the RID Master of the source domain.

  • Infrastructure Master The Infrastructure Master is responsible for updating references from objects in its domain to objects in other domains, such as group members that belong to another domain. It compares its data with that of a global catalog; when a referenced object has been renamed or moved, it requests the updated data from the global catalog and replicates it to the other domain controllers in its domain.

Proper Placement of Operation Master Roles

Because each Operation Master role can only reside on a single domain controller, it is important to understand the ramifications of each role in order to determine its proper placement within a forest or domain. Changes in Windows Server 2003 also remove some placement restrictions present in Windows 2000 forests. This section provides some best practices for FSMO role assignments.

First, the Infrastructure Master role should be assigned to a domain controller that is not a global catalog server. This holds even in single domain models because there is always the possibility that new domains will be added to the forest. In a multidomain model, if the Infrastructure Master has a local copy of the global catalog, it will never find data that is out of date, and therefore never replicate new information about other domains to the other domain controllers in its own domain. The one exception is a domain in which every domain controller is a global catalog server: then no domain controller holds references that need correcting, and the placement of the role does not matter.

Placement of the PDC Emulator domain controller might affect logon times in some organizations. Even for companies that no longer have pre-Windows 2000 clients on the network, the PDC Emulator gets preferential treatment with regards to password change replication: a password changed on any domain controller is sent urgently to the PDC Emulator, while it reaches the rest of the domain controllers on the normal replication schedule. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC Emulator before rejecting the logon attempt, so a slow or distant PDC Emulator lengthens these retries.

Also, the PDC Emulator should get special consideration when setting up time synchronization. This FSMO role is the authoritative time source for all domain controllers in its domain, and the PDC Emulators of child domains in turn synchronize from the PDC Emulator of their parent domain. The PDC Emulator in the forest root domain should therefore be synchronized with an external time source.

Finally, there is a limitation of Windows 2000 functional level forests that requires the Domain Naming Master role to reside on a domain controller that is also a global catalog server. At the Windows Server 2003 forest functional level, this limitation is removed, so this forestwide role can exist on a DC that is not a GC.
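The following script is an added example, not code from the book. It reads the holders of all five roles listed above through the .NET System.DirectoryServices.ActiveDirectory classes (so it needs no RSAT module) and flags the three placement rules from this section: an Infrastructure Master on a GC in a domain that still has non-GC domain controllers, a Domain Naming Master that is not a GC at the Windows 2000 forest level, and the forest root PDC Emulator that should be pointed at an external time source. It assumes a domain-joined machine, Windows PowerShell 3.0 or later, and a user who can read the directory; it is read-only and never moves a role.

```powershell
# Added example (not from the book): report FSMO role holders and check placement.
Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoPlacementReport {
    # Requires a domain-joined machine; throws if the forest cannot be contacted.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Forestwide roles: Schema Master and Domain Naming Master.
    $forestRoles = [ordered]@{
        'Schema Master'        = $forest.SchemaRoleOwner
        'Domain Naming Master' = $forest.NamingRoleOwner
    }
    foreach ($entry in $forestRoles.GetEnumerator()) {
        [pscustomobject]@{
            Scope  = $forest.Name
            Role   = $entry.Key
            Holder = $entry.Value.Name
            IsGC   = $entry.Value.IsGlobalCatalog()
        }
    }

    # Rule: at the Windows 2000 forest functional level the Domain Naming Master must be a GC.
    if ($forest.ForestMode -eq 'Windows2000Forest' -and -not $forest.NamingRoleOwner.IsGlobalCatalog()) {
        Write-Warning "Forest $($forest.Name) is at Windows 2000 functional level, so the Domain Naming Master $($forest.NamingRoleOwner.Name) must be a global catalog server."
    }

    foreach ($domain in $forest.Domains) {
        $dcs = @($domain.DomainControllers)
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog() })

        # Domainwide roles: PDC Emulator, RID Master, Infrastructure Master.
        $domainRoles = [ordered]@{
            'PDC Emulator'          = $domain.PdcRoleOwner
            'RID Master'            = $domain.RidRoleOwner
            'Infrastructure Master' = $domain.InfrastructureRoleOwner
        }
        foreach ($entry in $domainRoles.GetEnumerator()) {
            [pscustomobject]@{
                Scope  = $domain.Name
                Role   = $entry.Key
                Holder = $entry.Value.Name
                IsGC   = $entry.Value.IsGlobalCatalog()
            }
        }

        # Rule: keep the Infrastructure Master off a GC, unless every DC in the domain
        # is a GC, in which case no DC holds stale cross-domain references to correct.
        $infra = $domain.InfrastructureRoleOwner
        if ($infra.IsGlobalCatalog()) {
            if ($gcs.Count -eq $dcs.Count) {
                Write-Verbose "$($domain.Name): Infrastructure Master $($infra.Name) is a GC, but so is every DC in the domain; placement does not matter."
            } else {
                Write-Warning "$($domain.Name): Infrastructure Master $($infra.Name) is a GC while $($dcs.Count - $gcs.Count) of $($dcs.Count) DCs are not. It will never detect stale cross-domain references and will stop updating them on the non-GC DCs."
            }
        }

        # Rule: the forest root PDC Emulator is the top of the time hierarchy and should
        # sync from an external source, e.g. on that server:
        #   w32tm /config /manualpeerlist:"ntp.example.com" /syncfromflags:manual /reliable:yes /update
        # (ntp.example.com is a placeholder for your own NTP server.)
        if ($domain.Name -eq $forest.RootDomain.Name) {
            Write-Verbose "$($domain.PdcRoleOwner.Name) is the forest root PDC Emulator; configure it with an external time source."
        }
    }
}

Get-FsmoPlacementReport -Verbose | Format-Table -AutoSize
```

Run it from any domain member; warnings identify placements that violate the rules above, and `-Verbose` shows the informational notes. On a Windows Server 2003 domain controller without PowerShell, the same role holders can be listed with `netdom query fsmo` (from the Support Tools) or one role at a time with `dsquery server -hasfsmo rid`.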

Moving Operation Master Roles

There might be occasion to move particular FSMO roles between servers after Active Directory is installed and distributed across several domain controllers. Also, in cases of disaster recovery or demotion of domain controllers serving these roles, it might become necessary to move FSMO roles. This section explains how to transfer the roles.

In cases where the FSMO role merely needs to be transferred between two functioning domain controllers, the appropriate MMC snap-in or the NTDSUtil command-line tool can be used. In disaster recovery situations where the operations master is lost, the FSMO roles must be seized using the NTDSUtil command-line tool.

Transfer of the Schema Master role is performed by using the Active Directory Schema snap-in. This snap-in must be registered (regsvr32 schmmgmt.dll) before it appears in the MMC, and it must be run by a member of the Schema Admins group in the forest. See the section "Using the Active Directory Schema Snap-in" for instructions on how to install the snap-in. To transfer the Schema Master role, perform the following steps:

  1. Open the Active Directory Schema snap-in.

  2. In the console tree, right-click Active Directory Schema and then click Change Domain Controller.

  3. Click Specify Name and type the name of the domain controller that you want to hold the schema master role.

  4. In the console tree, right-click Active Directory Schema, and then click Operations Master.

  5. Click Change.

Transferring the Domain Naming Master role is a similar procedure performed using Active Directory Domains and Trusts; it requires membership in the Enterprise Admins group. Transferring the PDC Emulator, RID Master, or Infrastructure Master roles can all be performed from the Operations Masters dialog in Active Directory Users and Computers by a member of the Domain Admins group of that domain.

Change the Focus of Active Directory Users and Computers

To transfer a role to another domain controller, first change the focus of Active Directory Users and Computers to the target domain controller, because the Change button transfers the role to whichever domain controller the snap-in is connected to. To do this, right-click Active Directory Users and Computers, click Connect to Domain Controller, and then select the target domain controller.


In cases where the operations master is lost and cannot be recovered, the NTDSUtil command-line tool can be used to seize the role onto a functioning domain controller.

To seize the RID master role, for example, follow these steps:

  1. Open a command prompt.

  2. Type ntdsutil and press Enter.

  3. At the ntdsutil command prompt, type roles and press Enter.

  4. At the fsmo maintenance command prompt, type connections and press Enter.

  5. At the server connections command prompt, type connect to server servername and press Enter.

  6. At the server connections prompt, type quit and press Enter.

  7. At the fsmo maintenance command prompt, type seize RID master and press Enter. ntdsutil first attempts a normal transfer and seizes the role only if the current holder cannot be contacted; confirm the seizure in the dialog box that appears. After the role has been seized, type quit (or just q) and press Enter until you have exited ntdsutil.

  8. Type exit to close the command prompt window.

Seizing FSMO Roles

Do not seize FSMO roles if they can be transferred instead. Seizing the RID Master is a drastic step that should be considered only if the current operations master will never be available again: a former RID Master that comes back online would keep handing out RID pools that overlap those issued by the new holder, producing duplicate SIDs. A domain controller whose role has been seized must not be returned to the network unless it is reinstalled, and its remaining directory metadata should be removed with ntdsutil's metadata cleanup.


The Operation Master Role

The servername given in step 5 is the domain controller that will seize the operations master role.
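The function below is an added example, not from the book. It runs the same ntdsutil sequence as the interactive steps above (roles, connections, connect to server, quit, seize or transfer, quit, quit) non-interactively, by passing each prompt's input as a separate argument, and then verifies the new holder with dsquery. The function name, parameters and the -Seize switch are this example's own; the ntdsutil fsmo maintenance command names and dsquery -hasfsmo keywords are those of Windows Server 2003. Run it as a member of the group that may move the role (Domain Admins for the domainwide roles, Enterprise Admins for Domain Naming Master, Schema Admins for Schema Master).

```powershell
# Added example (not from the book): transfer, or seize, an operations master with ntdsutil.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('schema', 'domain naming', 'pdc', 'rid', 'infrastructure')]
        [string]$Role,

        [Parameter(Mandatory = $true)]
        [string]$TargetServer,   # the DC that will receive the role (short name or FQDN)

        [switch]$Seize           # disaster recovery only: the current holder will never return
    )

    # fsmo maintenance command names as accepted by Windows Server 2003 ntdsutil.
    # Windows Server 2008 and later renamed "domain naming master" to "naming master".
    $fsmoName = @{
        'schema'         = 'schema master'
        'domain naming'  = 'domain naming master'
        'pdc'            = 'PDC'
        'rid'            = 'RID master'
        'infrastructure' = 'infrastructure master'
    }[$Role]

    # Keywords for "dsquery server -hasfsmo" used to verify the result.
    $hasFsmoKeyword = @{
        'schema'         = 'schema'
        'domain naming'  = 'name'
        'pdc'            = 'pdc'
        'rid'            = 'rid'
        'infrastructure' = 'infr'
    }[$Role]

    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    if ($Seize) {
        # ntdsutil still tries a transfer first and asks for confirmation in a dialog box.
        Write-Warning "Seizing $fsmoName onto $TargetServer. The former holder must never be brought back online unless it is reinstalled."
    }

    # One argument per prompt, in the same order as the interactive session above.
    $ntdsArgs = @(
        'roles',
        'connections',
        "connect to server $TargetServer",
        'quit',
        "$verb $fsmoName",
        'quit',
        'quit'
    )
    & ntdsutil.exe @ntdsArgs

    # dsquery prints the DN of the holder's NTDS Settings object, e.g.
    # "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com".
    # The domainwide keywords are evaluated against the domain the caller is logged on to.
    $shortName = $TargetServer.Split('.')[0]
    $holderDn  = & dsquery.exe server -hasfsmo $hasFsmoKeyword
    if ($holderDn -match "CN=$([regex]::Escape($shortName)),") {
        Write-Host "$fsmoName is now held by $TargetServer"
        return $true
    }
    Write-Warning "Could not confirm $fsmoName on $TargetServer; dsquery reports: $holderDn"
    return $false
}

# Usage (DC02 is a placeholder name):
#   Move-FsmoRole -Role rid -TargetServer DC02          # transfer between two live DCs
#   Move-FsmoRole -Role rid -TargetServer DC02 -Seize   # only when the old RID Master is gone for good
```

Without -Seize the function performs a transfer and fails harmlessly if the current holder cannot be reached; with -Seize it follows the same procedure as steps 1 through 8 above and should be used only under the conditions described in the "Seizing FSMO Roles" note.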




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
