Flexible Single Master Operation Roles (FSMO)

Date: 20/10/2014
Source: LINK
Permalink: LINK
Document Version: 1.0
Total Chars: 6388
Total Words: 1325
Created by: HeelpBook
Page: 1
ACTIVE DIRECTORY – FLEXIBLE SINGLE MASTER OPERATION ROLES (FSMO)
Active Directory has five special roles which are vital for the smooth
running of AD as a multi-master system.
Some functions of AD require an authoritative master to which all Domain
Controllers can refer. These roles are assigned automatically (to the first
DC in the forest and to the first DC in each domain) and there is normally
very little reason to move them. However, if you decommission a DC and
DCPROMO fails to run correctly, or a DC suffers a catastrophic failure, you
will need to know about these roles in order to recover them or transfer
them to another DC.
The forest-wide roles must appear exactly once per forest; the domain-wide
roles must appear exactly once per domain.
THE ROLES
There are five FSMO roles, two per forest and three in every domain. A
brief summary of each role is below.
Forest Wide Roles
Schema Master: the schema is shared between every Tree and Domain
in a forest and must be consistent between all objects. The schema master
controls all updates and modifications to the schema.
Domain Naming Master: when a new domain is added to a forest its name must
be unique within the forest. The domain naming master must be available
when adding or removing a domain in a forest.
Domain Wide Roles
Relative ID (RID) Master: allocates pools of RIDs to the DCs within a
domain. When an object such as a user, group or computer is created in AD
it is given a SID. The SID consists of the domain SID (which is the same for
all SIDs created in the domain) and a RID which is unique within the domain.
Because each DC creates objects from its own RID pool, no two DCs can issue
the same SID. When moving objects between domains you must start the move
on the DC which is the RID master of the domain that currently holds the
object.
PDC Emulator: the PDC emulator acts as a Windows NT PDC for backwards
compatibility and can send directory updates to NT4 BDCs.
It is also the authoritative time source within a domain: the other DCs
synchronise their clocks with it, and the PDC emulator of the forest root
domain sits at the top of the time hierarchy.
Visit Us: http://www.heelpbook.net
Follow Us:
https://twitter.com/HeelpBook
It is also the password master (for want of a better term) for a domain.
Any password change is replicated to the PDC emulator as soon as is
practical. If a logon request fails due to a bad password, the DC that
received it forwards the request to the PDC emulator to check the password
before rejecting the logon.
Infrastructure Master: the infrastructure master is responsible for
updating references from objects in its domain to objects in other
domains. The global catalog is used to compare data as it receives
regular updates for all objects in all domains.
Any change to user-to-group references is updated by the infrastructure
master. For example, if you rename or move a group member and the member
is in a different domain from the group, the group will temporarily appear
not to contain that member until the infrastructure master updates the
reference.
Important Note: unless there is only one DC in a domain the
Infrastructure role should not be on the DC that is hosting the global
catalog. If they are on the same server the infrastructure master will not
function, it will never find data that is out of date and so will never
replicate changes to other DCs in a domain.
If all DCs in a domain also host a global catalog then it does not matter
which DC has the infrastructure master role as all DCs will be up to date
due to the global catalog.
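The placement rule above is easy to get wrong on a small domain where someone has since enabled the global catalog on an extra DC. The following PowerShell script is an added example, not from the original HeelpBook article: it reads the Infrastructure Master holder and the GC flag of every DC in the domain and reports whether the holder is in the one combination that breaks the role (holder is a GC while at least one other DC is not). It assumes the RSAT ActiveDirectory module is installed and the caller can query the domain; the function name is ours.

```powershell
# Added example (not part of the original article): check Infrastructure Master
# placement against the global catalog rule described in the text.
# Assumes: RSAT ActiveDirectory module; read access to the domain.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        # Assumed default: the domain of the current user. Pass a DNS name to check another domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainInfo = Get-ADDomain -Identity $Domain
    $imHolder   = $domainInfo.InfrastructureMaster            # FQDN of the current role holder

    # Every DC in the domain together with its global catalog flag
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain |
             Select-Object HostName, IsGlobalCatalog)

    $imIsGC   = ($dcs | Where-Object { $_.HostName -ieq $imHolder }).IsGlobalCatalog
    $allAreGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        Domain               = $Domain
        InfrastructureMaster = $imHolder
        HolderIsGC           = [bool]$imIsGC
        AllDCsAreGC          = [bool]$allAreGC
        DCCount              = $dcs.Count
        # Broken only when the holder is a GC and some other DC is not: the GC
        # copy is never stale, so the IM never sees anything to update.
        Misconfigured        = [bool]($imIsGC -and -not $allAreGC -and $dcs.Count -gt 1)
    }
}

$result = Test-InfrastructureMasterPlacement
$result | Format-List
if ($result.Misconfigured) {
    Write-Warning ("Move the Infrastructure Master off {0}, or make every DC in {1} a global catalog." -f
                   $result.InfrastructureMaster, $result.Domain)
}
```

A single-DC domain is reported as fine regardless of the GC flag, matching the "unless there is only one DC" exception in the note above.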
VIEWING AND TRANSFERRING ROLES
The roles can be viewed and transferred in the GUI or from the command
line.
SCHEMA MASTER
To view or transfer the schema master in the GUI you must first register
the Active Directory Schema snap-in DLL with Windows. To do this, enter the
following in the RUN dialog of the start menu (it must run with
administrative rights, as it writes to HKLM):
regsvr32 schmmgmt.dll
Once you have done this the Active Directory Schema MMC snap-in will be
available, and the role can be viewed and transferred from its Operations
Master dialog. Transferring the schema master requires membership of the
Schema Admins group.
ACTIVE DIRECTORY DOMAINS AND
TRUSTS
The Domain naming master can be viewed and transferred from this
MMC snap-in (mmc.exe).
ACTIVE DIRECTORY USERS AND COMPUTERS
The RID, PDC emulator and Infrastructure master roles can be
viewed and transferred from here.
NTDSUTIL
NTDSUTIL provides FSMO maintenance and the option to seize a role
(covered in the FSMO Role Failure section below).
To transfer a role using ntdsutil use the example below as a template for
all the roles.
Open a command prompt (as a Domain Admin; Enterprise Admin or Schema
Admin rights are needed for the forest-wide roles).
Enter in ntdsutil.
At the ntdsutil command prompt enter in roles.
At the fsmo maintenance prompt enter in connection.
At the server connections prompt enter in connect to server
domaincontrollername, where domaincontrollername is the DC that will
receive the role.
At the server connections prompt enter in quit.
At the fsmo maintenance prompt enter in transfer schema master (for the
other roles use transfer naming master, transfer RID master, transfer PDC
or transfer infrastructure master).
Quit from the console.
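On Windows Server 2008 R2 and later the same view-and-transfer procedure can be scripted with the ActiveDirectory PowerShell module, which is useful when you want to confirm afterwards that every DC agrees on the new holder. The script below is an added example, not from the original article: it lists the five holders, transfers one role gracefully (no -Force, so the current holder must be online), and then queries each DC individually for its view of the role. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the function names and the example DC name dc02.corp.example are ours.

```powershell
# Added example (not part of the original article): view the FSMO holders,
# transfer one role, and confirm that every DC sees the new holder.
# Assumes: RSAT ActiveDirectory module; Domain Admin (or Enterprise/Schema Admin
# for the forest-wide roles). DC names used in comments are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster           # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster     # forest-wide
        RIDMaster            = $domain.RIDMaster              # domain-wide
        PDCEmulator          = $domain.PDCEmulator            # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster   # domain-wide
    }
}

function Move-FsmoRole {
    param(
        # Assumed: name or FQDN of the DC that should receive the role
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role
    )

    # Without -Force this is a transfer: the current holder is contacted and hands
    # the role over cleanly, which is what the ntdsutil 'transfer' commands do.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false

    # Ask each DC directly rather than trusting one answer: a DC that still
    # names the old holder has simply not replicated the change yet.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $seen = if ($Role -in 'SchemaMaster','DomainNamingMaster') {
            (Get-ADForest -Server $dc.HostName).$Role
        } else {
            (Get-ADDomain -Server $dc.HostName).$Role
        }
        [pscustomobject]@{ QueriedDC = $dc.HostName; Role = $Role; Holder = $seen }
    }
}

Get-FsmoRoleHolders | Format-List
# Example call (placeholder DC name):
# Move-FsmoRole -TargetDC 'dc02.corp.example' -Role PDCEmulator | Format-Table -AutoSize
```

From a plain command prompt, netdom query fsmo prints the same five-line summary that Get-FsmoRoleHolders returns.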
FSMO ROLE FAILURE
Some of the operations master roles are essential for AD functionality,
others can be unavailable for a while before their absence will be noticed.
Normally it is not the failure of the role, but rather the failure of the DC
on which the role is running.
If a DC which is a role holder fails you can seize the role on another DC,
but you should always try to transfer the role first.
Before seizing a role you need to assess the likely duration of the outage
of the DC holding the role. If it is likely to be a short outage due to a
temporary power or network issue then you would normally wait rather than
seize the role.
SCHEMA MASTER FAILURE
In most cases the loss of the schema master will not affect network users
and only affect Admins if modifications to the schema are required. You
should however only seize this role when the failure of the existing holder
is considered permanent.
Note: A DC whose schema master role has been seized should never be
brought back online.
DOMAIN NAMING MASTER FAILURE
Temporary loss of this role holder will not be noticeable to network users.
Domain Admins will only notice the loss if they try and add or remove a
domain in the forest. You should however only seize this role when the
failure of the existing holder is considered permanent.
Note: A DC whose domain naming master role has been seized should never be
brought back online.
RID MASTER FAILURE
Temporary loss of this role holder will not be noticeable to network users.
Domain Admins will only notice the loss if a domain they are creating
objects in runs out of relative IDs (RIDs). You should however only seize
this role when the failure of the existing holder is considered permanent.
Note: A DC whose RID master role has been seized should never be brought
back online, because it would continue to hand out RID pools that overlap
with those issued by the new holder, producing duplicate SIDs.
PDC EMULATOR MASTER FAILURE
This is the role whose loss network users are most likely to notice: the
PDC emulator is the domain's time source and the DC to which failed password
checks are forwarded (see above), and pre-Windows 2000 clients and NT4 BDCs
depend on it entirely. If the DC with this role fails you may need to seize
the role immediately rather than wait.
If you seize the role and later return the original DC to the network you
can transfer the role back.
INFRASTRUCTURE MASTER FAILURE
Temporary loss of this role holder will not be noticeable to network users.
Administrators will not notice the role loss unless they are moving, or have
recently moved or renamed, large numbers of accounts across domains.
If you are required to seize the role, do not seize it to a DC which is a
global catalog server unless all DCs in the domain are global catalog
servers.
If you seize the role and later return the original DC to the network you
can transfer the role back.
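The failure section above amounts to a decision procedure: try a transfer, only seize when the holder is really gone, respect the global catalog rule for the Infrastructure Master, and remember which former holders must never return. The script below is an added example, not from the original article, that encodes those checks around the PowerShell seizure (Move-ADDirectoryServerOperationMasterRole with -Force, the equivalent of ntdsutil's seize commands). It assumes the RSAT ActiveDirectory module, Domain Admin rights (Enterprise or Schema Admin for the forest-wide roles), and that an LDAP connection test on TCP 389 is an acceptable reachability check for the old holder; the function name is ours.

```powershell
# Added example (not part of the original article): seize a FSMO role only after
# a transfer has failed and the current holder is confirmed unreachable.
# Assumes: RSAT ActiveDirectory module; Domain/Enterprise/Schema Admin as the
# role requires; TCP 389 reachability as the "is the holder alive" test.
Import-Module ActiveDirectory

function Invoke-FsmoSeizure {
    param(
        # Assumed: name or FQDN of the DC that should take over the role
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role
    )

    $forestWide = $Role -in 'SchemaMaster','DomainNamingMaster'
    $holder = if ($forestWide) { (Get-ADForest).$Role } else { (Get-ADDomain).$Role }

    # Infrastructure Master rule from the text: not onto a GC unless every DC is a GC.
    if ($Role -eq 'InfrastructureMaster') {
        $target   = Get-ADDomainController -Identity $TargetDC
        $allAreGC = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
        if ($target.IsGlobalCatalog -and -not $allAreGC) {
            throw "$TargetDC is a global catalog and not all DCs are; pick another DC for $Role."
        }
    }

    # 1. Always try a clean transfer first.
    try {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
            -Confirm:$false -ErrorAction Stop
        return "Transferred $Role from $holder to $TargetDC"
    } catch {
        Write-Warning "Transfer failed: $($_.Exception.Message)"
    }

    # 2. Seize only if the holder really is gone, not merely slow to replicate.
    $alive = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($alive) {
        throw "$holder still answers on LDAP; fix replication or wait for it instead of seizing."
    }

    # 3. -Force performs the seizure (what ntdsutil 'seize ...' does).
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false

    # 4. The text's rule: schema, domain naming and RID holders must never come back
    #    after a seizure; PDC emulator and Infrastructure Master may return and be
    #    transferred back.
    if ($Role -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
        Write-Warning "$holder must never be brought back online; remove it and clean up its metadata."
    }
    return "Seized $Role on $TargetDC (previous holder $holder)"
}

# Example call (placeholder DC name):
# Invoke-FsmoSeizure -TargetDC 'dc02.corp.example' -Role PDCEmulator
```

The reachability test is deliberately conservative: a holder that answers on LDAP but refuses the transfer is a replication or permissions problem to fix, not a reason to seize.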