In Active Directory, FSMO roles play a pivotal part. The reasoning behind this concept is interesting and also gives you the whole picture of what happens when a new object is created and how it is replicated to all domain controllers.
In Windows NT we had the concept of single-master operation: the PDC (Primary Domain Controller) held the only writable copy of the SAM (Security Accounts Manager) database, and the other domain controllers (called BDCs, Backup Domain Controllers) held read-only copies. Active Directory overcomes this by giving every domain controller a writable copy in a Windows 2000/2003 Server environment. Any change made on one DC is automatically replicated to all DCs; this is referred to as multi-master replication. Why do we need FSMO roles? The answer lies in what happens when the same change is made on different DCs at the same time: it results in conflicting data in the AD database. To avoid this conflict, the concept of Flexible Single Master Operation roles, FSMO roles for short, was introduced. There are five distinct roles, each with its own functions. The first two are called forest-level roles and the other three domain-level roles.
Schema Master :
1. Controls all updates and modifications to the AD schema.
2. Once a schema update is completed, the schema master replicates it to all other DCs.
3. There can be only one schema master in the whole forest.
Domain Naming Master :
1. Controls the addition or removal of domains in the forest.
2. Adding or removing a domain is possible only through the domain naming master.
3. There can be only one domain naming master in the whole forest.
Infrastructure Master :
1. Responsible for updating an object's security identifier and distinguished name in cross-domain object references.
2. At any one time, there can be only one infrastructure master in each domain.
3. The DC holding the infrastructure master role should not be a global catalog server. This is because the GC holds a partial replica of every object in the forest, so an infrastructure master that is also a GC never sees a cross-domain reference in its domain as out of date; such references are not updated and an error is logged in the event log. This is not the case when all DCs in the domain are global catalog servers.
RID Master :
1. Responsible for processing RID (Relative Identifier) pool requests from all DCs in a particular domain.
2. unique RID = RID pool range + SID (security identifier)
where
RID pool range = the number range allocated to the DCs in the domain
SID = the unique identifier of each and every object created on any DC within a particular domain.
3. There can be only one RID master for that particular domain.
PDC Emulator :
1. Responsible for synchronizing time within an enterprise.
2. The PDC (Primary Domain Controller) emulator of a domain is the authoritative time source for that domain, and the PDC emulator of the forest root domain is authoritative for the enterprise.
3. Password changes made on any DC are replicated to the PDC emulator.
4. Authentication failures and account lockouts are all processed by the PDC emulator.
5. Provides support for a Windows NT 4.0-based PDC environment and earlier (down-level) clients.
6. There can be only one PDC emulator for that particular domain.
Commands for checking the FSMO roles :
The following commands show which domain controller holds each of the roles.
1. dumpfsmos {servername}
2. dsquery server -hasfsmo {schema|rid|pdc|infrastructure}
3. dcdiag /test:knowsofroleholders /v
4. netdom query fsmo
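The same information can be gathered from PowerShell, and that makes it easy to add the sanity checks described in the sections above. The following script is an added example, not part of the original post and not a Microsoft tool: it lists the five role holders with the ActiveDirectory module, then checks whether the infrastructure master is a global catalog while other DCs in the domain are not, and reports how much of the domain's RID pool has already been handed out. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain and the CN=RID Manager$ object; the 80% threshold at the end is an arbitrary value chosen for the example.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the domain and the RID Manager object.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-level roles come from the forest object, the three domain-level
# roles from the domain object; each property holds the FQDN of one DC.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
}
$roles.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holder = $_.Value } } |
    Format-Table -AutoSize

# Check 1: infrastructure master vs. global catalog placement. The role holder
# should not be a GC unless every DC in the domain is one.
$dcs   = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$nonGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and $nonGC.Count -gt 0) {
    $msg = "Infrastructure master {0} is a GC while {1} DC(s) are not; cross-domain references in this domain will not be updated." -f $im.HostName, $nonGC.Count
    Write-Warning $msg
} else {
    Write-Host "Infrastructure master / global catalog placement is fine."
}

# Check 2: RID pool consumption. rIDAvailablePool on the RID Manager object packs
# two 32-bit values into one 64-bit integer: the low half is the next RID that
# will be handed out to a DC, the high half is the maximum RID for the domain.
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                       -Properties rIDAvailablePool -Server $domain.RIDMaster
[int64]$pool = $ridMgr.rIDAvailablePool
$nextRid = $pool -band 0xFFFFFFFF
$maxRid  = $pool -shr 32
$used    = $nextRid / $maxRid
"RIDs allocated so far: {0:N0} of {1:N0} ({2:P1} used)" -f $nextRid, $maxRid, $used
if ($used -gt 0.8) {   # threshold chosen for this example
    Write-Warning "More than 80% of the domain RID pool has been allocated; review before the RID master runs out."
}
```

Run it from a domain-joined machine as a user with ordinary read access; no role transfer or seizure is attempted. Querying the RID master directly (-Server $domain.RIDMaster) avoids reading a replication-lagged copy of the pool value from another DC.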
This concludes the illustration of the functions of these roles. Transferring and seizing roles is the next step for the reader.
Please do post if you have any questions.
Thanks
Logu
logu_microsoft@hotmail.com | 91-98414-99143