FSMO (Flexible Single Master Operations)

There are times when you may need to change the Domain Controller which holds one of the 5 FSMO roles. Either you could be facing a disaster recovery, where you have lost the first Windows 2003 Domain Controller, or you are organized and want to get the most out of your Active Directory Forest. Although you rarely need to deal with Microsoft's FSMO, there is the feeling that knowledge of these Operation Masters gives you power over your Windows 2003 Servers.

Topics for FSMO

Background of Operations Masters 5 FSMO Roles Checking which DC holds which FSMO role The 'Knack' of Changing Operations Master Advice and Troubleshooting FSMO

Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is you can add a computer, or change a user's password on any domain controller. For example, if you have three domain controllers, you can physically create a new computer account in the NTDS.dit database on any of the three. Within five minutes (15 seconds in Windows 2003), the new computer object will be replicated to the other two domain controllers. Technically, the Microsoft multiple master model uses a change notification mechanism. Occasionally problems arise if two administrators perform duplicate operations before the next replication cycle. For example, you created an OU called Accounts last week, today at the same instant you create new users in that OU, another administrator on another DC, deletes that OU. Active Directory does it's best to obey both administrators. It deletes the OU and creates the Users, but as it cannot create the Users in the OU because it was deleted, the result is the users are added to the orphaned objects in the 'LostAndFound' folder. You can troubleshoot what has happed by locating the 'LostAndFound' folder in Active Directory Users and Computers. From the View Menu in Active Directory Users and Computer, click: Advanced Features. It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is that a few operations are so critical that only one domain controller can carry out that process. Imagine what would happen if two administrators tried to make different changes to the same schema object - chaos. That is why administrators can only change the schema on one Domain Controller. Emulating a PDC is the most famous example of such a Single Master Operation; creating a new child domain would be another example.

The Five FSMO Roles

There are just five operations where the usual multiple master model breaks down, and the Active Directory task must only be carried out on one Domain Controller. FSMO roles:

1. PDC Emulator - Most famous for backwards compatibility with NT 4.0

BDC's. However, there are two other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs. 2. RID Master - Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 9999. 3. Infrastructure Master - Responsible for checking objects in other domains. Universal group membership is the most important example. To me, it seems as though the operating system is paranoid that, a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure master could not check your Universal Groups there could be a security breach. 4. Domain Naming Master - Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity. My point is it's worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains. 5. Schema Master - Operations that involve expanding user properties e.g. Exchange 2003 / forestprep which adds mailbox properties to users. Rather like the Domain naming master, changing the schema is a rare event. However if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest. So its a case of Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role.

(There is a also an important Global Catalog Role, however its not a FSMO role as you can have more than one Global Catalog. See more on Global Catalog Server) How many FSMO Domain controllers in your Forest? Three of the FSMO roles (1. 2. and 3.) Are held in each domain, whilst two (4. 5.) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.

Checking which DC holds which FSMO role RID, PDC, Infrastructure (1. 2. and 3.)
You can discover which server holds the Operation Master by opening Active Directory Users and Computers, Right click your Domain and select Properties, Operations Masters. See the 'Knack' for changing Operation Master

Domain Naming Master (4.)

To see the Domain Naming Master (4.), navigate to the little used, Active Directory Domains and Trusts, Right click your Domain and select Properties, Operations Masters.

Schema Master (5.)

The Schema Master (5.) is the most difficult FSMO to find. The reason is the Schema snap-in is hidden by default. Perhaps is this is Microsoft saying - don't mess with the object definitions. However, you can reveal the Schema and its FSMO settings thus: 1) Register the Schema Snap with this command, RUN regsvr32 schmmgmt.dll 2) Run MMC, File menu, Add\Remove Snap-in, click the Add button and select, Active Directory Schema 3) Select Active Directory Schema, Right Click, Operations Master. See the 'Knack' for changing Operation Master

Footnote
I have to confess a hidden agenda with FSMO. If I want to instantly know how well someone knows Active Directory, I introduce FSMO into the conversation and watch their reaction. Professionals will know what FSMO means and its significance, amateurs just frown.