FizzMo What now?

An overview of the Flexible Single Masters of Operation Roles in Active Directory. When they are required and where to place.

Back in the days of Windows NT, a domain consisted of a Primary Domain Controller (PDC) and 1 or more Backup Domain Controllers (BDC). The PDC contained the writable copy of the domain database, the BDC contained a read only version. Any changes (Users, Computers etc) to the domain had to be made from the PDC only.

With the launch of Active Directory on Windows 2000, this model changed. Now, the database is multi-master. The concept of PDC/BDC was gone. Changes can be made on any Domain Controller and then these would replicate to the other domain controllers.

As always, there are exceptions to the rule though. There are certain functions within Active Directory where there should be one authoritative server. Introducing Flexible Single Master Operations Roles aka FSMO Roles (see what I did with the title?). In total, there are 5 of these roles. 2 operate at the forest level and 3 operate at the domain level. We will take a look at each role in a little more detail below.

Forest Level

We will start with the forest level roles first. Given that the forest is the highest level of the environment (forests can contain multiple domains, domains can only be part of a single forest).

Schema Master

Active Directory is a collection of objects. These objects can be users, computers, contacts, organization units etc. Each object is a collection of classes, a class might be personal information or password information. Each class is made up of attributes, a password class might contain the attributes WhenSet, PasswordHash, CanBeChanged.

The definition of these attributes along with data types, length etc, classes and objects is defined within the Schema. As you can imagine, given the importance of the schema you wouldn’t want conflicts to occur by having multiple edits occurring at the same time.

Changes to the AD Schema occur generally when introducing the latest version of the Windows Operating System, Microsoft Exchange or Microsoft Skype for Business. It is possible to create your own custom attributes and classes if you really need to.

This server must be available when you perform a schema update.

Domain Naming Master

This role is used for adding and removing domains within the forest.  It’s responsible for ensuring domains are unique across the forest. You cannot have 2 domains named child.domain.com within the same forest.

It must be available when adding/removing a domain.

Domain Level

The following three FSMO roles are held at the domain level. There will be one master per domain. So, if you have the forest company.com and within the forest you have domains country1.company.com and country2.company.com, you will have these roles present with country 1 and country 2.

RID Master

Objects within Active Directory have a Security Identifier (SID) attribute. This is a specially crafted value. It is a combination of the SID and a Relative Identifier. As these numbers have to be unique across the estate, the RID master is responsible for handing out pools of numbers for Domain Controllers to issue.

Must be online for newly promoted domain controllers to obtain a local RID pool that is required to advertise or when existing domain controllers have to update their current or standby RID pool allocation.

PDCe

Back in the days of Windows NT, domains had a primary domain controller (PDC and there was only one per domain) and one or more backup domain controllers (BDC). The PDC was the sole domain controller responsible for writing changes to the domain (create/delete users, computers, changing passwords etc). Whilst Active Directory is now a multi master environment, the PDCe is still used for functions such as the source of authority for Time, processing account lockouts and authoritative password verification.

Must be online and accessible 24 hours a day, seven days a week.

Infrastructure Master

The Infrastructure Master is responsible for updating cross-domain object references when they are moved, renamed or deleted. In the event that not every domain controller is a Global Catalog, then to ensure there are not issues with Phantom Objects (objects that have been deleted elsewhere) the Infrastructure Master should not be held on a Global Catalog server. If all domain controllers are Global Catalogs, or this is the only forest then the Infrastructure Master can reside on a Global Catalog. In the event of the function levels being 2008 R2 or above, and Recycle Bin is enabled, then the Infrastructure Master can live on a Global Catalog.

The Infrastructure Master server is also required when running adprep command.

So, this is an overview of the Flexible Single Masters of Operation roles (FSMO for short). You can move them around should you need to. In the event of a major issue you can seize them however moving is always preferable.

So bearing all of the above in mind, you ideally want to have one hub site where the PDCe FSMO role in particular lives with all sites being able to reach the hub. To make life easier for yourself, host all the FSMO roles in the hub site. You can split the FSMO roles between multiple servers if you wish, how you split them is entirely up to you.

Source : https://support.microsoft.com/en-gb/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers

Leave a Reply

Your email address will not be published. Required fields are marked *