FSMO- Flexible Single Master Operations

What are Operations Masters?

When a change is made to a domain, the change is replicated among all domain controllers in the domain. Some changes, such as changes made to the schema, are replicated across all the domains in the forest. This replication is known as multi-master replication. During multi-master replication, a replication conflict can occur if concurrent originating updates are performed on the same data on two different domain controllers. To avoid replication conflicts for some of the most important changes in Active Directory, for example the addition of a new domain or a change to the forest-wide schema, some operations are performed in single master fashion so that they are not allowed to occur at different places in the network at the same time. With single master replication, you designate specific domain controllers as the only domain controller on which certain directory changes can be made. Operations that are performed in a single-master fashion are grouped together into specific roles within the forest or within a domain. These roles are called operations master roles. 
For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.

Operations master roles: The five operations master roles are:
  1. Schema master
  2. Domain naming master
  3. PDC emulator
  4. RID master
  5. Infrastructure master

These operations master roles are either forest-wide or domain-wide.

Forest-Wide Roles:
  • Forest-wide roles are unique for a forest. The schema master and the domain naming master are forest-wide roles. This means that there is only one schema master and one domain naming master in the entire forest.
  1. Schema master. The schema master controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as computers, users, and printers.
  2. Domain naming master. The domain naming master controls the addition or removal of domains in the forest. There is only one domain naming master for each forest. Only the domain controller that holds the domain naming master role has the right to add a new domain to the forest.

Domain-Wide Roles:
  • Domain-wide roles are unique for each domain in a forest. The PDC emulator, the RID master, and the infrastructure master are domain-wide roles. This means that each domain in a forest has its own PDC emulator, RID master, and infrastructure master.
  1. Primary domain controller emulator. The primary domain controller (PDC) emulator acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Windows NT within a mixed-mode domain. A mixed-mode domain is a domain that has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that is created in a new domain.
  2. Relative identifier master. When a new object, such as a user, group, or computer, is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a relative identifier (RID), which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain, and these are then assigned to objects that are created.
  3. Infrastructure master. Active Directory allows objects, such as users, to be moved from one domain to another. When objects are moved, the infrastructure master is used to update object references in its domain that point to the object in another domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within domains as well as the deletion of the object.


Operations Master Roles in Detail

Active Directory defines five operations master roles: the schema master, domain naming master, primary domain controller (PDC) emulator, relative identifier (RID) master, and the infrastructure master. This lesson explains the purpose of each of these operations master roles.

Schema Master

Introduction
An Active Directory schema defines the kinds of objects, and the types of information about those objects, that you can store in Active Directory. The definitions are stored as objects so that Active Directory can manage the schema objects with the same object management operations that it uses to manage other objects in the directory.

Roles performed by the schema master
The schema master performs the following roles:
  1. Controls all originating updates to the schema.
  2. Contains the master list of object classes and attributes that are used to create all Active Directory objects.
  3. Replicates updates to the Active Directory schema to all domain controllers in the forest by using standard replication of the schema partition.
  4. Allows only the members of the Schema Admins group to make modifications to the schema. Having only one schema master per forest prevents the conflicts that would result if two or more domain controllers attempted to update the schema simultaneously.

The effect of the schema master being unavailable

Temporary loss of the schema master is not visible to network users or to network administrators unless they are trying to modify the schema or install an application that modifies the schema during installation. If the schema master is unavailable and you need to make a change to the schema, you can seize the role to a standby operations master.

Domain Naming Master

Introduction
When you add or remove a domain from a forest, the change is recorded in Active Directory.

Roles performed by the domain naming master
The domain naming master controls the addition or removal of domains in the forest. There is only one domain naming master per forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain. The domain naming master prevents multiple domains with the same domain name from joining the forest. When you use the Active Directory Installation Wizard to create a child domain, it contacts the domain naming master and requests the addition or deletion.

The effect of the domain naming master being unavailable
Like the schema master, temporary loss of the domain naming master is not visible to network users or to network administrators unless the administrator is trying to add a domain to the forest or remove a domain from the forest. If the domain naming master is unavailable, you cannot add or remove domains. If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles.

PDC Emulator

Introduction
The PDC emulator acts as a Microsoft® Windows NT® Primary Domain Controller (PDC) to support any backup domain controllers (BDCs) running Windows NT in a mixed-mode domain. When you create a domain, the PDC emulator role is assigned to the first domain controller in the new domain.

Roles performed by the PDC emulator
The PDC emulator performs the following roles:

  1. Acts as the PDC for any existing BDCs. If a domain contains any BDCs or client computers that are running Windows NT 4.0 and earlier, the PDC emulator functions as a Windows NT PDC. The PDC emulator services client computers and replicates directory changes to any BDCs running Windows NT.
  2. Manages password changes from computers running Windows NT, Microsoft Windows® 95 or Windows 98. You must write password changes directly to the PDC.
  3. Minimizes replication latency for password changes. Replication latency is the time needed for a change made on one domain controller to be received by another domain controller. When the password of a client computer running Windows 2000 or later is changed on a domain controller, that domain controller immediately forwards the change to the PDC emulator. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller will forward the authentication request to the PDC emulator before rejecting the logon attempt.


RID Master
The relative identifier (RID) master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain.

How the RID master supports creating and moving objects
The RID master supports creating and moving objects as follows:

1. Creating objects. To allow a multimaster operation to create objects on any domain controller, the RID master allocates a block of RIDs to each domain controller. When a domain controller needs an additional block of RIDs, it contacts the RID master, which allocates a new block of RIDs to the domain controller, which in turn assigns them to the new objects. If a domain controller's RID pool is empty and the RID master is unavailable, you cannot create new security principals on that domain controller. You can view the RID pool allocation by using the Domain Controller Diagnostic (dcdiag) utility. You can install the dcdiag utility by installing the Support Tools, which are located in the \Support\Tools folder on the product CD.

2. Moving objects. When you move an object between domains, the move is initiated on the RID master that contains the object. This way, there is no duplication of objects. If an object were moved, but no single master kept this information, you could move the object to multiple domains without realizing that a previous move had already occurred. The RID master deletes the object from the domain when the object is moved from that domain to another domain.

Infrastructure Master

The infrastructure master is a domain controller that is responsible for updating object references in its domain that point to objects in another domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and possibly a SID. Active Directory periodically updates the distinguished name and SID to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object. If SID or distinguished name modifications to user accounts and groups are made in other domains, the group membership for a group in your domain that references the changed user or group needs to be updated. The infrastructure master for the domain in which the group (or reference) resides is responsible for this update; it distributes the update through normal replication throughout its domain. The infrastructure master updates object identification according to the following rules:
  1. If the object moves at all, its distinguished name will change because the distinguished name represents its exact location in the directory.
  2. If the object is moved within the domain, its SID remains the same.
  3. If the object is moved to another domain, the SID changes to incorporate the new domain SID. 
  4. The GUID does not change regardless of location because the GUID is unique across domains.

Infrastructure master and the global catalog
The infrastructure master should not be the same domain controller that hosts the global catalog. If the infrastructure master and the global catalog are on the same computer, the infrastructure master does not function because it does not contain any references to objects that it does not hold. In addition, the domain replica data and the global catalog server data cannot exist on the same domain controller.
Periodically, the infrastructure master for a domain examines the references in its replica of the directory data to objects that are not held on that domain controller. It queries a global catalog server for current information about the distinguished name and SID of each referenced object. If this information has changed, the infrastructure master makes the change in its local replica. These changes are replicated by using normal replication to the other domain controllers within the domain.

Transferring and Seizing Operations Master Roles

Introduction
When you create a Microsoft® Windows® Server 2003 domain, Windows Server 2003 automatically configures all of the operations master roles. However, you may need to reassign an operations master role to another domain controller in the forest or the domain. To reassign an operations master role, determine the holder of the operations master role and then either transfer or seize the operations master role.

Transfer of Operations Master Roles
The placement of operations master roles in a forest is done when the forest and domain structure is implemented, and requires change only when making a major change to the domain infrastructure. Such changes include decommissioning a domain controller that holds a role or adding a new domain controller that is better suited to hold a specific role. Transferring an operations master role means moving it from one functioning domain controller to another. To transfer roles, both domain controllers must be up and running and connected to the network. No data loss occurs when you transfer an operations master role. The process of role transfer involves replicating the current operations master directory to the new domain controller, which ensures that the new operations master has the most current information available. This transfer uses the normal directory replication mechanism.


Procedure for transferring the RID master, PDC emulator, and infrastructure master roles

To transfer the operations master role for the RID master, PDC emulator, or infrastructure master, perform the following steps:

1.  Open Active Directory Users and Computers.
2.  In the console tree, right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
3.  In the Or select an available domain controller list, click the domain controller that will become the new operations master, and then click OK.
4.  In the console tree, right-click the domain that contains the server that will become the new operations master, and then click Operations Masters.
5.  On the Infrastructure, PDC, or RID tab, click Change.


Procedure for transferring the domain naming master role

To transfer the domain naming master role to another domain controller, perform the following steps:

1.  Open Active Directory Domains and Trusts.
2.  In the console tree, right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
3.  In the Or select an available domain controller list, click the domain controller that will become the new domain naming master, and then click OK.
4.  In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5.  When the name of the domain controller that you selected appears, click Change, and then click Yes.

Procedure for transferring the schema master role

To transfer the schema operations master role, perform the following steps:

1.  Open Active Directory Schema.
2.  In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
3.  Click Specify Name, type the name of the domain controller that you want to transfer the schema master role to, and then click OK.
4.  In the console tree, right-click Active Directory Schema, and then click Operations Master.
5.  When the name of the domain controller that you selected appears, click Change, and then click Yes.
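The three transfer procedures above can also be done from PowerShell. The following is an added example, not code from the original post: it moves the domain-wide roles with Move-ADDirectoryServerOperationMasterRole and then reads the roles back to confirm the transfer. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT), a Domain Admins account, and that both domain controllers are online; the target name DC2.corp.example is a constructed placeholder.

```powershell
# Added example (not from the original post). Transfers one or more domain-wide
# operations master roles and verifies the result. Assumes the ActiveDirectory
# module; 'DC2.corp.example' below is a constructed placeholder name.
Import-Module ActiveDirectory

function Move-DomainFsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$TargetDC,
        # Domain-wide roles only; SchemaMaster/DomainNamingMaster need
        # Schema Admins / Enterprise Admins and are forest-wide.
        [string[]]$Role = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    )
    $before = Get-ADDomain
    # Fails early if the intended new holder cannot be reached: a transfer
    # needs both the current holder and the target online.
    $target = Get-ADDomainController -Identity $TargetDC

    # Seizure uses the same cmdlet with -Force and, as the text says, is only
    # for a holder that will never return; this function never seizes.
    if ($PSCmdlet.ShouldProcess($target.HostName, "Transfer roles: $($Role -join ', ')")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target `
            -OperationMasterRole $Role -Confirm:$false
    }

    # Verify by reading the domain object back from the new holder.
    $after = Get-ADDomain -Server $target.HostName
    foreach ($r in $Role) {
        [PSCustomObject]@{
            Role   = $r
            Before = $before.$r
            After  = $after.$r
            Moved  = ($after.$r -eq $target.HostName)
        }
    }
}

# Preview first, then run without -WhatIf to perform the transfer.
Move-DomainFsmoRole -TargetDC 'DC2.corp.example' -WhatIf
```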


When to Seize Operations Master Roles?


Introduction
Seizing an operations master role means forcing an operations master role on another domain controller that cannot contact the failed domain controller and perform a transfer.

Implications of seizing a role
Seizing an operations master role is a drastic step. Do it only if the current operations master will never be available again and if a role cannot be transferred. Because the previous role holder is unavailable during a seizure, you cannot reconfigure or inform it that another domain controller now hosts the operations master role. To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure. Before you seize a role, you must permanently disconnect the domain controller that holds the operations master role from the network. If the previous role holder comes back online after you seize an operations master role, it waits until after a full replication cycle before resuming the role of operations master. This way, it can see if another operations master exists before it comes back online. If it detects one, it reconfigures itself to no longer host the roles in question.


Procedure for seizing a role by using Active Directory Users and Computers

To seize an operations master role for the PDC emulator or infrastructure master, perform the following steps:

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click the domain for which you want to seize an operations master, and then click Operations Masters. It may take several seconds for the data to appear because Active Directory Users and Computers is waiting for a response from the current holder of the operations master role. Because the current role holder has failed and cannot respond, the last updated information appears.
  3. In the Operations Master dialog box, on the tab of the operations master role that you want to seize, click Change.
  4. In the Active Directory dialog box, click Yes.
  5. When an Active Directory dialog box appears indicating that this computer is a non-replication partner, click Yes.
  6. When an Active Directory dialog box appears indicating that a transfer is not possible, click Yes.
  7. In the Active Directory dialog box, click OK, and then click Close.
  8. Close Active Directory Users and Computers.


Procedure for seizing a role by using Ntdsutil 

To use the ntdsutil command to seize an operations master role, perform the following steps:

1.  In the Run box, type cmd and then click OK.
2.  At the command prompt, type ntdsutil
3.  At the ntdsutil prompt, type roles
4.  At the fsmo maintenance prompt, type connections
5.  At the server connections prompt, type connect to server followed by the fully qualified domain name (FQDN) of the domain controller that will be the new role holder, and then type quit
6.  At the fsmo maintenance prompt, type one of the following commands to seize the appropriate operations master, and then type quit
      Seize RID master
      Seize PDC
      Seize infrastructure master
      Seize domain naming master
      Seize schema master
7.  At the ntdsutil prompt, type quit
8.  Verify the new holder of the operations master role that you seized.


How to Determine the Holder of an Operations Master Role?

Introduction
Before you consider moving an operations master role, determine which domain controller holds a particular operations master role. Authenticated users have the permission to determine where the operations master roles are located. Depending on the operations master role, use one of the following Active Directory consoles:
  1. Active Directory Users and Computers (PDC, RID, infrastructure)
  2. Active Directory Domains and Trusts (Domain Naming)
  3. Active Directory Schema (Schema)

1. Procedure for determining the RID master, PDC emulator, and infrastructure master

To determine which domain controller holds the RID master, PDC emulator, or infrastructure master roles, perform the following steps:

1.  Open Active Directory Users and Computers.
2.  In the console tree, right-click the domain for which you want to view operations masters, and then click Operations Masters.
3.  On the RID, PDC, or Infrastructure tabs, view the name of the current operations master under Operations master.


2. Procedure for determining the domain naming master

To determine which domain controller holds the domain naming master role, perform the following steps:

1.  Open Active Directory Domains and Trusts.
2.  Right-click Active Directory Domains and Trusts, and then click Operations Master.
3.  In the Change Operations Master dialog box, view the name of the current domain naming master.

3. Procedure for determining the schema master

To determine which domain controller holds the schema master role, perform the following steps:

1.  Register the Active Directory Schema snap-in by running the following command:
     regsvr32.exe %systemroot%\system32\schmmgmt.dll
2.  Click OK to close the message that indicates the registration succeeded.
3.  Create a custom Microsoft Management Console (MMC) console, and then add the Active Directory Schema snap-in to the console.
4.  In the console tree, expand and right-click Active Directory Schema, and then click Operations Master.
5.  In the Change Schema Master dialog box, view the name of the current schema master.
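All five holders can be read in one place from PowerShell instead of three consoles. The following is an added example, not code from the original post: it reports the role holders for a domain and its forest, and checks the infrastructure master / global catalog placement issue described above (it also covers the case, not mentioned above, where every domain controller is a global catalog, in which the placement does not matter). It assumes the ActiveDirectory module from RSAT on a domain-joined host; as the text notes, any authenticated user can read the role holders.

```powershell
# Added example (not from the original post). Lists the five FSMO role holders
# and checks infrastructure master placement. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the caller's domain

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    # Forest-wide roles live on the forest object, domain-wide on the domain object.
    [PSCustomObject]@{
        Forest               = $forest.Name
        Domain               = $dom.DNSRoot
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = Get-ADDomainController -Filter * -Server $dom.DNSRoot
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if ($null -eq $im) {
        $status = 'UNKNOWN: infrastructure master not found among the domain controllers'
    } elseif (-not $im.IsGlobalCatalog) {
        $status = 'OK: infrastructure master is not a global catalog'
    } elseif ($nonGc.Count -eq 0) {
        # Not stated on the page: if every DC is a GC there are no references
        # to objects the DC does not hold, so there is nothing for the role to fix.
        $status = 'OK: infrastructure master is a GC, but so is every DC in the domain'
    } else {
        $status = "WARNING: infrastructure master is a GC while $($nonGc.Count) DC(s) " +
                  'are not; cross-domain references in this domain will not be updated'
    }

    [PSCustomObject]@{
        Domain               = $dom.DNSRoot
        InfrastructureMaster = $dom.InfrastructureMaster
        GlobalCatalogs       = @($dcs | Where-Object IsGlobalCatalog).HostName
        Status               = $status
    }
}

Get-FsmoRoleHolder | Format-List
Test-InfrastructureMasterPlacement | Format-List
```

Run the same two functions after a transfer or seizure to complete the "verify the new holder" step of the ntdsutil procedure.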
