Monday 5 October 2009

Active Directory: FSMO Roles in Windows Server 2008 R2

I've been getting a lot of questions and debate about FSMO roles in an Active Directory domain environment. Where should you place which role? What does a specific role do? Should I seize it if it's not available?

I'll start by summing up the available roles and their tasks. The function of each role is described as it is in Windows Server 2008 R2.

Schema Master

There can only be one Schema Master per forest. The Schema Master holds the only writable copy of the schema, and additions to it can only be made by a member of the Schema Admins and the Enterprise Admins security groups.

When this role is unavailable, no additions or changes to the schema can be made.

Domain Naming Master

The Domain Naming Master is responsible for the addition and removal of domains in the forest. It is a forest-wide role, which means only one can be defined per forest.

When this role is unavailable, no domains can be added, removed or renamed.

Infrastructure Master

The Infrastructure Master is a domain-wide role, which means it is defined per domain. Logically, if you have 3 domains within your forest, you have 3 domain controllers that hold the Infrastructure Master role. The Infrastructure Master is responsible for updating the references from objects in its own domain to objects in other domains. There can only be one per domain.

When the Infrastructure Master is unavailable, updates to those cross-domain object references are not replicated. However, when all domain controllers in the domain are also Global Catalog servers, the Infrastructure Master has no function.

RID Master

The RID (or Relative ID) Master is responsible for the RID requests of all domain controllers within its domain. When the RID pool of a domain controller is depleted, it requests a new pool from the RID Master. The RID Master can only be defined once per domain.

When the RID Master is unavailable and a domain controller runs out of available RIDs, no new objects (such as users, groups and computers) can be created on that domain controller.

PDC Emulator

The PDC (or Primary Domain Controller) Emulator role acts as the PDC when Windows NT BDCs are still in use. The PDC Emulator also acts as Master Browser for the domain and handles password updates for the domain. The PDC Emulator can only be defined once per domain.

When the PDC Emulator is unavailable, password changes are propagated with the regular replication traffic instead of right away through the PDC Emulator. Also, time (net time) will not get synced during this period, which can be an issue in a domain environment.

Now, what if a domain controller is unavailable for a while and you need to seize the role? In a pre-Windows Server 2008 R2 environment, that is, an environment without the Active Directory PowerShell module, this can be quite a hassle. When you need to move the Schema Master you first have to register the DLL for the MMC snap-in, after which you can move it. It just costs needless time. In Windows Server 2008 R2 a single cmdlet does the job:

Move-ADDirectoryServerOperationMasterRole -Identity <ADDirectoryServer> -OperationMasterRole <ADOperationMasterRole[]>

For example, when you want to move the Infrastructure Master to domain controller "DC001" you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster

Now, if the server that holds the role is unavailable you can of course seize it. This can also be done in PowerShell, by adding the -Force parameter to the cmdlet. To seize the Infrastructure Master onto domain controller DC001 you'll use:

Move-ADDirectoryServerOperationMasterRole -Identity DC001 -OperationMasterRole InfrastructureMaster -Force
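As an added example that is not part of the original post: a small script that lists the current holders of all five roles first and only falls back to seizing (-Force) when the current holder really does not respond, because a graceful transfer lets the two domain controllers synchronise the role state while a seize does not. The target name DC001 comes from the post; the function names are my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are attributes of the forest object, domain-wide roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role
    )
    $holders = Get-FsmoHolders
    $current = $holders[$Role]

    if ($current -ieq $TargetDC -or $current -ilike "$TargetDC.*") {
        Write-Host "$Role is already held by $current; nothing to do."
        return
    }

    # Prefer a transfer: the old holder is still online and hands the role over cleanly.
    if (Test-Connection -ComputerName $current -Count 2 -Quiet) {
        Write-Host "Transferring $Role from $current to $TargetDC"
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role
    }
    else {
        # Seize only when the holder is gone. A seized-from DC must not be brought back on the
        # network afterwards without demotion or metadata cleanup, or two holders will exist.
        Write-Warning "$current is unreachable; seizing $Role onto $TargetDC"
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force
    }
}

# Show who holds what, then move the Infrastructure Master as in the post.
Get-FsmoHolders | Format-Table -AutoSize
Move-FsmoRoleSafely -TargetDC 'DC001' -Role 'InfrastructureMaster'
```

The cmdlet keeps its normal confirmation prompt in both branches, so nothing is moved without an explicit yes.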

Finally, one shell to manage your complete AD in!


Stefan Hazenbroek
