
THURSDAY, APRIL 26, 2007

Why do we need FSMO ROLES?


Active Directory uses a multi-master replication model. This means clients can register their records with any available Active Directory domain controller and get access to resources in the Active Directory NTDS.DIT database. In the old days, when we had single-master replication, the primary DNS server held the only writable copy of the DNS data, so a client MUST locate the primary DNS server and register its resources there before it could locate any other resource in the Active Directory infrastructure. The problem with the single-master model was the single point of failure: if the primary DNS server was not reachable for any reason, the client could not register its records with any other domain controller/DNS server.

We now have a multi-master replication model, meaning a client can register its records with any available authentication server/DNS server and reach the NTDS.DIT database. This is one of the great improvements in Active Directory integrated DNS; with multi-master replication, the DNS data is kept in what we call a ZONE. The primary zone is the forward lookup zone in AD. A reverse lookup zone is highly recommended in a network of almost any size.

The need for FSMO roles is caused by the multi-master replication model. In this model there has to be a way of preventing conflicts, such as firing up adsiedit.msc and making additions to the same object from different locations: which one would win? The NTDS.DIT database would get confused. Therefore we needed a schema master, so that regardless of where you make changes within the domain, the changes get approved by the Schema Master first, and the Schema Master then replicates those changes to all other domain controllers. This is the primary reason Microsoft came up with FSMO roles (Operations Masters). Knowing these roles and understanding them is crucial for any Exchange or AD administrator.

FSMO Roles

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

How can we see FSMO ROLES?

There are several ways to see the FSMO roles. The easiest way is to download the Support Tools, open a command prompt (CMD) and run netdom query fsmo:

:\>netdom query fsmo
Schema owner                DC1.smtp25.org
Domain role owner           VSDC1.smtp25.org
PDC role                    VSDC2.smtp25.org
RID pool manager            DC1.smtp25.org
Infrastructure owner        DC1.smtp25.org
The command completed successfully.
Symptoms of FSMO Problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don't work properly. Each row gives the symptom, the role possibly involved, and the reason.

Symptom: Users can't log on.
Possible role involved: PDC Emulator
Reason: If system clocks become unsynchronized, Kerberos may fail.

Symptom: Can't change passwords.
Possible role involved: PDC Emulator
Reason: Password changes need this role holder.

Symptom: Account lockout not working.
Possible role involved: PDC Emulator
Reason: Account lockout enforcement needs this role holder.

Symptom: Can't raise the functional level for a domain.
Possible role involved: PDC Emulator
Reason: This role holder must be available when raising the domain functional level.

Symptom: Can't create new users or groups.
Possible role involved: RID Master
Reason: RID pool has been depleted.

Symptom: Problems with universal group memberships.
Possible role involved: Infrastructure Master
Reason: Cross-domain object references need this role holder.

Symptom: Can't add or remove a domain.
Possible role involved: Domain Naming Master
Reason: Changes to the namespace need this role holder.

Symptom: Can't promote or demote a DC.
Possible role involved: Domain Naming Master
Reason: Changes to the namespace need this role holder.

Symptom: Can't modify the schema.
Possible role involved: Schema Master
Reason: Changes to the schema need this role holder.

Symptom: Can't raise the functional level for the forest.
Possible role involved: Schema Master

Some Considerations

The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC), since those are often heavily used also.

The Infrastructure Master should not be placed on a GC. Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.

It's OK to put the Infrastructure Master on a GC if your forest has only one domain.

It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC. Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Proactively check from time to time to confirm that all FSMO roles are available, or write a script to do this automatically.

If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is do

Source: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
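The considerations above end with "write a script to do this automatically". The script below is an added example and is not part of the original post: it lists the five role holders the way netdom query fsmo does, confirms each holder answers, and applies the Infrastructure Master / Global Catalog placement rule. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user with read access to the forest.

```powershell
# Added example, not from the original post: list the FSMO role holders with the
# RSAT ActiveDirectory module, confirm each holder answers, and flag the
# Infrastructure Master placement rule from the considerations above.
# Assumes the ActiveDirectory module is installed and a domain user session.
Import-Module ActiveDirectory

$forest = Get-ADForest      # holds the two forest-wide roles
$domain = Get-ADDomain      # holds the three domain-wide roles

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # -Quiet makes Test-Connection return a plain $true/$false instead of throwing.
    $reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
    # Ask AD whether the holder is a Global Catalog; $null if the DC object is not found.
    $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
    $isGC = if ($dc) { $dc.IsGlobalCatalog } else { $null }
    [pscustomobject]@{ Role = $role; Holder = $holder; Reachable = $reachable; IsGC = $isGC }
}
$report | Format-Table -AutoSize

# Check 1: an unreachable holder is the usual cause of the symptoms tabled above.
$report | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "FSMO role '$($_.Role)' holder $($_.Holder) is not reachable"
}

# Check 2: the Infrastructure Master may sit on a GC only in a single-domain
# forest or when every DC in the forest is a GC.
$im = $report | Where-Object { $_.Role -eq 'Infrastructure Master' }
if ($im.IsGC) {
    $singleDomain = @($forest.Domains).Count -eq 1
    # -Server accepts a domain name, so this enumerates the DCs of every domain in the forest.
    $allDCs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    $everyDcIsGC = @($allDCs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if (-not ($singleDomain -or $everyDcIsGC)) {
        Write-Warning "Infrastructure Master $($im.Holder) is a GC in a multi-domain forest; move the role to a non-GC DC"
    }
}
```

Schedule it as a task and send the warnings to your monitoring system to get the periodic check the considerations recommend.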

Best Regards

Oz Ozugurlu
Posted by Oz Casey, Dedeal at Thursday, April 26, 2007
Labels: Active Directory

2 comments:

Anonymous said...
Splendid
May 12, 2009 at 8:29 AM

Oz Casey Dedeal said...
Splendid, take a look: Why do we need FSMO ROLES? http://smtp25.blogspot.com/2007/04/why-do-we-need-fsmo-roles.html best oz
May 12, 2009 at 8:33 AM