FSMO is the short form of Flexible Single Master Operation role.
There are five roles in FSMO, they are:
1) Schema master (one per forest)
2) Domain naming master (one per forest)
3) PDC emulator (one per domain)
4) Infrastructure master (one per domain)
5) Relative ID (RID) master (one per domain)
Short Notes for FSMO
Schema master (one per forest):
This role is responsible for maintaining and modifying the Active Directory schema.
Domain naming master (one per forest):
This role is responsible for the addition and deletion of domains in a forest.
PDC emulator (one per domain):
This role allows Windows Server 2003 to act as a Windows NT primary domain controller (PDC) and provides replication support for Windows NT-based backup domain controllers (BDCs). In addition, this role assists with time synchronization, group policy synchronization, bad password handling, etc.
Infrastructure master (one per domain):
This role is responsible for updating the group-to-user references whenever the members of groups change or receive new names.
Relative ID (RID) master (one per domain):
This role ensures that every object created has a unique identification number.
Rules for FSMO Role Placement
Rule 1:
The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
Note:
Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.
Rule 2:
The Infrastructure Master should not be placed on a GC.
Tip:
Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
Exception 1:
It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
Exception 2:
It's OK to put the Infrastructure Master on a GC if every DC in your forest is a GC.
Rule 3:
For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
Exception:
If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.
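The three rules above can be checked rather than remembered. The following script is an added example (not part of the original post and not a Microsoft tool): it reads the current FSMO holders with the ActiveDirectory module and reports every deviation from Rule 1, Rule 2 (with both exceptions) and Rule 3 (with its forest-level exception). It only reads directory data; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read forest and domain objects.

```powershell
# Added example, not from the original post: audit FSMO placement against the
# three placement rules. Read-only; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Forest-wide roles (one per forest)
$schemaHolder = Get-ADDomainController -Identity $forest.SchemaMaster
$namingHolder = Get-ADDomainController -Identity $forest.DomainNamingMaster

# Rule 3: Schema Master and Domain Naming Master together, on a GC
if ($schemaHolder.HostName -ne $namingHolder.HostName) {
    $findings += "Rule 3: Schema Master ($($schemaHolder.HostName)) and Domain Naming Master ($($namingHolder.HostName)) are on different DCs."
}
if (-not $schemaHolder.IsGlobalCatalog) {
    $findings += "Rule 3: Schema Master $($schemaHolder.HostName) is not a GC."
}
# Exception to Rule 3: the Domain Naming Master only needs a GC at the Windows 2000 forest level
if (-not $namingHolder.IsGlobalCatalog -and $forest.ForestMode -like '*2000*') {
    $findings += "Rule 3: Domain Naming Master $($namingHolder.HostName) is not a GC and the forest is at Windows 2000 level."
}

# Exceptions to Rule 2 are forest-wide properties: single domain, or every DC is a GC
$singleDomain = ($forest.Domains.Count -eq 1)
$forestDcs    = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$allAreGc     = -not ($forestDcs | Where-Object { -not $_.IsGlobalCatalog })

# Domain-wide roles (one per domain), checked in every domain of the forest
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
    $rid    = Get-ADDomainController -Identity $domain.RIDMaster
    $infra  = Get-ADDomainController -Identity $domain.InfrastructureMaster

    # Rule 1: PDC Emulator and RID Master on the same machine
    if ($pdc.HostName -ne $rid.HostName) {
        $findings += "Rule 1 [$domainName]: PDC Emulator ($($pdc.HostName)) and RID Master ($($rid.HostName)) are on different DCs."
    }

    # Rule 2: Infrastructure Master not on a GC, unless Exception 1 or 2 applies
    if ($infra.IsGlobalCatalog -and -not $singleDomain -and -not $allAreGc) {
        $findings += "Rule 2 [$domainName]: Infrastructure Master $($infra.HostName) is a GC in a multi-domain forest where not every DC is a GC."
    }
}

if ($findings.Count -eq 0) { "FSMO placement follows all three rules." }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it from any domain-joined machine with RSAT; a clean run prints one line, otherwise one WARNING per rule violation with the domain and the DC names involved, which is what you need before deciding whether to transfer a role.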
How RID works
When there are two or more domain controllers in a domain, the RID master assigns a block of 500 identifiers to each domain controller. When an object is created, the domain controller where the object is created assigns it a RID from its pool. When a domain controller has used 50 percent of the supply of RIDs that it originally received from the RID master, it must contact the RID master and request a new supply.
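To see the pool mechanism described above on a live domain, here is an added example (not from the original post): it reads the domain-wide pool from the RID Manager$ object and, for each DC, the block that DC currently owns and how much of it has been consumed, so you can see which DCs are past the 50 percent mark and should already have asked the RID master for a new block. It assumes the ActiveDirectory module is available and reads the attributes rIDAvailablePool, rIDSetReferences, rIDAllocationPool and rIDNextRID; the interpretation of rIDNextRID as the next RID the DC will hand out (rather than the last one issued) is an assumption that can shift the count by one.

```powershell
# Added example, not from the original post: show RID pool consumption per DC.
# Read-only; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$twoPow32 = 4294967296   # the 64-bit pool attributes pack two 32-bit values
$domain   = Get-ADDomain
$dn       = $domain.DistinguishedName

# Domain-wide pool: high 32 bits = ceiling of RIDs this domain can ever issue,
# low 32 bits = start of the next block the RID master will hand out.
$ridManager = Get-ADObject "CN=RID Manager$,CN=System,$dn" -Properties rIDAvailablePool
[int64]$pool = $ridManager.rIDAvailablePool
$ceiling = [int64][math]::Floor($pool / $twoPow32)
$nextBlock = $pool - $ceiling * $twoPow32
"Domain $($domain.DNSRoot): RID ceiling $ceiling, next block starts at $nextBlock, $($ceiling - $nextBlock) RIDs left to allocate"

foreach ($dc in Get-ADDomainController -Filter *) {
    # Each DC's computer object points at its RID Set object via rIDSetReferences
    $computer = Get-ADComputer $dc.Name -Properties rIDSetReferences
    if (-not $computer.rIDSetReferences) { "  $($dc.HostName): no RID Set yet (never created an object)"; continue }
    $ridSet = Get-ADObject $computer.rIDSetReferences[0] -Properties rIDAllocationPool, rIDNextRID

    # rIDAllocationPool: low 32 bits = first RID of the DC's current block, high 32 bits = last RID
    [int64]$alloc = $ridSet.rIDAllocationPool
    $last  = [int64][math]::Floor($alloc / $twoPow32)
    $first = $alloc - $last * $twoPow32
    $next  = [int64]$ridSet.rIDNextRID          # assumed: next RID this DC will assign
    $size  = $last - $first + 1                  # normally 500, as the text says
    $used  = [math]::Max(0, $next - $first)
    $pct   = [math]::Round(100 * $used / $size, 1)

    $note = if ($pct -ge 50) { " (past 50 %: a fresh block should already have been requested from the RID master)" } else { "" }
    "  $($dc.HostName): block $first-$last, used $used of $size ($pct %)$note"
}
```

A DC that sits well above 50 percent for a long time while the RID master is unreachable is the condition to watch: once its block is exhausted it can no longer create users, groups or computers, even though everything else about it looks healthy.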
When an object needs to be moved from one domain to another, you must be logged on to the RID master in the source domain, and the move operation must be performed against the RID master in the destination domain. To move an object to a different domain, the Movetree.exe command is required. The Movetree.exe command allows an object such as an Organizational Unit (OU) or User object to be moved to another domain within the same forest.
The movetree operation copies the source objects to the Lost and Found container in the source domain, and then they are moved to the destination domain. The Lost and Found container is a built-in container for orphaned objects whose parent container has been deleted.
A globally unique identifier (GUID) is a 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change even when the object itself is renamed.
How to seize the roles?
Seizing the Role
The NTDSUTIL tool allows you to transfer and seize operations master roles. When you use the NTDSUTIL command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure.
To seize the operations master role assignments, complete the following steps:
1. Click Start, and then click Command Prompt.
2. At the command prompt, type ntdsutil and press Enter.
3. At the ntdsutil prompt, type roles and press Enter.
4. At the fsmo maintenance prompt, type connections and press Enter.
5. At the server connections prompt, type connect to server, followed by the fully qualified domain name (FQDN) of the domain controller, and press Enter.
6. At the server connections prompt, type quit and press Enter.
7. At the fsmo maintenance prompt, type one of the following:
* seize schema master and press Enter
* seize domain naming master and press Enter
* seize RID master and press Enter
* seize PDC and press Enter
* seize infrastructure master and press Enter
8. At the fsmo maintenance prompt, type quit and press Enter.
9. At the ntdsutil prompt, type quit and press Enter.
Managing Operations Master Roles:
There are two ways to manage operations master roles: transfer and seizure.
Transferring operations master roles:
To transfer an operations master role is to move it with the cooperation of its current owner. You transfer an operations master role when you want to move a role from one server to another.
Seizing operations master roles:
To seize an operations master role is to move it without the cooperation of its current owner. You seize an operations master role assignment when a server that is holding a role fails and you do not intend to restore it.
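The ntdsutil steps above and the transfer-versus-seizure distinction map onto one cmdlet in the ActiveDirectory module, Move-ADDirectoryServerOperationMasterRole: without -Force it performs a transfer (the current owner must cooperate), with -Force it seizes. The script below is an added example, not from the original post and not a Microsoft sample: it attempts a transfer first, only falls back to a seizure when explicitly asked, and records the holders before and after so the change can be verified. The target DC name dc02.example.local is a placeholder; the roles default to the PDC Emulator and RID Master pair from Rule 1.

```powershell
# Added example, not from the original post: transfer FSMO roles, seizing only on request.
# Requires the ActiveDirectory (RSAT) module and Domain Admins rights (Schema Admins /
# Enterprise Admins for SchemaMaster and DomainNamingMaster respectively).
param(
    [string]$TargetDc  = 'dc02.example.local',          # placeholder: FQDN of the DC that should take the roles
    [string[]]$Roles   = @('PDCEmulator', 'RIDMaster'),  # Rule 1: keep these two together
    [switch]$Seize                                       # only when the current holder will never return
)
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # One object with all five holders, for a before/after comparison
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"
Get-FsmoHolders | Format-List | Out-String

try {
    # Transfer: the current owner is contacted and hands the role over cleanly.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Confirm:$false -ErrorAction Stop
    "Transferred $($Roles -join ', ') to $TargetDc"
}
catch {
    if (-not $Seize) {
        throw "Transfer failed: $($_.Exception.Message). Re-run with -Seize only if the current holder will not be restored."
    }
    # Seizure: same cmdlet with -Force. The former holder must stay offline for good;
    # bringing it back with the role would leave two owners of one role.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Force -Confirm:$false -ErrorAction Stop
    "Seized $($Roles -join ', ') on $TargetDc"
}

"After (other DCs will agree once replication completes):"
Get-FsmoHolders | Format-List | Out-String
```

Run it as .\Move-Fsmo.ps1 -TargetDc dc02.example.local for a normal transfer; add -Seize only after the failed holder has been confirmed gone, which is the same decision the text attaches to seizure. The before/after listing is worth keeping in the change record, since a seized role is the one place where two DCs can later disagree about who owns it.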
The Infrastructure Master Role:
An object's SID and DN can change when the object is moved to another domain. However, the Globally Unique Identifier (GUID) does not change. The GUID is a 128-bit hexadecimal number given at the time of creation in the forest. This number is a combination of the date and time the object was created, a unique identifier and a sequence number. This number never changes even if the account is moved from one domain to another domain in the forest.
PDC Emulator Role:
By default there is only a 5 minute clock skew allowed by Kerberos, as part of the default "maximum tolerance for computer clock synchronization" policy. If the clocks between a client and server are off by more than 5 minutes, you might not be able to log on to the server.
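Because the PDC Emulator is the time source the rest of the domain follows, the quickest way to find out whether a logon failure is the 5 minute skew described above is to measure this computer's offset from the PDC Emulator directly. The script below is an added example, not from the original post: it looks up the PDC Emulator, samples the offset with the built-in w32tm /stripchart command and compares it with the 300 second Kerberos tolerance. The regular expression assumes the /dataonly output lines have the form "14:35:17, +00.0004573s", which is the format observed on current Windows versions and is treated here as an assumption.

```powershell
# Added example, not from the original post: measure clock offset from the PDC Emulator
# and compare it with the default Kerberos tolerance. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$pdc            = (Get-ADDomain).PDCEmulator
$maxSkewSeconds = 300   # default "Maximum tolerance for computer clock synchronization"

# w32tm /stripchart prints one sample per line; /dataonly drops the ASCII chart.
$lines   = w32tm /stripchart /computer:$pdc /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $lines) {
    # assumed line format: "14:35:17, +00.0004573s"
    if ($line -match '([+-]\d+\.\d+)s') { [double]$matches[1] }
}

if (-not $offsets) {
    "Could not sample time from $pdc. Output was:`n$($lines -join "`n")"
}
else {
    $avg = ($offsets | Measure-Object -Average).Average
    $msg = "offset from PDC Emulator {0}: {1:N3} s" -f $pdc, $avg
    if ([math]::Abs($avg) -gt $maxSkewSeconds) {
        "WARNING: $msg exceeds the $maxSkewSeconds s Kerberos tolerance; Kerberos logons to this domain can fail."
    }
    elseif ([math]::Abs($avg) -gt ($maxSkewSeconds / 2)) {
        "CAUTION: $msg is more than half the tolerance; check the Windows Time service before it drifts further."
    }
    else { "OK: $msg" }
}
```

Run this on the machine that is failing to log on; if the offset is within tolerance the problem lies elsewhere, and if it is not, fixing the Windows Time service on that machine (or on the PDC Emulator itself, if every client reports the same skew) is the fix, not touching the FSMO role.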
Domain naming master role:
If your forest functional level is set to Windows 2000, the domain naming master role should reside on a global catalog server; when the forest functional level is set to Windows Server 2003 this is not necessary.