Friday, August 9, 2013

Directory Services - FSMO roles

The FSMO (Flexible Single Master Operations) roles are assigned to Domain Controllers in our environment and give us the ability to manage the directory without conflicts. The FSMO roles can be transferred between Domain Controllers, which gives us much more flexibility in managing our environment.

There are five FSMO roles in a forest: two of them provide services at the forest level and the other three at the domain level.

The forest-level FSMO roles:

Schema Master Role - The Schema Master is responsible for updating the Schema partition. The DC that holds the Schema Master is the only one in our entire environment that can update the schema. As you already know from my other articles, when this update finishes the schema replicates to all the other DCs in our directory.
We have only ONE Schema Master per directory!

Domain Naming Master Role - This role gives us the ability to make changes to the forest-wide domain naming of our directory. The DC that holds this role is the only one that can add new DCs to our forest or remove them from it.

The domain-level FSMO roles:

RID Master Role - The RID role is hosted on a single DC, which is responsible for the RID pool requests from all the other DCs in the domain. This role is also responsible for adding or removing objects (users, computers...) from a domain and transferring them to another DC.
The RID Master is responsible for assigning the security identifier (SID) to the security principals in our environment (users, computers, groups...). A SID is unique across our whole domain and cannot be duplicated on another object in our domain.

PDC Emulator Role - This role provides us with many services. Its first responsibility is to synchronize time in a Windows 2000 environment (W32Time service), which is required for Kerberos authentication. The time this FSMO provides is gathered from an external source, such as Microsoft's time servers.

The PDC Emulator is the role that provides the most services, so we can say it is the busiest role in our environment. Here are a few examples:

 - This role helps us replicate the Sysvol folder in our environment.
 - It manages all password changes in our domains, ensures that accounts that do not supply the right credentials get locked out, and replicates password changes across domains.

Infrastructure Master Role - This role gives us the ability to update the SIDs and distinguished names of objects across domains. This happens when an object from one domain is referenced by an object from another DC.

FSMO levels:
 Schema Master         : One per forest.
 Domain Naming Master  : One per forest.
 PDC Emulator          : One per domain.
 RID Master            : One per domain.
 Infrastructure Master : One per domain.

Worst case scenario - what happens if a FSMO role fails?

Schema Master - If this FSMO role fails we cannot add objects to our Schema partition, and for that reason we cannot change objects or their attributes.

Domain Naming Master - Here it is easy to understand the problem we have when this FSMO fails: we simply cannot add new DCs to the forest, and we also cannot demote existing Domain Controllers. Note that our environment keeps functioning until we need to manage the Domain Controllers in our forest.

PDC Emulator - As described above, this role is the one that provides the most services; for that reason, when this role is not functioning properly it will cause us the biggest problems in our environment.

RID Master - First we need to know that each Domain Controller in our domain holds a pool of RIDs, so we only have a problem if we want to add many objects (users, computers...).

Infrastructure Master - Here we need to understand the difference between a single-domain environment (if this FSMO fails it does not matter in this scenario) and a multi-domain environment (if this FSMO fails we cannot add objects from one DC to another).

Microsoft recommendations for placing FSMO roles
First we need to know that the first Domain Controller installed in a forest holds all five FSMO roles.
When we add more DCs we can transfer the FSMO roles away from the first DC installed in the forest (this does not happen automatically, so we need to manage the transfers manually).

As you already understand, it is nice to have more than one Domain Controller in a forest, so we can enjoy more redundancy and more flexibility in managing the FSMO roles. Here are Microsoft's recommendations for managing FSMO roles in a forest environment:

1. The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server.  

2. The Infrastructure Master should not be on the same server that acts as a Global Catalog server.

The Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.

In a single domain environment this is not an issue.

To be able to transfer a FSMO role you need the appropriate permissions; every FSMO role needs its own permissions:

 Schema Master         : Schema Admins group.
 Domain Naming Master  : Enterprise Admins group.
 PDC Emulator          : Domain Admins group.
 RID Master            : Domain Admins group.
 Infrastructure Master : Domain Admins group.
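The manual transfer mentioned in the placement section, with a pre-flight check against the group table above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module from RSAT (Windows Server 2008 R2 and later), which the post does not cover; the role-to-group mapping is the post's own, the function names are mine, and the DC name DC02 is a placeholder.

```powershell
# Added example, not from the original post. Pre-flight permission check and
# graceful transfer of one FSMO role with the ActiveDirectory module (RSAT),
# which the post does not mention. Run with -WhatIf first; nothing is moved
# until you drop it. 'DC02' at the bottom is a hypothetical placeholder.
Import-Module ActiveDirectory

# Group required to transfer each role, as listed in the post.
$RequiredGroup = @{
    SchemaMaster         = 'Schema Admins'
    DomainNamingMaster   = 'Enterprise Admins'
    PDCEmulator          = 'Domain Admins'
    RIDMaster            = 'Domain Admins'
    InfrastructureMaster = 'Domain Admins'
}

function Test-FsmoTransferPermission {
    # Returns $true when the account running the script is a member of the group
    # the post names for this role (nested membership counts, via the logon token).
    param([Parameter(Mandatory)][string]$Role)

    $groupName = $RequiredGroup[$Role]
    if (-not $groupName) { throw "Unknown FSMO role '$Role'" }

    # Schema Admins and Enterprise Admins exist only in the forest root domain,
    # so resolve them there; Domain Admins is resolved in the current domain.
    $server = if ($groupName -eq 'Domain Admins') { (Get-ADDomain).DNSRoot } else { (Get-ADForest).RootDomain }
    $groupSid = (Get-ADGroup -Identity $groupName -Server $server).SID.Value

    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($token.Groups | Where-Object { $_.Value -eq $groupSid })
}

function Move-FsmoRole {
    # Graceful transfer only: the current holder must be online. Seizing a role
    # from a dead DC needs -Force on the underlying cmdlet and is deliberately
    # not done here, because a seized holder must never come back online.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][string]$TargetDC
    )

    if (-not (Test-FsmoTransferPermission -Role $Role)) {
        throw "Current user is not a member of '$($RequiredGroup[$Role])', which is required to transfer $Role"
    }

    if ($PSCmdlet.ShouldProcess($TargetDC, "Transfer FSMO role $Role")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        # Confirm the new holder from the directory itself, using the same
        # command the post recommends for finding the FSMO holders.
        netdom query fsmo
    }
}

# Usage: dry run first, then repeat without -WhatIf once the output looks right.
Move-FsmoRole -Role PDCEmulator -TargetDC 'DC02' -WhatIf
```

The membership check reads the logon token rather than querying group membership directly, so it reflects the groups the session actually carries, including nested ones; a user added to Domain Admins after logging on will fail the check until they log on again, which is also what the transfer itself would see.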

So where can we find the FSMO holders?
The easiest way is to work with the NETDOM utility; we can find it in the Microsoft "Support Tools"
or in the Windows 2003 "Resource Kit". Now all we need to do is go to the command line and type the following command: "netdom query fsmo". After the command finishes we will see a list of Domain Controllers and the roles they host.
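The same lookup done with the ActiveDirectory PowerShell module, followed by a check of the two placement recommendations given above, as an added example that is not part of the original post. The module (from RSAT, Windows Server 2008 R2 and later) is an assumption the post does not make; the function names Get-FsmoHolders and Test-FsmoPlacement are mine.

```powershell
# Added example, not from the original post. Lists the five FSMO holders and
# checks them against the two placement recommendations from the post.
# Assumes the ActiveDirectory module (RSAT), which the post does not mention.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-level roles come from Get-ADForest, domain-level ones from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainCount          = @($forest.Domains).Count
        GlobalCatalogs       = @($forest.GlobalCatalogs)   # FQDNs of all GC servers
    }
}

function Test-FsmoPlacement {
    # Returns one string per deviation from the recommendations; empty when clean.
    param($Holders = (Get-FsmoHolders))
    $findings = @()

    # Recommendation 1: Schema Master and Domain Naming Master on the same DC,
    # and that DC should be a Global Catalog.
    if ($Holders.SchemaMaster -ne $Holders.DomainNamingMaster) {
        $findings += "Schema Master ($($Holders.SchemaMaster)) and Domain Naming Master ($($Holders.DomainNamingMaster)) are on different DCs"
    }
    if ($Holders.GlobalCatalogs -notcontains $Holders.DomainNamingMaster) {
        $findings += "Domain Naming Master $($Holders.DomainNamingMaster) is not a Global Catalog"
    }

    # Recommendation 2: Infrastructure Master not on a Global Catalog. The post
    # notes this does not matter in a single-domain forest, so skip it there.
    if ($Holders.DomainCount -gt 1 -and $Holders.GlobalCatalogs -contains $Holders.InfrastructureMaster) {
        $findings += "Infrastructure Master $($Holders.InfrastructureMaster) is a Global Catalog in a multi-domain forest"
    }
    return $findings
}

$holders = Get-FsmoHolders
$holders | Select-Object SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

$issues = Test-FsmoPlacement -Holders $holders
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'FSMO placement matches the recommendations in this post.'
}
```

Get-ADDomain reports the three domain-level roles for the domain the session is joined to; in a multi-domain forest, run it once per domain (with -Identity) to check every Infrastructure Master.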

The second way is to use the Administrative Tools snap-ins:

Open Users and Computers, right-click the domain name and choose "Operations Masters". Now you should see a box that indicates the server holding each FSMO role.
The FSMO roles we can see here are:
1. RID Master.
2. PDC Emulator.
3. Infrastructure Master.

Open Domains and Trusts, right-click the domain name and choose "Operations Master". Now you should see a box that indicates the server holding the FSMO role.
Here we can see only the Domain Naming Master.

To see the Schema Master holder we need to open a blank MMC and add the "Active Directory Schema" snap-in.
