Flexible single master operation

From Wikipedia, the free encyclopedia

Flexible single master operation (FSMO, where the F is sometimes read as "floating"; pronounced Fiz-mo), or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD). Recently, as of 2005, the term FSMO has been deprecated in favour of operations masters.

FSMOs are specialised domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronised by multi-master replication. The tasks which are not suited to multi-master replication, and are viable only with a single-master database, are the FSMOs.


Forest-wide FSMO Roles:

  • Schema Master that manages modifications to the AD schema and its replication to other domain controllers.
  • Domain Naming Master that manages the addition of domains and some modification operations for domains.

Domain-wide FSMO Roles:

  • Relative ID Master that allocates security RIDs to DCs to assign to new AD security principals (users, groups or computer objects). It also manages objects moving between domains.
  • Infrastructure Master that maintains security identifiers, GUIDs, and DNs for objects referenced across domains. Most commonly it updates user and group links.
  • PDC Emulator that emulates a Windows NT Primary Domain Controller (PDC). It is also the favored DC for other DCs in replicating and confirming password information, and is the authoritative source of time in the domain.

FSMO roles can be easily moved between DCs using the AD snap-ins for the MMC or using ntdsutil, a command-line tool.

Some may include domain controllers holding a global catalog (GC) in this group as well. Certain FSMO roles depend on the GC. For example, in a multi-domain forest the infrastructure master role must not be housed on a domain controller which is also a GC (unless all domain controllers in the domain are also global catalog servers), while the domain naming master role should be housed on a DC which is also a GC. When a forest is initially created, the first domain controller is a global catalog server by default. The global catalog provides several functions: it stores object data, answers queries about these objects and their attributes, and provides the data needed to allow network logon.

By default AD assigns all operations master roles to the first DC created. This is not a satisfactory position. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. In the event of an unrecoverable failure other DCs can seize the lost roles. You can 'seize' or forcibly re-create the lost roles if a domain controller fails, but the roles should be 'transferred' to a surviving domain controller first if possible.


The PDC emulator and the RID master should be on the same DC, if possible. The schema master and domain naming master should also be on the same DC. There should be at least 2 domain controllers available within each domain of the forest. Further to this, the infrastructure master role holder should not also be a global catalog server, as the combination of these two roles on the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain environment (see "Phantoms, Tombstones and the Infrastructure Master", 248047).
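
The placement guidance above can be checked mechanically against an inventory of role holders. The following PowerShell is an added example, not part of the original article or any Microsoft tool; the function name Test-FsmoPlacement, the inventory shape and the host names are assumptions made for illustration, and the sample forest is constructed.

```powershell
# Added example: check an FSMO inventory against the placement guidance above.
# Test-FsmoPlacement and the inventory shape are hypothetical; on a live forest the
# same fields are exposed by Get-ADForest, Get-ADDomain and Get-ADDomainController.
function Test-FsmoPlacement {
    param([Parameter(Mandatory)] $Forest)
    $findings = @()
    $domains  = @($Forest.Domains)
    $gcs = @($domains | ForEach-Object { $_.DomainControllers } |
             Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    if ($Forest.SchemaMaster -ne $Forest.DomainNamingMaster) {
        $findings += 'forest: schema master and domain naming master are on different DCs'
    }
    if ($gcs -notcontains $Forest.DomainNamingMaster) {
        $findings += 'forest: domain naming master is not on a global catalog server'
    }
    foreach ($d in $domains) {
        $dcs = @($d.DomainControllers)
        if ($dcs.Count -lt 2) {
            $findings += "$($d.Name): fewer than 2 domain controllers, no standby for its roles"
        }
        if ($d.PDCEmulator -ne $d.RIDMaster) {
            $findings += "$($d.Name): PDC emulator and RID master are on different DCs"
        }
        # Infrastructure master on a GC is only a problem in a multi-domain forest,
        # and not when every DC in the domain is a GC.
        $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($domains.Count -gt 1 -and $nonGc.Count -gt 0 -and
            $gcs -contains $d.InfrastructureMaster) {
            $findings += "$($d.Name): infrastructure master $($d.InfrastructureMaster) is a GC"
        }
    }
    $findings
}
# Constructed sample forest (hypothetical names): two domains, three DCs.
$sample = [pscustomobject]@{
    SchemaMaster = 'dc1.corp.example'; DomainNamingMaster = 'dc1.corp.example'
    Domains = @(
        [pscustomobject]@{ Name = 'corp.example'; PDCEmulator = 'dc1.corp.example'
            RIDMaster = 'dc1.corp.example'; InfrastructureMaster = 'dc1.corp.example'
            DomainControllers = @(
                [pscustomobject]@{ HostName = 'dc1.corp.example'; IsGlobalCatalog = $true },
                [pscustomobject]@{ HostName = 'dc2.corp.example'; IsGlobalCatalog = $false }) },
        [pscustomobject]@{ Name = 'child.corp.example'; PDCEmulator = 'dc3.child.corp.example'
            RIDMaster = 'dc3.child.corp.example'; InfrastructureMaster = 'dc3.child.corp.example'
            DomainControllers = @(
                [pscustomobject]@{ HostName = 'dc3.child.corp.example'; IsGlobalCatalog = $true }) })
}
Test-FsmoPlacement -Forest $sample
```

In the sample, the root domain is flagged because its infrastructure master is a GC while another DC in the domain is not, and the child domain is flagged for having a single DC; the child's infrastructure master is not flagged because every DC in that domain is a GC.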

Transferring or Seizing FSMO Roles

Here is the Knowledge Base article from Microsoft on transferring or seizing the FSMO Roles:

http://support.microsoft.com/kb/255504/en

Active Directory Support Tools

There are support tools that can test Active Directory to make sure the components are functioning correctly within the forest. These tools report on the health of Active Directory by verifying the various system components. The tools can be downloaded from the Microsoft web site or obtained from the Windows Server CD.
