{"id":452,"date":"2012-02-10T20:32:18","date_gmt":"2012-02-10T20:32:18","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=452"},"modified":"2018-09-06T23:25:20","modified_gmt":"2018-09-06T23:25:20","slug":"networking-basics-part-7-introduction-to-fsmo-roles","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=452","title":{"rendered":"Networking Basics: Part 7 &#8211; Introduction to FSMO Roles"},"content":{"rendered":"<p>The necessity of FSMO roles.<\/p>\n<p>So far in this article series, I have explained  that the Active Directory consists of a forest filled with domain trees,  and that the name of each domain indicates its position within the  forest.\u00a0Given the hierarchical nature of the Active Directory, it might  be easy to assume that domains near the top of the hierarchy (or rather  the domain controllers within those domains) are the most  important.\u00a0This isn&#8217;t necessarily the case though.\u00a0In this article, I  will discuss the roles that individual domain controllers play within  the Active Directory forest.<\/p>\n<p>Earlier in this series, I talked about how domains  in Windows NT were all-encompassing.\u00a0Like Active Directory domains,  Windows NT domains supported the use of multiple domain  controllers.\u00a0Remember that domain controllers are responsible for  authenticating user logons.\u00a0Therefore, if a domain controller is not  available then no one will be able to log on to the network. 
Microsoft  realized this early on and designed Windows to allow multiple domain  controllers so that if a domain controller failed, another domain  controller would be available to authenticate logons.\u00a0Having multiple  domain controllers also allows the domain related work load to be shared  by multiple computers rather than the full burden falling on a single  server.<\/p>\n<p>Although Windows NT supported multiple domain  controllers within a domain, one of these domain controllers was  considered to be more important than the others.\u00a0This was known as the  Primary Domain Controller or PDC.\u00a0As you may recall, a domain controller  contains a database of all of the user accounts within the domain  (among other things). This database was called the Security Accounts  Manager, or SAM database.<\/p>\n<p>In Windows NT, the PDC stored the master copy of  the database.\u00a0Other domain controllers within a Windows NT domain were  known as Backup Domain Controllers or BDCs. Any time that a change  needed to be made to the domain controller\u2019s database, the change would  be written to the PDC.\u00a0The PDC would then replicate the change out to  all of the BDCs in the domain.\u00a0Under normal circumstances, the PDC was  the only domain controller in a Windows NT domain to which domain  related updates could be applied.\u00a0If the PDC were to fail, there was a  way to promote a BDC to PDC, thus enabling that domain controller to act  as the domain\u2019s one and only PDC.<\/p>\n<p>Active Directory domains do things a little bit  differently. 
The Active Directory uses a multimaster replication  model.\u00a0What this means is that every domain controller within a domain  is writable.\u00a0There is no longer the concept of PDCs and BDCs.\u00a0If an  administrator needs to make a change to the Active Directory database,  the change can be applied to any domain controller in the domain, and  then replicated to the remaining domain controllers.<\/p>\n<p>Although the multimaster replication model probably  sounds like a good idea, it opens the door for contradictory  changes.\u00a0For example, what happens if two different administrators apply  contradictory changes to two different domain controllers at the same  time?<\/p>\n<p>In most cases, the Active Directory assumes that  the most recent change takes precedence. In some situations, the  consequences of a conflict are too serious to rely on this type of  conflict resolution.\u00a0In these cases, Microsoft takes the standpoint that  it is better to prevent a conflict from occurring in the first place  than to try to resolve the conflict after it happens.<\/p>\n<p>To handle these types of situations, Windows is  designed to designate certain domain controllers to perform Flexible  Single Master Operation (FSMO) roles.\u00a0Essentially this means that Active  Directory domains fully support multimaster replication except in  certain circumstances in which the domain reverts to using a single  master replication model.\u00a0There are three different FSMO roles that are  assigned at the domain level, and two additional roles that are assigned  at the forest level.<\/p>\n<h2>Where are the FSMO Roles Located?<\/h2>\n<p>For  the most part, the FSMO roles pretty much take care of themselves.\u00a0It  is important however for you to know which domain controllers host these  roles.\u00a0By default, the first domain controller in the forest hosts all  five roles.\u00a0As additional domains are created, the first domain  controller brought online in each domain holds 
all three of the domain  level FSMO roles.<\/p>\n<p>The reason why it is so important to know which  domain controllers hold these roles is because hardware eventually gets  old and is decommissioned.\u00a0I once saw a situation in which a network  administrator was preparing to deploy an Active Directory network for  his company.\u00a0While waiting for the newly ordered servers to arrive, the  administrator installed Windows onto a junk PC so that he could begin  playing around with the various Active Directory management tools.<\/p>\n<p>When the new servers finally arrived, the  administrator configured them as domain controllers in the already  created domain rather than creating a new forest.\u00a0Of course this meant  that the junk PC was holding the FSMO roles for the domain in the  forest. Everything worked fine until the administrator decided to remove  the \u201cjunk\u201d PC from the network.\u00a0Had he properly decommissioned\u00a0this  server, there would not have been a problem. 
Being inexperienced though,  he simply reformatted the machine\u2019s hard drive.\u00a0All of a sudden the  Active Directory began to experience numerous problems.\u00a0If  this\u00a0administrator had\u00a0realized that the machine that he had\u00a0removed  from the domain was hosting the domain and forest\u2019s FSMO roles, the  problems could have been avoided.\u00a0Incidentally, in a situation like this  there is a way of seizing the FSMO roles from the deceased server so  that your network can resume normal operations.<\/p>\n<h2>What are the FSMO Roles?<\/h2>\n<p>I  will talk more about the specific functions of the FSMO roles in the  next article in this series.\u00a0I do however want to quickly mention what  these roles are.\u00a0As you may recall, I mentioned that there are three  domain specific roles, and two forest specific roles.<\/p>\n<p>The domain specific roles include the Relative  Identifier Master, the Primary Domain Controller Emulator, and the  Infrastructure Master.\u00a0Forest level roles include the Schema Master and  the Domain Naming Master.\u00a0Below is a brief description of what these  roles do:<\/p>\n<p><strong>Schema Master:<\/strong> maintains the authoritative copy of the Active Directory database schema.<\/p>\n<p><strong>Domain Naming Master:<\/strong> maintains the list of domains within the forest.<\/p>\n<p><strong>Relative Identifier Master:<\/strong> responsible for ensuring that every Active Directory object in a domain receives a unique security identifier.<\/p>\n<p><strong>Primary Domain Controller Emulator:<\/strong> acts as the Primary Domain Controller in domains containing domain controllers running Windows NT.<\/p>\n<p><strong>Infrastructure Master:<\/strong> the  Infrastructure Master is responsible for updating an object\u2019s security  identifier and distinguished name in a cross domain object reference.<\/p>\n<p>Hopefully by now, you understand the importance of the FSMO roles even  if you don\u2019t understand what the 
roles themselves actually do. In the  next article in this series, I will discuss the FSMO roles in much  greater detail and help you to understand what it is that they actually  do. I will also show you how to definitively determine which server is  hosting the various roles.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The necessity of FSMO roles. So far in this article series, I have explained that the Active Directory consists of a forest filled with domain trees, and that the names of each domain indicate its position within the forest.\u00a0Given the hierarchical nature of the Active Directory, it might be easy to assume that domains near [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-452","post","type-post","status-publish","format-standard","hentry","category-networking-stuff"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=452"}],"version-history":[{"count":3,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/452\/revisions"}],"predecessor-version":[{"id":2655,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/452\/revisions\/2655"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.
php?rest_route=%2Fwp%2Fv2%2Fcategories&post=452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}