FSMO
Flexible Single Master Operations (FSMO), also called operations master roles, are special tasks taken over by individual domain controllers in Microsoft's Active Directory. The tasks can be distributed across different servers, but none of these roles may be held by several servers at the same time.
Roles
Flexible Single Master Operations comprises the roles listed below.
By default, all five FSMO roles are assigned to the first domain controller in a forest. The first domain controller of a sub-domain receives the 3 domain-wide roles by default. The forest-wide roles can only be held by domain controllers in the forest root domain.
Domain naming master
- Forest-wide role.
- There can be only one domain controller in the whole forest that is able to assign and manage domain names.
- If an administrator tries to create a new domain or subdomain while this role holder is unavailable, an error message results, because no domain or subdomain can be created in the network unless the domain naming master confirms that the name is not yet in use. The same applies to adding a new domain controller. With the domain naming master there is exactly one domain controller that can approve the release of a new name.
Schema master
- Forest-wide role.
- The schema defines the class templates for the Active Directory objects such as users, computers or resources, as well as the attributes that can be assigned to the individual objects.
- The schema master is responsible whenever the Active Directory schema is to be changed, i.e. when further object classes and attributes are to be added to the schema. This is the case, for example, with the first installation of an Exchange server, which adds Exchange-specific attributes such as the home server and the mailbox name to each user. The schema master must be available for the changes to take place.
RID (Relative ID) master
- Domain-wide role.
- SIDs in Active Directory are identifiers assigned, for example, to a user, or to a group the user belongs to when logging in.
- In simplified form they follow the scheme Local-ID - Relative-ID (RID), where the RID is a sequential number starting at 1000. The sequential RIDs must be unique so that the Security ID (SID) as a whole is unique. However, since different domain controllers can create different groups and objects, a central domain controller must take on the task of handing out separate "RID pools" to each domain controller.
PDC (Primary Domain Controller) emulator
- Domain-wide role.
- Replicating changes in the Active Directory database can take up to 20 minutes, as there can be up to 3 replication hops of up to 5 minutes each. To speed up user password resets, these changes are replicated directly to the domain's PDC emulator. If a domain controller detects a failed login attempt, it does not reject the client outright but checks the password against the PDC emulator. This ensures that a password change is valid after 5 minutes at the latest.
- In addition, the PDC emulator is the time source for all servers and clients in the domain for which no other time server has been configured.
- In Windows NT 4 a distinction was made between PDCs and BDCs (backup domain controllers). The PDC was the only domain controller with write access to the database. To ensure compatibility with NT 4 clients and servers in a mixed environment of Windows NT and Windows 2000 or later, the holder of the PDC emulator role acts as the primary domain controller for all pre-Windows 2000 computers.
Domain Infrastructure Master
- Domain-wide role.
- The Infrastructure Master (ISM) is responsible for ensuring referential integrity between linked Active Directory objects.
- Linked objects are objects that are in some way related to each other (an example would be the attributes “Members” and “MemberOf” of a group).
- The task of the domain infrastructure master is to ensure that when one of these objects changes, the change is also carried over to the other object, even across domains.
- This role should never be held on a domain controller together with the global catalog (unless all domain controllers of the domain hold the global catalog); otherwise the service deactivates itself and serious replication errors occur. This malfunction can be recognized by event ID 1419 in the event log.
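An added check (example code, not from the article) that reports whether the domain's infrastructure master also holds the global catalog while other domain controllers in the domain do not, which is the placement warned about above, and looks for event ID 1419 on that server. It assumes the ActiveDirectory PowerShell module and permission to read the Directory Service event log remotely; the function name is my own.

```powershell
Import-Module ActiveDirectory

# Returns a report object; Status is 'OK' when the placement rule holds and no
# 1419 events are found on the infrastructure master.
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = @(Get-ADDomainController -Filter * -Server $Domain)
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Problematic only when the IM is a GC *and* at least one DC in the domain is not.
    $conflict = $im.IsGlobalCatalog -and $nonGc.Count -gt 0

    # Symptom named in the article: event ID 1419 in the Directory Service log.
    $events = @(Get-WinEvent -ComputerName $im.HostName `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1419 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Domain                 = $dom.DNSRoot
        InfrastructureMaster   = $dom.InfrastructureMaster
        ImIsGlobalCatalog      = [bool]$im.IsGlobalCatalog
        NonGcDomainControllers = $nonGc.HostName
        Event1419Count         = $events.Count
        Status                 = if ($conflict -or $events.Count -gt 0) { 'WARN' } else { 'OK' }
    }
}

Test-InfrastructureMasterPlacement | Format-List
```

A 'WARN' with ImIsGlobalCatalog set and a non-empty NonGcDomainControllers list means either the global catalog should be removed from the infrastructure master or the role should be moved to a DC that is not a GC.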
Transferring a role to another domain controller
FSMO roles can be transferred from one domain controller (DC) to another as required (hence the “flexible” in the name). However, a distinction must be made between transferring a role and seizing (taking over) a role. When a role is transferred, both participating domain controllers are online and take part in the transfer: the role is deactivated on the source DC and activated on the destination DC, and both domain controllers can remain in the network.

In an emergency, however, both domain controllers are not always online. In that case the role can only be seized. A seizure is a forced transfer of the master in which not both domain controllers take part in the role change. It may only be carried out as a last resort, when it is certain that the old server, which knows nothing about the forced takeover, will never come online again. For these reasons, Microsoft does not allow a seizure via GUI tools, but deliberately only via command-line tools, and even there only with many explicit warnings so that the administrator is aware of the step.

The old installation can still be used as an additional server if a DCPROMO /forceremoval (without network connectivity, of course) has been performed on it beforehand. However, hardly anyone wants such a leftover server; it only makes sense if other data is also stored on it that is to be brought back into the network. The best solution is to rebuild the server, after which the machine can become a domain controller again.
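The two paths described above, graceful transfer and seizure, as an added example (not the article's code) using the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet, whose -Force switch performs the seizure. The function names and the refusal to seize while the old holder still answers a ping are my additions, and the DC name in the usage lines is constructed.

```powershell
Import-Module ActiveDirectory

# Current holders of all five roles: two forest-wide, three domain-wide.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Transfer (default): source and target DC are both online and hand the role over.
# Seize (-Seize): only the target is involved; -Force takes the role although the
# old holder does not respond. Last resort only, when that holder is gone for good.
function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster',
                     'SchemaMaster','DomainNamingMaster')]
        [string[]]$Roles = @('PDCEmulator','RIDMaster','InfrastructureMaster'),
        [switch]$Seize
    )
    $before = Get-FsmoHolders
    if ($Seize) {
        # Simple guard: if the current holder still answers, a normal transfer is
        # the correct path and seizing would leave two servers claiming the role.
        foreach ($role in $Roles) {
            $holder = $before.$role
            if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
                throw "$holder (current $role) is still reachable; transfer instead of seizing."
            }
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
            -OperationMasterRole $Roles -Force -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
            -OperationMasterRole $Roles -Confirm:$false
    }
    Get-FsmoHolders   # verify the new holders
}

# Usage (constructed DC name): graceful transfer of the three domain-wide roles.
# Move-FsmoRoles -TargetDc 'DC02'
# Move-FsmoRoles -TargetDc 'DC02' -Seize   # only after the old holder is permanently offline
```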