Tips and Concepts

Flexible Single Master Operation (FSMO)

In Microsoft Active Directory, having multiple domain controllers provides redundancy and improves performance. However, it also introduces the possibility of conflicting updates that can lead to problems once the data is replicated to the rest of the domain or forest.

One way Windows deals with conflicting updates is a conflict resolution algorithm in which the change written last wins ("last writer wins"): the update that was written most recently is kept and the conflicting changes on the other DCs are discarded. Although this resolution method is acceptable in some cases, there are times when conflicts are simply too difficult to resolve this way.

Microsoft Active Directory introduced Flexible Single Master Operation (FSMO) roles to prevent the conflicts or latency that multi-master updates could create. For these operations it is better to prevent the conflict from occurring than to resolve it afterwards.

The term Flexible in FSMO refers to the ability to transfer any role to any domain controller. There are currently five FSMO roles; they are explained in the following table.


FSMO Role: Domain Naming Master
Scope: Forest
Function and Online Requirements:
    * Responsible for adding and removing domains and application partitions to and from the AD forest
    * LDAP://CN=Partitions, CN=Configuration, DC=<domain>
    * Must be online when domains and application partitions are added to or removed from the AD forest

FSMO Role: Schema Master
Scope: Forest
Function and Online Requirements:
    * Responsible for performing updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory.
    * LDAP://CN=Schema, CN=Configuration, DC=<domain>
    * Must be online when schema updates are performed.

FSMO Role: Infrastructure Master
Scope: Domain
Function and Online Requirements:
    * The infrastructure master is responsible for updating group-to-user references from other domains whenever the members of groups are renamed or changed within its domain. In other words, the infrastructure master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.
    * Online availability requirements depend on the network topology. See Infrastructure Master and Global Catalog for further details.

FSMO Role: RID Master
Scope: Domain
Function and Online Requirements:
    * Responsible for processing RID pool requests from all DCs within a given domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain.
    * Must be online for newly promoted domain controllers to obtain the local RID pool that is required to advertise, or when existing domain controllers have to update their current or standby RID pool allocation.

FSMO Role: PDC Emulator
Scope: Domain
Function and Online Requirements:
    * Responsible for synchronizing time in the domain. Windows includes the W32Time (Windows Time) service, which is required by the Kerberos authentication protocol.
    * Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
    * Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
    * Default target domain controller for Group Policy updates.
    * Must be online and accessible 24 hours a day, seven days a week.
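Because most of the roles above must be online for their operation to succeed, the first thing a practitioner wants is a quick inventory of who holds each role and whether that holder answers. The following PowerShell is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module is installed and the caller can query the forest. The forest-wide roles are read from Get-ADForest and the domain-wide roles from Get-ADDomain, which are the real cmdlet properties for these values.

```powershell
# Added example: list the five FSMO role holders and check each one responds.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain   # current domain; add -Identity <domain> to inspect another

# Forest-scoped roles live on Get-ADForest, domain-scoped roles on Get-ADDomain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # Bind to the holder itself (-Server) so we test that DC's LDAP service,
    # rather than reading a cached value from whichever DC we happen to use.
    try {
        $dc = Get-ADDomainController -Server $holder -ErrorAction Stop
        $status = "online ($($dc.Site))"
    } catch {
        $status = "UNREACHABLE: $($_.Exception.Message)"
    }
    '{0,-22} {1,-35} {2}' -f $role, $holder, $status
}
```

A one-line alternative without PowerShell is `netdom query fsmo`, which prints the same five holders but does not tell you whether they are reachable.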

Placement of FSMO roles:
Ideally, you put the PDC emulator on the domain controller with the best hardware available, and ensure that it is in a reliable hub site. It should have other domain controllers in the same Active Directory domain and site to replicate with.
Place the RID master on the same domain controller as the PDC emulator in that domain.
In a multidomain forest, unless every domain controller in the domain hosts the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.
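The placement rules above are easy to violate silently, for example when someone later enables the global catalog on the DC that holds the infrastructure master. The following PowerShell is an added example, not code from the original page; it assumes the ActiveDirectory module and checks the two placement rules for the current domain. The single-domain-forest branch reflects the standard guidance that the infrastructure master role is irrelevant when there is no other domain to hold references to.

```powershell
# Added example: verify infrastructure master and RID master placement rules.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)          # all DCs in this domain
$gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog }) # the ones that are GCs

$infraMaster = Get-ADDomainController -Identity $domain.InfrastructureMaster

# Rule 1: infrastructure master must not be a GC unless every DC is a GC
# (or the forest has only one domain, where the role has nothing to do).
if ($forest.Domains.Count -le 1) {
    'Single-domain forest: infrastructure master placement does not matter.'
} elseif ($gcs.Count -eq $dcs.Count) {
    'Every DC is a global catalog: infrastructure master placement does not matter.'
} elseif ($infraMaster.IsGlobalCatalog) {
    'WARNING: infrastructure master {0} is a global catalog while {1} of {2} DCs are not; move the role to a non-GC DC.' -f
        $infraMaster.HostName, ($dcs.Count - $gcs.Count), $dcs.Count
} else {
    'OK: infrastructure master {0} is on a non-GC domain controller.' -f $infraMaster.HostName
}

# Rule 2: RID master should sit with the PDC emulator.
if ($domain.RIDMaster -ne $domain.PDCEmulator) {
    'Note: RID master ({0}) and PDC emulator ({1}) are on different DCs.' -f $domain.RIDMaster, $domain.PDCEmulator
} else {
    'OK: RID master and PDC emulator are both on {0}.' -f $domain.PDCEmulator
}
```

Run it from any domain-joined admin workstation; it only reads directory data and changes nothing.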

Summary:
When updating a part of Active Directory is too critical an operation to risk a conflict, Active Directory uses a single-server model to provide updates to those services.
The availability requirements of the domain controller holding an FSMO role depend on the role. For example, the schema master may be offline without causing any concern until an update to the schema is attempted. FSMO roles can be transferred to another domain controller to improve performance or to allow continued access during a scheduled outage. In the event of an unscheduled outage, FSMO roles may be seized as a last resort.
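The distinction the summary draws between a transfer (scheduled, cooperative) and a seizure (last resort) maps onto one cmdlet and one switch. The following PowerShell is an added example, not from the original page; the DC name is a hypothetical placeholder, and it assumes the ActiveDirectory module and Domain Admin or Enterprise Admin rights as appropriate for the role. The reachability check before seizing is there because a seized role must not be allowed to come back online on the old holder.

```powershell
# Added example: transfer a role for planned maintenance, seize only if the
# holder is truly gone. Assumes the ActiveDirectory module and suitable rights.
Import-Module ActiveDirectory

$target = 'DC02.corp.example'   # placeholder: the DC that should take the role(s)

# Scheduled outage: a transfer contacts the current holder, so it must be online.
# Moving PDC emulator and RID master together keeps them co-located (see placement).
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator, RIDMaster

# Unscheduled outage: confirm the current holder really is unreachable first.
# Seizing while it is merely slow would leave two DCs believing they own the role.
$oldHolder = (Get-ADDomain).InfrastructureMaster
if (Test-Connection -ComputerName $oldHolder -Count 2 -Quiet) {
    "Holder $oldHolder still answers; use a transfer rather than a seizure."
} else {
    # -Force performs the seizure: the role is written to the target without the
    # old holder's cooperation. Do not bring the old holder back with the role.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole InfrastructureMaster -Force
}

# Verify the outcome from the target's point of view.
(Get-ADDomain -Server $target).PDCEmulator
(Get-ADDomain -Server $target).RIDMaster
(Get-ADDomain -Server $target).InfrastructureMaster
```

Add -WhatIf to either Move-ADDirectoryServerOperationMasterRole call to preview the change; the cmdlet otherwise prompts for confirmation before moving each role.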