FSMO Server Roles
Introduction
FSMO Roles
Failure of FSMO servers
Placing FSMO roles
FSMO tools
Useful Links



Introduction

In a Windows 2000 domain environment, all of the domain controllers are peers.  There are no PDCs and BDCs as you find in a Windows NT domain.  All Windows 2000 domain controllers contain a writable replica (or copy) of the Active Directory database, and unlike the hierarchical server structure in a Windows NT domain (the PDC with subordinate BDCs), all domain controllers are equal.
The ability of all domain controllers in a Windows 2000 domain to update Active Directory, and then replicate the change out to the other DCs, is referred to as multimaster replication.  Compare that to a Windows NT domain, which uses single master replication: the PDC has the only writable copy of the SAM, and all updates can only happen at the PDC.
(The SAM, the Security Accounts Manager database, is replaced by the Active Directory database in Windows 2000.)

So why are there FSMO server roles?  Since each DC in a Windows 2000 domain can update Active Directory, which then gets replicated to all other DCs, what happens if more than one person makes the same change to Active Directory at the same time?  There are rules that are followed to resolve conflicting updates to the AD database, but some changes are too important to the domain to be left to these rules.  Because of this, Microsoft came up with the idea of the Flexible Single Master Operations server roles.  The servers that hold these FSMO roles are responsible for updating certain aspects of Active Directory.  By making designated servers responsible for certain updates, instead of allowing every server to make all updates, you prevent conflicts in Active Directory updates.

In a Windows 2000 domain environment, there are 5 server roles that are necessary for the proper functioning of the forest/domain (or Active Directory).  These 5 server roles are collectively known as the Flexible Single Master Operations roles or FSMO roles.  All FSMO server roles exist on domain controllers; they do not exist on member servers.  Two of the server roles exist at the forest level and 3 server roles exist at the domain level.

For example: if your Active Directory contains one forest and 1 domain, you would have 5 FSMO role holders.  If your AD contained one forest and 2 domains, you would have 8 FSMO role holders: two at the forest level and 3 for each domain.  Likewise, for an AD with one forest and 3 domains, you would have 11 server roles: two at the forest level and 3 for each domain.


FSMO Roles

The 5 FSMO server roles:

Role                    Level          Number
Schema Master           Forest level   One per forest
Domain Naming Master    Forest level   One per forest
PDC Emulator            Domain level   One per domain
RID Master              Domain level   One per domain
Infrastructure Master   Domain level   One per domain


1.  Schema Master (Forest level)
The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema.  It contains the only writable copy of the AD schema.  This DC is the only one that can process updates to the directory schema, and once a schema update is complete, it is replicated from the schema master to all other DCs in the forest.  There is only one schema master in the forest.
2.  Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory.  This DC is the only one that can add or remove a domain from the directory, and that is its major purpose.  It can also add or remove cross-references to domains in external directories.  There is only one domain naming master in the Active Directory forest.
3.  PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator server role performs the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that holds the PDC emulator role acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to be relevant only in a mixed mode domain.  This is not true.  Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.
4.  RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.
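The three paragraphs above describe a small allocation protocol: the SID of every principal is the domain SID plus a RID, each DC hands out RIDs from a block it holds locally, and it contacts the RID master only when that block runs low.  The following is an added worked example (not code from the original page) that models that behaviour.  The domain SID, the server names, the block size of 500 and the low-water mark of 250 are constructed values chosen for illustration, not documented Windows 2000 parameters.

```python
# Added worked example (not code from the original page): how a DC composes
# SIDs from its locally held RID block and when it must ask the domain's RID
# master for more.  DOMAIN_SID, the server names, POOL_SIZE and REFILL_AT are
# constructed/assumed values for illustration only.
from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
POOL_SIZE = 500    # assumed size of each RID block handed out by the RID master
REFILL_AT = 250    # assumed low-water mark at which a DC requests a new block


def split_sid(sid: str) -> tuple[str, int]:
    """Split a principal's SID into (domain SID, RID).

    The RID is the final sub-authority; everything before it is the domain
    SID shared by every principal created in that domain.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


class RidMasterUnavailable(RuntimeError):
    """Raised when the RID master FSMO holder cannot be reached."""


@dataclass
class RidMaster:
    """The single DC per domain that owns the unallocated RID pool."""
    next_rid: int = 1000   # RIDs below 1000 are well-known (e.g. 500 = Administrator)
    online: bool = True

    def allocate_block(self, size: int) -> range:
        if not self.online:
            raise RidMasterUnavailable("RID master is not reachable")
        block = range(self.next_rid, self.next_rid + size)
        self.next_rid += size
        return block


@dataclass
class DomainController:
    name: str
    rid_master: RidMaster
    pool: list[int] = field(default_factory=list)
    refill_requests: int = 0

    def create_principal(self) -> str:
        """Create a user/group/computer and return its SID.

        The RID master is only contacted when the local block runs low, so an
        outage of that role goes unnoticed until a DC exhausts its own block.
        """
        if len(self.pool) < REFILL_AT:
            try:
                self.pool.extend(self.rid_master.allocate_block(POOL_SIZE))
                self.refill_requests += 1
            except RidMasterUnavailable:
                if not self.pool:
                    raise   # the "ran out of RIDs" case described in the text
        return f"{DOMAIN_SID}-{self.pool.pop(0)}"


def simulate(principals_per_dc: int = 300) -> dict:
    """Two DCs sharing one RID master each create `principals_per_dc` objects."""
    master = RidMaster()
    dcs = [DomainController("dc1", master), DomainController("dc2", master)]
    sids = [dc.create_principal() for dc in dcs for _ in range(principals_per_dc)]
    domains = {split_sid(s)[0] for s in sids}
    return {
        "unique_sids": len(set(sids)) == len(sids),   # no RID collisions across DCs
        "same_domain_sid": domains == {DOMAIN_SID},
        "refill_requests": [dc.refill_requests for dc in dcs],
    }


def creations_until_failure(pool_size: int = POOL_SIZE) -> int:
    """How many principals a DC holding a full block can still create while the
    RID master is down, before it raises RidMasterUnavailable."""
    master = RidMaster()
    dc = DomainController("dc1", master)
    dc.pool.extend(master.allocate_block(pool_size))
    master.online = False
    created = 0
    while True:
        try:
            dc.create_principal()
            created += 1
        except RidMasterUnavailable:
            return created


if __name__ == "__main__":
    print(split_sid(f"{DOMAIN_SID}-1105"))
    print(simulate())
    print(creations_until_failure())
```

Running the script shows two DCs producing disjoint SIDs from the same domain SID with only two refill requests each, and a DC that keeps creating accounts for the whole of its remaining block after the RID master goes offline, which is the reason the failure table below rates a RID master outage as low impact.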

There is one RID master per domain in a directory.

5.  Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups.  When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure master is involved.  Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.
 


What if an FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible.  Since schema updates are rare (usually done by certain applications, and possibly by an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO).  If it is not, the domain cannot be added or removed.  It is also needed when promoting or demoting a server to/from a domain controller.  Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable.  This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x).  Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts).  The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups.
Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment.  If you only have one domain, the Infrastructure Master is irrelevant.  Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.


Placing FSMO Server Roles

So where are these FSMO server roles found?  Is there a one-to-one relationship between the server roles and the number of servers that hold them?

The first domain controller that is installed in a Windows 2000 domain holds, by default, all five of the FSMO server roles.  Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.  Moving an FSMO server role is a manual process; it does not happen automatically.  But what if you only have one domain controller in your domain?  That is fine.  If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller.  All 5 FSMO server roles will exist on that DC.  There is no rule that says you have to have one server for each FSMO server role.

However, it is always a good idea to have more than one domain controller in a domain for a number of reasons.  Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server.  Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server.  If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

The Infrastructure Master should not be on the same server that acts as a Global Catalog server.
The reason for this is that the Global Catalog contains information about every object in the forest.  When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information.  If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated.  This would result in the Infrastructure Master never replicating changes to the other domain controllers in its domain.
Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server.  This is not mandatory like the separation of the Infrastructure Master and the Global Catalog server above, but it is recommended.  Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and have high bandwidth connections to one another as well as to a Global Catalog server.


FSMO Tools

How do you find out which servers in your domain/forest hold which server roles?  How do you move a server role from one server to another?  There are several tools that can be used to find out this information and to move the roles.

Permissions

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Role                    Required group membership
Schema Master           member of the Schema Admins group
Domain Naming Master    member of the Enterprise Admins group
PDC Emulator            member of the Domain Admins group and/or the Enterprise Admins group
RID Master              member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master   member of the Domain Admins group and/or the Enterprise Admins group



Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click "Operations Masters".  A dialog box (below) will open with three tabs, one for each FSMO role.  Click each tab to see which server that role resides on.  To change a server role, you must first connect to the domain controller you want to move it to.  Do this by right clicking "Active Directory Users and Computers" at the top of the Active Directory Users and Computers snap-in and choosing "Connect to Domain Controller".  Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button.
When you do connect to another DC, you will notice that the name of that DC appears in the field below the Change button (not shown in this graphic).






Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in.  Open Active Directory Domains and Trusts, right click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master".  When you do, you will see the dialog box below.  Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button.  You can connect to another domain controller by right clicking "Active Directory Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".






Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role.  However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation.  You first have to install the Support Tools from the \Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit.  Once you install the Support Tools you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console.  Once the snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters".  You will see the dialog box below.  Changing the server the Schema Master resides on requires that you first connect to another domain controller, and then click the Change button.
You can connect to another domain controller by right clicking "Active Directory Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller".






More Tools

In addition to the tools mentioned above, there are other tools that can be used to view the FSMO server roles.  Perhaps the easiest and fastest way to find out which server holds which FSMO role is to use the Netdom command line utility.  Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type the following and press Enter:

    netdom query fsmo

You will see a list of the FSMO role servers:







Another tool that comes with the Support Tools is the Active Directory Replication Monitor.  Open this utility from Start, Programs, Windows 2000 Support Tools.  Once open, click Edit, Add Monitored Server and add the name of a domain controller.  Once added, right click the server name and choose Properties.  Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below).  You cannot change roles using Replication Monitor, but this tool has many other useful purposes with regard to Active Directory information.  It is something you should check out if you haven't already.







Finally, you can use the Ntdsutil.exe utility to gather information about FSMO roles and to change the servers that hold them.  Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.
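The tools above tell you which DC holds which role; the Placing FSMO Server Roles section above tells you where the roles should be.  The following added example (not code from the original page, from Microsoft, or from the Support Tools) joins the two: it parses the text that `netdom query fsmo` prints into a role-to-holder map and then checks that map against the placement rules stated earlier.  The sample netdom output and the server names are constructed, and the set of Global Catalog servers is a hypothetical input that you would have to supply yourself, because netdom does not report which DCs are Global Catalog servers.

```python
# Added example (not code from the page or from Microsoft's tools): parse the
# text printed by `netdom query fsmo` and check the resulting placement
# against the best practices described in this document.  The sample output
# and the server names are constructed; GLOBAL_CATALOGS is a hypothetical
# input, because netdom does not report which DCs hold the Global Catalog.
import re

# Constructed sample of `netdom query fsmo` output (Support Tools format).
SAMPLE_NETDOM_OUTPUT = """\
Schema owner                dc1.example.local
Domain role owner           dc1.example.local
PDC role                    dc2.example.local
RID pool manager            dc3.example.local
Infrastructure owner        dc1.example.local
The command completed successfully.
"""

# Constructed: which DCs in this fictional forest are Global Catalog servers.
GLOBAL_CATALOGS = {"dc1.example.local", "dc2.example.local"}

# netdom's labels mapped to the role names used in this document.
NETDOM_LABELS = {
    "Schema owner": "Schema Master",
    "Domain role owner": "Domain Naming Master",
    "PDC role": "PDC Emulator",
    "RID pool manager": "RID Master",
    "Infrastructure owner": "Infrastructure Master",
}
_LINE = re.compile(r"^(" + "|".join(map(re.escape, NETDOM_LABELS)) + r")\s+(\S+)\s*$")


def parse_netdom_fsmo(text: str) -> dict[str, str]:
    """Return {role name: holder FQDN} from netdom output; fail if a role is missing."""
    holders = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            holders[NETDOM_LABELS[m.group(1)]] = m.group(2).lower()
    missing = set(NETDOM_LABELS.values()) - holders.keys()
    if missing:
        raise ValueError(f"netdom output lacks role holder(s): {sorted(missing)}")
    return holders


def check_placement(holders: dict[str, str], global_catalogs: set[str],
                    domain_count: int) -> list[str]:
    """Apply the placement rules from this document and return a list of findings."""
    gcs = {g.lower() for g in global_catalogs}
    findings = []
    schema, naming = holders["Schema Master"], holders["Domain Naming Master"]
    pdc, rid = holders["PDC Emulator"], holders["RID Master"]
    infra = holders["Infrastructure Master"]

    if schema != naming:
        findings.append("Schema Master and Domain Naming Master are on different "
                        "servers (recommended: same server)")
    if naming not in gcs:
        findings.append("Domain Naming Master is not on a Global Catalog server (required)")
    if schema not in gcs:
        findings.append("Schema Master is not on a Global Catalog server (recommended)")
    # Only matters with more than one domain: a GC never holds stale cross-domain
    # references, so an Infrastructure Master on a GC stops replicating updates.
    if domain_count > 1 and infra in gcs:
        findings.append("Infrastructure Master is on a Global Catalog server in a "
                        "multi-domain forest (must be moved)")
    if pdc != rid:
        findings.append("PDC Emulator and RID Master are on different servers "
                        "(recommended: same server)")
    return findings


def audit(text: str = SAMPLE_NETDOM_OUTPUT, global_catalogs=GLOBAL_CATALOGS,
          domain_count: int = 2) -> list[str]:
    """Parse netdom output and report placement findings for the given forest."""
    return check_placement(parse_netdom_fsmo(text), global_catalogs, domain_count)


if __name__ == "__main__":
    for role, holder in parse_netdom_fsmo(SAMPLE_NETDOM_OUTPUT).items():
        print(f"{role:22} {holder}")
    for finding in audit():
        print("WARNING:", finding)
```

With the constructed sample and two domains, the audit reports that the Infrastructure Master sits on a Global Catalog server and that the PDC Emulator and RID Master are split; with a single domain the Infrastructure Master finding disappears, matching the note in the placement section.  To run it against a real forest, paste the actual netdom output into SAMPLE_NETDOM_OUTPUT and list your Global Catalog servers in GLOBAL_CATALOGS.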



Links

Transferring and Seizing an FSMO Role
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

Placement of FSMO role holders
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q223346

Download Adcheck (470k).  A simple utility to view information about AD and FSMO roles.

Active Directory Design and Deployment by Gary L. Olsen.  Excellent book about Active Directory.



b/johnson:02