Sunday, August 7, 2016

Flexible Single Master Operator (FSMO)


  • FSMO


Acronym for Flexible Single Master Operator. These are roles that are assigned only to designated domain controllers, either one in each domain, or one in the forest. The five FSMO roles are:

    Schema Master (one for the forest)
    Domain Naming Master (one for the forest)
    PDC Emulator (one for each domain)
    RID Master (one for each domain)
    Infrastructure Master (one for each domain)

Schema Master
The Schema Master role holder is the domain controller that can make changes to the Schema. One domain controller in the forest must hold this role. One of the five Flexible Single Master Operator roles (FSMO).

 
Infrastructure Master
The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other domains. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator (FSMO) roles.

RID Master
The RID Master role holder is the domain controller responsible for assigning pools of RID's to all domain controllers in the domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator roles (FSMO).
Security Principal
An object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE).
RID
Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components, including the RID. The SID without the RID is the same for all objects in a domain. The RID value uniquely identifies the object in the domain.

PDC Emulator
The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. It also is used to forward password changes immediately to other domain controllers and serves as the primary time source for the domain. The PDC Emulator is also targeted by most Group Policy tools. One domain controller in each domain must hold this role. One of the five Flexible Single Master Operator roles (FSMO).

Domain Naming Master
The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. One of the five Flexible Single Master Operator (FSMO) roles. The domain controller with this role can add, remove, rename, or move domains in the forest. It is also required to create application partitions. One domain controller in the forest must hold this role.
http://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#FSMO



  • How to find out who has your FSMO Roles?


1-The easy way:
NetDOM /query FSMO

2-The Common way:
How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain
1. Click Start, click Run, type dsa.msc, and then click OK.
2. Right-click the selected Domain Object in the top left pane, and then click Operations Masters.
3. Click the PDC tab to view the server holding the PDC master role.
4. Click the Infrastructure tab to view the server holding the Infrastructure master role.
5. Click the RID Pool tab to view the server holding the RID master role.

How to Determine the Schema FSMO Holder in a Forest
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
3. Right-click Active Directory Schema in the top left pane, and then click Operations Masters to view the server holding the schema master role.
NOTE: For the Active Directory Schema snap-in to be available, you may have to register the Schmmgmt.dll file. To do this, click Start, click Run, type regsvr32 schmmgmt.dll in the Open box, and then click OK. A message is displayed that states the registration was successful.

How to Determine the Domain Naming FSMO Holder in a Forest
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
3. In the left pane, click Active Directory Domains and Trusts.
4. Right-click Active Directory Domains and Trusts, and then click Operations Master to view the server holding the domain naming master role in the Forest.


https://blogs.technet.microsoft.com/mempson/2007/11/08/how-to-find-out-who-has-your-fsmo-roles
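A PowerShell equivalent of the netdom and MMC steps above, added here as an example (it is not from the linked post): it uses the ActiveDirectory RSAT module to list all five role holders for every domain in the forest, then cross-checks that view against what each domain controller itself reports in its OperationMasterRoles. A mismatch usually means replication has not yet caught up after a transfer or seizure. The function names (Get-FsmoRoleHolder, Test-FsmoConsistency) are the example's own.

```powershell
# Added example: enumerate FSMO role holders forest-wide with the ActiveDirectory
# module (RSAT). Same information as "netdom /query fsmo" run in each domain.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    [CmdletBinding()]
    param(
        # Optional DC to bind to; otherwise the module picks one from the logon domain.
        [string]$Server
    )
    $bind = @{}
    if ($Server) { $bind['Server'] = $Server }
    $forest = Get-ADForest @bind

    # Forest-wide roles: exactly one holder each, recorded on the forest object.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{
            Scope  = 'Forest'
            Domain = $forest.RootDomain
            Role   = $role
            Holder = $forest.$role
        }
    }

    # Domain roles: one holder per domain, so walk every domain in the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{
                Scope  = 'Domain'
                Domain = $domain.DNSRoot
                Role   = $role
                Holder = $domain.$role
            }
        }
    }
}

function Test-FsmoConsistency {
    # Compare the domain/forest view with what each DC says about itself
    # (Get-ADDomainController exposes OperationMasterRoles). Any DC that claims a
    # role the domain object assigns elsewhere is worth investigating before
    # trusting either answer.
    [CmdletBinding()]
    param()

    $expected = Get-FsmoRoleHolder
    foreach ($domainName in (Get-ADForest).Domains) {
        $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator
        # -Server scopes the DC listing to that domain's directory partition.
        foreach ($dc in Get-ADDomainController -Filter * -Server $pdc) {
            foreach ($claimed in $dc.OperationMasterRoles) {
                $match = $expected | Where-Object {
                    $_.Role -eq $claimed -and $_.Holder -eq $dc.HostName
                }
                [pscustomobject]@{
                    Domain     = $domainName
                    DC         = $dc.HostName
                    ClaimsRole = $claimed
                    Consistent = [bool]$match
                }
            }
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
# Print only the disagreements; an empty result is the healthy case.
Test-FsmoConsistency | Where-Object { -not $_.Consistent }
```

Run it from a domain-joined admin workstation with RSAT installed; no changes are made to the directory.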



  • How To Find Servers That Hold Flexible Single Master Operations Roles

    How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain
    How to Determine the Schema FSMO Holder in a Forest
    How to Determine the Domain Naming FSMO Holder in a Forest
    Using the Windows 2000 Server Resource Kit
    Using the NTDSUTIL Tool
    Using DCDIAG
https://support.microsoft.com/en-us/kb/234790



  • The domain controller that actually performs a single master operation is the domain controller that currently holds the operation’s token, or the “role holder.” An operation token, and thus the role, can be transferred easily to another domain controller without a reboot.

AD DS contains five operations master roles. Two roles are performed for the entire forest, and three roles are performed for each domain.
Forest Roles (two roles):

    Domain naming
    Schema

Domain Roles (three roles):

    Relative identifier (RID)
    Infrastructure
    PDC Emulator


RID Master Role
Because any domain controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Thus, each domain controller can be confident that the SIDs it generates are unique.

Note:

The RID master role is like DHCP for SIDs. If you are familiar with the concept that you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.

Infrastructure Master Role
In a multidomain environment, it’s common for an object to reference objects in other domains. For example, a group can include members from another domain.
You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.

This role only matters in a multi-domain forest. If the infrastructure master runs on the same DC as a global catalog (GC), the two conflict and the infrastructure master role fails to serve its intended purpose.
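The conflict described above is something to check rather than assume. The function below is an added example (not from the linked article) that uses the ActiveDirectory module to report where each domain's Infrastructure Master sits relative to the global catalog servers and flag the problematic case. It also applies Microsoft's documented exception: when every DC in the domain is a GC there are no phantoms left to refresh, so the placement is harmless. The function name is the example's own.

```powershell
# Added example: check Infrastructure Master placement relative to global
# catalog servers for every domain in the forest. Read-only.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    [CmdletBinding()]
    param()

    $forest      = Get-ADForest
    # Phantoms only exist when there is more than one domain to reference.
    $multiDomain = @($forest.Domains).Count -gt 1

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $imHost = $domain.InfrastructureMaster

        # Ask the role holder directly whether it is a GC; -Server $imHost also
        # scopes the DC listing below to this domain's partition.
        $im  = Get-ADDomainController -Identity $imHost -Server $imHost
        $dcs = @(Get-ADDomainController -Filter * -Server $imHost)
        $gcs = @($dcs | Where-Object IsGlobalCatalog)
        $allDcsAreGc = $gcs.Count -eq $dcs.Count

        # Problem only when: more than one domain (phantoms exist), the IM is a GC
        # (so it holds no phantoms to compare against), and some DC is NOT a GC
        # (so stale phantoms on those DCs would never be refreshed).
        $conflict = $multiDomain -and $im.IsGlobalCatalog -and -not $allDcsAreGc

        $remedy = 'None'
        if ($conflict) {
            $remedy = "Move InfrastructureMaster to a non-GC DC, or make every DC in $($domain.DNSRoot) a GC"
        }

        [pscustomobject]@{
            Domain                = $domain.DNSRoot
            InfrastructureMaster  = $imHost
            HolderIsGlobalCatalog = $im.IsGlobalCatalog
            MultiDomainForest     = $multiDomain
            GlobalCatalogs        = "$($gcs.Count)/$($dcs.Count)"
            Misconfigured         = $conflict
            Remedy                = $remedy
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

In a single-domain forest every row reports Misconfigured = False regardless of where the role sits, which matches the note that the role only matters with multiple domains.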


PDC Emulator Role

    Emulates a Primary Domain Controller (PDC) for backward compatibility.

    Participates in special password update handling for the domain.
    If a user attempts to log on immediately after changing passwords, the domain controller responding to the user’s logon request might not know about the new password. Before it rejects the logon attempt, that domain controller forwards the authentication request to the PDC emulator, which verifies that the new password is correct and instructs the domain controller to accept the logon request.

    Manages Group Policy updates within a domain.
    When you open a GPO in the Group Policy Management Editor (GPME), the GPME binds to the domain controller performing the PDC emulator role. Therefore, all changes to GPOs are made on the PDC emulator by default.

    Provides a master time source for the domain.
    Active Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Windows Time (W32Time) service, ensures consistency of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer.
 
http://blogs.msmvps.com/acefekay/2011/01/16/active-directory-fsmo-roles-explained
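The time hierarchy above is easy to state and easy to break: a forest root PDC emulator left on its local clock, or a DC that still points at a decommissioned peer, silently undermines Kerberos. The script below is an added example, not from the linked post. It reads each DC's current time source with w32tm /query /source over RPC and compares it with the hierarchy the notes describe (domain PDC emulators should follow the forest root PDC emulator, other DCs their own domain's PDC emulator). It assumes the ActiveDirectory module and RPC access to the DCs; the function name is the example's own.

```powershell
# Added example: audit the W32Time hierarchy across every DC in the forest.
Import-Module ActiveDirectory

function Get-DcTimeSourceReport {
    [CmdletBinding()]
    param()

    $forest        = Get-ADForest
    $forestRootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domain.PDCEmulator

        foreach ($dc in $dcs) {
            # w32tm answers over RPC; the source is the peer this DC last synced
            # from, e.g. "dc01.child.example.com", or an unreliable local clock.
            $source = (& w32tm.exe /query /computer:$($dc.HostName) /source 2>&1 | Out-String).Trim()

            $isForestRootPdc = $dc.HostName -eq $forestRootPdc
            $isDomainPdc     = $dc.HostName -eq $domain.PDCEmulator

            # Expected peer per the hierarchy in the notes above.
            if ($isForestRootPdc)  { $tier = 'ForestRootPDC'; $expected = 'external NTP or hardware source' }
            elseif ($isDomainPdc)  { $tier = 'DomainPDC';     $expected = $forestRootPdc }
            else                   { $tier = 'DC';            $expected = $domain.PDCEmulator }

            # A local clock as source means nothing upstream is authoritative.
            $localOnly = $source -match 'Local CMOS Clock|Free-running System Clock'

            if ($isForestRootPdc) { $healthy = -not $localOnly }
            else                  { $healthy = (-not $localOnly) -and ($source -match [regex]::Escape($expected)) }

            [pscustomobject]@{
                Domain         = $domain.DNSRoot
                DC             = $dc.HostName
                Tier           = $tier
                ActualSource   = $source
                ExpectedSource = $expected
                Healthy        = $healthy
            }
        }
    }
}

Get-DcTimeSourceReport | Format-Table -AutoSize
```

Rows with Healthy = False are the ones to look at first; a DC whose w32tm call fails over RPC shows the error text in ActualSource and is also flagged, since its source could not be confirmed.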



  • Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

Active Directory Schema snap-in
Active Directory Domains and Trusts snap-in
Active Directory Users and Computers snap-in
https://support.microsoft.com/en-us/kb/324801
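For a scripted transfer instead of the snap-ins, the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole does the same job. The wrapper below is an added example, not from the linked KB article: it previews with -WhatIf by default, performs the graceful transfer only when -Commit is given, and then re-reads the role holder from the target DC to confirm the change. The function and parameter names and the placeholder DC name DC02 are the example's own.

```powershell
# Added example: transfer one or more FSMO roles and verify the result.
Import-Module ActiveDirectory

function Move-FsmoRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string[]]$Role,
        # Without -Commit the cmdlet runs with -WhatIf and changes nothing.
        [switch]$Commit
    )

    # Helper: who holds a given role, as seen by a particular DC.
    function Get-Holder([string]$RoleName, [string]$Server) {
        if ($RoleName -in 'SchemaMaster', 'DomainNamingMaster') {
            (Get-ADForest -Server $Server).$RoleName
        } else {
            (Get-ADDomain -Server $Server).$RoleName
        }
    }

    $target = Get-ADDomainController -Identity $TargetDc
    foreach ($r in $Role) {
        $before = Get-Holder $r $target.HostName
        Write-Verbose "$r currently held by $before"
    }

    # A graceful transfer contacts the current holder so both sides agree.
    # -Force (seizure) is for a holder that is permanently gone and is
    # deliberately not used here.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role `
        -Confirm:$false -WhatIf:(-not $Commit)

    if ($Commit) {
        foreach ($r in $Role) {
            # Read back from the target itself; it should now name itself as holder.
            $after = Get-Holder $r $target.HostName
            [pscustomobject]@{
                Role      = $r
                TargetDc  = $target.HostName
                NowHeldBy = $after
                Verified  = $after -eq $target.HostName
            }
        }
    }
}

# Preview only (placeholder DC name):
Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator, RIDMaster -Verbose
# Perform the transfer and print the verification:
# Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator, RIDMaster -Commit
```

The account running this needs the same rights the snap-ins require: Domain Admins for the three domain roles, Enterprise Admins for Domain Naming Master, and Schema Admins for Schema Master.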
