FSMO (Flexible Single Master Operations)
Two good reasons for investigating FSMO
a) Curiosity to know how this Single master operation works
b) To know what to do if you lose one of the 5 vital roles.
Background information
For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is you can add a computer, or change a user’s password on any domain controller. For example, if you have three domain controllers, you can physically create a new computer in the NTDS.dit database on any of the three. Five minutes later, the new computer object will be replicated to the other two domain controllers.
Technically, the multiple master model uses a change notification mechanism. Occasionally problems arise with duplicate operations, and as a result orphaned objects appear in the ‘LostAndFound’ folder. The point of FSMO is that a few operations are deemed so critical that only one domain controller can carry out that process. Emulating a PDC is the most famous example of such a Single Master Operation; creating a new child domain would be another example.
In FSMO, the word Flexible simply means that you can move the role to a more suitable domain controller.
The five FSMO roles are:
- PDC Emulator – For NT 4.0 BDCs, but also for synchronizing time and creating group policies.
- RID Master – Each object must have a globally unique number. The RID master makes sure each domain controller issues unique numbers when you create objects like users.
- Infrastructure Master – Responsible for checking Universal group membership in multiple domain forests.
- Domain Naming Master – Ensures that each child domain has a unique name.
- Schema Master – Operations that involve expanding user properties e.g. Exchange 2000 adds the mailbox property to users.
Three of the FSMO roles (1-3) are held in each domain, whilst two (4-5) are unique to the entire forest.
Changing the FSMO roles
RID, PDC and Infrastructure (1, 2 and 3)
You can plan a switch of Operations Master by using the Change button shown in the diagram on the right, taken from Active Directory Users and Computers: right-click the domain, Properties, Operations Masters.
Domain Naming Master (4)
To see the Domain Naming Master (4), open Active Directory Domains and Trusts, right-click the root node and choose Operations Master.
Schema Master (5)
The Schema Master (5) is the most difficult FSMO to find.
1) Register the Schema snap-in with this command: Run regsvr32 schmmgmt.dll
2) Run MMC, Add/Remove Snap-in, Add Active Directory Schema.
3) Select Active Directory Schema, right-click, Operations Master.
If you ever run DCPROMO to demote a domain controller, watch out for a check box that says ‘This is the last domain controller in the domain’. If that box is UNchecked, the wizard will automatically move any FSMO roles held by that server to another domain controller.
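The same planned transfer, done from the command line rather than the three snap-ins above. This is an added example, not code from the original article: it uses the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which did not exist in the Windows 2003 era the article describes; the function names and the domain controller name DC2 are placeholders of my own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the caller holds Domain Admin / Schema Admin /
# Enterprise Admin rights as appropriate for the role being moved.
Import-Module ActiveDirectory

# List all five role holders: three come from the domain, two from the forest
# (matching the 3 + 2 split described in the article).
function Get-FsmoRoleHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [PSCustomObject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        SchemaMaster         = $forest.SchemaMaster
    }
}

# Planned transfer: both the current holder and the target must be online and
# replicating. This is the command-line twin of the GUI "Change" button.
# -WhatIf previews the move; remove it to perform the transfer.
# Only add -Force (a seizure) when the old holder is permanently gone, and in
# that case never bring the old holder back on the network.
function Move-FsmoRolesPlanned {
    param(
        [Parameter(Mandatory)] [string]   $TargetDc,
        [string[]] $Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $Roles -Confirm:$false -WhatIf
}

'Before:'; Get-FsmoRoleHolders | Format-List
Move-FsmoRolesPlanned -TargetDc 'DC2'    # placeholder DC name
'After:';  Get-FsmoRoleHolders | Format-List
```

Run Get-FsmoRoleHolders once before and once after the move and compare the two listings; if a role still shows the old holder, replication has not caught up yet or the transfer was refused, and the Windows event log on the target DC will say which.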
Troubleshooting
If you find problems with domain controller connections timing out then:
a) Check DNS settings on the TCP/IP properties.
b) Check that all the FSMO servers are up and running.
c) Try this neat command using NetDom:
netdom query fsmo
d) If you need a copy of netdom, check here.
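Steps a) to c) combined into one check. This is an added example, not part of the original article: it parses the text that netdom query fsmo prints, then confirms that every role holder resolves in DNS and accepts a connection on LDAP (TCP 389). The five-line output embedded in $sampleOutput is constructed sample text (the host names are invented) so the parser can be tried on a machine without netdom; the function names are my own.

```powershell
# Added example (not from the original article). Uses only .NET classes that
# ship with Windows PowerShell, so it also works on old domain controllers.

# Constructed sample of what "netdom query fsmo" prints (host names invented).
$sampleOutput = @"
Schema master               dc1.corp.example.com
Domain naming master        dc1.corp.example.com
PDC                         dc2.corp.example.com
RID pool manager            dc2.corp.example.com
Infrastructure master       dc2.corp.example.com
The command completed successfully.
"@

# Turn each "<role>   <holder>" line into an object; the closing status line
# has no run of two or more spaces, so the pattern skips it.
function ConvertFrom-NetdomFsmo {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<Role>\S.*?\S)\s{2,}(?<Holder>\S+)\s*$') {
            [PSCustomObject]@{ Role = $Matches.Role; Holder = $Matches.Holder }
        }
    }
}

# Step a) DNS must resolve the holder; step b) the holder must answer on LDAP.
# A DC whose name resolves but does not answer on 389 is the classic cause of
# the connection time-outs the article mentions.
function Test-FsmoHolder {
    param([string] $Role, [string] $Holder)
    $dnsOk = $false
    $ldapOk = $false
    try { [void][System.Net.Dns]::GetHostAddresses($Holder); $dnsOk = $true } catch {}
    if ($dnsOk) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async  = $client.BeginConnect($Holder, 389, $null, $null)
            $ldapOk = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch {} finally { $client.Close() }
    }
    [PSCustomObject]@{
        Role = $Role; Holder = $Holder; DnsResolves = $dnsOk; LdapReachable = $ldapOk
    }
}

# Prefer the live command; fall back to the constructed sample when netdom
# is not installed on this machine.
$raw = if (Get-Command netdom.exe -ErrorAction SilentlyContinue) {
    netdom query fsmo
} else {
    $sampleOutput -split "`r?`n"
}

ConvertFrom-NetdomFsmo -Lines $raw |
    ForEach-Object { Test-FsmoHolder -Role $_.Role -Holder $_.Holder } |
    Format-Table -AutoSize
```

Any row with DnsResolves false points at the TCP/IP DNS settings in step a); a row with DnsResolves true but LdapReachable false means the name is fine and the role holder itself, or a firewall in front of it, is the problem, which is step b).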