Wednesday, August 21, 2013

FSMO Roles

Today I will talk about FSMO (Flexible Single Master Operation) roles. These 5 roles must exist in every forest, and a lot of unexpected problems can happen when any one of these roles is missing.
I will describe each role and what it does, as follows:

1- Overview
In each Windows domain forest there are 5 roles that control your domain's functionality.
Where these roles sit depends on your network design; they may all be located on a single server or spread across several domain controllers.
The role names are as follows:
- Schema Master
- Domain Naming Master
- Infrastructure Master
- RID (Relative ID) Master
- PDC (Primary Domain Controller) Emulator

2- Role Position

Schema Master:
Any schema modification is done through this role, for example installing Exchange Server or upgrading a DC from Windows 2003 to Windows 2008. Usually the first DC in the forest is the Schema Master.
There is only one Schema Master in the forest.
The Schema Master replicates all schema changes to all other DCs.
It is advised to leave the Schema Master on the root DC.

Q: What may happen if the Schema Master fails?
A: It depends on the case. If no schema modification is required (such as installing Exchange or extending the schema), then nothing will happen, as all the other DCs hold a read-only copy of the schema and no data loss will occur. It is still recommended to bring the Schema Master server back up, or simply seize the role to another server. I will talk about seizing later on, but you must understand that once you seize the role, the old Schema Master should never be brought up again.

Q: What permission do I need to be able to modify the schema?
A: You must be a member of the Schema Admins group.

Q: What happens if I seize the Schema Master and the old server comes up again?
A: There is no detailed information on what may happen or how to recover, but soon I will make a lab, test this issue, and post the results here.

Domain Naming Master:
Active Directory stores pointers to other domains in a CrossRef object located in a Partitions container in the Configuration naming context. This object contains attributes that describe the distinguished name, DNS name, the flat name and the name of the Domain naming context, along with the kind of trust relationship that binds the domain to the forest.

When you create a new domain in an existing forest, the new domain represents a separate naming context and a new CrossRef object must be created in the Partitions container. Only one domain controller in a forest, the Domain Naming Master, is allowed to make changes to the Partitions container. This prevents two administrators from creating new domains with identical names during the same replication interval.

By default, the Domain Naming Master is the first domain controller in a forest, but the role can be transferred to any domain controller through the Active Directory Domains and Trusts snap-in. The Domain Naming Master should always reside in the root domain.

To modify the Domain Naming Master role you should be a member of the Domain Admins or Enterprise Admins group.

Q: What happens in case the Domain Naming Master role fails?
A: This failure is not visible to users, or even to administrators, unless you try to modify the forest, for example by adding or removing a domain. To fix it you have to fix the server.
You can seize the role using NTDSUTIL, but use this only as a final solution.
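The CrossRef objects and the Partitions container described above can be inspected directly. This is an added example, not code from the original post: it lists every crossRef with the attributes the post names (naming context DN, DNS name, flat name, trust parent) and reads the Domain Naming Master straight from the container's fSMORoleOwner attribute. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$configNc   = (Get-ADRootDSE).configurationNamingContext
$partitions = "CN=Partitions,$configNc"

# The Partitions container's fSMORoleOwner attribute points at the NTDS Settings object
# of the DC that holds the Domain Naming Master role.
$owner = (Get-ADObject -Identity $partitions -Properties fSMORoleOwner).fSMORoleOwner
"Domain Naming Master (NTDS Settings DN): $owner"

# One crossRef per naming context: each domain, plus the schema/configuration partitions
# and any application partitions. systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks a domain.
Get-ADObject -SearchBase $partitions -SearchScope OneLevel -Filter 'objectClass -eq "crossRef"' `
    -Properties nCName, dnsRoot, nETBIOSName, trustParent, systemFlags |
    Select-Object @{n='NamingContext'; e={ $_.nCName }},
                  @{n='DnsName';       e={ $_.dnsRoot }},
                  @{n='FlatName';      e={ $_.nETBIOSName }},
                  @{n='TrustParent';   e={ $_.trustParent }},
                  @{n='IsDomain';      e={ ($_.systemFlags -band 2) -ne 0 }} |
    Format-Table -AutoSize
```

Because only the Domain Naming Master may write to this container, comparing its contents across DCs is a quick way to confirm a new domain's crossRef has replicated after a domain is added.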

Infrastructure Master:
When you have a user object from domain A placed in a group in domain B, it is the Infrastructure Master role that translates the SID to a name.
Each domain has its own Infrastructure Master role. This role should not be placed on the same server that hosts the Global Catalog (GC); why? read this
If it is a single-domain network, there is no problem having the IM and GC on the same server.

Q: What happens in case the Infrastructure Master role fails?
A: This FSMO role is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Repairing the role can also be done by seizing it to a non-GC server (in a single-domain forest there is no problem having it on the same server as the GC).

PDC Emulator:
Several tasks are assigned to this role:
1- Group Policy uses this server as the default server; this prevents two administrators from making conflicting modifications to the same GPO.
2- Time sync for all DCs.
3- It is the DC responsible for updating user and computer passwords. When a password is changed on a DC, the change is immediately replicated to the DC holding the PDC Emulator role, and then, according to the normal replication schedule, to the other DCs. When a user fails to authenticate on a DC, that DC immediately checks with the PDC Emulator to see whether the failure is due to a password change that has not yet replicated; if that is the case and the password matches the new one, authentication succeeds. This reduces the latency for a password change to take effect.
4- Several custom applications use the PDC Emulator by default as the primary server for any AD modification.
5- Account lockout is processed on the PDC Emulator.
6- Manages DFS Namespaces.
Each domain can have only one PDC Emulator role.

Q: What happens when the PDC Emulator fails?
1- With the PDCE offline, users who have recently changed their passwords are more likely to get logon or access errors. They will also be more likely to stay locked out if Account Lockout policies are in use.
2- Time can more easily get out of sync, leading to Kerberos authentication errors down the road.
The PDCE being offline will also prevent the creation of certain well-known security groups and users when you are upgrading forests and domains.
3- The AdminSDHolder process will not run while the PDCE is offline.
4- You will not be able to administer DFS Namespaces.
5- It is where Group Policies are edited (by default).

RID Master:
In short: the Relative ID Master, or RID Master, hands out batches of relative IDs to individual domain controllers.
Each domain has its own domain ID, and domain ID + RID = SID. This means a SID cannot be duplicated across the forest.

In each domain there is only one RID Master; it is also recommended to place the RID Master role on the PDC Emulator server.
When adding a new domain to the forest, the RID Master must be reachable so the new RID server can take its RID pool.
When domain controllers need more relative IDs in reserve, they request them from, and are assigned them by, the domain controller holding the RID Master FSMO role.
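To make the "domain ID + RID = SID" rule and the RID pool hand-out concrete, here is an added example (not code from the original post). It splits a SID into its domain part and RID using the .NET SecurityIdentifier class, then simulates a RID Master issuing non-overlapping blocks to two DCs so that objects created on both DCs at the same time still get unique SIDs. The domain SID is a constructed sample, and the simulated pool size of 500 and starting RID of 1000 are assumptions that mirror the defaults in a new domain; the functions `Split-Sid`, `Request-RidPool` and `New-ObjectSid` are hypothetical names for this demonstration.

```powershell
# Added example (not part of the original post). Runs offline; no domain is contacted.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # SecurityIdentifier understands the S-1-5-21-... format; AccountDomainSid strips the RID.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    [pscustomobject]@{
        DomainSid = $sidObj.AccountDomainSid.Value     # e.g. S-1-5-21-x-y-z
        Rid       = [uint32]($Sid.Split('-')[-1])      # last sub-authority is the RID
    }
}

function New-Sid {
    param([string]$DomainSid, [uint32]$Rid)
    "$DomainSid-$Rid"
}

# Constructed sample domain SID (not a real domain).
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$parsed = Split-Sid "$domainSid-1105"
"Domain SID: $($parsed.DomainSid)   RID: $($parsed.Rid)"

# Simulated RID Master: each request returns the next block of 500 RIDs. Starting at 1000
# is an assumption; the well-known RIDs (500 Administrator, 512 Domain Admins, ...) sit below it.
$script:nextRid = 1000
$blockSize      = 500
function Request-RidPool {
    $pool = [pscustomobject]@{ Next = $script:nextRid; Last = $script:nextRid + $blockSize - 1 }
    $script:nextRid += $blockSize
    $pool
}

# Simulated DC: mints a SID from its own pool; when the pool runs dry it must ask the RID Master again,
# which is exactly the failure the post describes when the RID Master is unreachable.
function New-ObjectSid {
    param($Pool, [string]$DomainSid)
    if ($Pool.Next -gt $Pool.Last) { throw "RID pool exhausted; a new block is needed from the RID Master" }
    $rid = $Pool.Next
    $Pool.Next++
    New-Sid -DomainSid $DomainSid -Rid $rid
}

$dc1 = Request-RidPool     # 1000-1499
$dc2 = Request-RidPool     # 1500-1999
$sids = 1..3 | ForEach-Object {
    New-ObjectSid -Pool $dc1 -DomainSid $domainSid
    New-ObjectSid -Pool $dc2 -DomainSid $domainSid
}
$sids
"All SIDs unique: $(($sids | Select-Object -Unique).Count -eq $sids.Count)"
```

The same `Split-Sid` logic is useful in incident response: when an event log shows an unfamiliar SID, the domain part tells you which domain minted it and the RID tells you roughly how old the object is relative to others.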

Q: What happens in case of RID Master failure?
A: The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups.
Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.
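Before moving on to seizing, here is an added example (not code from the original post) that enumerates the five role holders and checks them against the placement advice given in the sections above: forest roles in the root domain, Infrastructure Master not on a GC in a multi-domain forest, RID Master with the PDC Emulator, and the PDC Emulator syncing time from something other than its own clock. It assumes the ActiveDirectory module (RSAT), a domain-joined session with read rights, and that `w32tm` can reach the PDC Emulator.

```powershell
# Added example (not part of the original post). Read-only audit; it changes nothing.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

"Forest-wide roles (one per forest):"
"  Schema Master         : $($forest.SchemaMaster)"
"  Domain Naming Master  : $($forest.DomainNamingMaster)"
"Domain roles for $($domain.DNSRoot) (one per domain):"
"  PDC Emulator          : $($domain.PDCEmulator)"
"  RID Master            : $($domain.RIDMaster)"
"  Infrastructure Master : $($domain.InfrastructureMaster)"

$findings = @()

# 1. The post advises keeping the Schema Master and Domain Naming Master in the forest root domain.
$rootDcs = (Get-ADDomain -Identity $forest.RootDomain).ReplicaDirectoryServers
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($rootDcs -notcontains $forest.$role) {
        $findings += "$role ($($forest.$role)) is not in the forest root domain $($forest.RootDomain)"
    }
}

# 2. Infrastructure Master on a GC is only harmless in a single-domain forest (or when every DC is a GC,
#    since then no DC holds the cross-domain phantom references the IM exists to refresh).
$imDc     = Get-ADDomainController -Identity $domain.InfrastructureMaster
$allDcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$allAreGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imDc.IsGlobalCatalog -and $forest.Domains.Count -gt 1 -and -not $allAreGc) {
    $findings += "Infrastructure Master $($imDc.HostName) is a GC in a multi-domain forest where not every DC is a GC"
}

# 3. The post recommends placing the RID Master on the PDC Emulator.
if ($domain.RIDMaster -ne $domain.PDCEmulator) {
    $findings += "RID Master ($($domain.RIDMaster)) is not on the PDC Emulator ($($domain.PDCEmulator))"
}

# 4. The PDC Emulator is the domain's time source; it should not be free-running on its own CMOS clock.
$timeSource = (w32tm /query /source "/computer:$($domain.PDCEmulator)") -join ' '
if ($timeSource -match 'Local CMOS Clock|Free-running') {
    $findings += "PDC Emulator $($domain.PDCEmulator) time source is '$timeSource'; point it at an external NTP source"
}

if ($findings) { "FINDINGS:"; $findings | ForEach-Object { " - $_" } } else { "No placement findings." }
```

Running this after any seize is also the quickest way to confirm that the directory now reports the new holder, and that the old server no longer appears as a role owner.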

Q: How do I seize a role?
A: Open CMD and run NTDSUTIL, then at the ntdsutil prompt type:
ntdsutil: roles
You will need to connect to the server you want to work with; usually it will be the same server you want to seize the role to. To connect to the server we use the connections command, then:
connect to server <ServerName>
where <ServerName> is the new Schema Master server. Once you are connected, type quit or simply q.
Now use the command: seize <role>

You can get a list of roles that you can seize using the help command.
You will get a message stating that you are about to seize the role; press Yes.
When seizing, NTDSUTIL will attempt a safe transfer first; if that fails, it will seize the role.
Again: once you seize the role, the old server should never be brought up again.
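The same procedure can be done with the ActiveDirectory module, which makes the transfer-first-then-seize order explicit. This is an added example, not code from the original post: it records the current holder, attempts a graceful transfer, and only seizes (with `-Force`) after an explicit confirmation, matching the post's advice to treat seizing as a last resort. It assumes RSAT, membership in the groups the post names (Schema Admins for the schema role, Domain Admins or Enterprise Admins for the others), and the placeholder values `DC02.corp.example` and `SchemaMaster`, which you replace for your own environment.

```powershell
# Added example (not part of the original post). Placeholders below must be replaced before use.
Import-Module ActiveDirectory

$newHolder = 'DC02.corp.example'   # placeholder: the DC that should hold the role
$role      = 'SchemaMaster'        # one of: SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# ntdsutil equivalents of the role names above, for comparison with the post's procedure:
#   seize schema master | seize naming master | seize PDC | seize RID master | seize infrastructure master

function Get-RoleHolder([string]$Role) {
    # Forest roles live on the forest object, domain roles on the domain object.
    if ($Role -in 'SchemaMaster', 'DomainNamingMaster') { (Get-ADForest).$Role } else { (Get-ADDomain).$Role }
}

"Current $role holder: $(Get-RoleHolder $role)"

# Step 1: graceful transfer. Without -Force the cmdlet fails instead of seizing when the
# current holder cannot be contacted, so a reachable holder is never seized by accident.
try {
    Move-ADDirectoryServerOperationMasterRole -Identity $newHolder -OperationMasterRole $role -Confirm:$false -ErrorAction Stop
    "Transferred $role to $newHolder"
}
catch {
    Write-Warning "Transfer failed: $($_.Exception.Message)"
    # Step 2: seize only as a last resort, as the post advises for ntdsutil. After a seize the old
    # holder must never be brought back online with the role.
    $answer = Read-Host "Seize $role on $newHolder? Type YES to proceed"
    if ($answer -ceq 'YES') {
        Move-ADDirectoryServerOperationMasterRole -Identity $newHolder -OperationMasterRole $role -Force -Confirm:$false
        "Seized $role on $newHolder"
    }
    else {
        "Seize cancelled; $role still reported on $(Get-RoleHolder $role)"
    }
}

"New $role holder: $(Get-RoleHolder $role)"
```

Re-read the holder afterwards from more than one DC: until replication has converged, a DC that has not yet received the change will still report the old server.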

Also I would recommend reading these:
FSMO placement:
How SIDs work:
