Flexible single master operation

Last updated November 17, 2023

Flexible Single Master Operations (FSMO, F is sometimes "floating"; pronounced Fiz-mo), or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD).^[1] As of 2005, the term FSMO has been deprecated in favour of operations masters.^{[ citation needed ]}^[2]

FSMO is a specialized domain controller (DC) set of tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication and are viable only with a single-master database are the FSMOs.^[3]

FSMO roles

Per-domain roles

These roles are applicable at the domain level (i.e., there is one of each for every domain in a forest):

The PDC Emulator (Primary Domain Controller) - This role is the most used of all FSMO roles and has the widest range of functions. The domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0 BDCs are still present. This is because the PDC Emulator role emulates the functions of a Windows NT 4.0 PDC. Even if all Windows NT 4.0 domain controllers have been migrated to Windows 2000 or later, the domain controller that holds the PDC Emulator role still does a lot. The PDC Emulator is the domain source for time synchronization for all other domain controllers; in a multi-domain forest, the PDC Emulator in each domain synchronizes to the forest root PDC Emulator. All other domain member computers synchronize to their respective domain controllers.^[4] It is critically important that computer clocks are synchronized across the forest because excessive clock skew causes Kerberos authentication to fail. In addition, all password changes occur on the PDC Emulator and receive priority replication.^[5]
The RID Master - (Relative ID) This FSMO role owner is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for moving an object from one domain to another during an interdomain object move. When a DC creates a security principal object such as a user or group, it attaches a unique SID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID Master FSMO role owner, the RID Master FSMO role owner responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.
The Infrastructure Master - The purpose of this role is to ensure that cross-domain object references are correctly handled. For example, if a user from one domain is added to a security group from a different domain, the Infrastructure Master makes sure this is done properly. However, if the Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed. This applies to the domain partition (default naming context) only. netdom query fsmo and ntdsutil will only query the domain partition. However, every application partition, including Forest and Domain-level DNS domain zones has its own Infrastructure Master. The holder of this role is stored in the fSMORoleOwner attribute of the Infrastructure object in the root of the partition, it can be modified with ADSIEdit, for example one can modify the fSMORoleOwner attribute of the CN=Infrastructure,DC=DomainDnsZones,DC=yourdomain,DC=tld object to CN=NTDSSettings,CN=Name_of_DC,CN=Servers,CN=DRSite,CN=Sites,CN=Configuration,DC=Yourdomain,DC=TLD.^[6]

Per-forest roles

These roles are unique at the forest level (both are located in the forest root domain):

The Schema Master - The purpose of this role is to replicate schema changes to all other domain controllers in the forest. Since the schema of Active Directory is rarely changed, however, the Schema Master role will rarely do any work. This role is typically involved in the deployment of Exchange Server and Skype for Business Server, as well as domain controllers from one version to another version, as all of these situations involve making changes to the Active Directory schema.
The Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role also resides in the forest root domain. The Domain Naming Master role processes all changes to the namespace, for example adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires that this role be available. Failure of this role to function correctly can prevent the addition of a new child domain or new domain tree.

Moving FSMO roles between domain controllers

By default AD assigns all operations master roles to the first DC created in a forest. To provide fault tolerance, there should be multiple domain controllers available within each domain of the Forest. If new domains are created in the forest, the first DC in a new domain holds all of the domain-wide FSMO roles. This is not a satisfactory position if the domain has a large number of domain controllers. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Naming Master should also be on the same DC.

When a FSMO role is transferred to a different DC, the original FSMO holder and the new FSMO holder communicate to ensure no data is lost during the transfer. If the original FSMO holder experienced an unrecoverable failure, another DC can be made to "seize" the lost roles; however, there is a risk of data loss because of the lack of communications. Seizing roles from a domain controller instead of transferring it prevents that domain controller from hosting that FSMO role again, except for the PDC Emulator and Infrastructure Master Operation roles. Corruption can occur within Active Directory. FSMO roles can be easily moved between DCs using the AD snap-ins to the MMC or using ntdsutil , which is a command line-based tool.^[7]

FSMO Roles and Global Catalog

Certain FSMO roles depend on the DC being a Global Catalog (GC) server as well. When a Forest is initially created, the first Domain Controller is a Global Catalog server by default. The Global Catalog provides several functions. The GC stores object data information, manages queries of these data objects and their attributes as well as provides data to allow network logon.

Often all domain controllers are also global catalog servers. If this is not the case, the Infrastructure Master role must not be housed on a domain controller which also houses a copy of the global catalog in a multi-domain forest, as the combination of these two roles on the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain environment.^[8]^[9] However, The Domain Naming Master role should be housed on a DC which is also a GC.

Related Research Articles

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and designed for businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was officially released to retail on February 17, 2000 and September 26, 2000 for Windows 2000 Datacenter Server. It was Microsoft's business operating system until the introduction of Windows XP Professional in 2001.

In computing, a directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.

On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests within a Windows domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy allows Group Policy Object management without Active Directory on standalone computers.

Distributed File System (DFS) is a set of client and server services that allow an organization using Microsoft Windows servers to organize many distributed SMB file shares into a distributed file system. DFS has two components to its service: Location transparency and Redundancy. Together, these components enable data availability in the case of failure or heavy load by allowing shares in multiple different locations to be logically grouped under one folder, the "DFS root".

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing Lightweight Directory Access Protocol (LDAP) directory content and update requests. LDIF conveys directory content as a set of records, one record for each object. It also represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record for each update request.

Windows Server 2008, codenamed "Longhorn Server", is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on February 27, 2008. Derived from Windows Vista, Windows Server 2008 is the successor of Windows Server 2003 and the predecessor to Windows Server 2008 R2.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

AGDLP briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP and AGLP summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.

Inter-domain routing is data flow control and interaction between Primary Domain Controller (PDC) computers. This type of computer uses various computer protocols and services to operate. It is most commonly used to multicast between internet domains.

In the context of the Microsoft Windows NT line of computer operating systems, the relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain. The Relative ID Master allocates security RIDs to Domain Controllers to assign to new Active Directory security principals. It also manages objects moving between domains.

Browser service or Computer Browser Service is a feature of Microsoft Windows to let users easily browse and locate shared resources in neighboring computers. This is done by aggregating the information in a single computer "Browse Master". All other computers contact this computer for information and display in the Network Neighborhood window.

Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures prerequisites and components required for the connection, including synchronization scheduling and authentication methods. Azure AD Connect encompasses functionality that was previously released as Dirsync and AAD Sync. These tools are no longer being released individually, and all future improvements will be included in updates to Azure AD Connect.

Active Directory naming context (NC) or directory partition, is a logical portion of the Microsoft's Active Directory (AD).

A domain controller (DC) is a server that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain. It is most commonly implemented in Microsoft Windows environments, where it is the centerpiece of the Windows Active Directory service. However, non-Windows domain controllers can be established via identity management software such as Samba and Red Hat FreeIPA.

References

↑ "Understanding FSMO Roles in Active Directory - Petri". petri.co.il. 8 January 2009. Archived from the original on 20 August 2011. Retrieved 22 July 2016.
↑ "Transfer or seize Operation Master roles in Active Directory Domain Services". 2023-06-15.
↑ "Windows 2000 Active Directory FSMO roles". Microsoft Corporation. 2007-02-23. To prevent conflicting updates in Windows 2000, the Active Directory performs updates to certain objects in a single-master fashion. [...] Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.
↑ "Time Service Configuration on DC with PDC Emulator FSMO Role - TechNet Articles - United States (English) - TechNet Wiki". microsoft.com. Retrieved 22 July 2016.
↑ "[MS-ADTS]: PDC Emulator FSMO Role". microsoft.com. Retrieved 22 July 2016.
↑ "TechNet: ForestDNSZones and DomainDNSZones have wrong infrastructure role record". Archived from the original on 2018-01-12. Retrieved 2018-01-12.
↑ "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller". support.microsoft.com. Retrieved 2017-01-18.
↑ "Phantoms, tombstones and the infrastructure master". support.microsoft.com. Retrieved 2017-01-18.
↑ "FSMO placement and optimization on Active Directory domain controllers". support.microsoft.com. Retrieved 2017-01-18.

External links

"6.1.5.3 RID Master FSMO Role". [MS-ADTS]: Active Directory Technical Specification. Microsoft. 30 March 2020.
"How to view and transfer FSMO roles in Windows Server 2003". Support. Microsoft. 11 September 2011.
Tulloch, Mitch (15 March 2005). "How to view and transfer FSMO roles in Windows Server 2003". WindowsNetworking.com. TechGenix.
"Transferring FSMO Roles in Windows Server 2008". TechNetWiki. Microsoft.
Arik, Ertugrul (23 December 2014). "How to determine the fsmo role holder (fsmoRoleOwner attribute)". Active Directory Coding.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Understanding FSMO Roles in Active Directory - Petri". petri.co.il. 8 January 2009. Archived from the original on 20 August 2011. Retrieved 22 July 2016.

[2] "Transfer or seize Operation Master roles in Active Directory Domain Services". 2023-06-15.

[3] "Windows 2000 Active Directory FSMO roles". Microsoft Corporation. 2007-02-23. To prevent conflicting updates in Windows 2000, the Active Directory performs updates to certain objects in a single-master fashion. [...] Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.

[4] "Time Service Configuration on DC with PDC Emulator FSMO Role - TechNet Articles - United States (English) - TechNet Wiki". microsoft.com. Retrieved 22 July 2016.

[5] "[MS-ADTS]: PDC Emulator FSMO Role". microsoft.com. Retrieved 22 July 2016.

[6] "TechNet: ForestDNSZones and DomainDNSZones have wrong infrastructure role record". Archived from the original on 2018-01-12. Retrieved 2018-01-12.

[7] "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller". support.microsoft.com. Retrieved 2017-01-18.

[8] "Phantoms, tombstones and the infrastructure master". support.microsoft.com. Retrieved 2017-01-18.

[9] "FSMO placement and optimization on Active Directory domain controllers". support.microsoft.com. Retrieved 2017-01-18.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]