Flexible single master operation


Flexible Single Master Operations (FSMO, F is sometimes "floating"; pronounced Fiz-mo), or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD). [1] As of 2005, the term FSMO has been deprecated in favour of operations masters. [2]


FSMO is a set of specialized domain controller (DC) tasks, used where the standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each holding a copy of the AD database, kept synchronized by multi-master replication. The tasks which are not suited to multi-master replication and are viable only with a single-master database are the FSMOs. [3]

FSMO roles

Per-domain roles

These roles are applicable at the domain level (i.e., there is one of each for every domain in a forest):

Per-forest roles

These roles are unique at the forest level (both are located in the forest root domain):

Moving FSMO roles between domain controllers

By default, AD assigns all operations master roles to the first DC created in a forest. To provide fault tolerance, there should be multiple domain controllers available within each domain of the forest. If new domains are created in the forest, the first DC in a new domain holds all of the domain-wide FSMO roles. This is not a satisfactory arrangement if the domain has a large number of domain controllers. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Naming Master should also be on the same DC.

When an FSMO role is transferred to a different DC, the original FSMO holder and the new FSMO holder communicate to ensure no data is lost during the transfer. If the original FSMO holder experienced an unrecoverable failure, another DC can be made to "seize" the lost roles; however, there is a risk of data loss because of the lack of communication. Seizing roles from a domain controller instead of transferring them prevents that domain controller from hosting those FSMO roles again, except for the PDC Emulator and Infrastructure Master roles; if the former holder is brought back online after a seizure, corruption can occur within Active Directory. FSMO roles can be easily moved between DCs using the AD snap-ins for the MMC or using ntdsutil, which is a command line-based tool. [7]

FSMO Roles and Global Catalog

Certain FSMO roles depend on the DC also being a Global Catalog (GC) server. When a forest is initially created, the first domain controller is a Global Catalog server by default. The Global Catalog provides several functions: it stores object data, answers queries about these objects and their attributes, and provides the data needed for network logon.

Often all domain controllers are also global catalog servers. If this is not the case, the Infrastructure Master role must not be housed on a domain controller which also holds a copy of the global catalog in a multi-domain forest, as the combination of these two roles on the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain environment. [8] [9] However, the Domain Naming Master role should be housed on a DC which is also a GC.
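A read-only placement audit that applies the rules from this section and the previous one (PDC Emulator with RID Master, Schema Master with Domain Naming Master, Domain Naming Master on a GC, Infrastructure Master off the GC when not every DC is a GC in a multi-domain forest). This is an added example, not code from the article or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and the account running it can read forest and domain objects.

```powershell
# Added example: audit operations master placement against the guidance above.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
# It only reports; it never transfers or seizes a role.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$gcs      = @($forest.GlobalCatalogs)          # FQDNs of every GC in the forest
$findings = New-Object System.Collections.Generic.List[string]

# Forest-wide roles: both should sit on the same DC, and that DC should be a GC.
"Schema Master        : $($forest.SchemaMaster)"
"Domain Naming Master : $($forest.DomainNamingMaster)"
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings.Add("Schema Master and Domain Naming Master are on different DCs")
}
if ($gcs -notcontains $forest.DomainNamingMaster) {
    $findings.Add("Domain Naming Master $($forest.DomainNamingMaster) is not a Global Catalog")
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $allGc  = (@($dcs | Where-Object { -not $_.IsGlobalCatalog })).Count -eq 0

    "[$domainName] PDC Emulator          : $($domain.PDCEmulator)"
    "[$domainName] RID Master            : $($domain.RIDMaster)"
    "[$domainName] Infrastructure Master : $($domain.InfrastructureMaster)"

    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings.Add("[$domainName] PDC Emulator and RID Master are on different DCs")
    }
    # The damaging combination: Infrastructure Master on a GC, in a multi-domain
    # forest, while some DCs in the domain are not GCs.
    if ($forest.Domains.Count -gt 1 -and -not $allGc -and
        $gcs -contains $domain.InfrastructureMaster) {
        $findings.Add("[$domainName] Infrastructure Master $($domain.InfrastructureMaster) is a GC while not every DC in the domain is a GC")
    }
}

if ($findings.Count -eq 0) {
    "No placement findings."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}

# To fix a finding, transfer rather than seize, for example:
#   Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole PDCEmulator,RIDMaster
# (-Force performs a seizure and is only for a holder that is permanently gone.)
```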


References

  1. "Understanding FSMO Roles in Active Directory - Petri". petri.co.il. 8 January 2009. Archived from the original on 20 August 2011. Retrieved 22 July 2016.
  2. "Transfer or seize Operation Master roles in Active Directory Domain Services". 15 June 2023.
  3. "Windows 2000 Active Directory FSMO roles". Microsoft Corporation. 23 February 2007. To prevent conflicting updates in Windows 2000, the Active Directory performs updates to certain objects in a single-master fashion. [...] Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.
  4. "Time Service Configuration on DC with PDC Emulator FSMO Role - TechNet Articles - United States (English) - TechNet Wiki". microsoft.com. Retrieved 22 July 2016.
  5. "[MS-ADTS]: PDC Emulator FSMO Role". microsoft.com. Retrieved 22 July 2016.
  6. "TechNet: ForestDNSZones and DomainDNSZones have wrong infrastructure role record". Archived from the original on 12 January 2018. Retrieved 12 January 2018.
  7. "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller". support.microsoft.com. Retrieved 18 January 2017.
  8. "Phantoms, tombstones and the infrastructure master". support.microsoft.com. Retrieved 18 January 2017.
  9. "FSMO placement and optimization on Active Directory domain controllers". support.microsoft.com. Retrieved 18 January 2017.