Friday, February 13, 2015

FSMO Roles - Flexible Single Master Operation

FSMO-Flexible single master operation

By default, when a new domain is created in the forest, the first domain holds these five roles.

SCHEMA MASTER and DOMAIN NAMING MASTER are forest-wide roles.
These two roles will be available on one DC in the forest.

SCHEMA MASTER
  •  Admins cannot add, modify or extend the schema
  •  Some software, such as Exchange Server and SCCM, will extend the schema to fit more information
  •  Changes made to the schema cannot be reversed
  •  A schema master role failure can be identified only when we try to update or extend the schema

DOMAIN NAMING MASTER
  •  This role supports adding or removing a domain in the forest
  •  When a new domain is created, this role is responsible for verifying whether the name is already present in the forest

RID (Relative Identifier) MASTER
  •  This role allocates the RID pool
  •  Every object in Active Directory has a SID (Security Identifier)
  •  A SID is a unique number which Active Directory uses to identify the object
  •  When the display name is changed for a user, this change does not affect the SID; Windows displays the name associated with the SID
  •  The SID is lost if the user or object is deleted
  •  The SID will not change if there are two users with the same name
  •  SID numbers contain RIDs, which are allotted by the RID master
  •  Domains ask for more RIDs from the RID master before they run out
  •  If the RID master is down, it will not affect your organisation; no new objects will be created in Active Directory


PDC Emulator - Primary Domain Controller Emulator
Time Sync:-
  •  This role is responsible for keeping the time accurate in the domain
  •  The other domain controllers sync their time with the DC which holds the PDC emulator role
For this reason, the clock on the PDC emulator should be accurate
Password Changing:-
  •  When a password is changed in the domain, the password is replicated to the PDC using urgent replication
  •  When an incorrect password is given to a domain controller, the domain contacts the PDC; the PDC has the final authority to say whether the user is allowed or not

DFS Changes:-
  •  If you are using the Distributed File System (DFS), the PDC helps keep DFS updated and consistent
  •  When changes are made to DFS, these changes are made on the PDC emulator
  •  This can be disabled, so that the PDC is not required for DFS changes
Group Policy:-
  •  When you modify Group Policy, the Group Policy editor automatically defaults to the PDC emulator and makes the changes there


INFRASTRUCTURE MASTER
  •  It tracks object moves, renames and deletes
  •  It also updates multi-domain references in Active Directory when changes occur. When the infrastructure master finds a change in the domain, it refers to the global catalog, which is always up to date. Since the infrastructure master thinks the change has already been made, it will not notify other domain controllers that the change occurred.
  •  To fix the problem, ensure that all DCs are global catalog servers, or that the DC which holds the infrastructure master role is not a GC server
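
The role placement described above can be checked from PowerShell. The following is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed on a domain-joined machine, and it only reads from the directory.

```powershell
# Added example: read-only FSMO inventory plus the infrastructure master / GC check.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)   # DCs of the current domain

# The two forest-wide roles followed by the three domain-wide roles.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holder = $_.Value } } |
    Format-Table -AutoSize

# Placement rule from the text: either every DC is a GC,
# or the DC holding the infrastructure master role is not a GC.
$nonGc    = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imHolder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

if ($nonGc.Count -eq 0) {
    Write-Output "OK: all $($dcs.Count) DCs are global catalog servers."
}
elseif (-not $imHolder) {
    Write-Warning "Could not match $($domain.InfrastructureMaster) to a DC; check it manually."
}
elseif ($imHolder.IsGlobalCatalog) {
    Write-Warning ("Infrastructure master $($imHolder.HostName) is a GC, " +
                   "but these DCs are not: $($nonGc.HostName -join ', ')")
}
else {
    Write-Output "OK: infrastructure master $($imHolder.HostName) is not a GC."
}
```

In a multi-domain forest, run it once per domain, since each domain has its own RID master, PDC emulator and infrastructure master.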
