- Active Directory Administration Cookbook
- Sander Berkouwer
- 2021-06-24 14:42:18
About FSMO roles
Active Directory uses the multi-master model, in which every domain controller is able to respond to client requests, including write requests. Compared to the old Windows NT 4 Server-style Primary Domain Controller (PDC) and Backup Domain Controller (BDC) model, where BDCs were read-only until one was promoted to become the single PDC, this model offers many benefits.
However, some tasks within Active Directory don't work well with the multi-master model. When designing Active Directory, Microsoft placed five roles outside of the model, labeled Flexible Single Master Operations (FSMO) roles, to prevent conflicting updates.
These roles can be flexibly assigned to domain controllers and seized when the domain controller holding a role fails. Each role provides single-master operations within its own scope. Hence the name FSMO role.
In every Active Directory environment there are five roles with two different scopes:
| FSMO role | Scope |
|---|---|
| Schema Master | Forest |
| Domain Naming Master | Forest |
| PDC Emulator (PDCe) | Domain |
| RID Master | Domain |
| Infrastructure Master | Domain |
In a forest with multiple domains, the FSMO roles with the domain scope are present once per domain, whereas the two forest-scoped FSMO roles exist only once in the entire forest.
The responsibilities of each of these FSMO roles can best be described as follows:
- Domain Naming Master: The domain controller holding the Domain Naming Master FSMO role is responsible for changes to the forest-wide domain namespaces. The domain controller with this FSMO role is the only domain controller that can add and remove domains to and from the forest.
- Schema Master: The domain controller holding the Schema Master FSMO role is responsible for changes to the schema partition. The domain controller with this FSMO role is the only domain controller that can make changes to the Active Directory schema. It is the source of authority for replicating schema changes.
- PDCe: The domain controller acting as the PDC emulator (PDCe) has many responsibilities in the Active Directory domain. It is the authority for time synchronization, for replicating password changes, and for resolving authentication errors caused by recently changed passwords through PDC chaining.
- RID Master: The domain controller holding the RID Master FSMO role is responsible for handing out pools of Relative Identifiers (RIDs) to all the other domain controllers in the domain (and to itself). These identifiers are used to create SIDs by appending them to the domain SID. Because SIDs are used to authorize access to resources, it is important that the same RID is never handed out to multiple accounts. Before a domain controller reaches the end of its RID pool, it asks the domain controller holding the RID Master FSMO role for a new RID pool. By default, a RID pool contains 500 RIDs.
- Infrastructure Master: The domain controller holding the Infrastructure Master FSMO role is responsible for updating objects in cross-domain object references.
When the Active Directory Recycle Bin optional feature is enabled, every domain controller becomes responsible for updating cross-domain object references. In that case, the Infrastructure Master FSMO role can be disregarded, along with all the placement advice concerning global catalog servers.
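To verify these facts against a live forest, the following PowerShell script (an added example, not code from the book) lists every FSMO role holder with its scope, so forest roles appear once and domain roles once per domain, and flags an Infrastructure Master that sits on a global catalog in a multi-domain forest where the Recycle Bin is still disabled and not every domain controller in that domain is a global catalog. It assumes the ActiveDirectory module from RSAT and read access to the forest; the function names are the author's own.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleReport {
    $forest = Get-ADForest
    $rows = @()
    # Forest-scoped roles: exactly one holder in the entire forest.
    $rows += [pscustomobject]@{ Scope='Forest'; Domain=$forest.RootDomain; Role='Schema Master';        Holder=$forest.SchemaMaster }
    $rows += [pscustomobject]@{ Scope='Forest'; Domain=$forest.RootDomain; Role='Domain Naming Master'; Holder=$forest.DomainNamingMaster }
    # Domain-scoped roles: one holder per domain in the forest.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $rows += [pscustomobject]@{ Scope='Domain'; Domain=$d.DNSRoot; Role='PDC Emulator';          Holder=$d.PDCEmulator }
        $rows += [pscustomobject]@{ Scope='Domain'; Domain=$d.DNSRoot; Role='RID Master';            Holder=$d.RIDMaster }
        $rows += [pscustomobject]@{ Scope='Domain'; Domain=$d.DNSRoot; Role='Infrastructure Master'; Holder=$d.InfrastructureMaster }
    }
    return $rows
}

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    # The Recycle Bin is a forest-wide optional feature; EnabledScopes is empty until it is enabled.
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    $recycleBinEnabled = ($feature.EnabledScopes.Count -gt 0)
    $findings = @()
    # With the Recycle Bin on, or in a single-domain forest, the placement advice does not apply.
    if ($recycleBinEnabled -or $forest.Domains.Count -lt 2) { return $findings }
    foreach ($name in $forest.Domains) {
        $d   = Get-ADDomain -Identity $name
        $im  = Get-ADDomainController -Identity $d.InfrastructureMaster
        $dcs = Get-ADDomainController -Filter * -Server $d.DNSRoot
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        # Flag only when the holder is a GC and some DC in the domain is not a GC.
        if ($im.IsGlobalCatalog -and -not $allGc) {
            $findings += [pscustomobject]@{
                Domain  = $d.DNSRoot
                Holder  = $im.HostName
                Issue   = 'Infrastructure Master on a GC while other DCs are not GCs and the Recycle Bin is disabled'
            }
        }
    }
    return $findings
}

Get-FsmoRoleReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```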