Wednesday, March 23, 2011

FSMO - flexible single master operation - explained

Forest-wide roles
1) Schema Master
2) Domain naming master
Domain-Wide Roles
1) Relative Identifier master
2) PDC Emulator
3) Infrastructure Master

Schema master:

                Schema master is a forest-wide operation master role because it contains the master list of objects classes and attributes that are used to create all active directory objects, for example users, computers and printers. Domain controller that holds the schema master role is the only domain controller that can perform write operation to the directory schema. The objects updates are replicated from the schema operation master to all other domain controller in the forest.
Domain Naming Master
                Domain naming master is a forest-wide operation master role. It manages the addition or remove of all directory partition regardless of domain in the forest hierarchy. The domain naming master can perform the below operation.


"Add or remove-reference objects"
"Add or remove domains"
"Add or remove application directory partitions"
"Validate domain rename instructions"

Add or remove-reference objects
                If we install Active directory, the first domain controller in a new forest, the schema, configuration and directory partition will create on the domain controller. At this time, a cross-reference object (class crossRef) will be created for each directory partition. A cross-reference object identifies the name and server location of each directory partition in the forest domain. If the domain naming master is not working, then we cannot add or remove cross-reference objects. Cross-reference object looks like (CN=partitions,CN=configuration,DC=forestrootdomain).
Add or Remove domains
                Domain naming master has the authority to add a new domain. It manages this process preventing the multiple domains from joining the forest with the same domain name. During active directory installation to create or delete a child domain, it will contacts the domain naming master and request the add or remove process. It only responsible to ensure that domain names are unique.
Add or remove application directory partitions

                Application directory partitions that can be created on domain controllers running windows server 2003 or later to provide LDAP storage for dynamic data. DNS creates and uses application directory partitions by default when it is installed in a forest with the domain controller that runs windows 2003 or later. DNS automatically created two default DNS application directory partition (ForestDnsZone & DomainDnsZones).

Validate domain rename instructions.
                When we use the domain rename tool, random.exe, to rename domain. It should be able to access the domain naming master.
Relative Identifier master
                RID master is a domain-wide operations master role. It only responsible for allocating the sequence of unique RIDs to each domain controller in its domain and all objects. It maintains a pool of RIDs to be used by domain controllers in its domain and providing group of RIDs to each domain controller when necessary. When we create a new domain controller is added to domain, the RID master allocates batch of approximately 500 RIDS from the domain RID pool to that domain controller. Whenever create a new security principal is created on the domain controller, the domain controller draws from its local pool of RIDs and assign to new object.


PDC Emulator
                It acts as a Windows NT PDC in domains that contains client computers operating without AD client software or Windows NT backup domain controllers (BDC). In addition, the PDC emulator processes password changes from clients and replicates that updates to the Windows NT BDC. If logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
Infrastructure Master
                Infrastructure master responsible for updating object reference in its domain that point to the object in another domain. It updates object reference locally and uses replication to bring all other replicas of the domain up to date. The object reference contains the objects globally unique identifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object.

1 comment:

shalini said...

Very happy to see your blogs, I really gets motivate to read your blogs and agree with your point of view. Thank you for sharing. Welcome to look at my website and blog articles.