FSMO Roles
What are FSMO roles? According to Microsoft:
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, “the last writer wins”), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the “last writer wins” approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows incorporates methods to prevent conflicting Active Directory updates from occurring.
To prevent conflicting updates in Windows, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 3.51 and 4.0), in which the PDC is responsible for processing all updates in a given domain.
Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.
In essence, FSMO roles are vital functions of an Active Directory domain, overseen by a single domain controller. The term “Flexible” in Flexible Single Master Operation (FSMO) indicates that in the event of a failure, the lost FSMO roles could easily be transferred to another domain controller without any major impacts.
There are five FSMO roles in an Active Directory domain:
- Schema master
- Domain naming master
- RID master
- PDC emulator
- Infrastructure master
Determining Role Masters
To view which Domain Controller currently holds each FSMO role, run the following command:
PS C:\Windows\system32> netdom query fsmo
Schema master DC1.ad.twobyte.blog
Domain naming master DC1.ad.twobyte.blog
PDC DC1.ad.twobyte.blog
RID pool manager DC1.ad.twobyte.blog
Infrastructure master DC1.ad.twobyte.blog
The command completed successfully.
Typically, in a small Active Directory environment you'll see one Domain Controller holding all of the FSMO roles. This is usually the DC running on the most reliable hardware or situated in the safest location.
Moving FSMO Role(s)
To move an FSMO role, use the Move-ADDirectoryServerOperationMasterRole cmdlet. Below is an example of moving each role from one server to another.
Typically this is performed after hours in case of issues, but it can be done during business hours as it is not user-impacting (unless a problem occurs).
# Move the RID Master:
Move-ADDirectoryServerOperationMasterRole -Identity "[SERVER NETBIOS NAME]" -OperationMasterRole RIDMaster
# Move the PDC Emulator:
Move-ADDirectoryServerOperationMasterRole -Identity "[SERVER NETBIOS NAME]" -OperationMasterRole PDCEmulator
# Move the Infrastructure Master:
Move-ADDirectoryServerOperationMasterRole -Identity "[SERVER NETBIOS NAME]" -OperationMasterRole InfrastructureMaster
# Move the Schema Master:
Move-ADDirectoryServerOperationMasterRole -Identity "[SERVER NETBIOS NAME]" -OperationMasterRole SchemaMaster
# Move the Domain Naming Master:
Move-ADDirectoryServerOperationMasterRole -Identity "[SERVER NETBIOS NAME]" -OperationMasterRole DomainNamingMaster
Alternatively, all or a subset of the roles can be moved at once if that's preferred.
Move-ADDirectoryServerOperationMasterRole -Identity "[SERVER NETBIOS NAME]" -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster, SchemaMaster, DomainNamingMaster
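The following script is an added example (not from the original post) that ties the two steps above together: it reads the current role holders with Get-ADForest and Get-ADDomain, compares them against an expected baseline so an unexpected holder is reported rather than assumed, and wraps the transfer so the new holder is verified after the move. The server names are constructed placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Compare-FsmoBaseline {
    # Emits one object per role whose current holder differs from the expected baseline.
    param([Parameter(Mandatory)][hashtable]$Expected)
    $actual = Get-FsmoRoleHolders
    foreach ($role in $Expected.Keys) {
        if ($actual[$role] -ne $Expected[$role]) {
            [pscustomobject]@{ Role = $role; Expected = $Expected[$role]; Actual = $actual[$role] }
        }
    }
}

function Move-FsmoRoleChecked {
    # Transfers the given roles only if the target resolves as a DC, then re-reads the
    # holders instead of trusting the cmdlet alone.
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string[]]$Roles
    )
    $dc = Get-ADDomainController -Identity $Target -ErrorAction Stop
    Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Roles -Confirm:$false
    $after = Get-FsmoRoleHolders
    foreach ($role in $Roles) {
        if ($after[$role] -ne $dc.HostName) {
            throw "Role $role is held by $($after[$role]), not $($dc.HostName)"
        }
    }
}

# Constructed baseline: every role on DC1, matching the netdom output shown earlier.
$baseline = @{
    SchemaMaster = 'DC1.ad.twobyte.blog'; DomainNamingMaster   = 'DC1.ad.twobyte.blog'
    PDCEmulator  = 'DC1.ad.twobyte.blog'; RIDMaster            = 'DC1.ad.twobyte.blog'
    InfrastructureMaster = 'DC1.ad.twobyte.blog'
}
$drift = Compare-FsmoBaseline -Expected $baseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'All FSMO roles are held by the expected DCs.' }
```

Run the comparison on a schedule from a monitoring host: a role holder that changes outside a planned move is worth investigating, since the transfer requires high-privilege credentials.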