Operation Master Roles AD
Flexible single master operation (FSMO)
Flexible single master operation (FSMO), also called single master operation or operations master, is a feature of Microsoft's Active Directory (AD). Since around 2005 Microsoft has deprecated the term FSMO in favour of "operations masters", although administrators and most tooling still speak of FSMO roles.
FSMOs are specialised domain controller (DC) tasks, used where the standard update path is inadequate. AD normally relies on multiple peer DCs, each holding a copy of the AD database and kept in step by multi-master replication. A few operations are not safe under multi-master replication, because two DCs could make conflicting changes that replication cannot reconcile (for example handing out the same RID twice, or changing the schema in two places at once). Those operations are viable only with a single master, so each of them is assigned to exactly one DC at a time.
Forest-wide FSMO Roles:
- Schema Master, which is the only DC allowed to write modifications to the AD schema; the changes then replicate to every other DC in the forest.
- Domain Naming Master, which controls adding and removing domains (and application directory partitions) in the forest, and some rename operations on them.
Domain-wide FSMO Roles:
- Relative ID (RID) Master, which allocates pools of RIDs to the DCs of its domain; each DC uses its pool to build the SIDs of new security principals (users, groups and computer objects). It is also involved when an object is moved between domains, so that the same object cannot end up in two domains at once.
- Infrastructure Master, which keeps the SIDs, GUIDs and distinguished names of objects referenced from other domains (the "phantom" records) up to date. Most commonly it updates group memberships that reference users from another domain.
- PDC Emulator, which emulates a Windows NT Primary Domain Controller (PDC) for down-level clients and BDCs. It is also the DC to which password changes are replicated first and which other DCs consult before rejecting a bad password or locking out an account, and it is the authoritative time source for its domain (the PDC emulator of the forest root domain sits at the top of the forest time hierarchy).
FSMO roles can be moved between DCs with the AD MMC snap-ins (Active Directory Users and Computers for the three domain roles, Active Directory Domains and Trusts for the domain naming master, Active Directory Schema for the schema master), with the command-line tool ntdsutil, or with the ActiveDirectory PowerShell module's Move-ADDirectoryServerOperationMasterRole cmdlet.
Some may include domain controllers holding a global catalog (GC) in this group as well, and certain FSMO roles depend on the GC. The infrastructure master must not be placed on a DC that also holds a GC in a multi-domain forest, unless every DC in that domain is also a GC: the GC already holds a copy of the cross-domain objects, so the infrastructure master finds nothing out of date and stops updating the phantoms used by every other DC. In a Windows 2000 forest the domain naming master had to be a GC; from Windows Server 2003 forest functional level that requirement is gone, although it is still common to place it on a GC. When a forest is initially created, the first DC is a GC by default. The GC holds a partial, read-only replica of every object in every domain of the forest (a defined subset of attributes), answers forest-wide queries on those attributes, and supplies universal group membership during network logon.
By default AD assigns all operations master roles to the first DC created. This is not a satisfactory position. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. If a role holder fails and cannot be recovered, another DC can "seize" the lost role (forcibly take it over), but the roles should be "transferred" to a surviving DC first whenever the current holder is still reachable. A DC that lost the schema, domain naming or RID master role to a seizure must never be brought back onto the network with its old directory database; it has to be rebuilt and its metadata cleaned, otherwise two DCs will believe they hold the same role.
The PDC emulator and the RID master should be on the same DC, if possible. The schema master and domain naming master should also be on the same DC. There should be at least two domain controllers available within each domain of the forest. Further to this, the infrastructure master role holder should not also be a global catalog server, as the combination of these two roles on the same host causes unexpected (and potentially damaging) behaviour in a multi-domain environment (see "Phantoms, Tombstones and the Infrastructure Master", Q248047).
Transferring or Seizing FSMO Roles
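The procedure described above (inventory the role holders, check the infrastructure master against the global catalog rule, transfer, and seize only as a last resort), written out as an added PowerShell example. This is not code from the original page; it assumes the ActiveDirectory module (RSAT or the AD DS role) is installed, that the session runs as a member of Domain Admins (Schema Admins and Enterprise Admins are needed for the two forest-wide roles), and that the DC name DC02 is a placeholder.

```powershell
# Added example, not from the original page. Assumptions: ActiveDirectory module present,
# sufficient group membership for the roles being moved, 'DC02' is a placeholder DC name.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # Forest-wide roles live on the forest object, domain-wide roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # Q248047 rule: in a multi-domain forest the IM must not be a GC unless every DC
    # in the domain is a GC, otherwise cross-domain references are never refreshed.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *
    $im     = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure master $($im.HostName) is a GC while other DCs are not; move the role or make every DC a GC."
        return $false
    }
    return $true
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]   $TargetDC,
        [Parameter(Mandatory)][string[]] $Role,     # SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
        [switch]                         $Seize
    )
    # Without -Force the cmdlet performs a clean transfer, which requires the current holder
    # to be online. With -Force it attempts a transfer and, if that fails, seizes the role.
    # Seize only when the old holder is gone for good; a seized schema, naming or RID master
    # must never be brought back with its old database (rebuild it and clean its metadata).
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

# Usage
Get-FsmoInventory
Test-InfrastructureMasterPlacement
# Keep PDC emulator and RID master together, as the guidance above recommends.
Move-FsmoRoles -TargetDC 'DC02' -Role PDCEmulator, RIDMaster
# Only after the original holder is confirmed permanently lost:
# Move-FsmoRoles -TargetDC 'DC02' -Role SchemaMaster, DomainNamingMaster -Seize

# The equivalent transfer with ntdsutil, the tool mentioned above (seize replaces transfer):
#   ntdsutil "roles" "connections" "connect to server DC02" "quit" "transfer pdc" "quit" "quit"
```

Run Get-FsmoInventory again afterwards on a second DC (Get-ADForest -Server / Get-ADDomain -Server) to confirm the change has replicated before touching the old holder.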
Creating a New AD Forest
There are a number of initialization operations that are performed when creating a new Active Directory forest and domain.
Those operations are specific to three cases:
- The first domain in the forest, which becomes the forest root domain
- The first DC in a forest
- The first DC in a domain
AD Architecture
The Active Directory database is exposed through several interfaces:
- LDAP, the network protocol used by clients, applications and administrative tools
- ADSI, the application programming interface used by scripts and programs
- REPL, the replication interface through which domain controllers exchange directory updates with one another
- SAM, which provides backwards-compatible access for Windows NT 4.0 clients and the NT account APIs
- MAPI (Messaging Application Programming Interface), which provides e-mail client access to the directory (address books)
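The LDAP and ADSI interfaces listed above can be used to read the operations master assignments directly from the directory, which also shows where AD actually stores them. This is an added PowerShell example, not code from the original page; it assumes a domain-joined machine and any authenticated account (the attributes involved are readable by default), and hard-codes no server or domain names.

```powershell
# Added example, not from the original page. Assumes a domain-joined session; uses only
# ADSI/LDAP, not the ActiveDirectory module.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Each role is recorded as the fSMORoleOwner attribute of one well-known object;
# the value is the distinguished name of the owner's NTDS Settings object.
$roleObjects = [ordered]@{
    PDCEmulator          = $domainNc
    RIDMaster            = 'CN=RID Manager$,CN=System,' + $domainNc
    InfrastructureMaster = 'CN=Infrastructure,' + $domainNc
    SchemaMaster         = $schemaNc
    DomainNamingMaster   = 'CN=Partitions,' + $configNc
}

function Get-FsmoOwnerFromLdap {
    foreach ($role in $roleObjects.Keys) {
        $owner = [string]([ADSI]"LDAP://$($roleObjects[$role])").fSMORoleOwner
        # If the role holder was deleted, the attribute points at a phantom whose DN
        # carries the "\0ADEL:<guid>" marker; the role then has no live owner and must
        # be seized rather than transferred.
        $orphaned = $owner -match '0ADEL:'
        $hostName = $null
        if (-not $orphaned) {
            # NTDS Settings sits directly under the server object; its dNSHostName names the DC.
            $server   = [ADSI]"LDAP://$($owner -replace '^CN=NTDS Settings,', '')"
            $hostName = [string]$server.dNSHostName
        }
        [pscustomobject]@{ Role = $role; Host = $hostName; Orphaned = $orphaned; OwnerDn = $owner }
    }
}

Get-FsmoOwnerFromLdap | Format-Table Role, Host, Orphaned -AutoSize
```

Because each DC answers from its own replica, running this against two different DCs (LDAP://DC02/RootDSE and so on) is a quick way to spot a role whose transfer or seizure has not yet replicated.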
AD Fragmentation
Database activity in the Active Directory causes fragmentation of NTDS.DIT. Online defragmentation is scheduled automatically as part of the garbage-collection process (every 12 hours by default) and is usually sufficient, but it can also be started manually with NTDSUTIL. As the Active Directory grows, NTDS.DIT is extended automatically. If information is deleted from the Active Directory, NTDS.DIT stays the same size: the freed pages are kept on the assumption that the directory will need the space again, and the online defragmentation reuses them but never returns them to the file system.
If a large amount of information has been deleted from the Active Directory, the unused space can be reclaimed with an offline defragmentation. This requires that the database be taken offline, either by restarting the server in Directory Services Restore Mode or, on Windows Server 2008 and later, by stopping the restartable Active Directory Domain Services (NTDS) service, after which NTDSUTIL writes a compacted copy of the database. The compacted copy replaces the original, the old transaction logs are deleted, and an integrity check is run before the directory is brought back online; the resulting NTDS.DIT is smaller. Take a system state backup before starting and keep the original file until the integrity check has passed.
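The offline defragmentation just described, as an added PowerShell example (not code from the original page). It assumes Windows Server 2008 or later, where stopping the NTDS service takes the database offline without a reboot into Directory Services Restore Mode, that the paths C:\Windows\NTDS\ntds.dit and C:\NTDSCompact are placeholders, and that it is run in an elevated session on the DC after a system state backup.

```powershell
# Added example, not from the original page. Assumptions: Server 2008+ (restartable AD DS),
# placeholder paths, elevated session, system state backup already taken.
$dbPath  = 'C:\Windows\NTDS\ntds.dit'
$ntdsDir = Split-Path $dbPath
$tempDir = 'C:\NTDSCompact'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

$before = (Get-Item $dbPath).Length
# The compacted copy is written beside the live file, so the target drive needs roughly
# the current database size free (rule of thumb: 110%).
$free = (Get-PSDrive -Name $tempDir.Substring(0, 1)).Free
if ($free -lt $before * 1.1) { throw "Not enough free space on $tempDir to compact a $before-byte database" }

# Stopping NTDS also stops its dependents (KDC, DNS, ...); clients fail over to other DCs.
Stop-Service -Name NTDS -Force
try {
    # Keep the original until the new file has passed its integrity check.
    Copy-Item -Path $dbPath -Destination (Join-Path $tempDir 'ntds.dit.bak')

    # Offline defragmentation: ntdsutil writes a new, compacted copy; the live file is untouched.
    ntdsutil "activate instance ntds" files "compact to $tempDir" quit quit
    $compacted = Join-Path $tempDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'ntdsutil did not produce a compacted database; see its output above' }

    # Swap the files in and drop the transaction logs, which belong to the old database.
    Copy-Item -Path $compacted -Destination $dbPath -Force
    Remove-Item -Path (Join-Path $ntdsDir '*.log')

    # Verify the new file before the directory goes back online.
    ntdsutil "activate instance ntds" files integrity quit quit
    if ($LASTEXITCODE -ne 0) { throw "integrity check failed ($LASTEXITCODE)" }
}
catch {
    Write-Warning "Offline defragmentation failed: $_ ; restoring the original database"
    Copy-Item -Path (Join-Path $tempDir 'ntds.dit.bak') -Destination $dbPath -Force
    throw
}
finally {
    Start-Service -Name NTDS
}

$after = (Get-Item $dbPath).Length
'{0:N0} -> {1:N0} bytes' -f $before, $after
```

After NTDS starts, check the Directory Service event log for the database mount events and confirm inbound and outbound replication with repadmin /showrepl before treating the DC as healthy again.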