FSMO ROLES AND IMPACT

What are FSMO Roles?
FSMO (Flexible Single Master Operations) roles are server roles in a forest. There are five types of FSMO roles:
1. Schema master
2. Domain naming master
3. RID master
4. PDC Emulator
5. Infrastructure master

1. Schema Master:
 
* Controls all updates and modifications to the schema. Once a schema update is complete, it is replicated from the schema master to all other DCs in the directory.
* To update the schema of a forest, you must have access to the schema master.
* There can be only one schema master in the whole forest.

2. Domain naming master:

Controls the addition or removal of domains in the forest.   
It can also add or remove cross references to domains in external directories.     
There can be only one domain naming master in the whole forest.

3. Infrastructure Master:

When an object in one domain is referenced by an object in another domain, the directory represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced.

The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). A GC holds a partial replica of every object in the forest, so an IM running on a GC never holds a stale reference to an object it does not have (a phantom) and therefore stops updating cross-domain object information.

As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.

4. Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object.

This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain.

The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

To verify the RID master, run: Dcdiag.exe /test:ridmanager /v
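The following PowerShell is an added example, not code from the original page: it lists the five role holders, performs the Infrastructure Master / Global Catalog placement check described in the note above, and runs the dcdiag RID manager test. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the function names are my own.

```powershell
# Added example (not from the original page): list the FSMO role holders,
# check the Infrastructure Master / Global Catalog placement, and run the
# dcdiag RID manager test. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster  # one per forest
        PDCEmulator          = $dom.PDCEmulator            # one per domain
        RIDMaster            = $dom.RIDMaster              # one per domain
        InfrastructureMaster = $dom.InfrastructureMaster   # one per domain
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom   = Get-ADDomain -Identity $Domain
    $im    = Get-ADDomainController -Identity $dom.InfrastructureMaster
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        # The GC holds a partial replica of every object, so the IM has no
        # phantoms to refresh and cross-domain references go stale.
        $msg = 'Infrastructure Master {0} is a Global Catalog while {1} DC(s) are not; cross-domain object references will not be updated.' -f $im.HostName, $nonGc.Count
        Write-Warning $msg
        return $false
    }
    # Either the IM is not a GC, or every DC is a GC (then nothing needs updating).
    Write-Host "Infrastructure Master placement OK: $($im.HostName)"
    return $true
}

Get-FsmoRoleHolder | Format-List
Test-InfrastructureMasterPlacement | Out-Null

# The page's own check: dcdiag's RID manager test, verbose.
& dcdiag.exe /test:ridmanager /v
```

Run it from any domain member with RSAT; the placement check returns $false (and writes a warning) only in the situation the note describes, an IM on a GC while some other DC in the domain is not a GC.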

RID pool exhaustion (Troubleshooting)

The total number of available RIDs is 2^30 – 1, which is roughly 1 billion. Although this number is huge, an old enterprise can run out of available RIDs, and in that case no new objects can be created. The conditions that lead to RID pool exhaustion are as follows:

  1. Once a RID is allocated to a new object, that RID cannot be used again, even if the object creation failed part way through.
  2. If a deleted DC computer object was restored, the DC could repeatedly request a new RID pool block because of a missing rIDSetReference attribute and, by itself, could use up the RID pool in about 24 months.
  3. Note: You can increase the size of the RID pool by editing the registry on each domain controller and changing the REG_DWORD value RID Block Size, located under HKLM\System\CurrentControlSet\Services\NTDS\RID
  4. For Windows Server 2012, the maximum RID pool block size is 15,000. Previously, the maximum was 10,000.

Solutions in Windows Server 2012

  1. RID Reuse pool – When object creation fails, the RID, instead of being leaked and lost, is placed in the Reuse pool.
    Because a DC checks the Reuse pool for available RIDs before taking a RID from its primary pool, the RID can be assigned to the next object created on that domain controller. Rebooting a domain controller clears its RID Reuse pool.
  2. Warning message – When 10 percent of the global address space is used, the RID master logs an informational event with a RID consumption warning. The RID master logs another RID consumption warning when 10 percent of the remainder is used, and so on, so that the RID consumption warnings become more frequent as more and more of the global space is depleted.
  3. Soft ceiling – The soft ceiling is reached when 90 percent of the available address space is used. Once it is reached, the RID master will not allocate any additional blocks of RIDs until the soft ceiling is removed. To remove the ceiling you have to use ldp.exe or ADSIEdit.
  4. Increasing RID pool size – If a domain's RID master and all other DCs are running Windows Server 2012, you can double the size of the RID pool by enabling SID compatibility. Enabling SID compatibility unlocks the 31st bit of the RID pool, which effectively raises the total number of RIDs available for a domain to 2^31 – 1, or approximately 2 billion objects. This setting can be configured from ADSIEdit.
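As an added, read-only audit (not code from the original page), the PowerShell below reads the domain's global RID counter and compares it with the 10 percent warning and 90 percent soft-ceiling thresholds listed above, lists each DC's rIDSetReferences so the restored-DC leak in cause 2 stands out, and reports the local RID Block Size setting. It assumes the ActiveDirectory module. Two names are not on the page and are my assumptions from the directory layout: the msDS-RIDPoolAllocationEnabled attribute on the RID Manager$ object (the value ADSIEdit/ldp.exe edits to lift the soft ceiling) and the "RID Values" subkey that actually holds RID Block Size.

```powershell
# Added example (not from the original page): audit RID consumption against
# the 10 % warning / 90 % soft-ceiling thresholds, list per-DC RID set
# references, and show the local RID Block Size override. Read-only.
Import-Module ActiveDirectory

function Get-RidPoolUsage {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom    = Get-ADDomain -Identity $Domain
    # Assumption: msDS-RIDPoolAllocationEnabled is the soft-ceiling switch (not on the page).
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($dom.DistinguishedName)" `
                 -Server $dom.RIDMaster -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'

    # rIDAvailablePool is a 64-bit counter: high 32 bits = size of the global
    # RID space (0x3FFFFFFF = 2^30-1, or 0x7FFFFFFF once SID compatibility
    # unlocks the 31st bit), low 32 bits = next RID the master will hand out.
    [int64]$pool  = $ridMgr.rIDAvailablePool
    [int64]$total = $pool -shr 32
    [int64]$next  = $pool - ($total -shl 32)
    $pctUsed = [math]::Round(100 * $next / $total, 2)

    $status = if ($pctUsed -ge 90)     { 'SOFT CEILING: RID master stops allocating blocks' }
              elseif ($pctUsed -ge 10) { 'WARNING: consumption warnings being logged' }
              else                     { 'OK' }

    [pscustomobject]@{
        Domain            = $dom.DNSRoot
        RIDMaster         = $dom.RIDMaster
        GlobalRidSpace    = $total
        NextRid           = $next
        PercentUsed       = $pctUsed
        SidCompat31Bit    = ($total -gt 0x3FFFFFFF)
        AllocationEnabled = $ridMgr.'msDS-RIDPoolAllocationEnabled'   # normally unset
        Status            = $status
    }
}

function Get-DcRidSetReference {
    # A DC whose computer object lost rIDSetReferences keeps requesting fresh
    # blocks (cause 2 above); list every DC so a missing reference stands out.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        $obj = Get-ADComputer -Identity $_.ComputerObjectDN -Properties rIDSetReferences -Server $Domain
        [pscustomobject]@{
            DC            = $_.HostName
            RidSetPresent = [bool]$obj.rIDSetReferences
            RidSetDN      = $obj.rIDSetReferences
        }
    }
}

function Get-LocalRidBlockSize {
    # Per-DC registry override for the allocation block size; the page's
    # "RID Block Size" value lives under the "RID Values" subkey (assumption).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values'
    $v = Get-ItemProperty -Path $key -Name 'RID Block Size' -ErrorAction SilentlyContinue
    if ($v) { $v.'RID Block Size' } else { 'not set (built-in default of 500)' }
}

Get-RidPoolUsage      | Format-List
Get-DcRidSetReference | Format-Table -AutoSize
"RID Block Size on this DC: $(Get-LocalRidBlockSize)"
```

Run Get-LocalRidBlockSize on each DC (it reads the local registry); the other two functions query the RID master and the domain and can run from any member with RSAT. A PercentUsed near 90 with AllocationEnabled showing FALSE is the soft-ceiling state described in item 3.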

5. PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source.

The PDC emulator role holder also performs the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPOs) is always done from the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.

FSMO FAILURE AND IMPACT

PDC Emulator failure

The PDC Emulator is the operations master that will have the most immediate impact on normal operations and on users if it becomes unavailable.

The PDC Emulator role can be seized to another domain controller and then transferred back to the original role holder when the system comes back online.

Infrastructure master failure

A failure of the infrastructure master will be noticeable to administrators but not to users.

Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected.

You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.

RID master failure

A failed RID master will eventually prevent domain controllers from creating new SIDs and, therefore, will prevent you from creating new accounts for users, groups, or computers.

However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired.

Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.

Schema master failure

The schema master role is necessary only when schema modifications are being made, either directly by an administrator or by installing an Active Directory integrated application that changes the schema.

At other times, the role is not necessary. It can remain offline indefinitely until schema changes are necessary.

Seizing this role to another domain controller is a significant action. After the schema master role has been seized, the domain controller that had been performing the role cannot be brought back online.

Domain naming master failure

The domain naming master role is necessary only when you add a domain to the forest or remove a domain from the forest. Until such changes are required to your domain infrastructure, the domain naming master role can remain offline for an indefinite period of time.

Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role cannot be brought back online.
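The failure section above distinguishes a transfer (holder still online) from a seize (holder gone) and warns that a seized RID, schema or domain naming master must never return. The PowerShell below is an added example, not code from the original page: it attempts a transfer first and seizes only when the holder cannot be contacted and the caller opts in. It assumes the ActiveDirectory module, Domain Admin rights (Enterprise Admin / Schema Admin for the forest-wide roles), and uses placeholder DC names.

```powershell
# Added example (not from the original page): transfer an operations master
# role gracefully when the current holder responds; seize (-Force) only when
# it does not and -AllowSeize is given. Server names are placeholders.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string]$Role,
        [Parameter(Mandatory)][string]$Target,   # DC that should receive the role
        [switch]$AllowSeize
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain
    $holder = switch ($Role) {
        'SchemaMaster'       { $forest.SchemaMaster }
        'DomainNamingMaster' { $forest.DomainNamingMaster }
        default              { $dom.$Role }
    }

    # Can the current holder still be contacted as a DC? If so, transfer.
    $reachable = $false
    try {
        $null = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
        $reachable = $true
    } catch { }

    if ($reachable) {
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $Target"
    }
    if (-not $AllowSeize) {
        throw "$Role holder $holder is unreachable; re-run with -AllowSeize to seize the role."
    }

    # Seize: -Force writes the role to the target without the old holder's consent.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    if ($Role -in 'RIDMaster','SchemaMaster','DomainNamingMaster') {
        # Per the failure section above, the former holder of these roles must never come back online.
        Write-Warning "$Role seized. Do not bring $holder back online; demote or rebuild it instead."
    } else {
        # PDC emulator and infrastructure master may be transferred back once the old holder is repaired.
        Write-Warning "$Role seized. It can be transferred back to $holder once that DC is repaired."
    }
    return "Seized $Role from $holder to $Target"
}

# Usage (placeholder DC names; uncomment to run):
# Move-FsmoRoleSafely -Role PDCEmulator -Target 'DC02.corp.example.com'
# Move-FsmoRoleSafely -Role RIDMaster   -Target 'DC02.corp.example.com' -AllowSeize
```

The reachability probe is deliberately strict: any error talking to the holder as a DC is treated as "down", so an intermittently reachable holder still needs the explicit -AllowSeize before the function will force the role away from it.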
