FSMO Roles in detail (Second of three blog series)

This is the second post of a three-part blog series. In the first post we discussed what FSMO is. If you have not read my first post, you can find it here:

https://vinitpandey.wordpress.com/2015/10/21/fsmo-role-first-of-three-blog-series/

In this post we will discuss the FSMO roles in detail. So let's start.

Schema Master

The schema master is the only DC in the forest that can make changes to the schema. This role is held by the first DC in the forest and can be transferred to another DC as required, but there is only ever one schema master per forest. You make changes to the schema using the Active Directory Schema snap-in, which is not visible in MMC by default. First you need to run this command from "Run" and press OK:

regsvr32 schmmgmt.dll


Once you have registered the DLL you can open MMC. In MMC you can add the Active Directory Schema snap-in; it makes a direct connection to the schema master, allowing you to view the schema for the directory.


Note: To modify the schema you need Schema Admins credentials.

Domain Naming Master

The domain naming master is responsible for adding or removing domains from the forest. Whenever you create a domain, a remote procedure call (RPC) connection is made to the domain naming master, which assigns the domain a globally unique identifier (GUID). When you remove a domain, an RPC connection is made to the domain naming master and the previously assigned GUID reference is removed. If the domain naming master cannot be contacted while adding or removing a domain, you will not be able to create or remove the domain.

To locate the domain naming master via the GUI, start Active Directory Domains And Trusts. Press and hold or right-click the Active Directory Domains And Trusts node, and then select Operations Master.


RID Master

The SID of every security principal object, such as a user or group, must be unique. A SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Every DC in a domain is issued a block of relative IDs by the RID master. Whenever a new security principal is created on a DC, the DC allocates its RID from the pool it obtained from the RID master. The block of relative IDs issued to a DC is called a RID pool; pools are issued in lots of 500.

Note: You can increase the size of the RID pool by editing the registry on each domain controller and changing the REG_DWORD value RID Block Size, located under HKLM\System\CurrentControlSet\Services\NTDS\RID Values.

For Windows Server 2012, the maximum RID pool block size is 15,000. Previously, the maximum was 10,000.

Apart from this, the RID master is also responsible for moving any object from one domain to another.

RID pool exhaustion (Troubleshooting)

The total number of available RIDs is 2^30 – 1, which is nearly 1 billion. Although this number is huge, an old enterprise can run out of available RIDs, and in that case no new objects can be created. The conditions that lead to RID pool exhaustion are as follows:

  1. Once a RID has been handed out for a new object, that RID cannot be used again, even if the object creation fails part way through.
  2. If a deleted DC computer object was restored, the DC could repeatedly request a new RID pool block because of a missing rIDSetReference attribute and, by itself, could use up the RID pool in about 24 months.

Solution in Windows 2012

  1. RID Reuse pool – When object creation fails, the RID, instead of being leaked and lost, is placed in the Reuse pool. Because a DC checks the Reuse pool for available RIDs before taking a RID from the primary pool, the RID can be assigned to the next object created on that domain controller. Rebooting a domain controller clears its RID Reuse pool.
  2. Warning message – When 10 percent of the global address space is used, the RID master logs an informational event with an RID consumption warning. The RID master logs another RID consumption warning when 10 percent of the remainder is used, and so on, so that the RID consumption warnings become more frequent as more and more of the global space is depleted.
  3. Soft ceiling – The soft ceiling is reached when 90 percent of the available address space is used. As a result, the RID master will not allocate any additional blocks of RIDs until the soft ceiling is removed. To remove the ceiling you have to use ldp.exe or ADSIedit.
  4. Increasing RID pool size – If a domain’s RID master and all other DCs are running Windows Server 2012, you can double the size of the RID pool by enabling SID compatibility. Enabling SID compatibility unlocks the 31st bit of the RID pool, which effectively raises the total number of RIDs available for a domain to 2^31 – 1 or approximately 2 billion objects. This setting can be configured from ADSIedit.
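The following is an added example, not code from the original post: it reads the rIDAvailablePool attribute that the RID master keeps on the CN=RID Manager$ object and reports domain-wide RID usage against the warning thresholds, the 90 percent soft ceiling and the SID compatibility (31st bit) setting described above. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function names are my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NextRidWarningThreshold {
    param([int64]$Total, [int64]$Issued)
    # Warning n is logged when usage crosses Total * (1 - 0.9^n): 10% of the space,
    # then 10% of what remains, and so on, so the warnings get closer together.
    $n = 1
    while ($Total * (1 - [math]::Pow(0.9, $n)) -le $Issued) { $n++ }
    [int64][math]::Ceiling($Total * (1 - [math]::Pow(0.9, $n)))
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dn  = 'CN=RID Manager$,CN=System,' + $dom.DistinguishedName
    # Query the RID master itself so the value is not a stale replica.
    $pool = (Get-ADObject -Identity $dn -Properties rIDAvailablePool `
                 -Server $dom.RIDMaster).rIDAvailablePool

    # rIDAvailablePool is a 64-bit integer: the high 32 bits hold the highest RID the
    # domain can ever issue (2^30-1, or 2^31-1 once SID compatibility is enabled); the
    # low 32 bits hold how many RIDs have already been handed out to DCs in 500-RID blocks.
    $total  = [int64]($pool -shr 32)
    $issued = [int64]($pool -band 4294967295)   # 0xFFFFFFFF as a 64-bit mask
    $pct    = [math]::Round(100 * $issued / $total, 2)

    [pscustomobject]@{
        Domain           = $Domain
        RidMaster        = $dom.RIDMaster
        TotalRids        = $total
        IssuedRids       = $issued
        RemainingRids    = $total - $issued
        PercentUsed      = $pct
        SidCompatEnabled = ($total -gt 1073741823)   # more than 2^30 - 1 means the 31st bit is unlocked
        SoftCeilingHit   = ($pct -ge 90)             # RID master stops issuing blocks at 90%
        NextWarningAt    = Get-NextRidWarningThreshold -Total $total -Issued $issued
    }
}

Get-RidPoolStatus | Format-List
```

IssuedRids counts RIDs handed out to DCs in blocks, not objects actually created, so it is the right number to trend when watching for exhaustion.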

Infrastructure master

The infrastructure master is responsible for updating cross-domain group-to-user references. So if you rename a user, the infrastructure master is responsible for ensuring that the change to the user account is correctly reflected in the group membership information for groups in other domains in the forest. The infrastructure master does this by comparing its directory data to that of a global catalog. If the data is outdated, it updates the data and replicates the changes to other domain controllers in the domain. If for some reason the infrastructure master is unavailable, group-to-user name references will not be updated, and cross-domain group membership might not accurately reflect the actual names of user objects.

PDC Emulator Master

PDC emulator performs several tasks as listed below:

  1. Password management and replication: When a user changes a password, the change is first sent to the PDC emulator, which in turn replicates the change to all the other domain controllers in the domain. If a user tries to log on to the network but provides an incorrect password, the DC checks the PDC emulator to see if it has a recent password change for this account. If so, the domain controller retries the logon authentication on the PDC emulator. This approach is designed to ensure that a user who has recently changed a password is not denied logon with the new password.
  2. PDC Emulator – Emulates a PDC (Primary Domain Controller), the Windows NT concept, for legacy applications.
  3. Time master: The PDC Emulator is the domain source for time synchronization for all other domain controllers. In a multi-domain forest, the PDC Emulator in each domain synchronizes to the forest root PDC emulator. To ensure that time synchronization is accurate in the Active Directory forest, you should configure the PDC emulator to synchronize time with a reliable external time source, a reliable internal time source, an NTP server or a hardware clock.

Domain computers on the network don’t necessarily get their time directly from the PDC emulator. Generally, domain computers follow the directory hierarchy and synchronize time with a domain controller in their local domains. Domain controllers synchronize their time using a series of queries that help them determine the best time source. A domain controller will make up to six queries:
1. The domain controller queries for parent domain controllers in the same site.
2. The domain controller queries for other domain controllers in the same site.
3. The domain controller queries for a same-site PDC emulator.
4. The domain controller queries for parent domain controllers in other sites.
5. The domain controller queries for other domain controllers in other sites.
6. The domain controller queries for a PDC emulator in other sites.

Each query returns a list of domain controllers that can be used as a time source and a relative weighting for each based on reliability and location. A score of 8 is assigned to a domain controller in the same site. A score of 4 is assigned to a domain controller configured as a reliable time source. A score of 2 is assigned to a domain controller in a parent domain. A score of 1 is used for a domain controller that is the PDC emulator. Because the weighting scores are cumulative, a same-site PDC emulator would have a score of 9 (8 + 1).

Note: When you transfer the PDC emulator role, the time server role is not transferred; you need to configure it manually on the new PDC emulator.

To locate the RID, Infrastructure and PDC Emulator masters via the GUI, start Active Directory Users and Computers. Press and hold or right-click the domain name, and then select Operations Master.
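As an added example (not from the original post), the same five role holders that the three consoles above show can be listed from PowerShell, and the PDC emulator's actual time source checked, since that setting is not carried over when the role is transferred. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name is my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Forest = (Get-ADForest).Name)

    $f = Get-ADForest -Identity $Forest
    # Forest-wide roles: exactly one Schema Master and one Domain Naming Master per forest.
    $rows = @(
        [pscustomobject]@{ Scope = $Forest; Role = 'SchemaMaster';       Holder = $f.SchemaMaster }
        [pscustomobject]@{ Scope = $Forest; Role = 'DomainNamingMaster'; Holder = $f.DomainNamingMaster }
    )
    # Domain-wide roles: one RID, PDC Emulator and Infrastructure master in each domain.
    foreach ($d in $f.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
            $rows += [pscustomobject]@{ Scope = $d; Role = $role; Holder = $dom.$role }
        }
    }
    $rows
}

$holders = Get-FsmoRoleHolders
$holders | Format-Table -AutoSize

# The time-source role is not part of the FSMO transfer (see the note above), so
# confirm what each PDC emulator is really synchronising from.
foreach ($row in ($holders | Where-Object Role -eq 'PDCEmulator')) {
    '{0}: time source = {1}' -f $row.Holder, (w32tm /query "/computer:$($row.Holder)" /source)
}
```

A forest-root PDC emulator reporting "Local CMOS Clock" as its source is the case the note above warns about and should be pointed at a reliable NTP source.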


So, that's all for this post. In the final post I will discuss the transfer, seizure and placement of FSMO roles. Till then take good care of yourself. Bye.
