Active Directory FSMO roles

To transfer an FSMO role the administrator must be a member of the following group:

FSMO Role         Administrator must be a member of
Schema            Schema Admins
Domain Naming     Enterprise Admins
RID               Domain Admins
PDC Emulator      Domain Admins
Infrastructure    Domain Admins

(reference: petri.co.il)


What happens when a FSMO Role Fails

PDC Emulator failure

The PDC Emulator is the operations master that will have the most immediate
impact on normal operations and on users if it becomes unavailable. Fortunately,
the PDC Emulator role can be seized to another domain controller and then
transferred back to the original role holder when the system comes back online.

Infrastructure master failure

A failure of the infrastructure master will be noticeable to administrators but not to
users. Because the master is responsible for updating the names of group members
from other domains, it can appear as if group membership is incorrect although, as
mentioned earlier in this lesson, membership is not actually affected. You can seize
the infrastructure master role to another domain controller and then transfer it
back to the previous role holder when that system comes online.

RID master failure

A failed RID master will eventually prevent domain controllers from creating new
SIDs and, therefore, will prevent you from creating new accounts for users, groups,
or computers. However, domain controllers receive a sizable pool of RIDs from the
RID master, so unless you are generating numerous new accounts, you can often
go for some time without the RID master online while it is being repaired. Seizing
this role to another domain controller is a significant action. After the RID master
role has been seized, the domain controller that had been performing the role
cannot be brought back online.

Schema master failure

The schema master role is necessary only when schema modifications are being
made, either directly by an administrator or by installing an Active Directory
integrated application that changes the schema. At other times, the role is not
necessary. It can remain offline indefinitely until schema changes are necessary.
Seizing this role to another domain controller is a significant action. After the
schema master role has been seized, the domain controller that had been
performing the role cannot be brought back online.

Domain naming master failure

The domain naming master role is necessary only when you add a domain to the
forest or remove a domain from a forest. Until such changes are required to your
domain infrastructure, the domain naming master role can remain offline for an
indefinite period of time. Seizing this role to another domain controller is a
significant action. After the domain naming master role has been seized, the
domain controller that had been performing the role cannot be brought back
online.
(Reference)


FSMO role and loss implications

Schema: The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.

Domain Naming: Unless you are going to run DCPROMO, you will not miss this FSMO role.

RID: Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.

PDC Emulator: Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.

Infrastructure: Group memberships may be incomplete. If you only have one domain, then there will be no impact.

(Reference)

Recommended Best Practice setup of FSMO roles.

Domain Controller #1

Place the two forest roles on this server. (one per forest)

  • Schema Master
    •  controls all updates and modifications to the schema
  • Domain Naming Master
    • addition or removal of domains in the forest.

Domain Controller #2

Place the domain roles on this server. (one per domain)

  • RID Master
    • processing RID pool requests from all domain controllers
    • When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. 
    • It is recommended that the RID master FSMO role be assigned to whichever domain controller has the PDC emulator FSMO role. (reference)
  • Infrastructure Master
    • updating an object's SID and distinguished name in a cross-domain object reference.
    • should be held by a domain controller that is not a Global Catalog server (GC).
      • However, if you’re in a single domain forest, the infrastructure master has no work to do, since there is no translation of foreign principals. In that case it’s acceptable to place the infrastructure master on any domain controller (DC), even if it has the global catalog. (reference)
    • If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. (reference)
  • PDC Emulator
    • synchronizes time in the enterprise
    • authoritative time source for its domain
    • the PDC emulator at the root of the forest becomes authoritative for the enterprise
      • should be configured to gather the time from an external source
    • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
    • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator
    • Account lockout is processed on the PDC emulator.
    • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share
    • needs to be online and accessible all the time. (reference)
    • to reduce administration and complexity, keep the roles on the same DC:
      • RID master on the PDC emulator of each domain, and the
      • schema master and
      • domain naming master on the PDC emulator of the forest root.
(Reference 1)
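As an added example (not from the original post or any of its references), the following PowerShell audit checks a forest's current FSMO placement against the recommendations in this section and reports any role holder that is unreachable, ranking a missing PDC emulator highest because, as the failure section above explains, its outage is felt first. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to every domain in the forest.

```powershell
# Added example: audit FSMO placement and reachability. Assumes the RSAT
# ActiveDirectory module and read access to all domains in the forest.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = New-Object System.Collections.Generic.List[string]

# Forest roles: recommended together, on the forest-root PDC emulator.
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings.Add("Forest roles are split: Schema=$($forest.SchemaMaster) DomainNaming=$($forest.DomainNamingMaster)")
}
if ($forest.SchemaMaster -ne $rootPdc) {
    $findings.Add("Schema master $($forest.SchemaMaster) is not the forest-root PDC emulator $rootPdc")
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName

    # Every role holder must be a live DC; an unreachable PDC emulator is the
    # one users notice immediately, the others can be tolerated for a while.
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $holder = $domain.$role
        if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            $severity = if ($role -eq 'PDCEmulator') { 'CRITICAL' } else { 'WARNING' }
            $findings.Add("$severity ${domainName}: $role holder $holder is unreachable")
        }
    }

    # RID master is recommended on the same DC as the PDC emulator.
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        $findings.Add("${domainName}: RID master $($domain.RIDMaster) is not on the PDC emulator $($domain.PDCEmulator)")
    }

    # Infrastructure master on a GC only matters in a multi-domain forest
    # where at least one DC is not a GC (single-domain forests are exempt).
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $multi = $forest.Domains.Count -gt 1
    if ($multi -and -not $allGc -and $im.IsGlobalCatalog) {
        $findings.Add("${domainName}: infrastructure master $($im.HostName) is a GC while other DCs are not")
    }
}

if ($findings.Count -eq 0) { 'FSMO placement matches the recommended layout and all holders are reachable.' }
else { $findings }
```

Run it from a scheduled task and alert on any CRITICAL line; a warning about split forest roles or an infrastructure master on a GC is a planning item, not an outage.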

Migrate AD roles from 2003 to 2008 R2 (Reference)
