Tuesday, May 12, 2009

Why Do We Need FSMO Roles ?

You read about AD 2003 or 2008 and start getting confused about FSMO roles? and asking yourself why do we need them anyways?

Before we start listing the reasons why FSMO roles needed, let’s refresh our knowledge

image

  • Single master replication model ( NT 4.0) this means .DIT database read only, and only primary domain controller can write and read from .Dit database. BDC (backup domain controller) can only read the .DIT database
  • .DIT database ( Active directory database)
  • Now imagine in AD environment you can not create users, because you cannot write to .DIT database, I am sure you will easily see big problems if this happens to you when you are the person who is responsible from creating users, groups
  • Microsoft saw this as problem and they fix it by implementing AD 2000 and up what is called “multi-master replication model”, meaning all domain controller can read and write to .DIT database and they all are equal , except FSMO roles.

Obvious multi-master replication model brought huge redundancy to Active directory picture and now clients can locate and register their own records to any available DC/DNS server and thus less likely total stoppage of Active directory services.

Now, there is a problem with Multi-master replication problem , if two similar task needed to be done in two different places which one would be the winner?

If I am introducing domain controller called DC1 and at the same time you are sitting on different location ad you are DCPromoing another server with same name, which one would run without problems?

Think similar scenarios in AD, thus certain jobs in AD “Must be controlled” by specific domain controllers.

For instance The domain naming master domain controller controls the addition or removal of domains in the forest.When I want to add a new domain the request goes to “DNS master” I get an okay from DNS master and I move on. When you do the same thing in a split second, DNS master knows already he gave me an okay , even though I have just started and will tell you “Sorry you cannot do this, because I already gave okay to someone else”

I hope it makes sense now and you will see and understand the need for FSMO roles.

There are two main task involved in FSMO

  • Seize FSMO roles ( FSMO holder can not longer be contacted and therefore, use ntdsutil to go into .DIT database and find the registry settings for FSMO roles, and modify them from failed DC to one of the alive DC, save and replicated the changed
  • Never turn back on failed DC who was FSMO role owner if you ever seize the FSMO role from it.
  • run DCPromo /ForceRemoval to install the .DIT database
  • run metadata Cleanup for your domain/Forest
  • now you can bring the old DC as new DC into your forest
  • Move FSMO roles ( FSMO role owner is alive and willingly to give up from assigned FSMO role. Same changes are being done on the .DIT database and via AD replication

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

Http://smtp25.blogspot.com (Blog)

Https://telnet25.spaces.live.com (Blog)

Https://telnet25.worldpress.com (Blog)

Posted by at

1 comment:

Anonymous said...

Very clear explainiation :-) I like it..

August 19, 2010 at 6:03 AM

Post a Comment

Subscribe to: Post Comments (Atom)