Jorge's Quest For Knowledge!
All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!
(2011-07-11) The Impact Of FSMO Roles Not Being Available
Posted by Jorge on 2011-07-11
AD uses a multi-master replication mechanism, meaning that updates can originate on any RWDC. For all kinds of services AD is highly redundant, assuming you have more than one RWDC. Within AD some operations cannot operate using the multi-master principle, but rather use the single-master principle to ensure consistency. The roles for those operations are the so-called Flexible Single Master Operations (FSMO) roles. From a forest perspective two forest-wide FSMO roles exist (Schema Master and Domain Naming Master) and from a domain perspective three domain-wide FSMO roles exist (Infrastructure Master, RID Master and PDC Emulator). Below you will find which one is which.

When FSMOs become unavailable, depending on the scenario you may need to transfer or seize the corresponding FSMO role(s). With regards to FSMO role transfer or seizure, please see Moving FSMO Roles From One DC To Another DC. After a seizure the old FSMO role owner should never be brought online again. It should at least be force-demoted while not connected to the network, and its metadata in AD should be cleaned.
https://jorgequestforknowledge.wordpress.com/2011/07/11/the-impact-of-fsmo-roles-not-being-available/ (printed 1/8/2017)
For lots of ways to transfer/seize FSMO roles check out: Transferring And Seizing FSMO Roles Through GUI, Command Line Or PowerShell
For more information about FSMO roles see Operations master roles and FSMO Roles.

In addition to that, let's discuss what happens when a specific FSMO is not online/available:
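Before deciding whether a role needs to be transferred or seized you first need to know which DC holds it and whether that DC still answers. The following script is an added example and is not code from the original post: it lists the two forest-wide and three domain-wide role holders and performs a real LDAP bind against each one. It assumes the ActiveDirectory RSAT module is installed and that you run it from a domain-joined session; the forest and domain are taken from that context.

```powershell
# Added example (not from the original post): enumerate the five FSMO role holders
# and check whether each holder still answers an LDAP bind, so you can see which
# roles are currently at risk. Assumes the ActiveDirectory module (RSAT) and a
# domain-joined session; forest/domain come from the current context.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles hang off the forest object, domain-wide roles off the domain object.
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Holder = $dom.RIDMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
}

function Test-LdapBind {
    param([Parameter(Mandatory)][string]$Server, [int]$TimeoutSeconds = 5)
    # A real bind (default Negotiate credentials) on TCP 389: a DC that is down,
    # isolated or has its directory service stopped fails here, even if the
    # DC object still exists in AD.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    try   { $conn.Bind(); $true }
    catch { $false }
    finally { $conn.Dispose() }
}

function Test-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($role in Get-FsmoRoleHolder -Domain $Domain) {
        $ok = Test-LdapBind -Server $role.Holder
        [pscustomobject]@{
            Scope  = $role.Scope
            Role   = $role.Role
            Holder = $role.Holder
            Status = if ($ok) { 'Reachable' } else { 'UNREACHABLE: transfer (or seize if the DC is gone for good)' }
        }
    }
}

Test-FsmoRoleHolder | Format-Table -AutoSize
```

The same list can be obtained with `netdom query fsmo`, but that does not tell you whether the holders are alive; the bind is the part that matters when you are deciding between a graceful transfer (holder online) and a seizure (holder dead). Remember that after a seizure the old holder must never be brought back online.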
Schema Master FSMO unavailable: this is not visible to users directly, as users do not need it. Only admins need this FSMO to extend the AD schema. When it is not available you cannot extend the AD schema to support your custom extensions or the extensions required by other (Microsoft) products (e.g. Exchange, OCS/Lync, etc.). These activities are not done on a day-to-day basis, so relatively speaking it is not critical when unavailable.
Domain Naming Master FSMO unavailable: this is not visible to users directly, as users do not need it. Only admins need this FSMO to add or remove partitions/naming contexts (e.g. AD domains, application partitions) and cross-references to partitions outside the AD forest. When it is not available you cannot do what I mentioned earlier. These activities are not done on a day-to-day basis, so relatively speaking it is not critical when unavailable.
Infrastructure Master FSMO unavailable: this is not visible to users directly, and usually not to admins either. Only admins may need it to execute ADPREP (during AD upgrades) or to migrate objects between AD domains (intra-forest migrations only). The infrastructure master (IM) keeps placeholder objects (so-called phantoms) used in cross-domain references up to date. The following only applies to objects within the same AD forest. For example, a group in domain A contains a user from domain B. Every DC in domain A that is not a GC stores a placeholder object (a phantom) that represents the user from domain B; a GC does not need a phantom, because it holds a partial read-only replica of the real object. The IM keeps those phantoms up to date with information from the real object (e.g. distinguishedName, objectGUID, objectSid) by comparing them against a GC. That is why the DC with the IM FSMO should not be a GC if there is at least ANOTHER DC in the same AD domain that is ALSO NOT a GC: a GC never holds phantoms, so an IM that is a GC never detects stale references and never updates them on the other DCs. If every DC in the domain is a GC, it does not matter which DC holds the IM. The IM is also used by ADPREP to perform actions against domain NCs and application NCs. And if I'm not mistaken, the IM is also used for intra-forest migrations of objects (I need to blog about this!). Also see The Infrastructure Master FSMO And The GC Role and Phantoms, tombstones and the infrastructure master. Remember that when the Recycle Bin is enabled in a W2K8R2 AD, every DC becomes an infrastructure master for its own phantoms. In that case the regular IM FSMO becomes unimportant. In a single-domain AD forest the IM is also less important, as it does not need to update phantoms and you cannot perform an intra-forest migration because you only have one AD domain.
RID Master FSMO unavailable: this is not visible to users directly, as users do not need it. Only admins and provisioning systems need this FSMO to be available to be able to create security principals (users, computers, groups). Over time, every RWDC (RODCs do not!) has two RID pools: the current RID pool and the standby (reserve) RID pool, each a block of 500 RIDs by default. When the current RID pool is exhausted, the DC copies the value of the reserve RID pool to the current RID pool. When the current RID pool is at least 50% used, the RWDC requests a new RID pool from the RID FSMO and stores the value in the reserve RID pool, etc., etc. When the RID FSMO is not available, RWDCs cannot request RID pools. You can still create security principals on an RWDC as long as its RID pools are not fully exhausted. When the RID pools are fully exhausted on one RWDC, you can still use any other RWDC as long as its RID pools are not fully exhausted. When the RID pools of all RWDCs in the AD domain are fully exhausted, no new security principals can be created anywhere in the domain until the RID FSMO is back online or has been seized. Did you know that the domain RID pool is limited? If you did not, it actually is! The top limit is 1073741823 (2^30 - 1, over 1 billion RIDs!). Windows Server 2012 and later can unlock the 31st bit of the RID space, which doubles that ceiling. Also see RID Master FSMO Explained.
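When the RID master is down, the question that matters is how many RIDs each RWDC still has in its current and standby pools, and how much of the domain's global space is left. The script below is an added example, not code from the original post; it reads the RID Manager$ object and each RWDC's RID Set object and decodes the 64-bit pool attributes (low dword and high dword). It assumes the ActiveDirectory module and the documented attribute names (rIDAvailablePool, rIDSetReferences, rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID); the "remaining" count per DC is approximate by one RID because rIDNextRID only marks the DC's position in the current pool.

```powershell
# Added example (not from the original post): show the domain's global RID pool and
# every RWDC's current/standby pools so you can judge how long you can keep creating
# security principals while the RID master is unavailable. Assumes the ActiveDirectory
# module; the domain comes from the current context.
Import-Module ActiveDirectory

# The RID pool attributes are 64-bit integers packing two 32-bit halves.
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][Int64]$Value)
    [pscustomobject]@{
        Low  = [Int64]($Value -band 0xFFFFFFFF)
        High = [Int64](($Value -shr 32) -band 0xFFFFFFFF)
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    # rIDAvailablePool on CN=RID Manager$: low dword = next RID the RID master will hand
    # out, high dword = ceiling of the domain's RID space (1073741823 by default).
    $ridMgrDn = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"
    $ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool -Server $domain.RIDMaster
    $global   = ConvertFrom-RidPool -Value $ridMgr.rIDAvailablePool
    [pscustomobject]@{
        Scope         = 'Domain'
        Name          = $domain.DNSRoot
        PoolStart     = $global.Low
        PoolEnd       = $global.High
        RidsRemaining = $global.High - $global.Low + 1
        Note          = "RID master $($domain.RIDMaster); RIDs not yet handed to any DC"
    }

    # RODCs have no RID pools, so only writable DCs are inspected.
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        try {
            # The DC's computer object points at its RID Set object via rIDSetReferences.
            $computer = Get-ADComputer -Identity $dc.Name -Properties rIDSetReferences
            $ridSet   = Get-ADObject -Identity "$($computer.rIDSetReferences)" `
                            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID `
                            -Server $dc.HostName
            # rIDPreviousAllocationPool = pool the DC issues from now (low = first RID, high = last RID);
            # rIDAllocationPool = pool most recently granted by the RID master (the standby pool when it differs);
            # rIDNextRID = the DC's position within the current pool (absent until the first RID is issued).
            $current  = ConvertFrom-RidPool -Value $ridSet.rIDPreviousAllocationPool
            $granted  = ConvertFrom-RidPool -Value $ridSet.rIDAllocationPool
            $position = if ($ridSet.rIDNextRID) { [Int64]$ridSet.rIDNextRID } else { $current.Low - 1 }
            $hasStandby  = $granted.Low -ne $current.Low
            $standbySize = if ($hasStandby) { $granted.High - $granted.Low + 1 } else { 0 }
            $note = if ($hasStandby) { "standby pool $($granted.Low)-$($granted.High) already reserved" }
                    else { 'no standby pool; the next request to the RID master is still pending or not yet due' }
            [pscustomobject]@{
                Scope         = 'DC'
                Name          = $dc.HostName
                PoolStart     = $current.Low
                PoolEnd       = $current.High
                RidsRemaining = ($current.High - $position) + $standbySize
                Note          = $note
            }
        } catch {
            [pscustomobject]@{ Scope = 'DC'; Name = $dc.HostName; PoolStart = $null; PoolEnd = $null
                               RidsRemaining = $null; Note = "could not read RID Set: $($_.Exception.Message)" }
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
```

`dcdiag /test:ridmanager` reports the same pools for the local DC; the script is useful because it shows all RWDCs at once, which is what you need when deciding whether the RID master outage can wait until morning or the role has to be seized now.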
PDC Emulator FSMO unavailable: the RWDC with the PDC FSMO role is the busiest FSMO, as it performs all kinds of functions. This is actually also the FSMO role that will impact users most. The PDC FSMO performs the following functions: [1] it acts as the central time sync authority within an AD forest (this only applies to the PDC FSMO in the forest root AD domain; the PDC FSMO of a child domain syncs from a DC in the parent domain). For this also see Configuring And Managing The Windows Time Service (Part 1), Configuring And Managing The Windows Time Service (Part 2), Configuring And Managing The Windows Time Service (Part 3) and Configuring And Managing The Windows Time Service (Part 4). [2] Any password changes or account lockouts that occur on any DC are communicated to the RWDC with the PDC FSMO over the secure channel directly. [3] When a logon attempted against an RWDC fails because of an incorrect password, that RWDC will check with the RWDC hosting the PDC FSMO whether it has a newer password. [4] Editing GPOs by default occurs against the RWDC with the PDC FSMO. [5] When root scalability mode is not enabled (the default), DFS root servers get updates from the RWDC with the PDC FSMO; when root scalability mode is enabled, DFS root servers get updates from the closest DC instead. [6] The PDC FSMO is the only DC that applies the password policy settings and the account lockout policy settings specified at domain level and writes the information to the domain NC. [7] The AdminSDHolder process (SDProp) runs only on the PDC FSMO, so while it is unavailable protected groups/users are no longer checked and their ACLs are not reset. [8] If you have NT-style applications that want/need to target the PDC, those apps will probably break as soon as the PDC is not available.
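Function [1] is the one that fails silently: when the forest-root PDC is down or misconfigured, DCs keep running on their own clocks and you only notice when Kerberos starts rejecting tickets. The script below is an added example, not code from the original post; for every DC in the current domain it asks w32tm which source the DC syncs from and measures its clock offset relative to the forest-root PDC. It assumes the ActiveDirectory module, that w32tm can reach each DC on UDP 123 and over RPC, and the 5-second alert threshold is my own choice, not a documented value.

```powershell
# Added example (not from the original post): audit the time hierarchy that depends on
# the forest-root PDC FSMO. Uses the documented "w32tm /query /source" and
# "w32tm /stripchart" switches; the skew threshold is an assumption.
Import-Module ActiveDirectory

function Get-W32tmSource {
    param([Parameter(Mandatory)][string]$Computer)
    # Prints the peer the machine syncs from, or "Local CMOS Clock" /
    # "Free-running System Clock" when it is not syncing from anyone.
    $out = & w32tm /query /source /computer:$Computer 2>&1 | Select-Object -First 1
    "$out".Trim() -replace ',0x[0-9a-fA-F]+$', ''   # strip an NTP flags suffix such as ",0x9"
}

function Get-W32tmOffsetSeconds {
    param([Parameter(Mandatory)][string]$Computer, [int]$Samples = 3)
    # /stripchart /dataonly prints one line per sample, e.g. "12:00:01, +00.0031250s":
    # the target's clock relative to the machine running the script.
    $lines   = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($l in $lines) { if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } })
    if ($offsets.Count) { $offsets[-1] } else { $null }
}

function Test-PdcTimeHierarchy {
    param([double]$MaxSkewSeconds = 5)   # assumption: alert well below the 5-minute Kerberos tolerance
    $forest  = Get-ADForest
    $rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    # All DCs in the forest, used to tell an "internal" source from an external one.
    $allDcs  = @($forest.Domains | ForEach-Object { (Get-ADDomainController -Filter * -Server $_).HostName })
    $pdcOffset = Get-W32tmOffsetSeconds -Computer $rootPdc

    foreach ($dc in Get-ADDomainController -Filter *) {
        $source     = Get-W32tmSource -Computer $dc.HostName
        $dcOffset   = Get-W32tmOffsetSeconds -Computer $dc.HostName
        # Both offsets are relative to this machine, so their difference is DC vs root PDC.
        $skew       = if ($null -ne $dcOffset -and $null -ne $pdcOffset) { [math]::Round($dcOffset - $pdcOffset, 3) } else { $null }
        $isRootPdc  = $dc.HostName -ieq $rootPdc
        $sourceIsDc = $allDcs -icontains $source

        $issue =
            if ($source -match 'CMOS|Free-running')            { 'not syncing from any source' }
            elseif ($isRootPdc -and $sourceIsDc)               { 'forest-root PDC syncs from a DC in its own forest (loop); it should use an external or hardware source' }
            elseif (-not $isRootPdc -and -not $sourceIsDc)     { 'syncs from something outside the AD time hierarchy' }
            elseif ($null -eq $skew)                           { 'offset measurement failed (UDP 123 blocked or DC down?)' }
            elseif ([math]::Abs($skew) -gt $MaxSkewSeconds)    { "skew vs root PDC exceeds ${MaxSkewSeconds}s" }
            else                                               { '' }

        [pscustomobject]@{
            DC           = $dc.HostName
            IsRootPdc    = $isRootPdc
            TimeSource   = $source
            SkewVsPdcSec = $skew
            Issue        = $issue
        }
    }
}

Test-PdcTimeHierarchy | Format-Table -AutoSize
```

Two findings are worth acting on immediately: a forest-root PDC whose source is another DC (the hierarchy has a loop and nobody has an authoritative clock), and a DC whose source is the local CMOS clock, which is what you see after the PDC role was moved but the new holder was never configured with an external source.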
For more information about FSMO failures, see Responding to operations master failures.

So, the most critical FSMO would be the PDC FSMO!
TIP: If you want to shut down an RWDC that hosts any FSMO role, as a safety measure you might want to consider temporarily transferring the FSMO role(s) to another RWDC until the original RWDC is back up and running. At that time, you can transfer the FSMO role(s) back. This is safer than, for whatever reason, having the need to seize the FSMO role(s) because the original RWDC dropped dead!
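The tip above is a two-step procedure: move away, then move back. Doing it by hand risks forgetting which roles the DC held. The script below is an added example, not code from the original post; it records the roles held by the DC you are about to shut down, transfers them gracefully (no -Force, so the current holder must still be online) to a writable target, verifies the result and returns a record that can be replayed to move the roles back. It assumes the ActiveDirectory module; the DC names in the usage comment are placeholders.

```powershell
# Added example (not from the original post): transfer every FSMO role held by a DC
# to another RWDC before planned maintenance, and transfer the same roles back afterwards.
# Uses Move-ADDirectoryServerOperationMasterRole without -Force (graceful transfer);
# -Force (seizure) is reserved for a holder that is permanently gone. Assumes the
# ActiveDirectory module. DC names in the usage block are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRolesHeldBy {
    param([Parameter(Mandatory)][string]$DomainController)
    # OperationMasterRoles lists the roles this DC holds, e.g. PDCEmulator, RIDMaster.
    @((Get-ADDomainController -Identity $DomainController).OperationMasterRoles)
}

function Move-FsmoRolesForMaintenance {
    param(
        [Parameter(Mandatory)][string]$Source,   # DC about to be shut down
        [Parameter(Mandatory)][string]$Target    # RWDC that holds the roles meanwhile
    )
    $roles = Get-FsmoRolesHeldBy -DomainController $Source
    if ($roles.Count -eq 0) { Write-Warning "$Source holds no FSMO roles; nothing to do"; return $null }

    $targetDc = Get-ADDomainController -Identity $Target
    if ($targetDc.IsReadOnly) { throw "$Target is an RODC and cannot hold FSMO roles" }

    # Graceful transfer: contacts the current holder, so it fails cleanly if $Source is already down.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Confirm:$false

    # Verify before letting anyone power off $Source.
    $now     = Get-FsmoRolesHeldBy -DomainController $Target
    $missing = @($roles | Where-Object { $now -notcontains $_ })
    if ($missing.Count) { throw "Transfer incomplete, still not on ${Target}: $($missing -join ', ')" }

    [pscustomobject]@{ OriginalHolder = $Source; TemporaryHolder = $Target; Roles = $roles; MovedAt = Get-Date }
}

function Restore-FsmoRoles {
    param([Parameter(Mandatory)]$Record)
    # Same graceful transfer in the other direction once the original DC is back and replicating.
    Move-ADDirectoryServerOperationMasterRole -Identity $Record.OriginalHolder -OperationMasterRole $Record.Roles -Confirm:$false
    Get-FsmoRolesHeldBy -DomainController $Record.OriginalHolder
}

# Usage (placeholder names; save the record to disk so it survives your own session ending):
# $record = Move-FsmoRolesForMaintenance -Source 'DC01' -Target 'DC02'
# $record | Export-Clixml C:\Temp\fsmo-move.xml
# ... shut down DC01, do the maintenance, bring it back, let replication converge ...
# Restore-FsmoRoles -Record (Import-Clixml C:\Temp\fsmo-move.xml)
```

Before the transfer back, make sure the original DC has completed inbound replication (repadmin /showrepl is enough); transferring a role to a DC that is still catching up is the one case where a planned transfer can cause the kind of inconsistency a seizure would.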
Cheers,
Jorge

* This posting is provided AS IS with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge's Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
This entry was posted on 2011-07-11 at 05:13 and is filed under Active Directory Domain Services (ADDS), FSMO. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
4 Responses to (2011-07-11) The Impact Of FSMO Roles Not Being Available
1. Rickard Nobel said
2011-09-06 at 20:35
Nice article about the FSMO roles. There are some more impacts of PDC Emulator failure: when creating external trusts the PDC must be available.
Also somewhat surprising: if using the redircmp command it must target the PDC emulator or it fails: http://rickardnobel.se/archives/815
posted at: http://blogs.dirteam.com/blogs/jorge/archive/2011/07/11/the-impact-of-fsmo-roles-not-being-available.aspx#5940
2. CSI Computer System Integrators - The Impact of FSMO Roles Being Unavailable said
2011-09-24 at 20:37
[...] https://jorgequestforknowledge.wordpress.com/2011/07/11/the-impact-of-fsmo-roles-not-being-available/ [...]
3. trruthh said
2011-10-25 at 03:23
This is one of the best articles on FSMO roles. Thanks Jorge!
4. FSMO roles - Bart's Weblog said
2013-02-20 at 09:39
[...] The Impact Of FSMO Roles Not Being Available https://jorgequestforknowledge.wordpress.com/2011/07/11/the-impact-of-fsmo-roles-not-being-available/ [...]