Multi-Master and FSMO roles
I am new to Active Directory infrastructures. Could you please give me more details about AD Multi-Master and its FSMO roles? I hope your responses will be clear enough ;)
August 20th, 2010 2:31am

Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003/2008 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003/2008 incorporates methods to prevent conflicting Active Directory updates from occurring.
August 20th, 2010 2:35am

FSMO is an abbreviation of flexible single master operations. They are roles that can be assigned to domain controllers. Some of them are unique in the forest and others are unique in the domain. To prevent conflicting updates in Windows 2000/2003/2008, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. There are 5 FSMO roles, which are:
1- Schema Master
2- Domain Naming Master
3- Infrastructure Master
4- Relative ID (RID Master)
5- PDC Emulator
August 20th, 2010 2:40am

Schema Master (Unique in the forest): The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
August 20th, 2010 2:41am

Domain naming master (Unique in the forest): The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
August 20th, 2010 2:41am

Infrastructure Master (Unique in the domain): When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
August 20th, 2010 2:43am

Relative ID (RID) Master (Unique in the domain): The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
August 20th, 2010 2:44am

PDC Emulator (Unique in the domain): The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003/2008 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003/2008-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003/2008 domain, the PDC emulator role holder retains the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003/2008. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
August 20th, 2010 2:45am

This is a Microsoft article about how to display and transfer FSMO roles on Microsoft Windows Server 2003: http://support.microsoft.com/kb/324801 It will help you to know which domain controller holds each FSMO role and will also help you if you want to transfer a FSMO role.
August 20th, 2010 2:47am

This is a link about the best practices for assigning FSMO roles: http://windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html Have a look at it. I hope that all this information is clear enough. Best regards.
August 20th, 2010 2:48am

Just forgot something: let's suppose that you have a domain controller hosting FSMO roles and this DC is down. You have two ways to proceed:
1- Restore a previously performed backup of the domain controller so that it will be back
2- Proceed by seizing the FSMO roles, and in this case it is not recommended to bring your down DC up again because you may have several problems.
This is a Microsoft article about how to proceed to seize the FSMO roles: http://support.microsoft.com/kb/255504
August 20th, 2010 2:57am

The problems you can face if you bring your down DC up again after a FSMO role seizure are the following:
- Seizing the schema master may cause a corrupted forest => You should reconstruct it
- Seizing the domain naming master can oblige you to reconstruct all your domains
- Seizing the RID Master may cause corrupted data => You should reconstruct your domain
(Microsoft Official Course 2194A Module 9)
August 20th, 2010 3:05am

Thanks for the replies. Most of the information is clear. Just a question: is there no problem with giving up a down DC hosting the PDC Emulator and the Infrastructure Master FSMO roles after seizing them?
August 20th, 2010 3:37am

After seizing the PDC Emulator and the Infrastructure Master FSMO roles and giving up the down DC which hosted them before the seizure, you will have no effects on your Active Directory environment. So, don't worry. Best regards.
August 20th, 2010 3:41am

When you install your first DC, by default, it will hold all 5 FSMO roles. A forest with one domain has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3) + 2).
http://support.microsoft.com/kb/324801
http://support.microsoft.com/kb/223346/en-us
You can verify the FSMO roles using the following command: Netdom Query FSMO

Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
August 20th, 2010 3:41am
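The following PowerShell is an added example, not code from any post in this thread: it enumerates the FSMO role holders of a forest with the ActiveDirectory RSAT module, compares the count against the ((domains * 3) + 2) formula given above, and flags the Infrastructure Master / Global Catalog placement issue described earlier in the thread. It assumes a domain-joined session with rights to read the forest and domain objects.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and a domain-joined session; read-only, it only reports role holders.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles come from the forest object, domain-wide roles from each domain.
$roles = @(
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
)

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $roles += [pscustomobject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
    }

    # Infrastructure Master check from the thread: an IM on a GC stops updating
    # cross-domain references, unless every DC in the domain is also a GC.
    $dcs   = Get-ADDomainController -Filter * -Server $domainName
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($im -and $im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning ("{0}: Infrastructure Master {1} is a Global Catalog but not all DCs are GCs; " +
                       "cross-domain object references will not be updated.") -f $domainName, $im.HostName
    }
}

# Sanity check against the formula quoted in the thread: (domains * 3) + 2.
$expected = ($forest.Domains.Count * 3) + 2
$roles | Format-Table -AutoSize
"Role holders found: $($roles.Count); expected by formula: $expected"
if ($roles.Count -ne $expected) {
    Write-Warning "Role count does not match the formula; check for unreachable domains."
}
```

The output is equivalent to Netdom Query FSMO run once per domain, plus the GC placement warning; it does not transfer or seize anything.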

Thank you guys. For the global catalogs, what should I do? I will use a single domain and a single forest. Should I use two, or will one be enough?
August 20th, 2010 3:52am

I recommend that you use two global catalogs so that if the first DC is down the other one will take its place. If you have more than one domain with trust relationships, it is not recommended to use a domain controller hosting both a global catalog and the Domain Naming Master FSMO role. Best regards.
August 20th, 2010 3:55am

If you have no other questions, please mark as helpful and as a response all the replies that helped you. Best regards.
August 20th, 2010 4:03am

Hi Mike and Dave, the MS Helper (Malek Ahmed) account is under scrutiny; every post made by him is monitored. Locking the thread.
September 1st, 2010 5:00am

This topic is archived. No further replies will be accepted.
