Windows Domain Controller Operations Masters Placement

Hey guys,

So someone PM'd me on a topic that more should know about so here is a short blurb on the topic:

Windows Domain Controller Operations Masters Placement

Active Directory Domain Services (AD DS) supports multimaster replication of directory data, which means any domain controller can accept directory changes and replicate the changes to all other domain controllers. However, certain changes, such as schema modifications, are impractical to perform in a multimaster fashion. For this reason certain domain controllers, known as operations masters, hold roles responsible for accepting requests for certain specific changes.

Three operations master roles (also known as flexible single master operations or FSMO) exist in each domain:

The primary domain controller (PDC) emulator operations master processes all password updates.
The relative ID (RID) operations master maintains the global RID pool for the domain and allocates local RIDs pools to all domain controllers to ensure that all security principals created in the domain have a unique identifier.
The infrastructure operations master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.

In addition to the three domain-level operations master roles, two operations master roles exist in each forest:

The schema operations master governs changes to the schema.
The domain naming operations master adds and removes domains and other directory partitions (for example, Domain Name System (DNS) application partitions) to and from the forest.

Place the domain controllers hosting these operations master roles in areas where network reliability is high, and ensure that the PDC emulator and the RID master are consistently available.
Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain.

Typically I've found you want the RDC, RID Pool Manager, and Infrastructure Master on the Primary Domain Controller. You then want the last two, Schema Master and Domain Naming Master on a Secondary Domain Controller.

If you'd like to view your Operations Masters placement on your network, you run the following command in a elevated command prompt from any domain controller: "netdom query fsmo".

Hope this helps others.

Find more posts tagged with

Comments

cyberguypr

This is a standard question I used to ask people I suspected of be fluffing the resume with "Active Directory Expert Knowledge". 75% of the people had no idea what they were. The faces they made when I asked them about seizing roles were priceless.

Deathmage

cyberguypr wrote: »

This is a standard question I used to ask people I suspected of be fluffing the resume with "Active Directory Expert Knowledge". 75% of the people had no idea what they were. The faces they made when I asked them about seizing roles were priceless.

placement is key to a optimized Active Directory.

I'm not even certified in AD and I know this.

gespenstern

Actually a simple stuff people tend to ask on interviews, so I consider this theme as spoiled because many people memorize it before interview and know nothing about ADDS besides that. And to be honest this FSMO concept is easy to grasp.

I have my own set of questions for "experts" in ADDS related to Kerberos and permissions and replication types scenarios and majority of people fail them. However, ADDS is pretty complicated thing overall and it's really hard to know everything. I personally bombed ADDS interview this year for a high-profile ADDS position. In addition to pure ADDS you usually have to know perfectly ADFS, lots of trusts stuff and acquisitions scenarios, Azure AD, ports, protocols, encryption, DNS, powershell AD modules, how it integrates with other services such as Exchange and ADCS, group policies/preferences, how ADDS database works and its schema, ADAM/LDS stuff, etc.

Overall, it's hard to know ADDS perfectly and vast majority of people don't know it.

techfiend

It'd be nice if microsoft implemented a way to do auto failover by moving the PDC and IM when they aren't available. Currently it needs to be scripted and those are the only 2 roles that can be seized and moved back again. Maybe in 2016.

AD is the only critical server role I can think of that isn't easy to auto failover outside of clustering. There's some good reasons to avoid clustering.