
I've always understood that there are five FSMO roles, but sometimes I see something that says there are seven. How many are there, really?

Ward - Reinstate Monica

1 Answer


The standard answer that Windows admins have given to this question is five:

Schema Master (One per forest)
Domain Naming Master (One per forest)
PDC Emulator (One per domain)
RID Master (One per domain)
Infrastructure Master (One per domain)

But it turns out that there are two other roles that usually don't matter, but can cause trouble if the server that they were assigned to is taken off-line.

Reminder - what are FSMO roles?

Active Directory primarily uses a multi-master model for directory updates: any Domain Controller can update its local copy of the directory and then those changes will get replicated to all the other DCs.

HOWEVER, there are some updates that are more critical and those are done in a single-master fashion: only one DC is able to make these updates and they get replicated from that DC to the others. The ability to make one of these critical updates is called a role and these roles are assigned to one DC at a time (single-master), but it's fairly easy to move a role to a different DC (flexible), which leads to the name "Flexible Single-Master Operation role."

The five FSMO roles listed above are described in this article, including a brief explanation of what type of directory updates each FSMO role holder is responsible for (e.g. the Schema Master is the only DC that can make changes to the AD schema.)

Infrastructure Master role(s)

It turns out that even with a single domain, there's more than one Infrastructure Master role. In the MS article mentioned above, it says:

A separate infrastructure master is created for each application partition including the default forest-wide and domain-wide application partitions created by Windows Server 2003 and later domain controllers.

I'm not going to explain directory partitions and application directory partitions in AD (the links are to a TechNet document that explains them better than I could), it's enough to know that they exist.

So if you have a single AD domain, you have 3 Infrastructure Masters, for a total of seven FSMO roles.

Do the extra roles cause problems?

Sometimes...

I can't find a definitive answer, but there is strong circumstantial evidence that the "extra" FSMO roles can only be moved manually, e.g. Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com"

The most common reason for that error is that when a domain is set up, the first DC holds all 7 roles, but the two extra infrastructure master roles are not moved by any of the usual tools (DCPROMO, etc.) So if the original DC is ever retired, there's no server holding those roles and the RODC preparation fails because it needs to talk to them.

The place I ran across the extra roles was with Samba 4: the samba-tool utility can transfer FSMO roles to a different DC and prior to version 4.3 it would tell you that all the roles had been transferred, but when you tried to demote a DC it would complain that the DC still held 2 FSMO roles. This has been fixed now.

dominix
Ward - Reinstate Monica
    You are very correct. There is one Infrastructure Master for every domain and application NC in a directory, as MS-ADTS states: msdn.microsoft.com/en-us/library/cc223753.aspx The reason why this very rarely causes problems is because non-domain NCs can't contain partial objects so there are no phantoms to update. However, you can still see this crop up when you try to demote a domain controller that is still referencing an IM for a non-domain NC that does not exist anymore. In which case, just update that attribute to point to the domain NC IM. No problem. This answer is good. – Ryan Ries Apr 23 '16 at 17:23
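The check and the fix described in the answer and in the comment above, as an added PowerShell example that is not code from the original answer, from Microsoft or from Samba. It reads the fSMORoleOwner attribute of each of the seven role-holder objects (the five classic ones plus CN=Infrastructure in every application partition the target DC hosts), flags any owner whose "NTDS Settings" object has been deleted, and with -Repair points an orphaned application-partition infrastructure master at whichever DC currently holds the domain NC's infrastructure master. It assumes the ActiveDirectory RSAT module is installed, that the DC named by -Server hosts the application partitions in question (the PDC emulator normally does), and that -Repair is run with write access to the CN=Infrastructure objects; the script name and parameter names are my own.

```powershell
<#
  Added example (not from the original answer, Microsoft or Samba): list all
  seven FSMO role holders and repair the two "extra" infrastructure master roles
  if they point at a DC that no longer exists.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DC to query and, with -Repair, to write to. Assumption: it hosts the
    # application partitions (DomainDnsZones/ForestDnsZones); the PDC usually does.
    [string]$Server = (Get-ADDomain).PDCEmulator,
    [switch]$Repair
)

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE -Server $Server
$domainNC = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Each role is recorded as the fSMORoleOwner attribute of one well-known object;
# the value is the DN of the owning DC's "NTDS Settings" object.
$roleObjects = [ordered]@{
    'Schema Master'                     = $schemaNC
    'Domain Naming Master'              = "CN=Partitions,$configNC"
    'PDC Emulator'                      = $domainNC
    'RID Master'                        = "CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure Master (domain NC)' = "CN=Infrastructure,$domainNC"
}

# Application partitions hosted by $Server: every naming context that is not the
# domain, configuration or schema NC. Each has its own CN=Infrastructure object,
# i.e. one of the "extra" infrastructure master roles from the answer.
$appNCs = @($rootDse.namingContexts | Where-Object { $_ -notin @($domainNC, $configNC, $schemaNC) })
foreach ($nc in $appNCs) {
    $roleObjects["Infrastructure Master ($nc)"] = "CN=Infrastructure,$nc"
}

function Get-RoleOwner([string]$Dn) {
    (Get-ADObject -Identity $Dn -Properties fSMORoleOwner -Server $Server).fSMORoleOwner
}

# Healthy target for the application-partition roles, per the comment above:
# whichever DC currently holds the domain NC's infrastructure master.
$domainImOwner = Get-RoleOwner "CN=Infrastructure,$domainNC"

$results = foreach ($entry in $roleObjects.GetEnumerator()) {
    $owner = Get-RoleOwner $entry.Value
    # An owner whose DC was deleted shows up as a mangled DN containing "\0ADEL:".
    # If the tombstone has already been purged, the DN simply no longer resolves.
    $healthy = $false
    if ($owner -and $owner -notmatch '\\0ADEL:') {
        try {
            $null = Get-ADObject -Identity $owner -Server $Server -ErrorAction Stop
            $healthy = $true
        } catch { $healthy = $false }
    }
    [pscustomobject]@{
        Role           = $entry.Key
        Object         = $entry.Value
        Owner          = $owner
        Healthy        = $healthy
        AppPartitionIM = ($appNCs -contains ($entry.Value -replace '^CN=Infrastructure,', ''))
    }
}

$results | Format-Table Role, Owner, Healthy -AutoSize

# Repair is the manual move the answer refers to: a plain attribute write on the
# partition's CN=Infrastructure object, done against a DC that hosts the partition.
if ($Repair) {
    foreach ($r in $results | Where-Object { $_.AppPartitionIM -and -not $_.Healthy }) {
        if ($PSCmdlet.ShouldProcess($r.Object, "set fSMORoleOwner to $domainImOwner")) {
            Set-ADObject -Identity $r.Object -Replace @{ fSMORoleOwner = $domainImOwner } -Server $Server
        }
    }
}
```

Save it as, say, Get-FsmoHealth.ps1 and run it without parameters to see all seven holders; run it with -Repair -WhatIf first to see which CN=Infrastructure objects would be rewritten, then with -Repair to apply. The five classic roles are reported but never modified here; for those, netdom/ntdsutil or Move-ADDirectoryServerOperationMasterRole remain the right tools.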