Microsoft: Flexible Single Master Operations ( FSMO ) / Operations Master

There are five operations master roles managing the single-master operations in Active Directory domain service.

Two operations master roles exist in each forest:

• Schema master - govern all changes to the schema
• Domain naming master - add and remove domains to and from the forest

In addition to the two forestwide operations master roles, three operations master roles exist in each domain:

• Primary domain controller (PDC) emulator - process all replication requests from Microsoft Windows NT 4.0 backup domain controllers and processes all password updates for clients that are not running Active Directory–enabled client software
• Relative identifier (RID) master - allocate RIDs to all domain controllers to ensure that all security principals have a unique identifier
• Infrastructure master - maintain a list of the security principals from other domains that are members of groups within its domain

By default AD assigns all operations master roles to the first DC created in a forest. If new domains are created in the forest, the first DC in a new domain holds all of the domain-wide FSMO roles. This is not a satisfactory position. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. When a FSMO role is transferred to a different DC, the original FSMO holder and the new FSMO holder communicate to ensure no data is lost during the transfer. If the original FSMO holder experienced an unrecoverable failure, you can force another DC to seize the lost roles; however, there is a risk of data loss because of the lack of communications. If you seize a FSMO role instead of transferring the role, that domain controller can never be allowed to host that FSMO role again, except for the PDC emulator Master operation and the Infrastructure Master Operation. Corruption can occur within Active Directory. FSMO roles can be easily moved between DCs using the AD snap-ins to the MMC or using ntdsutil which is a command line based tool.

Certain FSMO roles depend on the DC being a Global Catalog (GC) server as well. For example, the Infrastructure Master role must not be housed on a domain controller which also houses a copy of the global catalog in a multi-domain forest (unless all domain controllers in the domain are also global catalog servers), while the Domain Naming Master role should be housed on a DC which is also a GC. When a Forest is initially created, the first Domain Controller is a Global Catalog server by default. The Global Catalog provides several functions. The GC stores object data information, manages queries of these data objects and their attributes as well as provides data to allow network logon.

Certain domain and enterprise-wide operations that are not well suited to multi-master updates must be performed on a single domain controller in the domain or in the forest. The purpose of having a single-master owner is to define a well-known target for critical operations and to prevent the introduction of conflicts or latency that could be created by multi-master updates. Having a single-operation master means that the relevant FSMO role owner must be online, discoverable, and available on the network by computers that have to perform FSMO-dependent operations.

The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Naming Master should also be on the same DC. To provide fault tolerance, there should be at least 2 domain controllers available within each domain of the Forest. Furthermore, the Infrastructure Master role holder should not also be a Global Catalog Server, as the combination of these two roles on the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain environment.


References:
1.  How Operations Masters Work
http://technet.microsoft.com/en-us/library/cc780487%28v=ws.10%29.aspx

2.  Flexible single master operation
http://en.wikipedia.org/wiki/Flexible_single_master_operation

3.  FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/kb/223346