What happens when a FSMO holder goes down?

us flag

Let's say I have 2 DCs and one of them which happens to hold all FSMO Roles goes down.

Please correct me if I'm wrong but from what I understand:

No Schema Master = no updating user details, no creating new users\computers\groups\group policies.
No RIF Master = no applying altering or adding new permissions to files\users\groups.
No Domain Naming Master = no adding new domains to the forest.
No PDC Emulator = no time synchronization, no password change or reset, no account lockout.
No Infrastructure Master = no cross-referencing objects between domains but only where you have a non-global catalog DC. Also no deletion of objects takes place.

Also, let's assume that the DC that contained all FSMO roles went dark for 1 hour and came back online. I suppose that the changes that were performed during that time will be overwritten?

cn flag

You literally need to read the documentation. It tells you how things are handled and will clear up a lot of confusion.

I.e.:

No Schema Master - you are WRONG. The schema master is responsible for the SCHEMA. Updating user details is not changing the schema. Schema updates are things like adding a field to the user object.

No RIF master (it is RID, not RIF) - you can add permissions as you want, as this does not create a RID. The RID master is responsible for handing out RIDs. Like when a USER IS CREATED (new object). Here is the point though - the DCs all CACHE UNUSED RIDs. So, a RID master going down for an hour is mostly a non-issue unless you try to create thousands of users on another DC during this time.

No PDC Emulator: Time Sync not sure (as this is done via PDC emulator), but why PW change or reset? You have such old Windows machines that they use the old PDC concept / API? Because otherwise there is no reason for this. I find info saying otherwise in not necessarily current technical info, so - a little complex.

The list goes on. You seem to make up limitations because it looks like you have no real idea what the roles do.

Anyhow, the exact documentation you look for is here:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/fsmo-roles

Generally assume that roles are not necessary to be operational all the time - in many cases the system will work with limitations (i.e. no update that requires a schema update when the schema master is offline, but you CAN update OBJECTS as this is not a schema update).
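As an added illustration of the RID-caching point above (this is not code from the thread or from Microsoft), the following PowerShell lists the current FSMO holders and, for each DC, how many RIDs remain in the block it has cached locally, which is what decides how long object creation keeps working on that DC while the RID master is offline. It assumes the RSAT ActiveDirectory module and read access to the domain; the "remaining" figure is an approximation, since rIDNextRID may be off by one depending on the documentation you read.

```powershell
# Added example, not from the thread: FSMO holders plus per-DC cached RID pool.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Which DC holds each role right now (all five may sit on one DC, as in the question).
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every DC that has ever created a security principal owns a "RID Set" object under its
# computer account. rIDAllocationPool is a 64-bit value: low 32 bits = first RID of the
# cached block, high 32 bits = last RID of the block. rIDNextRID is the DC's position in it.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Filter { objectClass -eq 'rIDSet' } `
                           -SearchBase $dc.ComputerObjectDN `
                           -Properties rIDAllocationPool, rIDNextRID

    if (-not $ridSet) {
        # No RID Set yet: this DC has never issued a RID and has nothing cached.
        [pscustomobject]@{ DC = $dc.HostName; PoolStart = $null; PoolEnd = $null; Remaining = 0 }
        continue
    }

    $pool  = [uint64]$ridSet.rIDAllocationPool
    $start = [uint32]($pool -band 0xFFFFFFFF)   # first RID in the cached block
    $end   = [uint32]($pool -shr 32)            # last RID in the cached block
    $next  = [uint32]$ridSet.rIDNextRID

    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = $start
        PoolEnd   = $end
        Remaining = [math]::Max(0, [int64]$end - [int64]$next)  # approx. creations left
    }
}
```

A DC with only a handful of RIDs left in its cached block is the one that will start failing user and computer creation first during a RID master outage; a DC with most of its block unused will carry on as the answer describes.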

us flag
I read the very same doc you mentioned and about the PDC it says: "Password changes done by other DCs in the domain are replicated preferentially to the PDC emulator. Account lockout is processed on the PDC emulator." If no PDC is there to accept the resets nor the lockouts then what does? Also "The PDC emulator is necessary to synchronize time in an enterprise". I guess my servers aren't that old after all...
cn flag
Yeah, but pw change - you are aware of the meaning of "preferentially"? You go from that to "PDC REQUIRED" - that is NOT WHAT PREFERENTIALLY MEANS. "then what does?" - ANY DC. PW change can then replicate. Also you go from me saying workstations old to your servers old? Come on, SOME common sense. I mean old Windows machines as old - pre the new Active Directory. Those machines use non-Kerberos and will connect to the PDC as there was no multi-master.
us flag
This doc that you sent me applies to Win 2012 R2. That's A LOT after the beginning of the Multi-Master era. Yet it still states and I quote "The PDC emulator is necessary to synchronize time in an enterprise. " Did they make that up?
cn flag
No, it is not. It is WAY after the beginning of multi-master, but when you talk enterprise there EVEN NOW are still a lot of old machines around. Otherwise - I am out. Sorry, you got your answer. DISCUSSION with me you have to pay for. Wasting my time to teach you history is not my hobby.