I've always understood that there are five FSMO roles, but sometimes I see something that says there are seven. How many are there, really?
The standard answer that Windows admins have given to this question is five:
But it turns out that there are two other roles that usually don't matter, but can cause trouble if the DC they were assigned to is taken offline or retired.
Reminder - what are FSMO roles?
Active Directory primarily uses a multi-master model for directory updates: any Domain Controller can update its local copy of the directory, and those changes then get replicated to all the other DCs.
However, some updates are more critical and are done in a single-master fashion: only one DC is able to make these updates, and they get replicated from that DC to the others. The ability to make one of these critical updates is called a role. Each role is assigned to exactly one DC at a time (single-master), but it is fairly easy to move a role to a different DC (flexible), which leads to the name "Flexible Single-Master Operation role."
The five FSMO roles listed above are described in this article, including a brief explanation of what type of directory updates each FSMO role holder is responsible for (e.g. the Schema Master is the only DC that can make changes to the AD schema.)
Infrastructure Master role(s)
It turns out that even with a single domain, there's more than one Infrastructure Master role. In the MS article mentioned above, it says:
I'm not going to explain directory partitions and application directory partitions in AD (the links are to a TechNet document that explains them better than I could), it's enough to know that they exist.
So even with a single AD domain, you have three Infrastructure Masters: the domain's own, plus one for the DomainDnsZones application partition and one for ForestDnsZones, for a total of seven FSMO roles.
Do the extra roles cause problems?
Sometimes...
I can't find a definitive answer, but there is strong circumstantial evidence that the "extra" FSMO roles can only be moved manually, e.g. the Microsoft support article titled: Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com"
The most common reason for that error is that when a domain is set up, the first DC holds all seven roles, but the two extra Infrastructure Master roles are not moved by any of the usual tools (DCPROMO, ntdsutil, Move-ADDirectoryServerOperationMasterRole, all of which only know about the five classic roles). Each partition's role is recorded in the fSMORoleOwner attribute of CN=Infrastructure in that partition, and it points at the NTDS Settings object of the owning DC. If the original DC is ever retired, that attribute is left pointing at a deleted object, so no live server holds those roles and the RODC preparation fails because it needs to talk to them.
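An added example (not code from the original post or from Microsoft) for checking this before you retire a DC or run adprep: it lists all seven roles, including the two per-partition Infrastructure Masters, and flags any whose fSMORoleOwner points at a DC that no longer exists. It assumes the RSAT ActiveDirectory module, a domain account that can read both DNS application partitions, and that the DC the module contacts hosts them (any DC that is also a DNS server normally does). `Get-AllFsmoRoles` and `Move-PartitionInfrastructureMaster` are hypothetical helper names chosen here; the transfer function does the same LDAP write that Microsoft's fixfsmo.vbs does, and needs rights to write fSMORoleOwner.

```powershell
# Added example, not part of the original post: enumerate all seven FSMO roles
# and detect dangling per-partition Infrastructure Masters.
# Assumes the RSAT ActiveDirectory module; function names are this script's own.
Import-Module ActiveDirectory

function Get-AllFsmoRoles {
    $rootDse = Get-ADRootDSE
    $domain  = Get-ADDomain
    $forest  = Get-ADForest

    # The five classic roles, as the standard cmdlets report them (host names).
    $classic = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    $roles = foreach ($r in $classic.Keys) {
        [pscustomobject]@{ Role = $r; Partition = $domain.DistinguishedName; Owner = $classic[$r]; Dangling = $false }
    }

    # Map NTDS Settings DNs back to DC host names so partition owners can be compared.
    $ntdsToHost = @{}
    Get-ADDomainController -Filter * | ForEach-Object { $ntdsToHost[$_.NTDSSettingsObjectDN] = $_.HostName }

    # The two extra roles live on CN=Infrastructure inside each DNS application partition.
    $partitions = @(
        "DC=DomainDnsZones,$($domain.DistinguishedName)",
        "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
    )
    foreach ($p in $partitions) {
        if ($rootDse.namingContexts -notcontains $p) { continue }   # partition not present in this forest
        $infra   = Get-ADObject -Identity "CN=Infrastructure,$p" -Properties fSMORoleOwner
        $ownerDn = $infra.fSMORoleOwner
        # An owner DN containing "\0ADEL:" is a tombstone: the DC was removed and the role
        # was never moved. An owner that maps to no current DC is treated the same way.
        $dangling = ($ownerDn -match '\\0ADEL:') -or -not $ntdsToHost.ContainsKey($ownerDn)
        $roles += [pscustomobject]@{
            Role      = 'Infrastructure Master'
            Partition = $p
            Owner     = if ($dangling) { $ownerDn } else { $ntdsToHost[$ownerDn] }
            Dangling  = $dangling
        }
    }
    return $roles
}

function Move-PartitionInfrastructureMaster {
    param(
        [Parameter(Mandatory)] [string] $Partition,   # e.g. DC=DomainDnsZones,DC=contoso,DC=com
        [Parameter(Mandatory)] [string] $TargetDC     # host name of the DC that should take the role
    )
    # Writing fSMORoleOwner is how LDAP expresses "transfer this role to me", so the modify
    # must be sent to the target DC itself, which must hold a replica of the partition.
    $target = Get-ADDomainController -Identity $TargetDC
    Set-ADObject -Server $target.HostName -Identity "CN=Infrastructure,$Partition" `
        -Replace @{ fSMORoleOwner = $target.NTDSSettingsObjectDN }
}

# Report: any row with Dangling = True is a role adprep /rodcprep will fail to contact.
Get-AllFsmoRoles | Format-Table Role, Partition, Owner, Dangling -AutoSize

# Repair example (commented out; host and partition names are placeholders):
# Move-PartitionInfrastructureMaster -Partition "DC=DomainDnsZones,DC=contoso,DC=com" -TargetDC dc2.contoso.com
```

Run the report before demoting any DC that was the first one in the domain, and again afterwards: the five classic roles move with Move-ADDirectoryServerOperationMasterRole or ntdsutil, but the two partition rows must be moved with the write shown above, and a Dangling row after the old DC is gone is exactly the state that produces the adprep error quoted earlier.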
The place I ran across the extra roles was with Samba 4: the samba-tool utility can transfer FSMO roles to a different DC, and prior to version 4.3 it would tell you that all the roles had been transferred, but when you tried to demote a DC it would complain that the DC still held two FSMO roles. This has been fixed now.