Did you know that there are really six (6) FSMO roles? I didn’t either until I was interviewing a candidate at Microsoft one day and I made the same request I make of every candidate – name the FSMO roles. The only two that he knew were the PDC and Schema Master but he also named another role that made me think – the ISTG. It’s the reason I love to do interviews. I almost always learn something – even if it is just a glimpse at a fresh perspective.
The ISTG, huh? Okay, so it’s not technically a FSMO role but I can’t fault him for that answer because I think it has merit. What is a Flexible Single Master Operation? It is a role that only one DC can (or should) hold at any given time within its boundary.
There’s five FSMO roles right? Well if I have two domains in a forest, how many FSMO role holders do I have? Eight. As we know, three of my five FSMO roles are domain-bound and two of my five FSMO roles are forest-bound. The point is that a FSMO role holder is unique within a boundary. This is done, as Microsoft states, because, “by designating a single domain controller to manage specific tasks, Active Directory enhances your ability to avoid conflicts in the directory, ensure consistency…”
Well, the ISTG role fits that model. The ISTG is designated to manage the unique task of creating intersite connection objects for all bridgehead servers in its site. To avoid duplication and promote consistency, there is only one ISTG (single master) per site (boundary). Though each domain controller runs the KCC (assuming it hasn’t been disabled), only one DC within a site runs the ISTG sub-process. The fact that every DC can run the role though is what makes the role Flexible.
I talked with some other folks at Microsoft and heard that at one point the ISTG was loosely considered a FSMO role but it never carried through. I never validated this so I don’t know why exactly but I am guessing that it had something to do with administrative responsibility.
There aren’t any concerns with ISTG role placement. There’s not really a need to seize the ISTG role (though I suppose you can do this technically – just not with an operational attribute). Failover is handled automagically. There aren’t any role conflicts for the ISTG. And maybe most importantly, the addition of the boundary doesn’t require the addition of the role (just because there’s a site, doesn’t mean that there’s an ISTG role holder for that site).
So while by Microsoft’s designation the ISTG is not a FSMO role, by the most literal definition, you could make a very strong argument for its induction.