This article explains FSMO roles in Active Directory. Introduced by Microsoft, Active Directory (AD) is a set of directory services that connects users to Windows domain networks. The directory holds information about the users and their computers. The domain controller (a server running AD) authenticates all the users and computers connected to the Windows domain network. Its job is also to assign and enforce security policies for all devices, create objects, install and update software, and manage and store critical information. AD comprises multiple Domain Controllers (DC) and directory services.
With multiple Domain Controllers (DC), conflicts can arise over which DC gets to make a change. To avoid such issues and improve Domain Controller performance, Microsoft introduced the Single Master Model for AD. Under this model, only the single master DC can make changes to the domain, and the rest have to follow it. However, if the master fails or runs into a problem, changes to the domain are not possible until it is back up.
To address this, Microsoft assigned different roles and responsibilities to the Domain Controllers. If one DC is out, another can take its place and perform the responsibilities of the missing role. This idea, Flexible Single Master Operation or FSMO roles, made everything simpler and faster to understand. In total, there are five FSMO roles, of which two (Domain Naming Master and Schema Master) are restricted to the enterprise level (one per forest), and the remaining three are limited to the domain level (one per domain). The Flexible Single Master Operation or FSMO roles defined by Microsoft are listed below.
FSMO Roles in Active Directory
- Schema Master
- Domain Naming Master
- Infrastructure Master
- PDC or Primary Domain Controller Emulator
- RID or Relative ID Master
In this post, we discuss each of these roles and how together they complete an AD system. Remember, the original domain controllers often have access to these roles. However, these FSMO roles can be switched or transferred if needed.
FSMO Roles Explained
1. Schema Master FSMO Role
The Schema Master is the only enterprise-level FSMO role that holds a writable schema partition. As a result, the domain controller that is assigned this role can modify the forest schema. It is the AD forest's single Schema Master role that has the authority to raise the functional level and upgrade the domain controllers' operating system to a higher version.
The Schema Master role also manages the read-write copy of the AD schema. The schema holds all the Active Directory classes and attributes, such as employee ID, phone number, email, and username. Make sure to take an AD backup before starting with schema changes. Once the Schema Master has updated the forest schema, the changes are replicated from that server to the rest of the domain controllers. This role is essential to reduce conflicts related to schema changes. Overall, it can be a little overhead, but its loss will have a negligible operational impact.
2. Domain Naming Master FSMO Role
The Domain Naming Master is the only other enterprise-level FSMO role. It can add new domains and application partitions to an Active Directory forest or remove existing ones. Keep in mind that if the Domain Naming Master is not available for any technical or functional reason, you cannot create a new domain in the AD forest. It is also the job of the Domain Naming Master to make sure no two domains with the same name are created in the same forest. To be more precise, here is what the Domain Naming Master can perform:
- Add or eliminate domains
- Add or exclude directory partitions
- Make changes to the cross reference objects
- Administer a domain rename
As the creation and elimination of domains or partitions do not happen regularly, there is little overhead and a negligible operational impact from any loss. Also, the role can be seized only if the DC that owns it cannot be brought back online.
3. Infrastructure Master FSMO Role
The Infrastructure Master is a domain-level role that manages phantom objects in an Active Directory forest. The purpose of phantom objects is to track the local domain's references to deleted objects and to link-valued attributes that point to objects in other domains. They are created when an object in one directory cross-references an object in another. Only one Infrastructure Master role is assigned in every domain, and it is responsible for updating Security Identifiers (SIDs), Distinguished Names (DNs), and Globally Unique Identifiers (GUIDs) between domains. Keep in mind that this role must be handled by a Domain Controller and not a Global Catalog server (GC). If the role is run by the GC server, all object update processing will stop, as it holds no references to objects. Also, the DC refreshes the Security Identifiers and identifies the name in the object reference.
The FSMO role helps you verify the clients and their authorizations without a disturbance. If you lose the original domain controller, only the administrators will notice, not the users. When building your domain controllers, make sure to follow domain controller best practices.
4. Primary Domain Controller Emulator FSMO Role
Another domain-level role, the Primary Domain Controller emulator is responsible for responding to authentication requests, modifying passwords, and managing Group Policy Objects in an AD forest. Each domain requires a primary domain controller emulator role owner to perform the tasks listed below:
- Backward Compatibility – The primary domain controller emulator role owner registers as the target domain controller for legacy applications to address backward compatibility concerns. It behaves similarly to the single master role, as it performs writable operations.
- Distributed File System – By default, the Distributed File System occasionally requests updated DFS namespace data from the primary domain controller, which can lead to bottlenecking of resources.
- Password Update Processing – When a non-primary domain controller changes or resets a computer or user password, a copy of the submitted update is forwarded to the primary domain controller emulator. The primary domain controller emulator role owner also processes account lockouts in an AD forest.
- Time Synchronization – Each primary domain controller emulator acts as the master time source in its domain and synchronizes its clock with the forest root domain. The non-PDCE domain controllers synchronize their clocks with the domain's PDCE.
- Group Policy Updates – All the essential policy updates are submitted to the domain PDCE to prevent conflicts, such as changes made by two domain controllers simultaneously.
5. Relative ID Master FSMO Role (RID Master)
A domain-level role that responds to active Relative ID pool requests and assigns blocks of Security Identifiers (SID) to the domain controllers in a domain. The Relative ID pool comprises unique RIDs that are used at object creation time to produce the new object's Security Identifier (SID). To prevent multiple objects from receiving the same SID, the RID Master is the one that hands out the unique values. It also has the power to move or remove objects from its domain. The Security Identifier consists of the domain security identifier and a RID. If a domain controller's Relative ID pool fails or drops below a cut-off, it requests an additional Relative ID block from the domain's Relative ID Master.
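The following PowerShell inventory is an added example, not part of the original article. It lists the holder of each of the five roles described above, checks whether each holder answers, and flags an Infrastructure Master that is also a Global Catalog. It assumes the RSAT ActiveDirectory module and a session in the domain being audited.

```powershell
# Added example: inventory the five FSMO role holders and flag placement problems.
Import-Module ActiveDirectory

$forest = Get-ADForest    # enterprise-level (forest-wide) roles
$domain = Get-ADDomain    # domain-level roles

$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    try {
        # Ask the role holder itself, so a DC that is down shows up as unreachable.
        $dc = Get-ADDomainController -Identity $role.Value -Server $role.Value -ErrorAction Stop
        $reachable = $true
    } catch {
        $dc = $null
        $reachable = $false
    }
    [pscustomobject]@{
        Role            = $role.Key
        Holder          = $role.Value
        Reachable       = $reachable
        IsGlobalCatalog = if ($dc) { $dc.IsGlobalCatalog } else { $null }
    }
}
$report | Format-Table -AutoSize

# Infrastructure Master on a GC only matters while some DC in the domain is not a GC.
$nonGc = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
$im = $report | Where-Object { $_.Role -eq 'InfrastructureMaster' }
if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning "Infrastructure Master $($im.Holder) is a Global Catalog while non-GC DCs exist."
}

# An unreachable holder blocks the operations that depend on its role.
$report | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "$($_.Role) holder $($_.Holder) did not answer; operations that need this role will fail."
}
```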
FSMO Roles in Active Directory - Conclusion
Active Directory by Microsoft connects users with Windows domain networks to create objects, install and update software, enforce security policies, store crucial data, and more. To avoid any conflict between the multiple domain controllers, various roles are assigned. The above-listed FSMO roles are essential to prevent conflicts, add more flexibility to perform operations, and provide security to your Active Directory. FSMO stands for Flexible Single Master Operation.
In the initial versions of AD, many conflicts were reported by the administrators. To resolve the issue, different models and separate roles were introduced. Schema Master, Domain Naming Master, Infrastructure Master, Primary Domain Controller Emulator, Relative ID Master are the five Flexible Single Master Operation or FSMO roles assigned to each domain in an Active Directory Forest. There are two levels of FSMO roles:
- an enterprise-level role
- a domain-level role
Two of the five roles belong to the enterprise level, while the remaining three are restricted to the domain level. If for any reason the holder of an FSMO role crashes, you have the option to seize the FSMO role on another domain controller, fix the issue, and bring the domain controller back online. The best method to actively transfer an FSMO role is to use the Management Console, PowerShell, or ntdsutil.exe. For a manual transfer, the source domain controller first needs to synchronize with the target domain controller. Follow the above pointers to learn more about the responsibilities of each FSMO role.
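The PowerShell below is an added example, not part of the original article, showing the transfer and seize paths just described: it checks that the target has replicated cleanly before a planned transfer and only seizes when the operator has declared the old holder unrecoverable. The DC name `DC02.corp.example` and the `$SourceIsLost` switch are hypothetical placeholders.

```powershell
# Added example: transfer (or, as a last resort, seize) one FSMO role.
Import-Module ActiveDirectory

$Target       = 'DC02.corp.example'   # hypothetical DC that will receive the role
$Role         = 'PDCEmulator'         # or RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
$SourceIsLost = $false                # set to $true only if the current holder cannot be brought back online

$domainDn = (Get-ADDomain).DistinguishedName

# The target must be in sync before it takes over: refuse to continue on replication errors.
$partners = Get-ADReplicationPartnerMetadata -Target $Target -Partition $domainDn
$failing  = @($partners | Where-Object {
    $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0
})
if ($failing.Count -gt 0) {
    $failing | Select-Object Partner, LastReplicationSuccess, LastReplicationResult | Format-Table
    throw "Inbound replication to $Target is failing; fix replication before moving $Role."
}

# Dry run first: shows what would change without touching the directory.
Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -WhatIf

if ($SourceIsLost) {
    # Seizure: -Force takes the role without contacting the current holder.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm
} else {
    # Planned transfer: the current holder hands the role over cooperatively.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm
}

# Verify from the target's own view of the directory.
Get-ADDomain -Server $Target | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest -Server $Target | Select-Object SchemaMaster, DomainNamingMaster
```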