FSMO Roles explained

Active Directory is the first word that that comes to the mind when thinking about Windows Servers. And the Spinal Cord of Active Directory is of course the FSMO (Flexible Single Master Operations) roles. The FSMO roles are has other names like

  • Operations Master
  • Operations Master Roles
  • Single Master Roles
  • Operations tokens

There are 5 roles, which makes up the FSMO roles each having its own well defined functionalities. This stresses the reason why the 5 roles are separated and signifies the importance of no two Domain Controllers performing the same roles simultaneously. These 5 roles can be again classified into two – Forest wide & Domain wide.

The Forest Wide roles shall run only in one server across the Forest. Similarly, Domain Wide roles shall run only in one server across the domain.

The second statement made above is flexible though. The number of Domain Controllers is scalable as required, purely based on the number of users, redundancy and the physical locations spanned across. In this context, there can be more than one Domain Controllers, holding the same Operations Master roles in a Domain. But, this is applicable only to the Domain wide roles.

Forest wide roles

  1. Schema Master
  2. Domain Naming Master

Domain wide roles

  1. RID Master
  2. PDC Emulator
  3. Infrastructure Master

A detailed understanding of all the 5 roles is given below.

  • Schema Master

The Domain Controller holding the Schema Master role is required for maintaining the schema of the entire forest. Schema contains the attributes or properties of each object of an Active Directory object. To elaborate, an Active Directory User object has many attributes or properties like ‘First Name’, ‘Last Name’, ‘Organization’, ‘Logon Name’ etc. That means, the schema decides or contains what all ‘tabs’ and the fields that should appear under each tab when the properties window of an Active Directory User object is opened. Hence, the domain controller that holds the Schema master should be unique. Some applications require updating the Schema (Like Microsoft Exchange or Microsoft Lync). During such activities the Domain Controller which holds the Schema Master role should be available.

  • Domain Naming Master

The first rule in Active Directory environment is that, no two domains should have the same name in a forest. Same is the case when navigating downstream through the domains. No two machines should have the same host name within the same domain, but two machines can have the same host name if they are in different domains within the same forest. That will ensure that the FQDN (Fully Qualified Domain Name) is different for the two machines. Domain Naming Master maintains uniformity across the forest, ensuring that the names are different for each object. In that case, can two user objects have the same name?

  • RID Master

RID stands for Relative Identifier. The RID Master is responsible for the generation of a unique identifier for each object in the Active Directory Domain. All active directory searches and transactions happen within the domain based on this relative identifier. The Relative Identifier for an Active Directory User object is called Security Identifier (SID). The reader should now get the answer to the above question – can two user objects have the same name? Of course yes. For user objects, the uniqueness is followed based on the Security Identifier.

To maintain integrity in the SID generated by the Domain Controllers across the domain (any Domain Controller can create a user account), the RID Master of the domain will allocate unique pools of RID’s to each Domain Controller. This can ensure that no two RIDs generated by  Domain Controllers are the same.

  • Infrastructure Master

The Infrastructure Master is useful in cross-domain reference. A user in one domain can access resource in another domain, if there is a trust established. A two-way trust is automatically created if the two domains are within the same forest. In that case, a security group or a distribution group can also be created, comprising users of different domains. After creating such a group, suppose that an attribute like ‘Last Name’ of a user object is changed. The same user object is still referenced in a group which is in another domain. The Infrastructure Master role validates these changes and keeps the membership updated. To understand this, consider the below multi-domain forest scenario below.

  1. User1 who is a member of domain1.com (user1@domain1.com)
  2. User1 is a member of group1, which is created in domain2.com (group1@domain2.com)
  3. User1 is renamed later to User2 in domain1.com (user2@domain1.com)
  4. The change is propagated across all the GCs in the forest (specifically to the GC in domain2.com)
  5. The Infrastructure Master compares these information with the GC in domain2.com
  6. The Infrastructure Master in domain2.com detects the change that has happened to the user object user1 and update the group1@domain2.com with the updated information
  • PDC Emulator

The PDC (Primary Domain Controller) Emulator has the major and critical roles of the Active Directory environment. The PDC emulator opens connection to the writable domain controller and hence it is very important. Some of the important functions of the PDC Emulator are as mentioned below.

Ensuring backward compatibility – for environment running Windows NT 4.0, and older versions of Active Directory like Windows 2000

Updating/replicating Password changes – Ensuring that any password resets are replicated quickly to the other domain controllers in the domain

Managing the Group Policies configured

Acts as the primary time source for the domain – All the machines in the domain synchronize time with the PDC emulator