Active Directory FSMO Roles

Focus: Active Directory FSMO Roles


FSMO - Expansion and its relevance


FSMO is short for Flexible Single Master Operations, and each word in the name has its own significance. An Operations Master is a role that handles one specific kind of operation. So why are the words ‘Flexible’ and ‘Single’ used?




‘Single’ is used because each role runs independently on a single DC at any one time. Because these operations master roles can be moved across DCs, they are called ‘Flexible’, and that is why the name is ‘Flexible Single Master Operations’. The terms Operations Master and Single Master Operation are also used interchangeably with FSMO.


FSMO roles do not need to be installed separately. They are created automatically during domain creation and, by default, all of them are held by the first DC of the forest. All the roles can be moved to any DC in the forest, but there are some criteria for this, which are explained later.


FSMO Roles


There are 5 FSMO roles. They can be classified as forest-wide roles and domain-wide roles.

Forest-wide roles:

  • Schema Master
  • Domain Naming Master

There is only one Schema Master and one Domain Naming Master across the whole forest.

Domain-wide roles:

  • Infrastructure Master
  • PDC Emulator
  • RID Master

These roles are domain specific, and each domain has its own holder for each of them.

Schema Master

  • This role manages the schema of the forest.
  • Any updates or modifications to the existing schema are handled by this role.
  • Not dependent on a Global Catalog server.
  • Since this role is rarely used once the domains are set up, it is fine to place it on a DC that does not have much processing capability.
  • Since the Schema Master role is required as long as the forest exists, it is recommended to place it in the root domain.

If the Schema Master is down?
  • No impact on the domain. The domain will work as usual.
  • But if an admin tries to perform any schema-related change, it will fail with an error.


Domain Naming Master

  • Manages the addition and removal of domains in a forest.
  • It is recommended to make the DC holding the Domain Naming Master a Global Catalog server.
  • Since this role is rarely used once the domains are set up, it is fine to place it on a DC that does not have much processing capability.
  • Since the Domain Naming Master role is required as long as the forest exists, it is recommended to place it in the root domain.

If the Domain Naming Master is down?
  • No impact on the domain. The domain will continue to work as always.
  • New domains cannot be added and existing domains cannot be removed.

Infrastructure Master

  • When an object in one domain is referenced from another domain, the reference is represented by the GUID, SID and DN of the referenced object (a phantom object).
  • Responsible for updating these cross-domain references.
  • Plays an important role when there are multiple domains, but has no relevance in a single-domain environment.
  • Do not hold the Infrastructure Master role on a DC that is also a Global Catalog server unless all the DCs in the environment hold the GC role.

If the Infrastructure Master is down?
  • No impact in a single-domain environment.
  • If there are multiple domains, a change to an object that is referenced by an object in another domain will not be reflected there.
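The placement rule above is easy to check from a PowerShell session with the ActiveDirectory module. The script below is an added example written for this article, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that the session can query a DC of the domain being checked. The function name Test-InfrastructureMasterPlacement is my own.

```powershell
# Added example: check the Infrastructure Master / Global Catalog placement rule.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can query the domain.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        # Domain to check; defaults to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainInfo = Get-ADDomain -Identity $Domain
    $imHolder   = $domainInfo.InfrastructureMaster          # FQDN of the role holder
    $dcs        = Get-ADDomainController -Filter * -Server $Domain

    $imDc     = $dcs | Where-Object { $_.HostName -ieq $imHolder }
    $allAreGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGc   = [bool]$imDc.IsGlobalCatalog

    # Rule from the article: the IM may sit on a GC only when every DC in the domain is a GC.
    # (When every DC is a GC there are no phantom objects left to update, so the placement is harmless.)
    $violation = $imIsGc -and -not $allAreGc

    [pscustomobject]@{
        Domain               = $Domain
        InfrastructureMaster = $imHolder
        HolderIsGC           = $imIsGc
        AllDCsAreGC          = $allAreGc
        PlacementOK          = -not $violation
        Recommendation       = if ($violation) {
            "Move the Infrastructure Master to a non-GC DC, or make every DC in the domain a GC."
        } else { "No change needed." }
    }
}

# Usage: check the current domain and print the result.
Test-InfrastructureMasterPlacement | Format-List
```

Run it once per domain in a multi-domain forest; in a single-domain forest the result is informational only, since the role has nothing to update there.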



PDC Emulator

  • Provides backward compatibility with legacy systems such as Windows NT.
  • Responsible for handling password changes in the domain.
  • Manages account lockout. Whenever an authentication attempt fails, the lockout counter is incremented on the PDC Emulator.
  • Responsible for keeping domain time in sync. The DC holding this role is the most credible and authoritative time server in the domain.
  • Responsible for updating Group Policy.
  • It is best to make the DC that serves the largest number of users the PDC Emulator, since user logons often need to contact this DC for authentication.

If the PDC Emulator is down?

  • Users will not be able to change their passwords.
  • Time can drift out of sync, which can lead to logon failures.
  • Group Policy update issues.

RID Master

  • The RID Master is responsible for allocating RIDs to the DCs.
  • Each object has an SID, which is the combination of the domain SID and a RID.
  • Initially, each DC gets a pool of 500 RIDs.
  • Once the RIDs allocated to a DC are used up, the DC contacts the RID Master for a new pool of RIDs.

If the RID Master is down?

  • Little impact as long as the DCs still have enough RIDs available in their pools.
  • New objects cannot be created once a DC's RIDs are used up.

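Everything above comes down to two questions an administrator wants answered quickly: who holds each role right now and is that DC answering, and how much headroom is left in each DC's RID pool before the RID Master becomes urgent. The script below is an added example for this article, not code from the original post or from Microsoft. It assumes the RSAT ActiveDirectory module is installed and that the session can query the domain; the function names and the 100-RID low-watermark threshold are my own choices, and the layout of rIDAllocationPool (low 32 bits = first RID, high 32 bits = last RID) is how the attribute is stored in AD.

```powershell
# Added example: inventory the five FSMO role holders, check each is reachable,
# and report how many RIDs each DC has left in its current pool.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can query the domain.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, domain-wide roles from the domain object.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            # A holder that does not answer is the "role is down" case the article describes.
            Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        }
    }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Each DC keeps its pool in the "RID Set" child object under its computer object.
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $Domain `
                               -Properties rIDAllocationPool, rIDNextRID

        # rIDAllocationPool packs two 32-bit values: low dword = first RID, high dword = last RID.
        $pool  = [int64]$ridSet.rIDAllocationPool
        $start = $pool -band 4294967295      # 0xFFFFFFFF as an Int64 literal
        $end   = $pool -shr 32
        $next  = if ($ridSet.rIDNextRID) { [int64]$ridSet.rIDNextRID } else { $start }

        [pscustomobject]@{
            DomainController = $dc.HostName
            PoolStart        = $start
            PoolEnd          = $end
            RidsRemaining    = $end - $next
            # With the RID Master down, a DC that exhausts this pool cannot create new objects.
            LowWatermark     = ($end - $next) -lt 100   # threshold chosen for this example
        }
    }
}

# Usage
Get-FsmoRoleStatus | Format-Table -AutoSize
Get-RidPoolStatus  | Format-Table -AutoSize
```

A holder reported as unreachable is exactly the "role is down" situation described in each section above; a DC flagged at the low watermark while the RID Master is unreachable is the one that will stop creating accounts first.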
I've tried to include whatever relevant details a system administrator needs to know about FSMO roles. Thanks for reading!!!

Comments

  1. Best of the information I have ever read regarding FSMO...
  2. Thank you. Very useful information :)
  3. Very easy to understand ... nice article!
  4. It's too good to see all the information. Ultimate work and effort. Thanks a ton for your time and effort to gather the information and make all the IT admins know many unknown things. All the best. God bless you.
  5. Really great job you are doing to achieve our interviews and settle lives.
  6. This is what I want; this is simple and easy to understand.
  7. Simple and right up to the point for understanding.
     Keep up your knowledge sharing.
  8. Best explanation of FSMO roles ever.. keep it up, guys..
