Active Directory FSMO Roles

March 11, 2017 at 1:10 pm


An Overview of FSMO Roles

When you think about your AD design, you immediately think about multiple domain controllers. And some of them might even be read only. This is to distribute the great load that might be placed on these servers in a very active enterprise. Why not distribute this load and ensure that AD resources are always available in the event of a machine or machines failing!

While it is true that we should design our forests in this manner, keep in mind that there are Flexible Single Master Operator (FSMO) Roles that dictate only one domain controller be responsible for certain functions. In these cases, AD nominates a specific domain controller as the master for such functions.

There are five of these roles total. Three exist for every domain, and two of the roles apply to the entire forest. Keep in mind, however, that you can have a single server providing several of these roles. This keeps us from requiring at least 5 domain controllers for every forest.

Well, it is obviously time for us to cover each of these 5 roles in detail!

Schema Master (forest wide)

Want to make changes to your AD schema? Wow, you are fancy! You need to do this on the Schema Master. By default, this is the first DC you promoted in your forest.

Since changes to the schema are well-planned and pretty rare after your initial deployment is up and running, you can afford to have this role offline for measured time periods.

Domain Naming Master (forest wide)

This is the device that is in charge of changes to the forest-wide name space. Perhaps you need to add a domain to your domain tree in your forest? This machine needs to be online in order to make that happen. Once again, it defaults to the first DC you promote in your forest.

Once again, these types of changes are (thankfully) rare. Having this role offline for a time period is not typically the end of your world!

PDC Emulator (domain wide)

This FSMO role has many functions, including:

  • It maintains backward compatibility functioning as an old school Windows NT Primary Domain Controller (PDC)
  • It acts as the old school NT master browser
  • It attempts to maintain the latest passwords for all accounts (note that this function, like many others of the PDC Emulator, has nothing to do with backward compatibility!)
  • It is the target server for most Group Policy management tools
  • It is responsible for acting as the primary time source for the domain and forest
  • It authorizes domain controller cloning

Since this device fulfills so many important functions, you want to make sure it is always online for the most part!

RID Master (domain wide)

This Relative Identifier (RID) Master exists per domain. This device ensures that Security Identifiers (SIDs) in the domain are unique. In my next post in this AD series, I will provide you with great details on the SIDs in your domain. Turns out they are pretty damn important!

RID Masters provide the relative identifier information to other domain controllers in large blocks so these devices can create many SIDs without needing to bother the RID Master again for a very long time. So again, we have a situation where the RID Master can be offline without it causing huge problems. An obvious exception to this would be if you were in the process of adding a huge number of accounts that need SIDs in your domain.
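How much headroom the domain and each DC actually have is something you can read straight out of the directory. The following is an added example (not code from the original post) that decodes the domain-wide pool kept on the RID Manager$ object and the block each domain controller has already been allocated; the attribute names (rIDAvailablePool, rIDAllocationPool, rIDNextRID) are the standard AD attributes and are not mentioned in the post. It requires the ActiveDirectory PowerShell module in a domain-joined session.

```powershell
# Added example, not code from the original post. Decodes the domain-wide RID
# pool on the RID Manager$ object and the block each DC has already been
# allocated, which is what decides how long the RID Master can stay offline
# before account creation stalls. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Split-Int64Halves {
    # AD stores these pools as one 64-bit integer: a low 32-bit half and a high 32-bit half.
    param([Parameter(Mandatory)][int64]$Value)
    $bytes = [BitConverter]::GetBytes($Value)      # little-endian on Windows
    [pscustomobject]@{
        Low  = [BitConverter]::ToUInt32($bytes, 0)
        High = [BitConverter]::ToUInt32($bytes, 4)
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain

    # Domain-wide pool: Low = next RID the RID Master will hand out,
    # High = the last RID this domain can ever issue.
    $ridManager = Get-ADObject ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
    $domainPool = Split-Int64Halves $ridManager.rIDAvailablePool
    [pscustomobject]@{
        Holder    = $domain.RIDMaster
        Scope     = 'Domain pool'
        NextRid   = $domainPool.Low
        LastRid   = $domainPool.High
        Remaining = $domainPool.High - $domainPool.Low
    }

    # Per-DC block: rIDAllocationPool Low/High = start/end of the block this DC
    # owns; rIDNextRID = the next RID it will stamp on a new SID. A DC with
    # plenty left keeps creating accounts even while the RID Master is down.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $ridSet = Get-ADObject ('CN=RID Set,' + $dc.ComputerObjectDN) -Properties rIDAllocationPool, rIDNextRID -ErrorAction Stop
        }
        catch {
            # A freshly promoted DC (or a read-only DC) may not have requested a block yet.
            continue
        }
        $block = Split-Int64Halves $ridSet.rIDAllocationPool
        $next  = if ($ridSet.rIDNextRID) { [uint32]$ridSet.rIDNextRID } else { $block.Low }
        [pscustomobject]@{
            Holder    = $dc.HostName
            Scope     = 'Local block'
            NextRid   = $next
            LastRid   = $block.High
            Remaining = $block.High - $next
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
```

A small "Remaining" value on a busy DC while the RID Master is unreachable is exactly the exception described above: that DC will stop creating accounts once its local block runs out, because it cannot request the next one.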

Infrastructure Master (domain wide)

This FSMO role maintains references to objects in other domains. We call these objects phantoms. Let’s say you have 10 users in Domain1 that actually exist in Domain2. It is the job of the Infrastructure Master of Domain1 to maintain the phantom information for these users.

This important device has many functions and aspects as follows:

  • This role is responsible for updating SID information and distinguished name information when these change in the source domain
  • It checks in with the Global Catalog of the source domain to ensure it does not possess “stale” phantom information
  • This role is also responsible for performing updates to the domain when moving from Windows Server 2003 or later

It is important to note that if you enable the Active Directory Recycle Bin functionality, every DC in the forest now performs the roles above.

This role could be offline, of course, and how long you could tolerate that is very forest design specific.

Transferring Roles

Could you have all of these roles on a single DC? Sure you could, and many administrators do this for simplicity. You can, however, transfer these roles using the following tools:

  • Domain Naming Master – changed with the Active Directory Domains and Trusts snap-in
  • The Schema Master – changed with the Active Directory Schema snap-in
  • The RID, Infrastructure, and PDC Emulator Masters – changed with the Active Directory Users and Computers snap-in

Note that you can also use Windows PowerShell for these controls. From a Command Prompt, use NTDSUTIL.
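Since the sections above each discuss how long a given role can be offline, the first thing you want in an outage is a quick list of who holds what and whether that DC is still answering. The following is an added example (not code from the original post) using the ActiveDirectory module; the DC name 'DC02' in the transfer lines is a placeholder. It assumes a domain-joined session with read access to the directory.

```powershell
# Added example, not code from the original post. Lists which DC holds each of
# the five FSMO roles and checks whether that DC currently answers on LDAP,
# so you can tell which roles an outage actually affects. Requires the
# ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # One object per role; forest-wide roles come from Get-ADForest,
    # domain-wide roles from Get-ADDomain (the current user's domain by default).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
}

function Test-FsmoRoleHolder {
    # A role whose holder does not answer on LDAP (TCP 389) is the one whose
    # downtime tolerance, as discussed above, you now have to think about.
    foreach ($r in Get-FsmoRoleHolder) {
        $ldap = Test-NetConnection -ComputerName $r.Holder -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role   = $r.Role
            Scope  = $r.Scope
            Holder = $r.Holder
            Online = [bool]$ldap.TcpTestSucceeded
        }
    }
}

Test-FsmoRoleHolder | Format-Table -AutoSize

# Graceful transfer: the current holder must be online to hand the role over.
# 'DC02' is a placeholder for the DC that should receive the roles; several
# roles can be moved in one call.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Seizure (-Force) is only for a holder that is gone for good. Never bring the
# old holder back with the role still on it, because two owners of one role
# conflict. The same cmdlet covers the forest-wide roles.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Force
```

Holder names come back as fully qualified DC names. From a plain Command Prompt, netdom query fsmo gives the same list, and the roles context of NTDSUTIL mentioned above performs the transfer or seizure.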

I hope you will be joining me for tomorrow’s post on SIDs!


Identifying Objects in Microsoft Active Directory

March 9, 2017 at 6:49 pm



To be able to uniquely identify objects in Active Directory, Microsoft uses a 128-bit Globally Unique Identifier or GUID. You should note that if you move an object in your AD tree, or even if you rename the object inside of Active Directory, this GUID remains unchanged. There is one important exception to this, and that would be a move from one forest to another forest using something like the Active Directory Migration Tool (ADMT). This situation does not preserve the GUID.

Distinguished Names

We humans are certainly not going to work with GUIDs to identify objects in AD. Fortunately, there is another method of identification called distinguished names (DN). This approach is actually referenced in the LDAP specifications. The DN provides a nice hierarchical path to the object in addition to names. For example, we might have a domain of The DN would be:


We also have relative distinguished names (RDN) to identify the object in a parent container. For example, consider this DN:


The RDN would be:


Attribute Types

Notice from our examples above there is an Attribute Type as part of the DN. Here is a list of these Attribute Types:

  • CN = Common Name
  • L = Locality Name
  • ST = State or Province Name
  • O = Organization Name
  • OU = Organizational Unit Name
  • C = Country Name
  • STREET = Street Address
  • DC = Domain Component
  • UID = User ID

AD uses CN, L, O, OU, C, and DC.
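Because a DN is just a comma-separated string, the one thing that trips up scripts is a comma inside a value (a common name such as "Smith, John"), which LDAP escapes with a backslash. The following is an added example (not code from the original post) that splits a DN into its RDNs while honouring those escapes, reports the object's own RDN and its parent container, and checks each attribute type against the list above. The sample DN is constructed for the example and runs without any domain controller.

```powershell
# Added example (not from the original post): split an LDAP distinguished name
# into its relative distinguished names, honouring RFC 4514 backslash escapes,
# and validate each attribute type against the list given above.
# Pure string handling, so it runs without a domain controller.

$KnownAttributeTypes = 'CN','L','ST','O','OU','C','STREET','DC','UID'

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $components = New-Object System.Collections.Generic.List[string]
    $current    = New-Object System.Text.StringBuilder
    $escaped    = $false

    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped) {
            # Previous character was a backslash: keep this one literally.
            [void]$current.Append($ch)
            $escaped = $false
        }
        elseif ($ch -eq '\') {
            [void]$current.Append($ch)   # keep the escape so the RDN stays valid LDAP
            $escaped = $true
        }
        elseif ($ch -eq ',') {
            # Unescaped comma: end of this RDN. (Multi-valued RDNs joined
            # with '+' are left as one component.)
            $components.Add($current.ToString())
            [void]$current.Clear()
        }
        else {
            [void]$current.Append($ch)
        }
    }
    if ($current.Length -gt 0) { $components.Add($current.ToString()) }
    return ,$components.ToArray()
}

function Get-DnInfo {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rdns  = Split-DistinguishedName $DistinguishedName
    $types = foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        $type = $type.Trim().ToUpper()
        if ($KnownAttributeTypes -notcontains $type) {
            Write-Warning "Unknown attribute type '$type' in RDN '$rdn'"
        }
        $type
    }
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        RDN               = $rdns[0]                  # the object's own name in its parent
        Parent            = ($rdns | Select-Object -Skip 1) -join ','
        Depth             = $rdns.Count
        AttributeTypes    = ($types | Select-Object -Unique) -join ','
        Domain            = ($rdns | Where-Object { $_ -match '^DC=' } |
                             ForEach-Object { ($_ -split '=', 2)[1] }) -join '.'
    }
}

# Constructed sample: the comma inside the common name is escaped, so it must
# not be treated as a separator.
$sample = 'CN=Smith\, John,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com'
Get-DnInfo $sample | Format-List
```

For the sample, RDN comes back as CN=Smith\, John, Parent as OU=Sales,OU=Staff,DC=corp,DC=example,DC=com, and Domain as corp.example.com. A naive split on every comma would have produced a seven-part DN with a bogus " John" component, which is how mis-parsed DNs end up matching the wrong container in access checks.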

CBT Nuggets’ Windows 10 70-697: Configuring Windows Devices Course Outline

February 10, 2017 at 8:48 am


I know that many of you are going through the Nuggets as they publish each week here at the CBT Nuggets site. Here is the complete course outline so you can easily track your progress. Enjoy! By the way – the Nuggets you see in bold are the ones I have completed and uploaded. If they do not appear in your course yet – it is because they are going through the very stringent review process.

  • Nugget 1: 70-697 Course Introduction
  • Nugget 2: Key Administration Tools
  • Nugget 3: Install Apps Using Office 365
  • Nugget 4: Windows Store Apps
  • Nugget 5: Sideloading Apps
  • Nugget 6: Using your Microsoft Account with Windows 10
  • Nugget 7: Other Authentication Options
  • Nugget 8: User Profiles
  • Nugget 9: Hyper-V
  • Nugget 10: Offline Files
  • Nugget 11: Windows To Go
  • Nugget 12: WiFi Direct
  • Nugget 13: Power
  • Nugget 14: BitLocker
  • Nugget 15: Manage Devices with Microsoft Intune
  • Nugget 16: Support Mobile Devices with Intune
  • Nugget 17: Deploy Software Updates by Using Microsoft Intune
  • Nugget 18: Configure IP and Network Settings
  • Nugget 19: Configure and Maintain Network Security
  • Nugget 20: Data Storage Topics
  • Nugget 21: EFS
  • Nugget 22: Share and NTFS Permissions
  • Nugget 23: Libraries
  • Nugget 24: HomeGroups
  • Nugget 25: Other Printer and File Options
  • Nugget 26: Configure Remote Connections
  • Nugget 27: Deploy and manage Azure RemoteApp
  • Nugget 28: Support desktop apps
  • Nugget 29: Your 70-697 Exam