Active Directory FSMO Roles

March 11, 2017 at 1:10 pm


An Overview of FSMO Roles

When you think about your AD design, you immediately think about multiple domain controllers. And some of them might even be read only. This is to distribute the great load that might be placed on these servers in a very active enterprise. Why not distribute this load and ensure that AD resources are always available in the event of a machine or machines failing!

While it is true that we should design our forests in this manner, keep in mind that there are Flexible Single Master Operator (FSMO) Roles that dictate only one domain controller be responsible for certain functions. In these cases, AD nominates a specific domain controller as the master for such functions.

There are five of these roles total. Three exist for every domain, and two of the roles apply to the entire forest. Keep in mind, however, that you can have a single server providing multiple of these roles. This keeps us from needing at least five domain controllers in every forest.

Well, it is obviously time for us to cover each of these 5 roles in detail!

Schema Master (forest wide)

Want to make changes to your AD schema? Wow, you are fancy! You need to do this on the Schema Master. By default, this is the first DC you promoted in your forest.

Since changes to the schema are well-planned and pretty rare after your initial deployment is up and running, you can afford to have this role offline for measured time periods.

Domain Naming Master (forest wide)

This is the device that is in charge of changes to the forest-wide name space. Perhaps you need to add a domain to your domain tree in your forest? This machine needs to be online in order to make that happen. Once again, it defaults to the first DC you promote in your forest.

Once again, these types of changes are (thankfully) rare. Having this role offline for a time period is not typically the end of your world!

PDC Emulator (domain wide)

This FSMO role has many functions, including:

  • It maintains backward compatibility functioning as an old school Windows NT Primary Domain Controller (PDC)
  • It acts as the old school NT master browser
  • It attempts to maintain the latest passwords for all accounts (note this function like many others of the PDC Emulator has nothing to do with backward compatibility functions!)
  • It is the target server for most Group Policy management tools
  • It is responsible for acting as the primary time source for the domain and forest
  • It authorizes domain controller cloning

Since this device fulfills so many important functions, you want to make sure it is always online for the most part!

RID Master (domain wide)

This Relative Identifier (RID) Master exists per domain. This device ensures that Security Identifiers (SIDs) in the domain are unique. In my next post in this AD series, I will provide you with great details on the SIDs in your domain. Turns out they are pretty damn important!

RID Masters provide the relative identifier information to other domain controllers in large blocks so these devices can create many SIDs without needing to bother the RID Master again for a very long time. So again, we have a situation where the RID Master can be offline and it not cause huge problems. An obvious exception to this would be if you were in the process of adding a huge number of accounts that need SIDs in your domain.

Infrastructure Master (domain wide)

This FSMO role maintains references to objects in other domains. We call these objects phantoms. Let’s say you have 10 users in Domain1 that actually exist in Domain2. It is the job of the Infrastructure Master of Domain1 to maintain the phantom information for these users.

This important device has many functions and aspects as follows:

  • This role is responsible for updating SID information and distinguished name information when this changes in the source domain
  • It checks in with the Global Catalog of the source domain to ensure it does not possess “stale” phantom information
  • This role is also responsible for performing updates to the domain when moving from Windows Server 2003 or later

It is important to note that if you enable the Active Directory Recycle Bin functionality, every DC in the forest now performs the roles above.

This role could be offline, of course, and how long you could tolerate that is very forest design specific.

Transferring Roles

Could you have all of these roles on a single DC? Sure you could, and many administrators do this for simplicity. You can, however, transfer these roles to another DC using the following tools:

  • Domain Naming Master – changed with the Active Directory Domains and Trusts snap-in
  • The Schema Master – changed with the Active Directory Schema snap-in
  • The RID, Infrastructure, and PDC Emulator Masters – changed with the Active Directory Users and Computers snap-in

Note that you can also use Windows PowerShell for these controls. From a Command Prompt, use NTDSUTIL.
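The PowerShell side of the inventory and transfer steps above, as an added example that is not part of the original post: it lists the five role holders with their scope, checks that each one answers on LDAP, decodes the RID pool described in the RID Master section, and wraps Move-ADDirectoryServerOperationMasterRole for a graceful transfer (or a seize when the old holder is gone for good). It assumes the RSAT ActiveDirectory module, Domain Admins rights, and a target DC name; DC02 is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) is installed and the session runs as a domain admin.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the domain of the current user.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-wide roles plus three domain-wide roles.
    [PSCustomObject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [PSCustomObject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $dom.PDCEmulator }
    [PSCustomObject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $dom.RIDMaster }
    [PSCustomObject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $dom.InfrastructureMaster }
}

function Test-FsmoRoleHolders {
    # Adds a Reachable column: does the holder accept a TCP connection on LDAP (389)?
    Get-FsmoRoleHolders | ForEach-Object {
        $ok = Test-NetConnection -ComputerName $_.Holder -Port 389 `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue $ok -PassThru
    }
}

function Get-RidPoolStatus {
    # rIDAvailablePool on the RID Manager object is a 64-bit value: the high 32
    # bits are the highest RID the master will ever hand out, the low 32 bits
    # the next RID to be allocated. Worth checking before a bulk account
    # creation while the RID Master is unreachable.
    $dom    = Get-ADDomain
    $ridObj = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $dom.DistinguishedName) `
                           -Properties rIDAvailablePool
    $pool   = [int64]$ridObj.rIDAvailablePool
    $low32  = [int64]4294967295              # mask for the low 32 bits
    [PSCustomObject]@{
        NextRid       = $pool -band $low32
        MaxRid        = $pool -shr 32
        RidsRemaining = ($pool -shr 32) - ($pool -band $low32)
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Roles,
        # Seize only when the current holder is permanently gone; a seized role
        # must never be brought back online on the old holder.
        [switch]$Seize
    )
    # Without -Force this is a graceful transfer that contacts the current holder.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles `
                                              -Force:$Seize -Confirm:$false
}

# Usage (DC02 is a placeholder name):
Test-FsmoRoleHolders | Format-Table -AutoSize
Get-RidPoolStatus
# Move-FsmoRoles -TargetDC 'DC02' -Roles PDCEmulator, RIDMaster, InfrastructureMaster
```

The reachability column is the quick check for "which of the roles above is currently offline"; the RID pool decode tells you how far the domain can keep creating accounts while the RID Master is down.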

I hope you will be joining me for tomorrow’s post on SIDs!


Active Directory (AD) Components

March 10, 2017 at 12:16 pm


AD Components Overview

In this post, we examine the key concepts that make up Windows Server Active Directory (AD). This is a continuing series here at the blog as we get excited for my 70-742 Identity in Windows Server 2016 to get fired up at CBT Nuggets.


The key element of AD is the domain. This is how we organize the structure in an enterprise. A domain consists of:

  • An X.500 (LDAP) based hierarchical structure of containers and objects
  • A DNS domain name
  • A security service
  • Policies
  • A Domain Controller (DC) that is authoritative for the domain (you should have more than one DC!)

Note that you can string domains together in your enterprise to create a domain tree. Perhaps we have as our first domain, then we create as our next domain. Note that these domains in a tree explicitly trust each other in a transitive way.


What a perfect name for our next component. A forest is a collection of domain trees! The first domain you create is called the forest root domain. This forest root domain could be renamed later on, but it cannot be removed. Once you have multiple domain trees in a forest, trust relationships permit resource sharing.

You can even create forest trust relationships if your forest must access resources in another separate forest.

While it is cool that we can create a forest of multiple domain trees, it is almost always correct to keep things as simple as possible and create a single domain forest.

Organizational Units

What most of us think of when we envision AD is Organizational Units (OUs). These are containers we create to fill with objects like users and groups and printers and then we assign policy to these units using Group Policy. Do not confuse OUs with another type of container object in AD called, simply, a container. While there are some default containers in Windows Server, we tend to use OUs all the time as we are building our hierarchy.

When you install AD, some default containers and OUs get created for you. For example, there is a Domain Controllers OU.

The Global Catalog (GC)

Need to search a forest for something? The Global Catalog (GC) server comes to the rescue. The attributes you can search on are inside the GC and we call this a partial attribute set (PAS). There are tools you can use to manipulate what attributes make it into the GC.
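To see what the partial attribute set actually contains in your forest, here is an added example (not from the original post) that reads the schema partition: attributeSchema objects with isMemberOfPartialAttributeSet set to TRUE are the attributes every GC replicates, and the searchFlags bit 0x80 marks the ones the schema treats as confidential. It assumes the ActiveDirectory module and a reachable DC; the attribute name passed to Test-AttributeInGC ('mail') is just a sample.

```powershell
# Added example (not from the original post): read-only inspection of the
# partial attribute set (PAS). Assumes the ActiveDirectory module is loaded.
Import-Module ActiveDirectory

function Get-PartialAttributeSet {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # attributeSchema objects flagged isMemberOfPartialAttributeSet make up the PAS.
    Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
                 -Properties lDAPDisplayName, searchFlags |
        ForEach-Object {
            [PSCustomObject]@{
                Attribute    = $_.lDAPDisplayName
                # searchFlags bit 0x80 = confidential: readable only with the
                # control-access right, even though the value sits on every GC.
                Confidential = (($_.searchFlags -band 0x80) -ne 0)
            }
        } | Sort-Object Attribute
}

function Test-AttributeInGC {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
                         -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "No attributeSchema object named $LdapDisplayName" }
    [bool]$attr.isMemberOfPartialAttributeSet
}

Get-PartialAttributeSet | Format-Table -AutoSize
Test-AttributeInGC -LdapDisplayName 'mail'
```

Adding an attribute to the PAS is a schema change: it is written with Set-ADObject and a -Replace of isMemberOfPartialAttributeSet against the Schema Master, and once it is in the PAS the value is readable through every GC in the forest, so review the confidential flag before widening the set.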

I hope you found this post informative, and I would like to thank you for reading. Next up, we will examine the Flexible Single Master Operator (FSMO) Roles in AD.
Pearson Education (InformIT)

Identifying Objects in Microsoft Active Directory

March 9, 2017 at 6:49 pm



To be able to uniquely identify objects in Active Directory, Microsoft uses a 128-bit Globally Unique Identifier or GUID. You should note that if you move an object in your AD tree, or even if you rename the object inside of Active Directory, this GUID remains unchanged. There is one important exception to this, and that would be a move across a forest to another forest using something like the Active Directory Migration Tool (ADMT). This situation does not preserve the GUID.

Distinguished Names

We humans are certainly not going to work with GUIDs to identify objects in AD. Fortunately, there is another method of identification called distinguished names (DN). This approach is actually referenced in the LDAP specifications. The DN provides a nice hierarchical path to the object in addition to names. For example, we might have a domain of The DN would be:


We also have relative distinguished names (RDN) to identify the object in a parent container. For example, consider this DN:


The RDN would be:


Attribute Types

Notice from our examples above there is an Attribute Type as part of the DN. Here is a list of these Attribute Types:

  • CN = Common Name
  • L = Locality Name
  • ST = State or Province Name
  • O = Organization Name
  • OU = Organizational Unit Name
  • C = Country Name
  • STREET = Street Address
  • DC = Domain Component
  • UID = User ID

AD uses CN, L, O, OU, C, and DC.
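Because the DN examples above were lost in extraction, here is an added example (not from the original post) that does the splitting by hand: it cuts a DN into its RDNs while honouring backslash-escaped commas, returns the RDN and parent DN, rebuilds the DNS domain from the DC components, and marks which attribute types are among the six AD uses. The sample DN is constructed for illustration.

```powershell
# Added example (not from the original post). Pure string handling; no AD
# connection is required.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # A comma ends an RDN only when it is not escaped by a backslash.
    $parts   = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $DN.Length; $i++) {
        $c = $DN[$i]
        if ($c -eq '\' -and $i + 1 -lt $DN.Length) {
            # Keep the escape and the escaped character together.
            [void]$current.Append($c).Append($DN[$i + 1]); $i++; continue
        }
        if ($c -eq ',') {
            $parts.Add($current.ToString().Trim()); [void]$current.Clear(); continue
        }
        [void]$current.Append($c)
    }
    $parts.Add($current.ToString().Trim())
    $parts
}

function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    $adTypes = 'CN', 'L', 'O', 'OU', 'C', 'DC'      # the attribute types AD uses
    $rdns = Split-DistinguishedName -DN $DN
    $typed = foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        [PSCustomObject]@{
            Type     = $type.ToUpper()
            Value    = $value -replace '\\(.)', '$1'   # drop escapes for display
            UsedByAD = $adTypes -contains $type.ToUpper()
        }
    }
    [PSCustomObject]@{
        RDN        = $rdns[0]                            # first component names the object
        ParentDN   = ($rdns | Select-Object -Skip 1) -join ','
        Domain     = (($typed | Where-Object Type -eq 'DC').Value) -join '.'
        Components = $typed
    }
}

# Constructed sample: a user whose CN contains an escaped comma.
$sample = 'CN=Doe\, Jane,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com'
$parsed = ConvertFrom-DistinguishedName -DN $sample
"RDN:      $($parsed.RDN)"        # CN=Doe\, Jane
"Parent:   $($parsed.ParentDN)"   # OU=Sales,OU=Staff,DC=corp,DC=example,DC=com
"Domain:   $($parsed.Domain)"     # corp.example.com
$parsed.Components | Format-Table -AutoSize
```

The escape handling is the part that matters in practice: a naive split on commas turns the single RDN CN=Doe\, Jane into two, which is exactly the kind of mistake that makes an ACL or a group-membership script act on the wrong object.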

A Brief History of Microsoft’s Active Directory

March 8, 2017 at 5:43 pm

Active Directory

Active Directory Overview

For my latest CBT Nuggets course, you and I are going on an intense exploration of the wonders of Active Directory (AD). AD is a Network Operating System (NOS) that Microsoft originally built on top of Windows 2000! Obviously, with Windows Server 2016 powering many data centers today, this NOS has seen many changes and improvements.

The Database

It is fair to think of AD as a sophisticated database. It holds information about your users, groups, computers, printers, and any other objects you need to define in order to make your network thrive. When Microsoft first introduced Windows NT, they were struggling with what to do about a NOS. In fact, the original “domain” concept from Microsoft featured information stored in a flat file structure and constrained administrators to a fixed number of objects they could add to the domain. It is amazing to think about this today with the vastly scalable network architectures of Server 2016.

The key technology that changed everything for Microsoft was the Lightweight Directory Access Protocol (LDAP). Microsoft was so impressed with this open standard for NOS functions they based their own Active Directory on these principles and ensured the compliance of AD with LDAP.

It is no coincidence that LDAPv3 became a reality in 1997 and Microsoft released AD in Windows 2000.

The Database Revealed

While Active Directory presents a hierarchical structure to users and administrators, it is still actually stored in a flat file database structure. Users never see this, however. They see container objects and non-container objects (leaf nodes). The most common container we use today is the OU (organizationalUnit). These incredibly powerful structures allow us to group similar objects and then apply security and management policies to these devices as a whole.

I hope you are super excited like I am for the Windows Server 2016 Identity course at CBT Nuggets where we will use Hands On Labs to ensure you master all aspects of AD!

70-742 Exam – Identity with Windows Server 2016

March 6, 2017 at 10:20 am


70-742 Overview

70-742 is one of the exams that makes up the MCSA: Windows Server 2016 Microsoft Certified Solutions Associate certification from Microsoft. I am creating a course for this certification at CBT Nuggets beginning on 3/13/2017.

This exam focuses on the identity functionality in Windows Server 2016. It covers the installation and configuration of Active Directory Domain Services (AD DS), in addition to Group Policy implementation for non-Nano Server environments. It also covers functionality such as Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), and Web Application Proxy implementations.

70-742 Complete Outline

This is one really long outline – so be sure to click the Read More button below if you are interested in the entire thing!

Install and configure Active Directory Domain Services (AD DS) (20–25%)

  • Install and configure domain controllers
    • Install a new forest
    • Add or remove a domain controller from a domain
    • Upgrade a domain controller
    • Install AD DS on a Server Core installation
    • Install a domain controller from Install from Media (IFM)
    • Resolve DNS SRV record registration issues
    • Configure a global catalog server
    • Transfer and seize operations master roles
    • Install and configure a read-only domain controller (RODC)
    • Configure domain controller cloning
