An Overview of FSMO Roles
When you think about your AD design, you immediately think about multiple domain controllers. And some of them might even be read only. This is to distribute the great load that might be placed on these servers in a very active enterprise. Why not distribute this load and ensure that AD resources are always available in the event of a machine or machines failing!
While it is true that we should design our forests in this manner, keep in mind that there are Flexible Single Master Operator (FSMO) Roles that dictate only one domain controller be responsible for certain functions. In these cases, AD nominates a specific domain controller as the master for such functions.
There are five of these roles total. Three exist for every domain, and two of the roles apply to the entire forest. Keep in mind, however, that you can have a single server providing multiple of these roles. This keeps us requiring at least 5 domain controllers for every forest.
Well, it is obviously time for us to cover each of these 5 roles in detail!
Schema Master (forest wide)
Want to make changes to your AD schema? Wow, you are fancy! You need to do this on the Schema Master. By default, this is the first DC you promoted in your forest.
Since changes to the schema are well-planned and pretty rare after your initial deployment is up and running, you can afford to have this role offline for measured time periods.
Domain Naming Master (forest wide)
This is the device that is in charge of changes to the forest-wide name space. Perhaps you need to add a domain to your domain tree in your forest? This machine needs to be online in order to make that happen. Once again, it defaults to the first DC you promote in your forest.
Once again, these types of changes (are thankfully) rare. Having this role offline for a time period is not typically then end of your world!
PDC Emulator (domain wide)
This FSMO role has many functions, including:
- It maintains backward compatibility functioning as an old school Windows NT Primary Domain Controller (PDC)
- It acts as the old school NT master browser
- It attempts to maintain the latest passwords for all accounts (note this function like many others of the PDC Emulator has nothing to do with backward compatibility functions!)
- It is the target server for most Group Policy management tools
- It is responsible for acting as the primary time source for the domain and forest
- It authorizes domain controller cloning
Since this device fulfills so many important functions, you want to make sure it is always online for the most part!
RID Master (domain wide)
This Relative Identifier (RID) Master exists per domain. This device ensures that Security Identifiers (SIDs) in the domain are unique. In my next post in this AD series, I will provide you with great details on the SIDs in your domain. Turns out they are pretty damn important!
RID Masters provide the relative identifier information to other domain controllers in large blocks so these devices can create many SIDs without needing to bother the RID Master again for a very long time. So again, we have a situation where the RID Master can be offline and it not cause huge problems. An obvious exception to this would be if you were in the process of adding a huge number of accounts that need SIDs in your domain.
Infrastructure Master (domain wide)
This FSMO role maintains references to objects in other domains. We call these objects phantoms. Let’s say you have 10 users in Domain1 that actually exist in Domain2. It is the job of the Infrastructure Master of Domain1 to maintain the phantom information for these users.
This important device has many functions and aspects as follows:
- This role is responsible for updating SID information and distinguished name information when this changes in the source domain
- It checks in with the Global Catalog of the source domain to ensure it does not possess “stale” phantom information
- This role is also responsible for performing updates to the domain when moving from Windows Server 2003 or later
It is important to note that if you enable the Active Directory Recycle Bin functionality, every DC in the forest now performs the roles above.
This role could be offline, of course, and how long you could tolerate that is very forest design specific.
Could you have all of these roles on a single DC? Sure you could, and many administrators do this for simplicity. You can transfer these roles however for simplicity:
- Domain Naming Master – changed with the Active Directory Domains and Trusts snap-in
- The Schema Master – changed with the Active Directory Schema snap-in
- The RID, Infrastructure, and PDC Emulator Masters – changed with the Active Directory Users and Computers snap-in
Note that you can also use Windows PowerShell for these controls. From a Command Prompt, use NTDSUTIL.
I hope you will be joining me for tomorrow’s post on SIDs!
Deploying and Managing Active Directory with Windows PowerShell: Tools for cloud-based and hybrid environments