Active Directory FSMO Roles

Flexible single-master operations (FSMO) are operations performed by
Active Directory domain controllers that require a single, unique server
for each operation. The different FSMO roles can be held by the same
domain controller or spread across several. A server holding an FSMO
role is known as an Operations Master DC.

Most operations in AD can be performed on any domain controller. The AD
replication service copies the changes to the other domain controllers,
ensuring that the AD database is identical on all controllers of the
same domain. Conflict resolution works as follows: if two DCs try to
change attributes of the same AD object at the same time, the automatic
conflict resolution system keeps track of which change was made last.

However, there are several actions (such as changing the AD schema) for
which conflicts are unacceptable. The task of the servers holding FSMO
roles is to avoid such conflicts. Thus, each FSMO role can be held by
only one server at a time, and if necessary it can be transferred to
another domain controller at any time.

FSMO roles

There are 5 FSMO roles: 2 unique roles for the AD forest and 3 for every domain.

  • Schema Master: responsible for changes to the Active Directory schema. There can be only one for the entire forest.
  • Domain Naming Master: responsible for unique names of domains and application partitions in the forest. There can be only one for the entire forest.
  • Infrastructure Master: stores data about users from other domains that are members of your domain local groups. There is one for each domain in the forest.
  • RID Master: responsible for assigning unique relative IDs (RIDs), which are required when creating domain accounts. There is one for each domain in the forest.
  • PDC (Primary Domain Controller) Emulator: responsible for compatibility with NT4 domains and pre-Windows 2000 clients, for domain time synchronization in the forest, for password changes, and for tracking lockouts when users enter a wrong password. There is one for each domain in the forest.

Recommended Best Practice for placement of FSMO roles

When you install a new AD domain, all FSMO roles are placed on a
single server. According to Microsoft's recommendation, the best practice
is to spread the FSMO roles between different domain controllers.

The forest FSMO roles should be placed on one DC and the domain roles
on another. If you have only one domain controller, it is therefore
recommended to deploy one additional DC. Thus, in an AD domain with the
minimum configuration (2 DCs), you should place the FSMO roles as follows:

Place the domain roles on DC1:

  • RID Master
  • Infrastructure Master
  • PDC Emulator

Place the forest roles on DC2:

  • Schema Master
  • Domain Naming Master

To determine the current FSMO role holders, run the following command:

    netdom query fsmo

With this layout, the FSMO roles are distributed between the two DCs.

However, you should note that there is no FSMO role whose failure
would lead to a significant loss of AD functionality. Even if all FSMO
role holders fail, the infrastructure can operate normally for a few
days, weeks or even months. Therefore, if you are going to take a DC
that holds some or all of the roles down for maintenance for some time,
there is no need to transfer its FSMO roles to another DC; your AD will
keep working normally for a while.

Failure of a DC holding FSMO roles does not cause the domain to
malfunction. However, it makes many operations impossible, effectively
shifting the domain into a "read-only" mode. If a domain controller
holding FSMO roles fails permanently, you can resort to the procedure
of seizing the FSMO roles from the failed DC.

Tools to admin FSMO roles

To manage and transfer FSMO roles in an Active Directory domain, use the command line utility NTDSUTIL or the GUI MMC snap-ins:

  • Active Directory Domains and Trusts: Domain Naming Master role
  • Active Directory Users and Computers: RID Master, Infrastructure Master and PDC Emulator roles
  • Active Directory Schema: Schema Master role
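As an added example (not from the original article), the following PowerShell script reports the current holder of each of the five roles and checks whether the placement follows the layout recommended above (forest roles on one DC, domain roles on another). It assumes the ActiveDirectory RSAT module is installed in a domain-joined session; the function name Get-FsmoPlacementReport is my own, and the final Move-ADDirectoryServerOperationMasterRole call only previews a transfer to a DC named DC2 because of -WhatIf.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) in a domain-joined session; Get-FsmoPlacementReport is assumed.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        # Domain to inspect; defaults to the current user's domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles: exactly one holder per forest
    $forestRoles = [ordered]@{
        'Schema Master'        = $forest.SchemaMaster
        'Domain Naming Master' = $forest.DomainNamingMaster
    }
    # Domain-wide roles: exactly one holder per domain
    $domainRoles = [ordered]@{
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
        'PDC Emulator'          = $dom.PDCEmulator
    }
    # Distinct DCs holding each group of roles (@() keeps single values as arrays)
    $forestHolders = @($forestRoles.Values | Sort-Object -Unique)
    $domainHolders = @($domainRoles.Values | Sort-Object -Unique)
    $allHolders    = @($forestHolders + $domainHolders | Sort-Object -Unique)
    # Classify the layout the way the best-practice section above describes it
    $layout = if ($allHolders.Count -eq 1) {
        'All five roles on one DC (the default after a fresh install)'
    } elseif ($forestHolders.Count -eq 1 -and $domainHolders.Count -eq 1 -and
              $forestHolders[0] -ne $domainHolders[0]) {
        'Recommended: forest roles on one DC, domain roles on another'
    } else {
        'Mixed placement: review which DC holds which role'
    }
    [pscustomobject]@{
        Domain      = $dom.DNSRoot
        ForestRoles = $forestRoles
        DomainRoles = $domainRoles
        Layout      = $layout
    }
}

Get-FsmoPlacementReport | Format-List

# Preview (WhatIf) moving the forest roles to a DC named DC2; remove -WhatIf to
# transfer. Add -Force only to seize roles from a DC that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity DC2 `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -WhatIf
```

The report's Layout field gives the same answer as reading the netdom query fsmo output by hand, but it can be scheduled and compared over time to catch roles that were moved without a change record.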

That's all. We hope this has clarified the FSMO roles a bit. In future
articles, we will take a closer look at each FSMO role and its features.
