Understanding FSMO Roles in Active Directory

Let’s discuss today the major part in Active Directory which FSMO

FSMO stands for Flexible Single Master Operations, and FSMO roles (also known as operations master roles) help you prevent conflicts in Active Directory.

There are 5 specific types of updates to Active Directory that are very specific & conflicts should be avoided. To avoid conflicts, those updates are all performed on a single Domain Controller. And though each type of update must be performed on a single Domain Controller, they do not all have to be handled by the same Domain Controller.

These types of updates are handled by Domain Controllers Flexible Single Master Operations roles, or FSMO roles.  Each of the five roles is assigned to only one domain controller.

There are five of these FSMO roles in every forest.  And out of five 3 are Domain level and 2 are Forest level.

They are:

The partition for each FSMO role is in the following list:

Let’s discuss about Roles in detail: Even the Roles are assigned from Forest level to Domain Level, for better understanding let’s domain level.

PDC Emulator: The domain controller that has the PDC emulator FSMO role assigned to it has many duties and responsibilities in the domain.

For example:

The PDC emulator is necessary to synchronize time in an enterprise.

The DC with the PDC emulator role is the DC that updates passwords for users and computers.

When a user attempts to login, and enters a bad password, it’s the DC with the PDC emulator FSMO role that is consulted to determine if the password has been changed without the replica DC’s knowledge.

Note: Each domain in the forest needs its own PDC emulator.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security Principal SID created in a domain.

The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any given time, there can be only one domain controller acting as the RID master in the domain.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID for references to security principals, and the DN of the object being referenced.

The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog (GC) server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

Domain Naming Master

The domain naming master DC controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Schema Master

The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Summary:

For Morenfo :

 http://support.microsoft.com/kb/223346

http://support.microsoft.com/kb/197132

Praveen Kumar

MCSA MCSE