Active Directory (AD) relies on the AD replication process to keep information up to date across all the domain controllers (DCs) in the network. This replication uses the multi-master replication method: if information is modified on one DC, that DC initiates the replication process to update the other DCs. You can learn more about AD replication in this article. However, with this method, if multiple DCs update the same information, the update that persists is the one that was applied last, which is not always desirable. So Microsoft introduced the single master replication method, where one domain controller takes control over the entire replication process. This method, however, posed yet another problem: should the single master DC fail for some reason, the whole replication process would come to a standstill. To avoid this situation, Microsoft introduced Flexible Single Master Operations (FSMO) roles. In this article, we will take a look at what AD FSMO roles are and what the various types of FSMO roles are.

FSMO roles are replication roles that are assigned to DCs by administrators. Each role takes care of a certain part of the replication process so that one DC does not have to monitor and control all of the replication processes. These roles are called 'flexible' because, should a DC that holds a role go down, its role can be taken up by another DC. Thus, FSMO roles are distributed among a group of DCs that communicate with each other to ensure that replication continues seamlessly within the AD network. The DCs that hold these roles are called operations masters, and since 2005 the term "operations master" has been used in preference to FSMO.

There are a total of five FSMO roles in AD, which are as follows:

Certain operations master roles must be present at least once in every domain, and certain roles must be present at least once in a forest. Let's take a look at the roles in detail.

Forest-wide operations master roles

These roles must appear at least once in a forest. They are as follows:

Note: There can be only one schema master and one domain naming master in a forest.

Schema master

Any update or modification to the schema must go through the schema master domain controller. To make such updates or modifications to the schema of a forest, a connection must be established to the schema master. There can be only one schema master in the entire forest.

Domain naming master

The domain controller holding the domain naming master role exclusively controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest.
Domain-wide operations master roles

These roles must appear at least once in a domain. They are as follows:

Note: Each domain in a forest can have only one RID master, one PDC emulator, and one infrastructure master.

RID master

It is the task of the RID master to allot sequences of relative IDs (RIDs) to each of the (numerous) domain controllers in its domain. When a domain controller creates a user, group, or computer object, a unique security ID (SID) is assigned to the object. The SID contains two elements:

Activities such as moving an object between domains (using Movetree.exe) must be initiated on the domain controller acting as the RID master of the domain that currently contains the object.

PDC emulator master

To ensure consistency, password changes from client computers must be replicated and updated to all domain controllers throughout the domain. The PDC emulator can be configured to synchronize with an external time source. It provides a consistent password experience for users across sites (to turn this off, use the AvoidPdcOnWan registry parameter). It double-checks incorrect passwords and reviews new password changes. The domain controller configured with the PDC emulator role supports two authentication protocols:
Infrastructure master

Tasks such as updating references from objects in its domain to objects in other domains are under the purview of the infrastructure master. The infrastructure master compares its data with that of a global catalog (GC), which receives regular updates for objects in all domains through replication, so the global catalog data is kept up to date. In a scenario where the infrastructure master suspects its data is outdated, it fetches updated data from the GC and replicates it to the other domain controllers in the domain. Pointers:

In scenarios where users or members of a group are renamed or modified, the infrastructure master is responsible for revising the group-to-user references. When a member of a group is moved or renamed, especially if that member resides in a different domain from the group, the member will temporarily not appear in the group. It is the responsibility of the infrastructure master of the group's domain to update the group with the new name or location of the member. This prevents the loss of group memberships associated with a user account. The update is distributed by the infrastructure master via multi-master replication.

Identifying DCs that have been assigned FSMO roles

There are three methods by which you can identify the DCs that hold FSMO roles.

Method 1: Open a Command Prompt, type netdom query fsmo, and press Enter.

Method 2: Determining the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain
Determining the Schema FSMO Holder in a Forest

Note: For the Active Directory Schema snap-in to be available, you have to register the Schmmgmt.dll file. To do this, click Start -> Run, type regsvr32 schmmgmt.dll in the Open box, and click OK. A message is displayed stating that the registration was successful.

Determining the Domain Naming FSMO Holder in a Forest

Method 3: On any domain controller, perform the following steps:
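As an added example that is not part of the original article, the following PowerShell script covers the same ground as the three methods above using the ActiveDirectory module (Get-ADForest exposes the two forest-wide holders, Get-ADDomain the three domain-wide holders) and goes one step further: it compares the current role holders with a baseline you maintain, so that an unplanned transfer or seizure of a role stands out in the output. The domain controller names in the baseline are constructed placeholders, and the function names Get-FsmoRoleHolders and Compare-FsmoBaseline are my own, not part of the module.

```powershell
# Added example, not from the original article: enumerate the five FSMO role
# holders with the RSAT ActiveDirectory module and compare them with an
# expected baseline so that an unplanned transfer or seizure is noticed.
# Assumptions: the ActiveDirectory module is installed and the account running
# this can read the domain and forest objects; the baseline names below are
# constructed placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    [CmdletBinding()]
    param(
        # Defaults to the domain of the computer running the script
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [ordered]@{
        # Forest-wide roles: exactly one holder in the whole forest
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-wide roles: exactly one holder per domain
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Compare-FsmoBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $actual = Get-FsmoRoleHolders -Domain $Domain
    foreach ($role in $actual.Keys) {
        # Case-insensitive comparison of FQDNs; a missing baseline entry is drift too
        $ok = $Expected.ContainsKey($role) -and ($actual[$role] -ieq $Expected[$role])
        [pscustomobject]@{
            Role     = $role
            Expected = $Expected[$role]
            Actual   = $actual[$role]
            Status   = if ($ok) { 'OK' } else { 'DRIFT' }
        }
    }
}

# Constructed baseline for a hypothetical forest with a single domain.
# Record it when roles are placed deliberately and review any DRIFT line.
$baseline = @{
    SchemaMaster         = 'dc01.corp.example.com'
    DomainNamingMaster   = 'dc01.corp.example.com'
    RIDMaster            = 'dc02.corp.example.com'
    PDCEmulator          = 'dc02.corp.example.com'
    InfrastructureMaster = 'dc02.corp.example.com'
}

Compare-FsmoBaseline -Expected $baseline | Format-Table -AutoSize
```

A DRIFT line is expected right after a planned transfer, at which point the baseline should be updated; a DRIFT line with no matching change record is the case worth investigating, because the roles decide who can change the schema, add domains, and hand out RID pools.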
What role ensures that objects in a domain are not assigned the same SID?

The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
What is the role of the domain naming master?

The Domain Naming Master FSMO role owner is the DC responsible for making changes to the forest-wide domain name space of the directory in the Partitions container. This DC is the only one that can add or remove a domain or application NC from the directory.

What are the 5 operations master roles?

In Windows, the 5 FSMO roles are:

Domain Naming Master – one per forest.
Relative ID (RID) Master – one per domain.
Primary Domain Controller (PDC) Emulator – one per domain.
Infrastructure Master – one per domain.

Which operations master role must be unique in a domain?

Forest-Wide Operations Master Roles

The schema master and the domain naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.