The five FSMO roles

Since Windows Server 2000, Microsoft has integrated the notion of FSMO role within an Active Directory environment. There are five different FSMO roles, each one with a specific purpose.

Keep in your mind, FSMO stands for Flexible Single Master Operation.

In this Article, we will see each of these five roles in detail.

FSMO roles, what is it for?

When setting up an Active Directory environment, there is a very good chance (because it is recommended) that you have multiple domain controllers. As a result, all "normal" domain controllers have write access to the directory.

However, some tasks are more sensitive than others, and it would be dangerous to allow the modification of some data on two different domain controllers at the same time. Because of this, and to minimize the risk of conflicts, Microsoft has decided to implement FSMO roles that limit the modification of certain internal data to the Active Directory.

Within an environment, the notion of "FSMO role" will be attributed to "operation master". In fact, the operation master is the domain controller who holds one or more FSMO roles. Holding a role means for a domain controller that he is able to "perform a particular action within the directory".

It should be noted that there can not be multiple operations masters for the same FSMO role, within a domain or forest (depending on the role involved).

Here are the five roles we will study:

Schema Master

As a reminder, schema refers to the structure of the Active Directory, so the schema is a critical element within the Active Directory environment. This implies the uniqueness within the forest of this operating master, which will be the only domain controller, to be able to initiate changes in the structure of the directory (schema). In fact, as the schema is unique, its manager is unique as well.

In summary, it is unique within a forest and manages the schema structure.

Domain Naming Master

The operation master that holds this role is unique within the forest, and is the only one authorized to distribute domain names to domain controllers when creating a new domain.

Because of this, it is used in particular when creating a new domain. The domain controller initiating the creation must be able to contact the domain controller with the FSMO role "Master of Domain Name Assignment" otherwise the procedure will fail.

Finally, I want to clarify that it also has the mission to rename the domain names.

In summary, it is unique within a forest and assigns domain names.

RID Master

As you already know, objects created within the Active Directory have several unique identifiers. Among them, there is in particular the GUID and the DistinguishedName but also the security identifier "SID", it is the latter which interests us within the framework of the RID master.

- Why RID?

RID is a relative identifier that is unique within each SID, in order to be sure to have a unique SID for each object in the directory. Since the SID consists of a common part that corresponds to the domain, the RID is essential to make each SID unique. This is where the RID master intervenes ...

Unique within a domain, this operation master will allocate blocks of identifiers for each domain controller in the domain. Thus, each domain controller will have a unique RID block that it can assign to future objects created in the directory.

Of course, not all domain controllers will run out of the RID pool at the same rate ... A domain controller that will reach a certain level of depletion of its available RID pool will contact the RID Master to get new ones. This implies that the creation of an object is not possible if the RID master of the domain is not available.

In summary, it is unique within a domain and assigns RID blocks to domain controllers to ensure that object SIDs are unique.

PDC Emulator

The Primary Domain Controller (PDC) emulator is unique within a domain and must perform five primary tasks:

- Modify domain group policies (avoid conflicts and crashes)
- Synchronize clocks on all domain controllers (time and date)
- Manage account lockout
- Change passwords
- Ensures compatibility with Windows NT domain controllers

In summary, it is unique within a domain and performs various security-related tasks and by default it acts as a time server for the entire domain.

Infrastructure Master

Unique in a domain, the domain controller that has the role of Infrastructure Master aims to manage the references between several objects.

Let's take an example to better understand what it means. Imagine that a user of a domain A is added within a group of domain B. The domain controller "master of infrastructure" will become responsible for this reference and will have to ensure the replication of this information on all the domain controllers in the domain.

These object references are also called "ghost objects" and allow the domain controller to facilitate links between different objects. A ghost object will contain little information about the object it refers to (DN, SID, and GUID). In the case of the above example, a ghost object will be created on domain B to refer to the domain A user.

As a result, if the object is changed or deleted in the future, the Infrastructure Master will have to initiate the update of the ghost object with the other domain controllers. In a way, it speeds up replication processes and communication between domain controllers.

In summary, it is unique within a domain and must handle object references within the domain.

Management of operation masters

By default, the first domain controller in the domain holds the five FSMO roles, for lack of choice. However, it is possible to transfer the roles if you want to distribute them between several domain controllers, there is a real flexibility at this level.

To transfer a role from one domain controller to another, you can use the Windows GUI or the "ntdsutil" utility.

I will now answer a question that should have come to your mind: "How to do if the domain controller that has one or more roles is corrupt? ". Rest assured, not everything is lost. Indeed, it will be necessary to perform a "seizing" operation that consists in fact to force the recovery of one or more roles, which will be of crucial use in case of corruption of a domain controller. Again, we can proceed via the utility "ntdsutil".

This chapter is finished, now you know the concepts of FSMO roles and you know the role of each of them.