Active Directory FSMO Roles


Flexible single-master operations (FSMO) are operations performed by Active Directory domain controllers that must be carried out by exactly one server at a time. The individual FSMO roles can all sit on the same domain controller or be spread across several. A domain controller that holds an FSMO role is called an Operations Master DC.

Most changes in AD can be made on any domain controller (multi-master replication). The AD replication service then copies the changes to the other domain controllers, keeping the AD database consistent on all controllers of the same domain. Conflicts are resolved automatically: if two DCs change the same attribute of one AD object at about the same time, replication compares the attribute's version number and then its timestamp and keeps the change that was made last.

However, there are several operations (such as changing the AD schema) in which conflicts are unacceptable. The purpose of the FSMO roles is to avoid such conflicts: each FSMO role is held by exactly one server at any given time, and when necessary it can be transferred to another domain controller.

FSMO roles

There are 5 FSMO roles: 2 forest-wide roles that exist once per AD forest and 3 domain-wide roles that exist once in every domain.

  • Schema Master: responsible for changes to the Active Directory schema. There is only one for the entire forest.
  • Domain Naming Master: responsible for adding and removing domains and application partitions and for keeping their names unique within the forest. There is only one for the entire forest.
  • Infrastructure Master: maintains references to objects from other domains (for example, users from another domain that are members of your domain local groups) and updates them when those objects are renamed or moved. There is one for each domain in the forest. It should not sit on a global catalog server unless every DC in the domain is a global catalog; otherwise it never updates these references.
  • RID Master: hands out pools of relative IDs (RIDs) to the domain controllers of the domain; a RID is needed to build the SID of every new user, group or computer account. There is one for each domain in the forest.
  • PDC (Primary Domain Controller) Emulator: provides compatibility with NT4 domains and pre-Windows 2000 clients, is the authoritative time source of the domain (the forest root PDC Emulator is the time source for the whole forest), receives password changes by urgent replication and is consulted when a logon fails with a bad password, and tracks account lockouts. There is one for each domain in the forest.

Recommended Best Practice for placement of FSMO roles

When you install the first domain controller of a new AD forest, all five FSMO roles are placed on that server. According to Microsoft's recommendation, the best practice is to spread the FSMO roles across different domain controllers.

The forest FSMO roles should be placed on one DC and the domain roles on another. If you have only one domain controller, deploy at least one additional DC. In an AD domain with a minimum configuration (2 DCs), place the FSMO roles as follows:

Place the following domain roles on a DC1:

  • RID Master
  • Infrastructure Master
  • PDC Emulator

Place the forest roles on a DC2:

  • Schema Master
  • Domain Naming Master

To determine the current FSMO role holders, run the following command on a domain controller (or on a workstation with RSAT installed):

netdom query fsmo


In the example output the FSMO roles are distributed between the two DCs.
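The same information from PowerShell, as an added example that is not part of the original article: it uses the ActiveDirectory module (RSAT) to list the two forest roles and the three domain roles, and additionally checks the Infrastructure Master placement rule described above, which netdom does not report. The domain defaults to the current one; no server names are assumed.

```powershell
# Added example, not part of the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

# Return the five FSMO role holders (forest roles plus one domain's roles) as one object.
function Get-FsmoHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the current domain
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [PSCustomObject]@{
        Domain               = $dom.DNSRoot
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $dom.PDCEmulator              # per domain
        RIDMaster            = $dom.RIDMaster                # per domain
        InfrastructureMaster = $dom.InfrastructureMaster     # per domain
    }
}

# The Infrastructure Master must not be a global catalog unless every DC in the
# domain is one; otherwise it never updates cross-domain group member references.
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $im  = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $imIsGc   = ($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
    $allAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($imIsGc -and -not $allAreGc) {
        Write-Warning "Infrastructure Master $im is a GC but $Domain has non-GC DCs; move the role to a non-GC DC."
        return $false
    }
    return $true
}

Get-FsmoHolders | Format-List
Test-InfrastructureMasterPlacement

# Cross-check with netdom: both read the same fSMORoleOwner attributes and must agree.
netdom query fsmo
```

The role holders are ordinary directory attributes readable by any authenticated user, so the query part needs no administrative rights; only transferring or seizing a role does.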

Note, however, that the failure of a single FSMO role holder does not cause an immediate loss of AD functionality. Even if all FSMO role holders are unavailable, the infrastructure can keep working normally for days or weeks: every DC keeps a pool of RIDs for new accounts, schema changes are rare, and authentication does not depend on any of the roles. The loss felt first is that of the PDC Emulator, because time synchronization, urgent replication of password changes and lockouts, and the check of a failed logon against the PDC stop working. So if you are taking a DC that holds some or all of the roles offline for a short maintenance window, there is no need to transfer its FSMO roles to another DC first; for a longer outage, transfer at least the PDC Emulator.


The failure of a DC with FSMO roles therefore does not break the domain, but it blocks the corresponding operations (schema changes, adding domains, RID pool requests and so on), effectively shifting those parts of the domain into a "read-only" mode. If a domain controller holding FSMO roles has failed permanently, you can seize its FSMO roles onto another DC. A seizure is a forced takeover that does not consult the old holder, so a DC whose Schema Master, Domain Naming Master or RID Master role was seized must never be brought back onto the network without being rebuilt, and its metadata should be cleaned from the forest.

Tools to admin FSMO roles

To manage and transfer FSMO roles in an Active Directory domain, use the NTDSUTIL command line utility or the following MMC snap-ins (each manages the roles listed next to it):

  • Active Directory Domains and Trusts: Domain Naming Master role
  • Active Directory Users and Computers: Relative ID Master, Infrastructure Master and Primary Domain Controller Emulator roles
  • Active Directory Schema: Schema Master role
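A scripted alternative to the snap-ins, as an added example that is not part of the original article: the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet performs both a graceful transfer and (with -Force) a seizure, and the result is verified against the directory. The names DC1 and DC2 follow the layout used earlier in the article and are assumptions; the Move-FsmoRole wrapper is this example's own.

```powershell
# Added example, not part of the original article. DC1 and DC2 follow the layout
# described in the article; replace them with your own domain controller names.
Import-Module ActiveDirectory

# Move one or more roles to $Target. Without -Seize this is a graceful transfer that
# contacts the current holder; with -Seize the role is taken by force (-Force), which
# is only appropriate when the current holder is permanently gone.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]] $Role,
        [switch] $Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false

    # Verify against the directory rather than trusting the cmdlet's silence:
    # the DC object lists the roles it now owns.
    $held = (Get-ADDomainController -Identity $Target).OperationMasterRoles
    foreach ($r in $Role) {
        if ($held -notcontains $r) { throw "Role $r is not held by $Target after the operation" }
    }
    return $held
}

# Normal case: DC2 becomes the holder of the two forest roles (the article's layout).
Move-FsmoRole -Target 'DC2' -Role SchemaMaster, DomainNamingMaster

# Disaster case: DC1, which held the domain roles, has failed for good; seize them onto DC2.
# After seizing Schema, Domain Naming or RID Master the old holder must never rejoin the
# network: remove its metadata (ntdsutil "metadata cleanup") and rebuild it.
Move-FsmoRole -Target 'DC2' -Role PDCEmulator, RIDMaster, InfrastructureMaster -Seize

# NTDSUTIL equivalent of the transfer above (for a seizure use "seize <role>" instead):
# ntdsutil "roles" "connections" "connect to server DC2" "q" "transfer schema master" "transfer naming master" "q" "q"
```

Run the transfer as a member of Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, and Domain Admins for the three domain roles; a transfer needs both the old and the new holder to be online and replicating, which is exactly what a seizure does not.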


That's all. We hope this has clarified the FSMO roles a little. In future articles we will take a closer look at each FSMO role and its features.

