Active Directory FSMO Roles

Flexible Single-Master Operations (FSMO) are operations performed by Active Directory domain controllers that must be carried out by exactly one server at a time. The various FSMO roles can be held by the same domain controller or spread across several. A server that holds an FSMO role is known as an Operations Master DC.

Most operations in AD can be performed on any domain controller. The AD replication service copies the changes to the other domain controllers, keeping the AD database identical on all controllers of the same domain. Conflict resolution works as follows: if two DCs try to change attributes of the same AD object at the same time, the automatic conflict resolution system keeps track of which change was made last.

However, there are several actions (such as changing the AD schema) in which conflicts are unacceptable. The task of the servers holding FSMO roles is to prevent such conflicts. Each FSMO role can therefore be performed by only one server at a time, and if necessary it can be transferred to another domain controller at any time.

FSMO roles

There are 5 FSMO roles: 2 unique roles for the whole AD forest and 3 for every domain.

  • Schema Master is responsible for changes to the Active Directory schema. There can be only one for the entire domain forest.
  • Domain Naming Master is responsible for the uniqueness of domain and application partition names in the forest. There can be only one for the entire domain forest.
  • Infrastructure Master stores data about users from other domains that are members of your domain's local groups. There is one for each domain in the forest.
  • RID pool manager (RID Master) is responsible for assigning the unique relative IDs (RIDs) required when creating domain accounts. There is one for each domain in the forest.
  • PDC (Primary Domain Controller) Emulator is responsible for compatibility with NT4 domains and pre-Windows 2000 clients, for domain time synchronization in the forest, for password changes, and for tracking lockouts when users enter a wrong password.

Recommended Best Practice for placement of FSMO roles

When you install a new AD domain, all FSMO roles are placed on a single server. According to Microsoft's recommendation, the best practice is to spread the FSMO roles between different domain controllers.

The forest FSMO roles should be placed on one DC and the domain roles on another. If you have only one domain controller, it is recommended to deploy one additional DC. Thus, in an AD domain with a minimum configuration (2 DCs), place the FSMO roles as follows:

Place the following domain roles on DC1:

  • RID Master
  • Infrastructure Master
  • PDC Emulator

Place the forest roles on DC2:

  • Schema Master
  • Domain Naming Master

To determine the current FSMO role holders, run the following command:

netdom query fsmo

(Screenshot: output of netdom query fsmo listing the role holders)

In this example, the FSMO roles are distributed between the two DCs.
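The same check can be done with the ActiveDirectory PowerShell module instead of netdom. The script below is an added example, not part of the original article: it reads the two forest roles from Get-ADForest and the three domain roles from Get-ADDomain, then reports whether the roles follow the 2-DC layout recommended above (forest roles on one DC, domain roles on another) or are still all on the single DC they land on after installation. It assumes RSAT / the ActiveDirectory module is installed and you are running it as a domain user.

```powershell
# Added example (not from the original article): list FSMO role holders and
# check their placement against the "forest roles on one DC, domain roles on
# another" recommendation. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    param(
        # Domain to inspect; defaults to the domain of the current user
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles: exactly one holder in the whole forest
    $forestRoles = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    # Domain-wide roles: one holder per domain
    $domainRoles = [ordered]@{
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
        PDCEmulator          = $dom.PDCEmulator
    }

    $forestHolders = @($forestRoles.Values | Sort-Object -Unique)
    $domainHolders = @($domainRoles.Values | Sort-Object -Unique)
    $allHolders    = @($forestHolders + $domainHolders | Sort-Object -Unique)

    [pscustomobject]@{
        Domain      = $dom.DNSRoot
        ForestRoles = $forestRoles
        DomainRoles = $domainRoles
        # $true when no DC holds both a forest role and a domain role
        ForestDomainSplit = -not ($forestHolders | Where-Object { $domainHolders -contains $_ })
        # $true when all five roles sit on one DC (the default after a fresh install)
        AllOnOneDC  = ($allHolders.Count -eq 1)
    }
}

$placement = Get-FsmoPlacement

"Forest roles:"
$placement.ForestRoles.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }
"Domain roles ($($placement.Domain)):"
$placement.DomainRoles.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

if ($placement.AllOnOneDC) {
    Write-Warning "All five FSMO roles are on a single DC (the default after installation)."
} elseif (-not $placement.ForestDomainSplit) {
    Write-Warning "A DC holds both forest and domain roles; consider separating them."
} else {
    "Forest roles and domain roles are held by different DCs."
}
```

Run it on any domain-joined machine with RSAT; pass -Domain to inspect another domain in the forest, since the three domain roles differ per domain while the two forest roles are the same everywhere.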

However, note that there is no FSMO role whose failure would lead to a significant loss of AD functionality. Even if all FSMO role holders fail, the infrastructure can operate normally for days, weeks or even months. Therefore, if you are taking a DC that holds some or all of the roles down for maintenance for a while, there is no need to transfer its FSMO roles to another DC; your AD will keep working normally for some time.

The failure of a DC holding FSMO roles does not break the domain. However, it makes many operations impossible, effectively shifting the domain into a "read-only" mode. If a domain controller holding FSMO roles fails, you can resort to the procedure of seizing the FSMO roles from the failed DC.

Tools to admin FSMO roles

To manage and transfer FSMO roles in an Active Directory domain, use the NTDSUTIL command-line utility or the following GUI MMC snap-ins:

  • Active Directory Domains and Trusts: Domain Naming Master role
  • Active Directory Users and Computers: Relative ID Master, Infrastructure Master and Primary Domain Controller Emulator roles
  • Active Directory Schema: Schema Master role

(Screenshot: the Operations Masters dialog of the Active Directory snap-in)
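Besides NTDSUTIL and the MMC snap-ins, the roles can be moved with the Move-ADDirectoryServerOperationMasterRole cmdlet of the ActiveDirectory module. The script below is an added example, not code from the original article: it transfers the two forest roles to DC2 and the three domain roles to DC1, matching the 2-DC layout recommended above, previews the change with -WhatIf first, and shows (commented out) how the same cmdlet seizes a role from a failed DC with -Force. "DC1" and "DC2" are placeholder hostnames; the script assumes the ActiveDirectory module is installed and that you hold the rights the roles require (Schema Admins and Enterprise Admins for the forest roles, Domain Admins for the domain roles).

```powershell
# Added example (not from the original article): transfer FSMO roles with the
# ActiveDirectory module. DC1 / DC2 are placeholder names, replace them with
# your own domain controllers.
Import-Module ActiveDirectory

$forestRoleTarget = 'DC2'   # placeholder: DC that should hold the 2 forest roles
$domainRoleTarget = 'DC1'   # placeholder: DC that should hold the 3 domain roles

# Preview first: -WhatIf reports what would be moved without changing anything.
Move-ADDirectoryServerOperationMasterRole -Identity $forestRoleTarget `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -WhatIf

# Graceful transfer: the current holder must be online; the role is handed over
# cleanly and the change replicates. -Confirm:$false suppresses the per-role prompt.
Move-ADDirectoryServerOperationMasterRole -Identity $forestRoleTarget `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity $domainRoleTarget `
    -OperationMasterRole RIDMaster, InfrastructureMaster, PDCEmulator -Confirm:$false

# Seizure: only when the current holder has failed and will not come back
# (the "seizing FSMO roles from a failed DC" case above). -Force first tries a
# transfer and seizes the role if the holder cannot be reached. After a seizure
# the old holder must not be reconnected to the network; clean up its metadata
# and rebuild it, otherwise two DCs would claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity $forestRoleTarget `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# Verify the result (the same information "netdom query fsmo" prints).
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object RIDMaster, InfrastructureMaster, PDCEmulator
```

Keep the -Force path commented out in day-to-day scripts: a transfer fails loudly when the source DC is down, which is the signal to stop and decide deliberately whether a seizure is really needed.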

That's all. We hope this has clarified the FSMO roles a bit. In future articles, we will take a closer look at each FSMO role and its features.

One comment

  1. Failure of the PDC emulator role will create a major problem, as it is responsible for password changes and account lockouts as well. If this role holder is down, password changes and account lockouts will not be replicated, eventually creating a huge mess with the domain accounts.
