Active Directory FSMO Roles Best Practices

Flexible Single Master Operations (FSMO) roles are a special type of operation performed by Active Directory domain controllers that require the DC holding the role to be unique in a domain or forest. The FSMO roles can be held by a single domain controller or spread across several. A domain controller that holds any FSMO role is called an Operations Master DC.

You can perform most operations in Active Directory on any domain controller. The AD replication service synchronizes changes with the other domain controllers, so the AD database is identical across all the DCs in the domain. AD conflict resolution works as follows: if two DCs change the attributes of the same AD object at the same time, the automatic conflict resolution mechanism keeps the change that was made last.

However, there are several actions (such as changing the AD schema) for which conflicts are not allowed. The purpose of the FSMO roles is to avoid such conflicts: each FSMO role can run on only one domain controller at a time. If necessary, you can transfer an FSMO role to another domain controller at any time.

What Are the 5 FSMO Roles in Active Directory?

There are 5 FSMO roles: 2 forest-wide roles, which exist once per Active Directory forest, and 3 domain-wide roles, which exist in every domain.

  • Schema Master — responsible for changes to the Active Directory schema, which are then replicated to the other domain controllers. There can be only one owner of this role in the entire forest.
  • Domain Naming Master — responsible for unique domain and application partition names in the forest. Used to add domains to and remove domains from the forest. There can be only one in the entire forest.
  • Infrastructure Master — stores references to objects from other domains (for example, users from another domain that are added to domain local security groups in your domain). Responsible for updating the SID and the distinguished name in cross-domain object references. There is one per domain in the forest.
  • RID Master — responsible for allocating pools of unique relative IDs (RIDs), which are required when creating domain objects (user and computer accounts, groups, contacts, etc.). There is one per domain in the forest.
  • PDC (Primary Domain Controller) Emulator — responsible for compatibility with NT4 domains and pre-Windows 2000 clients, for domain time synchronization in the forest, for processing password changes, and for managing account lockouts when users enter the wrong password. There is one per domain in the forest.

Hint. There is a sixth, unofficial FSMO domain controller role in AD called the Global Catalog.

Best Recommended Practices for FSMO Roles Placement

When you install a new Active Directory domain, all FSMO roles are placed on a single server (the first promoted domain controller in the domain). According to Microsoft's recommendations, the best practice is to split the FSMO roles between different domain controllers.

The forest-wide FSMO roles should be placed on one DC and the domain-wide roles on another. If you have only one domain controller, it is recommended that you deploy an additional DC. Thus, in an AD domain with the minimum configuration (2 DCs), place the FSMO roles as follows:

Place the following domain-wide roles on DC1:

  • RID Master;
  • Infrastructure Master;
  • PDC Emulator.

Place the forest-wide roles on DC2:

  • Schema Master;
  • Domain Naming Master.

Consider other best practices for placing operations master roles in a domain:

  1. In multi-domain environments, place both forest-wide roles on a domain controller in the forest root domain that is also a Global Catalog server;
  2. Place all domain-wide roles on one server with sufficient performance;
  3. If all DCs in the domain hold the Global Catalog role (today this is the configuration recommended by Microsoft), you can place the Infrastructure Master role on any domain controller. If not, move the Infrastructure Master role to a domain controller that does not hold the Global Catalog role;
  4. Do not move FSMO roles in the domain too often; it is a bad idea to force domain clients to rediscover the PDC on a regular basis;
  5. If you are using virtualized domain controllers, disable time synchronization between the host and the virtual machines that hold FSMO roles;
  6. Do not run any other workloads on the domain controllers.

Hint. If AD Recycle Bin is enabled in your forest, every DC is responsible for updating its own cross-domain object references. In that case the Infrastructure Master role is effectively not needed, and it does not matter where you place it.
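To check an existing domain against the placement practices above, here is an added audit script (not from the original article). It assumes the ActiveDirectory RSAT module and a domain account with read access, and reports every deviation it finds:

```powershell
# Added example (not from the original article): audit the current FSMO placement
# against the recommended practices. Assumes the ActiveDirectory RSAT module and
# a domain account with read access; run from any domain-joined machine.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)        # DCs of the current domain only

$forestOwners = @($forest.SchemaMaster, $forest.DomainNamingMaster)
$domainOwners = @($domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster)
$findings = [System.Collections.Generic.List[string]]::new()

# Practice: keep the two forest-wide roles together, the three domain-wide roles
# together, and (with at least two DCs) not all five on the same server
if (@($forestOwners | Select-Object -Unique).Count -gt 1) {
    $findings.Add("Forest-wide roles are split: $($forestOwners -join ', ')")
}
if (@($domainOwners | Select-Object -Unique).Count -gt 1) {
    $findings.Add("Domain-wide roles are split: $($domainOwners -join ', ')")
}
$allOwners = @(($forestOwners + $domainOwners) | Select-Object -Unique)
if ($dcs.Count -gt 1 -and $allOwners.Count -eq 1) {
    $findings.Add("All five roles sit on $($allOwners[0]) although the domain has $($dcs.Count) DCs")
}

# Practice: the Infrastructure Master must not be a Global Catalog unless every DC
# is a GC or the AD Recycle Bin is enabled (then every DC does that work itself)
$everyDcIsGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$recycleBin  = (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes.Count -gt 0
$imDc = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($imDc -and $imDc.IsGlobalCatalog -and -not $everyDcIsGC -and -not $recycleBin) {
    $findings.Add("Infrastructure Master $($imDc.HostName) is a GC while other DCs are not")
}

# Practice: forest-wide roles belong on a Global Catalog in the forest root domain
$schemaDc = Get-ADDomainController -Identity $forest.SchemaMaster -ErrorAction SilentlyContinue
if ($schemaDc -and -not $schemaDc.IsGlobalCatalog) {
    $findings.Add("Schema Master $($schemaDc.HostName) is not a Global Catalog")
}
if ($schemaDc -and $schemaDc.Domain -ne $forest.RootDomain) {
    $findings.Add("Schema Master $($schemaDc.HostName) is outside the forest root $($forest.RootDomain)")
}

if ($findings.Count -eq 0) { 'FSMO placement follows the recommended practices.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```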

To get the current FSMO Roles owners, perform the following command:

netdom query fsmo


In this example, the FSMO roles are split between the two DCs.

You can also find the FSMO role owners using PowerShell cmdlets. To get the domain-wide FSMO owners, run:

Get-ADDomain | Select-Object -Property RIDMaster, PDCEmulator, InfrastructureMaster | fl

For forest-wide roles, use:

Get-ADForest | Select-Object -Property SchemaMaster, DomainNamingMaster

Or use the PowerShell one-liner to list all FSMO owners:

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}

What Happens if FSMO Role Owner Fails?

Forest-wide roles are the least critical to AD functioning. What happens if an FSMO role owner stays offline for an extended period of time?

  • Schema Master — the AD schema cannot be changed. However, this operation is performed rarely (once or twice in several years), when adding domain controllers running a new version of Windows Server to the domain or when installing some server products (Exchange, Lync / S4B). In practice, you may not notice a missing Schema Master for years.
  • Domain Naming Master — it is impossible to add or remove a domain (subdomain). Also not a frequent task.

Domain-wide roles exist in every domain and are more important to the overall functioning of AD.

  • Infrastructure Master — in a multi-domain forest with DCs that do not host the Global Catalog, membership in domain local groups may be broken;
  • RID Master — after a while it becomes impossible to create new objects in AD; how long depends on the number of free RIDs remaining on each DC, which are issued in blocks of 500 RIDs. If your AD has a small number of objects and you do not add new ones every day, the absence of the RID Master may go unnoticed for a long time;
  • PDC Emulator — the most critical FSMO role. If it is not available, domain time synchronization stops and some password and lockout policies stop working.

Keep in mind that there is no FSMO role whose failure would result in an immediate, significant loss of Active Directory functionality. Even if all FSMO role owners fail, the domain infrastructure can operate normally for days, weeks or even months. Therefore, if you are taking a DC holding one or all FSMO roles down for maintenance for a while, there is no need to transfer the roles to another DC.

Failure of a DC with FSMO roles does not cause the domain to malfunction. However, it makes many operations impossible, effectively shifting the domain into a “read-only” mode. If a domain controller holding FSMO roles fails permanently, you can use the procedure for seizing FSMO roles from the failed DC.

Admin Tools to Manage FSMO roles

To manage and transfer FSMO roles in an Active Directory domain, use the ntdsutil.exe command-line tool or the graphical MMC snap-ins:

  • Active Directory Domains and Trusts — Domain Naming Master role;
  • Active Directory Users and Computers — Relative ID Master, Infrastructure Master and Primary Domain Controller Emulator roles;
  • Active Directory Schema — Schema Master role.
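The same work can be done from PowerShell. The following added example (not from the original article) first checks whether each role owner still answers LDAP, which is the check to run before deciding between a graceful transfer and a seizure, and then uses the Move-ADDirectoryServerOperationMasterRole cmdlet from the ActiveDirectory module. It assumes Domain/Enterprise Admin rights and that DC2.corp.example.com (an assumed name) is the DC that should take over:

```powershell
# Added example (not from the original article): check that every FSMO owner still
# answers LDAP, then hand roles to another DC. A graceful transfer needs the current
# owner online; seizure (-Force) is only for an owner that is permanently gone.
# Assumes the ActiveDirectory RSAT module, Domain/Enterprise Admin rights, and that
# 'DC2.corp.example.com' (assumed name) is the DC that should take over.
Import-Module ActiveDirectory

function Get-FsmoOwnerStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $owners = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $owners.Keys) {
        # LDAP on TCP 389 is what other DCs and clients actually need; a ping is not enough
        $up = Test-NetConnection -ComputerName $owners[$role] -Port 389 `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Owner = $owners[$role]; Reachable = $up }
    }
}

$target = 'DC2.corp.example.com'          # assumed name of the DC taking over the roles
$status = Get-FsmoOwnerStatus
$status | Format-Table -AutoSize

$down = @($status | Where-Object { -not $_.Reachable })
if ($down.Count -eq 0) {
    # Graceful transfer of the three domain-wide roles: the old owner is online and
    # agrees to the hand-over. Remove -WhatIf to actually move the roles.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
} else {
    # Seize only the roles whose owner is unreachable. After a seizure the old owner
    # must never come back online; remove it with metadata cleanup instead.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $down.Role -Force -WhatIf
}
```

Both cmdlet calls carry -WhatIf so the script only reports what it would do; drop it once the output matches the intended change.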


That’s all. We hope this has clarified the FSMO roles a bit. In future articles, we will take a closer look at each FSMO role and its features.

Cyril Kardashevsky

One comment

  1. Failure of PDC emulator role will create a major problem as it is responsible for password changes and account lockouts as well. If this role holder is down, password changes and account lockouts will not be replicated eventually creating a huge mess with the domain accounts.
