Active Directory FSMO Roles

What are the Active Directory FSMO ROLES?

Posted in Technology


Active Directory is a multi-master directory: any writable domain controller can accept a change and replicate it to the others. A few operations, however, are unsafe to perform on more than one server at a time (two DCs could otherwise hand out the same security identifier, or make conflicting changes to the schema), so those operations are bound to five single-master roles, the Flexible Single Master Operation (FSMO) roles, each held by exactly one domain controller at a time. If the DC holding a role is down, the operations that depend on it stop working until the role is transferred or seized, and if you need a more capable server for a role you have to move it deliberately. Either way, you need to know which DC holds each role.
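As an added example (this is not code from the original post), the following PowerShell lists every FSMO role holder in the forest and checks that each holder answers on LDAP. It assumes the ActiveDirectory RSAT module is installed and that the session runs as a domain user who can read the directory; the holder and domain names it prints come from your own forest.

```powershell
# Added example, not from the original post: enumerate the five FSMO role holders
# for every domain in the forest and confirm each one is reachable on TCP 389.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = @()

# The two forest-wide roles are exposed on the forest object.
$roles += [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
$roles += [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

# The three domain-wide roles repeat in every domain of the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = $role; Holder = $domain.$role }
    }
}

# An unreachable holder is the usual reason a "can't add a domain", "can't create
# accounts" or "schema update failed" call turns out to be an FSMO problem.
$report = foreach ($r in $roles) {
    $reachable = Test-NetConnection -ComputerName $r.Holder -Port 389 `
                                    -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Scope         = $r.Scope
        Domain        = $r.Domain
        Role          = $r.Role
        Holder        = $r.Holder
        LdapReachable = $reachable
    }
}
$report | Format-Table -AutoSize
```

The same inventory, without the reachability check, is available from the classic `netdom query fsmo` command on any domain-joined machine; the script above is useful when you want the answer for every domain in one pass and want to know immediately whether a holder is offline.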

There are five FSMO roles, and a brief summary of each is below:

Forest Wide Roles:

  1. Domain Naming Master: The Domain Naming Master is one of the two forest-wide roles. By default it is held by the first domain controller promoted in the forest root domain, although it can be transferred to any DC in the forest. It controls all changes to the forest namespace: adding or removing a domain (a child domain or a new domain tree) and adding or removing application directory partitions. If you cannot add a new child domain or domain tree, check that this role holder is online and reachable. There is only one Domain Naming Master in the entire forest.


  2. Schema Master: The Schema Master is the other forest-wide role; like the Domain Naming Master it is placed by default in the forest root domain (the first domain created when the forest is built), and there is only one in the whole forest. Its DC holds the only writable copy of the schema partition: every change to the schema is made on the Schema Master and then reaches the other domain controllers through normal replication, so the role does not "replicate" the schema itself, it is the single point where schema writes are accepted. The schema changes rarely, so this role does almost no work day to day. Typical scenarios that need it are deploying a schema-extending product such as Exchange Server, or running adprep /forestprep before introducing a domain controller running a newer version of Windows Server (the Windows 2000 to Windows Server 2003 upgrade is the classic example); both modify the Active Directory schema and will fail if the Schema Master is unavailable.



Domain Wide Roles:

  1. Relative ID (RID) Master: Every security principal created in AD (user, group or computer) receives a security identifier (SID). The SID is the domain SID, which is the same for every object in the domain, followed by a relative identifier (RID) that must be unique within the domain. Because any writable DC can create objects, the RID Master hands each DC in its domain a pool of RIDs (500 at a time by default); a DC assigns RIDs from its own pool and asks the RID Master for a fresh pool when it runs low. If the RID Master is unavailable for long enough that DCs exhaust their pools, object creation on those DCs fails. The RID Master also coordinates object moves between domains: a cross-domain move must be started on the RID Master of the domain that currently holds the object, which is how AD guarantees the object is not moved to two places at once.


  2. PDC Emulator: Historically the PDC Emulator acted as the Windows NT primary domain controller so that NT backup domain controllers and down-level clients could keep working, and it still receives updates meant for a PDC. In a modern domain its main job is to be the authority on passwords and time. Any password change made on another DC is replicated to the PDC Emulator as soon as possible, ahead of normal replication, and when a logon fails with a bad password the DC forwards the request to the PDC Emulator to check whether it has a newer password before rejecting the logon; this gives users a consistent password experience across sites. The PDC Emulator is also the root of the domain's time hierarchy: other DCs synchronise with it, domain members synchronise with their DCs, and the PDC Emulator of the forest root domain should be configured to take time from a reliable external source. Account lockout processing is carried out on it as well, and the Group Policy editing tools connect to it by default.


  3. Infrastructure Master: The Infrastructure Master keeps cross-domain references current. When an object in its domain refers to an object in another domain (a group whose members come from another domain, for example), the local copy of that reference is stored as a placeholder, a phantom, holding the foreign object's distinguished name, GUID and SID. The Infrastructure Master periodically compares these placeholders with a global catalog, which receives updates for objects in every domain through replication; when it finds a reference that is stale because the foreign object was renamed, moved or deleted, it updates the placeholder and replicates the correction to the other DCs in its domain. An important placement caveat follows from this: a DC that is itself a global catalog never holds stale placeholders, so an Infrastructure Master that is also a GC finds nothing to fix and the other DCs in the domain are never corrected. Either keep the role off global catalog servers, or make every DC in the domain a GC (when all DCs are GCs, or in a single-domain forest, the role has nothing to do and its placement does not matter).
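The three domain-wide roles above each have a well-known failure mode: a RID Master whose pool is running out, an Infrastructure Master sitting on a global catalog, and a PDC Emulator serving time from its own clock. The PowerShell below, an added example and not code from the original post, checks all three for the current domain. It assumes the ActiveDirectory RSAT module, a domain-joined session with read access to the directory, and that `w32tm.exe` (shipped with Windows) can query the PDC Emulator remotely; the warning thresholds and messages are this example's own choices.

```powershell
# Added example, not from the original post: health checks for the RID Master,
# Infrastructure Master and PDC Emulator of the current domain.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. RID Master: how much of the domain's RID space has been handed out.
#    rIDAvailablePool on "CN=RID Manager$" packs two 32-bit numbers into one
#    64-bit value: the high half is the ceiling of the RID space, the low half
#    is the next RID that will be issued to a DC's pool.
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
                       -Properties rIDAvailablePool -Server $domain.RIDMaster
[int64]$pool = $ridMgr.rIDAvailablePool
$ceiling = $pool -shr 32
$nextRid = $pool -band 0xFFFFFFFF
'RID Master {0}: next RID {1}, {2} of {3} RIDs remaining ({4:P1} used)' -f `
    $domain.RIDMaster, $nextRid, ($ceiling - $nextRid), $ceiling, ($nextRid / $ceiling)

# 2. Infrastructure Master: must not be a GC unless every DC in the domain is a GC,
#    otherwise cross-domain references (phantoms) in this domain are never refreshed.
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning ("Infrastructure Master {0} is a GC but not every DC is; " +
                   "move the role to a non-GC or make all DCs GCs.") -f $im.HostName
} else {
    'Infrastructure Master {0}: placement OK (IsGlobalCatalog={1}, all DCs GC={2})' -f `
        $im.HostName, $im.IsGlobalCatalog, $allGc
}

# 3. PDC Emulator: it should take time from a deliberate source, not its own clock.
#    "Local CMOS Clock" or "Free-running System Clock" means the whole domain's
#    Kerberos time skew depends on one unsynchronised server.
$source = (& w32tm.exe /query /computer:$($domain.PDCEmulator) /source) -join ' '
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning ('PDC Emulator {0} time source: {1}' -f $domain.PDCEmulator, $source)
} else {
    'PDC Emulator {0} time source: {1}' -f $domain.PDCEmulator, $source
}
```

Run it once per domain (pass `-Identity` to `Get-ADDomain` for the others). The RID figure is worth trending: a domain that burns through RIDs unexpectedly fast usually has a script creating and deleting accounts in a loop, since RIDs are never reused.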