Understanding FSMO roles

August 22, 2021 | Active Directory

FSMO Roles: Active Directory Domain Services defines five operations master roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master.
Schema Master and Domain Naming Master are forest-wide roles, so there is only one of each per forest. The other three roles are domain-wide, with one of each per domain.

Schema Master: Responsible for all changes to the Active Directory schema and for propagating them to every DC in the forest. Schema changes that must apply throughout the forest are made on the DC holding the schema master role. There can be only one schema master in a forest at any time.

The Active Directory schema is the set of definitions that describe the kinds of objects, and the type of information about those objects, that can be stored in Active Directory.
In other words, the schema is the collection of object classes and their attributes, for example:

Object Class = User
Attributes = first name, last name, email, and others

Schema changes are needed for operating system migrations, installing a new Exchange version, and any other application that requires extending the schema. So if the Schema Master server is not available, we cannot update the schema, but this does not affect normal AD operation or the end user.
The Schema Master only needs to be online and ready when a schema change is to be made, so we can plan the change and have more time to bring the Schema Master server back.

Domain Naming Master: Keeps track of all the domains within an AD forest. The DC holding the domain naming master role is contacted whenever domains are added to or removed from a tree or forest. There can be only one domain naming master per forest. It ensures that no two domains with the same name exist in the same tree.

If the Domain Naming Master server is not available, we cannot create a new domain or application partition. This does not affect users; a user would not even be aware that the Domain Naming Master server is down.

Relative Identifier (RID) Master: Allocates blocks of RIDs to each DC in the domain. When a DC creates a new security principal (user, group, etc.) it assigns the object a unique security identifier (SID).

The domain controller holding this role allocates sequences of relative IDs to each domain controller in its domain. Whenever a DC creates a security principal object (user, group, etc.), it takes a RID from its allocated sequence and assigns the object a unique Security ID (SID).

The SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.

Every DC is initially issued 500 RIDs by the RID Master server. RIDs are consumed when new objects are created in Active Directory: every new security principal is created with a Security ID (SID), and the RID is the last part of that SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID.

When the pool gets down to 250 RIDs (50%), the DC requests a second pool of RIDs from the RID master.
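As an added PowerShell example (not part of the original post), the following splits a SID into its domain SID and RID, decodes a DC's RID pool and applies the 50% refill rule described above. It assumes the RSAT ActiveDirectory module for the optional live query, a DC named DC01 in lab.com, and the documented encoding of the pool attributes (low 32 bits = first RID, high 32 bits = last RID); the sample SID and pool values are constructed.

```powershell
# Split a SID string into the domain SID and the RID (last sub-authority).
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    [pscustomobject]@{
        Sid       = $sidObj.Value
        DomainSid = $sidObj.AccountDomainSid.Value
        Rid       = [uint32]($sidObj.Value.Split('-')[-1])
    }
}

# Decode a RID pool attribute: low 32 bits = first RID, high 32 bits = last RID.
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][int64]$Pool)
    [pscustomobject]@{
        Start = [uint32]($Pool -band 0xFFFFFFFF)
        End   = [uint32]($Pool -shr 32)
    }
}

# Report how much of the pool is left and whether the DC should already have
# asked the RID master for a new block (the 50% threshold from the text).
function Test-RidPoolHealth {
    param([Parameter(Mandatory)][int64]$Pool, [Parameter(Mandatory)][uint32]$NextRid)
    $p         = ConvertFrom-RidPool $Pool
    $size      = $p.End - $p.Start + 1
    $remaining = $p.End - $NextRid + 1
    [pscustomobject]@{
        Start       = $p.Start
        End         = $p.End
        Remaining   = $remaining
        PercentLeft = [math]::Round(100 * $remaining / $size, 1)
        RefillDue   = ($remaining -le ($size / 2))
    }
}

# Constructed sample: a 500-RID pool 1600..2099 where RIDs up to 1869 are used.
$samplePool = ([int64]2099 -shl 32) -bor 1600
Test-RidPoolHealth -Pool $samplePool -NextRid 1870
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'

# Live check (assumed DN): rIDPreviousAllocationPool is the pool the DC is
# currently consuming; rIDNextRID is the next RID it will hand out.
# $rs = Get-ADObject 'CN=RID Set,CN=DC01,OU=Domain Controllers,DC=lab,DC=com' `
#         -Properties rIDPreviousAllocationPool, rIDNextRID
# Test-RidPoolHealth -Pool $rs.rIDPreviousAllocationPool -NextRid $rs.rIDNextRID
```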

Primary Domain Controller (PDC) Emulator: Acts as the Primary Domain Controller for backward compatibility and is responsible for time synchronization within the domain; it is also the password master. Any password change is replicated to the PDC emulator as soon as possible. If a logon request fails because of a bad password, the request is passed to the PDC emulator to check the password before the logon is rejected.

Infrastructure Master: Responsible for updating object references in the domain that point to objects in another domain. It updates the object references locally and uses replication to bring all other replicas of the domain up to date. An object reference contains a GUID (globally unique identifier), a distinguished name and possibly a SID. The distinguished name and SID in the object reference are periodically updated to reflect changes made to the actual object.

The Infrastructure Master handles these cross-domain updates. Whenever a user logs on to the domain, the TGT is created with the list of access the user has through group membership (user group membership details); it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up to date: it updates the reference information every 2 days by comparing its data with the Global Catalog (which is why we do not keep the Infrastructure Master and a GC on the same server).

In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.

In a multi-domain or multi-forest environment there will be an impact, but we have enough time to fix the issue before it affects end users.

Non-Authoritative: A non-authoritative restore brings Active Directory back on the server where the restore is performed; that server then receives all recent updates from its replication partners in the domain.

Example: You had hardware problems on a DC and solved them by re-installing the DC operating system. You can use a non-authoritative restore so that recently made changes are not lost.

Authoritative: An authoritative restore returns the DC's directory to the state it was in when the backup was made and then overwrites all the other DCs to match the restored DC.

Example: You accidentally deleted an AD user and want to restore it. You can use an authoritative restore to do that.

Note that today you can do this by enabling the AD Recycle Bin, so a restore operation is no longer needed.

The following command lists the FSMO role holders in an Active Directory infrastructure:

  • Netdom query FSMO

The following sequence of ntdsutil commands transfers or seizes the FSMO roles from one DC to another DC in case of a planned move or a failure:

  • Ntdsutil
  • Roles
  • Connections
  • Connect to server dc01.lab.com
  • Q
  • Transfer or Seize the role, e.g. transfer PDC (or seize PDC when the current holder cannot be brought back)
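The same inventory and transfer as an added PowerShell example (not part of the original post). It assumes the RSAT ActiveDirectory module and the target DC dc01.lab.com from the ntdsutil sequence above, and it also checks the caveat given earlier that the Infrastructure Master should not sit on a Global Catalog.

```powershell
Import-Module ActiveDirectory

# Collect all five role holders: two forest-wide, three domain-wide.
function Get-FsmoHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Flag an Infrastructure Master that is also a GC in a multi-domain forest:
# a GC never holds stale cross-domain references, so the role would do nothing.
# The placement is harmless when every DC in the domain is a GC.
function Test-InfrastructureMasterPlacement {
    $holders = Get-FsmoHolder
    $im      = Get-ADDomainController -Identity $holders.InfrastructureMaster
    $domains = (Get-ADForest).Domains.Count
    $nonGc   = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $false }).Count
    [pscustomobject]@{
        InfrastructureMaster = $im.HostName
        IsGlobalCatalog      = $im.IsGlobalCatalog
        DomainsInForest      = $domains
        Problem              = ($im.IsGlobalCatalog -and $domains -gt 1 -and $nonGc -gt 0)
    }
}

# Equivalent of "ntdsutil > roles > transfer pdc". -Seize maps to -Force,
# which turns the graceful transfer into a seize when the holder is unreachable.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster',
                     'SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

Get-FsmoHolder
Test-InfrastructureMasterPlacement
# Move-FsmoRole -TargetDc 'dc01.lab.com' -Role PDCEmulator          # transfer
# Move-FsmoRole -TargetDc 'dc01.lab.com' -Role PDCEmulator -Seize   # seize
```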
