FSMO Roles
FSMO (Flexible Single Master Operations) roles are specialized operations in Active Directory that are necessary for the smooth functioning of the domain. These roles are responsible for performing specific tasks that require centralized control within a domain or forest. There are five FSMO roles in Active Directory, divided into two categories: forest-wide roles and domain-wide roles.
Forest-wide FSMO roles:
Schema Master: The Schema Master role is responsible for maintaining and replicating the schema for the entire forest. Any changes to the schema, such as adding or modifying attribute definitions or object classes, must be performed on the domain controller holding this role. There can be only one Schema Master per forest.
Domain Naming Master: The Domain Naming Master role is responsible for managing the addition or removal of domains within the forest. This role controls the assignment of unique names to each domain in the forest and ensures that the domain names remain unique. There can be only one Domain Naming Master per forest.
Domain-wide FSMO roles:
RID Master: The RID (Relative Identifier) Master role is responsible for allocating pools of unique RIDs to each domain controller in a domain. RIDs are used to create security principals (such as users, groups, and computers) and are appended to the Security Identifier (SID) of each object. This role ensures that every object created in the domain has a unique SID. There is one RID Master per domain.
Primary Domain Controller (PDC) Emulator: The PDC Emulator role provides backward compatibility for client computers running older versions of Windows (such as Windows NT). It acts as the primary point of authentication for domain controllers, replicates password changes within the domain, and serves as the time synchronization source for the domain. Additionally, it maintains compatibility with NT4-style replication. There is one PDC Emulator per domain.
Infrastructure Master: The Infrastructure Master role is responsible for updating references to objects in other domains. It ensures that cross-domain object references are properly maintained. This role is important in environments with multiple domains. However, in single-domain environments, or where every domain controller is also a global catalog server, the Infrastructure Master role has no operational effect. There is one Infrastructure Master per domain.
It's important to ensure that FSMO roles are appropriately distributed and that domain controllers holding these roles are highly available and backed up regularly to prevent any disruptions in Active Directory operations. Additionally, proper planning should be undertaken when transferring FSMO roles between domain controllers or decommissioning domain controllers holding FSMO roles.
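One way to check the placement and availability described above, as an added example that is not part of the original page: a read-only PowerShell audit that lists the five role holders, tests whether each is reachable, and applies the Infrastructure Master condition from the role description. It assumes the ActiveDirectory (RSAT) module and read access to the directory; the function name Get-FsmoPlacement is hypothetical.

```powershell
# Added example: read-only audit of FSMO placement. Needs the ActiveDirectory (RSAT) module.
# Get-FsmoPlacement is a hypothetical helper name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest

    # Forest-wide roles are read from the forest object, domain-wide roles from the domain object.
    $holders = [ordered]@{
        SchemaMaster         = @('Forest', $forest.SchemaMaster)
        DomainNamingMaster   = @('Forest', $forest.DomainNamingMaster)
        RIDMaster            = @('Domain', $domain.RIDMaster)
        PDCEmulator          = @('Domain', $domain.PDCEmulator)
        InfrastructureMaster = @('Domain', $domain.InfrastructureMaster)
    }

    $dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)

    # Per the page: the Infrastructure Master only matters when the forest has more than
    # one domain and at least one domain controller in this domain is not a global catalog.
    $imMatters = ($forest.Domains.Count -gt 1) -and
                 (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -gt 0)

    foreach ($role in $holders.Keys) {
        $scope, $holder = $holders[$role]
        [pscustomobject]@{
            Role      = $role
            Scope     = $scope
            Holder    = $holder
            # Can this host reach the role holder on LDAP (TCP 389)?
            Reachable = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet
            Note      = if ($role -eq 'InfrastructureMaster' -and -not $imMatters) {
                            'No operational effect in this topology'
                        } else { '' }
        }
    }
}

$report = @(Get-FsmoPlacement)
$report | Format-Table -AutoSize

# All roles on one domain controller makes it a single point of failure for every FSMO operation.
$distinct = @($report.Holder | Sort-Object -Unique)
if ($distinct.Count -eq 1) {
    Write-Warning "All five FSMO roles are held by $($distinct[0])."
}
```

Running it before a role transfer or a domain controller decommission gives a baseline to compare against afterwards.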