The five operations master roles are also referred to as FSMO roles. When installed on a single machine, this ensures all changes occur in a single location. This in turns makes the Active Directory database consistent. In this article, we shall discuss “Active Directory Flexible Single-Master Operations Roles [FSMO]”. Please see Pleasant User Group Permission and User Access, the “schema version of the database is from a newer version of wsus“, and “Getscreen.me: Flexible Remote Access Software For Customer Support“.
These 5 operations master roles are classified into two categories namely “Forest level” and “Domain level Schema master”.
Usually the five operation roles are held by the “The first domain controller installed in a Forest” or “The first Domain Controller (DC) in the domain in another domain”.
Also, see how to Move Azure Resources between Subscriptions, and How to correctly disable BitLocker on Windows Server.
Forest Level
The forest level roles are; “Schema Master and Domain Naming Master”
Domain Level
The Domain level roles are as follow “Infrastructure Master, the PDC Emulator, and RID Master”
Note: The domain-level roles are available on all domain controllers in the domain. Let’s emphasize on these roles below
Schema Master
This determines the structure and what can be saved in Active Directory. This contains details of all the objects stored in Active Directory. The changes made to the Schema can’t be reversed but disabled. Therefore, absolute care should be taken when modifying the schema.
Domain Naming Master
This role ensures no two Domain Controller in a Domain can have the same name. If you do not plan to have another domain and this role is installed on a different server. You can shut the server down (turn off).
Relative ID (RID)
Relative Identifier simply allocate RID pools. This is a sequential number added to the end of a Security Identifier (SID).
RID allocates a pool or blocks of RIDs’ to a Domain Controller. These RID pools are used by a Domain Controller when an Active Directory object is created.
Note: This use-case refers to a distributed Active Directory environment. If all roles are installed on a single server, ignore these tips below.
PDC Emulator
The primary responsibility of this role is to help in ensuring/providing accurate time synchronization with your environment. It forms the root of the time sync hierarchy in your domain. This role is also contacted for logins and Password change
Note: If you have a single server having all these roles, these points below are not relevant.
- Ensure the server have this role connects to an external time source to ensure the time is accurate and
- All other Domain controller needs to sync their time from this server.
This ensures brute force attach is not possible.
Infrastructure Master
This role is responsible for ensuring that objects that use multiple domain references are kept consistent and up to date. Nonetheless, This means, when an object changes in one of the domains, they are updated on other DC. Examples of possible changes include Group Policies etc.
Furthermore, Like I have said previously, if you have a single domain, you do not need to care about this. It is only relevant in a multi-domain environment.
Note: However, The infrastructure master does not need to be a global catalogue (GC) in a multi domain environment because the global catalogue already has all the records and will never sense any new changes for the infrastructure master role to update.
Moreover, The rules for deciding this are as follow;
- Similarly, You can either have all your Domain Controllers as a Global Catalogue (GC) Server (this method is widely used by a lot of firms) or
- Nevertheless, Ensure the Server housing the infrastructure Master role is not a GC. This is a very good practice.
I hope you found this blog post on “Active Directory Flexible Single-Master Operations Roles [FSMO]” helpful. Therefore, If you have any questions, please let me know in the comment session.
