
FSMO: Active Directory Flexible Single-Master Operations Roles


The five operations master roles are also called FSMO (Flexible Single-Master Operations) roles. Active Directory is multi-master, so any writable domain controller can accept most changes, but a handful of operations would create conflicts if two DCs performed them at the same time. Each of those operations is therefore assigned to exactly one DC, the role holder, and that is what keeps the Active Directory database consistent.

These five operations master roles fall into two categories, namely:

– Forest level and
– Domain level

By default the five roles are held by:
– the first domain controller installed in the forest (it holds all five roles for the forest root domain), and
– the first domain controller installed in each additional domain (it holds that domain's three domain-level roles).

The forest level roles are:
– Schema Master and
– Domain Naming Master

The domain level roles are as follows:
– Infrastructure Master
– PDC Emulator
– RID Master

Note: the forest-level roles exist once per forest, the domain-level roles once per domain. A forest with three domains therefore has three PDC emulators, three RID masters and three infrastructure masters, but only one schema master and one domain naming master. Any role can be transferred to another DC of the right scope, but only one DC holds it at a time.
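As an added example (not code from the original post), the following PowerShell lists who currently holds each role in a forest. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user; the forest and domain names come from your environment.

```powershell
# Added example: enumerate the FSMO role holders across the forest.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-level roles: exactly one holder in the whole forest.
[PSCustomObject]@{
    Forest             = $forest.Name
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}

# Domain-level roles: one holder per domain, so walk every domain in the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    [PSCustomObject]@{
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# The same picture seen from the DC side for the current domain: every DC,
# the roles it holds, and whether it is a global catalog.
Get-ADDomainController -Filter * |
    Select-Object HostName, Domain, IsGlobalCatalog,
        @{ Name = 'Roles'; Expression = { $_.OperationMasterRoles -join ', ' } }
```

From an elevated command prompt, `netdom query fsmo` prints the same five holders for the current domain in one line each; the PowerShell version is more useful when you need to loop over several domains or feed the result into a health check.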

Let's look at each role in turn.
– Schema Master: This role owns the schema, which defines the structure of Active Directory: the object classes that can exist and the attributes each class can store. The schema master is the only DC that accepts schema changes; from there they replicate to every DC in the forest. Schema changes cannot be reversed, only disabled (a class or attribute can be marked defunct), so take absolute care, and test in a lab first, before modifying the schema.

– Domain Naming Master: This role controls the addition and removal of domains (and application directory partitions) in the forest, and ensures that no two domains in the forest have the same name. It is only contacted when a domain is created or removed, so if you do not plan to add another domain, an outage of the holder goes unnoticed day to day. Shutting that server down on purpose is still not a good idea: a role whose holder never comes back cannot be transferred cleanly and has to be seized.

– Relative ID (RID) Master: The RID master allocates RID pools. A relative identifier is the sequential number at the end of a Security Identifier (SID); the domain SID plus the RID identifies one security principal uniquely. The RID master hands out blocks (pools) of RIDs to each domain controller in the domain, and a DC consumes one RID from its pool every time it creates a user, group or computer object. When a pool runs low the DC asks the RID master for a new block, so if the RID master stays unavailable for long, DCs eventually exhaust their pools and can no longer create security principals.

Note: the tips below refer to a distributed Active Directory environment with several domain controllers. If all roles are installed on a single server, they can be ignored.

– PDC Emulator: The primary responsibility of this role is accurate time synchronisation for your environment. It forms the root of the time sync hierarchy in the forest: every DC syncs from the PDC emulator of its domain, the PDC emulators of child domains sync from the forest root PDC emulator, and domain members sync from the DC that authenticates them. The PDC emulator is also involved in logons and password changes: password changes are forwarded to it immediately, a DC that fails to validate a password checks with the PDC emulator before rejecting the logon, and account lockouts are processed on it. By default it is also the DC that the Group Policy editing tools connect to.

  • Ensure the server holding this role in the forest root domain syncs from an accurate external time source, and
  • all other domain controllers sync their time through the domain hierarchy rather than from external sources of their own.

Accurate time is a security requirement, not just a convenience: Kerberos rejects requests whose timestamps differ from the DC's clock by more than the allowed skew (five minutes by default), so a DC that drifts breaks authentication, and consistent timestamps across DCs are what make security logs comparable during an investigation.
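The time hierarchy described above, as an added example that is not part of the original post. It is meant to be run in an elevated PowerShell session on each domain controller: the forest root PDC emulator is configured against external NTP servers and every other DC is told to follow the domain hierarchy. The NTP peer names are placeholders; substitute the servers your organisation actually uses.

```powershell
# Added example: configure the Windows Time service according to the FSMO time hierarchy.
# Run elevated on each domain controller. The NTP peers below are placeholders.
Import-Module ActiveDirectory

# The forest root domain's PDC emulator is the top of the hierarchy (FQDN, e.g. dc01.corp.example).
$rootPdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$myFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($myFqdn -eq $rootPdce) {
    # Forest root PDC emulator: sync from external sources and advertise as a reliable time source.
    # ",0x8" asks w32tm to poll the peer in client mode. Placeholder peers; replace with your own.
    $peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC (including child-domain PDC emulators): follow the domain hierarchy,
    # which ends at the forest root PDC emulator. This also removes any stray manual peer list.
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time
w32tm /resync /nowait

# Verify: where this machine takes time from, and its offset against the root PDC emulator.
# Offsets approaching the Kerberos skew limit (5 minutes by default) need attention before logons fail.
w32tm /query /source
w32tm /stripchart /computer:$rootPdce /samples:3 /dataonly
```

If `w32tm /query /source` on a non-root DC still reports `Local CMOS Clock` or an external server after the change, the DC has not picked up the domain hierarchy; that is the usual sign of a leftover manual configuration or a Group Policy time setting overriding the local one.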

– Infrastructure Master: This role keeps cross-domain object references consistent and up to date. When an object in one domain refers to an object in another domain (the classic case is a group whose members include users from another domain), the referring domain stores only a placeholder, a phantom record with the foreign object's GUID, SID and distinguished name. The infrastructure master periodically compares those phantoms against a global catalog and, when the referenced object has been renamed or moved, updates them and replicates the fix to the other DCs in its domain. Group Policy objects are not an example of this; they are stored within the domain and need no cross-domain references.

If you have a single domain you do not need to care about this role. It is only relevant in a multi-domain forest.

Note: the infrastructure master should not be a global catalog (GC) in a multi-domain forest unless every DC is one. A GC already holds a partial copy of every object in the forest, so it never creates phantoms; an infrastructure master running on a GC would find nothing to update and would silently stop refreshing the stale references held by the non-GC DCs in its domain.

The rule for placing it is therefore one of the following:
– make every domain controller a global catalog server (this is what most organisations do, and it makes the role's placement irrelevant), or
– ensure the server holding the infrastructure master role is not a GC.
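The placement rule above can be checked automatically. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module and a domain user session, and it inspects every domain in the forest rather than only the current one.

```powershell
# Added example: verify infrastructure master placement against the global catalog rule.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
if (@($forest.Domains).Count -eq 1) {
    "Single-domain forest {0}: the infrastructure master has no cross-domain references to maintain." -f $forest.Name
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # -Server with a domain name lets the cmdlet pick a DC of that domain and list its DCs.
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    if ($nonGc.Count -eq 0) {
        # Rule 1: every DC is a GC, so no DC holds phantoms and placement does not matter.
        "{0}: all {1} DCs are global catalogs; infrastructure master placement is irrelevant." -f $domainName, $dcs.Count
    } elseif ($im.IsGlobalCatalog) {
        # The bad case: the role holder is a GC while other DCs are not, so their phantoms go stale.
        "{0}: WARNING infrastructure master {1} is a GC while {2} DC(s) are not; move the role to a non-GC DC." -f $domainName, $im.HostName, $nonGc.Count
    } else {
        # Rule 2: the role holder is not a GC and will keep updating cross-domain references.
        "{0}: OK infrastructure master {1} is not a GC." -f $domainName, $im.HostName
    }
}
```

When the check reports a warning, either transfer the role (`Move-ADDirectoryServerOperationMasterRole -Identity <non-GC DC> -OperationMasterRole InfrastructureMaster`) or make the remaining DCs global catalogs; both end in a state the check reports as fine.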

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
