Active Directory: Flexible Single Master Operation (FSMO) Roles Explained

Active Directory uses a multi-master replication model: any writable domain controller can accept a change to the domain or forest and replicate it to the others.

Certain changes in Active Directory (AD), however, must be performed by one specific domain controller (DC) rather than by any and every DC. Allowing two DCs to make such a change at the same time would cause conflicts that replication cannot resolve (for example, two objects ending up with the same identifier). The DC that performs the change is called the Operations Master.

There are five Operations Master roles that Active Directory needs in order to function smoothly; these are the FSMO (Flexible Single Master Operation) roles.

The five FSMO Roles are:

  1. Schema Master
  2. Domain Naming Master
  3. RID Master
  4. PDC Emulator
  5. Infrastructure Master

These five Roles are split into two groups:

  1. Forest Wide Roles and
  2. Domain Wide Roles

Forest Wide Roles

These roles have exactly one holder in the entire AD forest, regardless of how many domains it contains.

  1. Schema Master Role
  2. Domain Naming Master

Domain Wide Roles

These roles have one holder per domain. If a forest spans multiple domains, every domain has its own instance of each of these three roles.

  1. RID Master
  2. PDC Emulator
  3. Infrastructure Master
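The quickest way to see this grouping in a live forest is to ask for the role holders: the two forest-wide roles are properties of the forest, the three domain-wide roles are properties of each domain. The script below is an added example, not part of the original article; it uses the ActiveDirectory module and the built-in netdom tool, and the DC name DC02 is a placeholder for a DC in your own domain.

```powershell
Import-Module ActiveDirectory

# Forest-wide roles: exactly one holder in the whole forest
$forest = Get-ADForest
$forest | Select-Object Name, SchemaMaster, DomainNamingMaster

# Domain-wide roles: one holder per domain, so walk every domain in the forest
foreach ($domainName in $forest.Domains) {
    Get-ADDomain -Identity $domainName |
        Select-Object DNSRoot, RIDMaster, PDCEmulator, InfrastructureMaster
}

# The same five answers from the point of view of the DC you are logged on to
netdom query fsmo

# Moving a role. A planned transfer needs the current holder online; -Force seizes
# the role when the holder is gone for good. -WhatIf shows what would happen without
# doing it; drop it to actually move the role. 'DC02' is a placeholder DC name.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator -WhatIf
# Seize only when the old holder will never return, and never bring it back online
# without demoting it first, otherwise two DCs each believe they own the role:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole RIDMaster -Force
```

Run the inventory part from any domain-joined machine with RSAT; the transfer needs Enterprise Admins for the two forest-wide roles and Domain Admins for the three domain-wide ones.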

Now that we know what the five roles are and how they’re grouped, let’s examine each role and see what operation they perform in an AD environment.

Roles explained

Schema Master

Whenever an object is created in Active Directory, it is built from a definition that says which attributes the object can and must have. These are called object definitions (classes and attributes), and all of them put together form the schema. Every change to the schema, such as the extension performed by Exchange or by a new version of Windows Server, has to be written on the DC holding the Schema Master role; from there it replicates to every DC in the forest, so the schema is identical forest-wide. A failure of this role is only noticed when someone tries to modify the schema and does not hamper regular AD activity.

Domain Naming Master:

The DC holding this role is the one responsible for adding domains to the forest and removing them from it (it also handles the creation and removal of application directory partitions). If this role is down there is no impact on regular AD activity unless we are adding or removing a domain, which is usually not a daily activity. As with the Schema Master, only one DC in the forest can hold this role.

RID Master

Every security principal created in AD (user, computer, group, etc.) has a unique Security Identifier, the SID. When a permission is set on a resource it is stored against the SID of the principal, not its name, so renaming an object never changes what it can access, and because a SID is never reused within a domain, a new object can never inherit the permissions of a deleted one. The SID is made up of the domain SID (common to all objects created in the domain, S-1-5-21-<three 32-bit values>) followed by a Relative Identifier (RID) that is unique within the domain, for example S-1-5-21-1234567890-1234567890-1234567890-1105. The DC holding the RID Master role hands each DC in the domain a block (pool) of RIDs, by default 500 at a time; each DC then assigns RIDs from its own pool when it creates objects and asks the RID Master for a new block when the pool runs low. Every domain in a forest has its own RID Master. If it is down, nothing happens immediately, but a DC whose pool runs out can no longer create users, computers or groups.

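Two things a practitioner usually wants to check here: how a given SID decomposes into domain SID and RID, and how much of the domain's RID space has been allocated. Both are visible with the ActiveDirectory module. The script below is an added example, not part of the original article; 'jdoe' is a placeholder sAMAccountName. It reads the RID Manager$ object (the RID Master's view of the domain-wide pool) and each DC's RID Set object (the block that DC was handed); both are real AD objects, and the attribute names are the ones AD uses.

```powershell
Import-Module ActiveDirectory

# 1. Split a principal's SID into the domain SID and its RID.
$sid = (Get-ADUser -Identity 'jdoe').SID          # System.Security.Principal.SecurityIdentifier
[pscustomobject]@{
    SID       = $sid.Value
    DomainSID = $sid.AccountDomainSid.Value         # everything except the last component
    RID       = [int]($sid.Value -split '-')[-1]    # the last component
}

# 2. Domain-wide view, kept by the RID Master on the "RID Manager$" object.
#    rIDAvailablePool is a 64-bit value: low 32 bits = next RID the RID Master will hand out,
#    high 32 bits = highest RID that can ever be issued in this domain.
$domainDN = (Get-ADDomain).DistinguishedName
$ridMgr   = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDN" -Properties rIDAvailablePool
$pool     = [int64]$ridMgr.rIDAvailablePool
[pscustomobject]@{
    NextRidToAllocate = $pool -band 0xFFFFFFFF
    MaxRid            = $pool -shr 32
}

# 3. Per-DC view: the block each DC received (rIDAllocationPool, low 32 bits = start,
#    high 32 bits = end) and the next RID that DC will use from it.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                  -Properties rIDAllocationPool, rIDNextRID
    $alloc  = [int64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = $alloc -band 0xFFFFFFFF
        PoolEnd   = $alloc -shr 32
        NextRid   = $ridSet.rIDNextRID
    }
}

# 4. Built-in health check of the RID Master and of this DC's ability to get a pool.
dcdiag /test:RidManager /v
```

A DC whose NextRid is close to PoolEnd while the RID Master is unreachable is the one that will start failing object creation first; the dcdiag test reports the same condition.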
PDC Emulator

This is the most active role in terms of day-to-day AD activity. Password changes made on any DC are replicated to the DC holding this role urgently, ahead of the normal replication schedule, and a logon that fails on another DC is retried against the PDC Emulator before being rejected, so a user whose password was just changed can log on anywhere. It is the top of the time hierarchy for the domain, and the PDC Emulator of the forest root domain is the authoritative time source for the whole forest, which matters because Kerberos tolerates only a small clock skew (five minutes by default). Group Policy Objects are edited on the PDC Emulator by default and replicated from there, and a domain-based DFS Namespace cannot be created without it. This is a per-domain role and has the greatest impact on end users if it fails.

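Because the PDC Emulator sits at the top of the time hierarchy, the check most worth running is that every DC traces its time back to it and that the forest-root PDC Emulator itself uses an external source rather than its own clock. The script below is an added example, not part of the original article; it uses the ActiveDirectory and GroupPolicy modules plus the built-in w32tm tool, and time.example.net is a placeholder for your organisation's NTP servers.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Who holds the role, in this domain and in the forest root (the forest's time source).
$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain
"Domain PDC Emulator      : $($domain.PDCEmulator)"
"Forest-root PDC Emulator : $($forestRoot.PDCEmulator)"

# 2. Time source of every DC. Non-PDCE DCs should report a DC (ultimately the PDCE);
#    the forest-root PDCE should report an external server, never "Local CMOS Clock".
foreach ($dc in Get-ADDomainController -Filter *) {
    $source = w32tm /query /computer:$($dc.HostName) /source
    [pscustomobject]@{ DC = $dc.HostName; TimeSource = ($source -join ' ').Trim() }
}

# 3. Fix for a forest-root PDCE that syncs from itself. Run these on that DC.
#    0x8 = client mode; /reliable:yes advertises it as a reliable time source to the forest.
# w32tm /config /manualpeerlist:"time.example.net,0x8" /syncfromflags:manual /reliable:yes /update
# Restart-Service w32time
# w32tm /resync

# 4. GPO edits land on the PDCE first. Querying it directly shows the newest state,
#    which is useful when another DC still shows an older version of a policy.
Get-GPO -All -Server $domain.PDCEmulator |
    Select-Object DisplayName, ModificationTime, @{ n = 'ComputerVersion'; e = { $_.Computer.DSVersion } }
```

If step 2 shows a member DC pointing at an external server instead of the domain hierarchy, it has usually been configured by hand or by a virtualisation host; that DC will drift independently of the PDC Emulator and its Kerberos tickets will eventually be rejected.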
Infrastructure Master

The function of this role needs some attention to understand. It has no part to play in a single-domain forest; it comes into play when a forest has multiple domains and is needed to keep references to objects in other domains up to date. A simple example: a user from domain X is added to a group in domain Y. Domain Y does not hold a copy of the user, so the group stores a reference (a phantom record) containing the user's SID, GUID and distinguished name. If the user is later renamed or moved in domain X, the Infrastructure Master of domain Y is the DC that notices the stale reference, updates it, and replicates the fix to the other DCs of domain Y. There is an important relationship between the Infrastructure Master and the Global Catalog that deserves its own discussion; the short version is that the Infrastructure Master should not sit on a DC that is also a Global Catalog unless every DC in the domain is a Global Catalog (or the AD Recycle Bin is enabled, in which case every DC performs this work), because a Global Catalog already holds a partial copy of every object in the forest and would never see a reference as stale.
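The placement rule for this role is easy to get wrong in a multi-domain forest, so it is worth checking mechanically: is the Infrastructure Master a Global Catalog, are all DCs in the domain Global Catalogs, and is the Recycle Bin enabled. The script below is an added example, not part of the original article; it uses only the ActiveDirectory module and warns exactly when the combination above is the problematic one.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *      # every DC in the current domain

$imHolder   = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$imIsGC     = [bool]$imHolder.IsGlobalCatalog
$allDCsGC   = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$recycleBin = (Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes.Count -gt 0
$multiDomain = $forest.Domains.Count -gt 1

[pscustomobject]@{
    Domain               = $domain.DNSRoot
    InfrastructureMaster = $domain.InfrastructureMaster
    IMIsGlobalCatalog    = $imIsGC
    AllDCsAreGC          = $allDCsGC
    RecycleBinEnabled    = $recycleBin
    MultiDomainForest    = $multiDomain
}

# The role only matters in a multi-domain forest, and only misbehaves when its holder
# is a GC while some other DC in the domain is not and the Recycle Bin is off:
# the GC never sees a cross-domain reference as stale, so the non-GC DCs keep the old name.
if ($multiDomain -and $imIsGC -and -not $allDCsGC -and -not $recycleBin) {
    $candidates = $dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName
    Write-Warning ("Infrastructure Master {0} is a GC but not every DC is; move the role to a non-GC DC ({1}) " +
                   "or make all DCs GCs / enable the Recycle Bin.") -f $domain.InfrastructureMaster, ($candidates -join ', ')
}
else {
    'Infrastructure Master placement is fine.'
}
```

The same condition is what dcdiag reports in its FsmoCheck and KnowsOfRoleHolders tests, but the script makes the three inputs explicit so you can see which one to change.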