FSMO Roles in Active Directory

By | October 30, 2019

There are five flexible single master operations (FSMO) roles in an Active Directory infrastructure. Each of them performs specific Active Directory tasks that no other domain controller in the infrastructure is permitted to perform.

These five FSMO roles are divided into two categories based on their operation boundaries:

Forest Level
> Schema operations master
> Domain naming operations master

Domain Level
> Primary domain controller (PDC) emulator operations master
> Relative identifier (RID) operations master
> Infrastructure operations master

When we create the first Active Directory forest and its first domain, all five FSMO roles are installed on the domain’s first domain controller (at that point there is nowhere else to place them). Most Active Directory infrastructures leave this default configuration as it is even as they keep adding domain controllers.

Keeping the roles on one domain controller makes them easier to manage, but there are guidelines on how to place them correctly in the infrastructure to get the most benefit, which we will discuss later in this chapter. Correct placement not only improves performance, it also removes the risk of a single point of failure. It’s always good not to put all our eggs in one basket.

Schema operations master

The boundary of this role is the forest, which means an Active Directory forest can have only one schema master. The owner of this role is the only domain controller in the forest that can update the Active Directory schema.

In order to make schema changes in the forest, you also need a user account that is a member of the Schema Admins group. Once the schema changes are made on the schema master role owner, they are replicated to the other domain controllers in the forest.

Use the following command to find the schema master DC:
Get-ADForest | select SchemaMaster

When you introduce a newer version of Active Directory into the domain for the first time, a schema modification is required. If you run the Active Directory configuration wizard with a user account that only has Domain Admin permission, it will fail; you need an account with Schema Admin privileges.

Domain naming operations master

The domain naming operations master role holder is responsible for adding domain controllers to and removing domain controllers from the Active Directory forest. When you add or remove a domain controller in the forest, the operation contacts the domain naming operations master role holder over a Remote Procedure Call (RPC) connection, and if that contact fails, you will not be able to add or remove the domain controller. This is a forest-wide role, and only one domain naming operations master role holder can exist in a forest.

In AD, the domain naming operations master role owner can be found using the following command:
Get-ADForest | select DomainNamingMaster

Primary domain controller emulator operations master

The PDC emulator operations master role is a domain-wide setting, which means each domain in the forest has its own PDC operations master role holder. One of the common Active Directory interview questions is this: which FSMO role is responsible for time synchronization? The answer is the PDC!

By default, an Active Directory environment allows a maximum time difference (time skew) of five minutes. If the difference is more than 5 minutes, devices will not be able to join the domain, users will not be able to authenticate, and Active Directory-integrated applications will start throwing authentication-related errors.

It is important that the domain controllers, computers, and servers in an Active Directory domain agree on one clock. Computers and servers in a domain sync their time with the domain controller they authenticate with.

All of the domain controllers then sync their time with their domain’s PDC role holder. All the domain PDC role holders sync their time with the forest root domain’s PDC role holder. Finally, the root domain PDC role holder syncs its time with an external time source.
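The chain described above can be audited from a management host. The following PowerShell script is an added example, not code from the original post: it assumes the ActiveDirectory module is installed, that the running account can query every DC with w32tm over RPC, and that the management host's own clock is reasonably close to the PDC's (each DC's offset is measured against the local clock and then compared with the PDC's offset). The 300-second threshold reflects the five-minute default mentioned above.

```powershell
# Added example (not from the original post): audit the time-sync chain.
# Assumptions: ActiveDirectory module present; w32tm can reach each DC over RPC.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300          # five-minute default tolerance from the post
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Returns the time source a DC reports, e.g. "pdc01.corp.example,0x9" or "Local CMOS Clock".
function Get-DcTimeSource {
    param([string]$HostName)
    (w32tm /query /computer:$HostName /source 2>&1 | Out-String).Trim()
}

# Returns the average offset (seconds) of a DC's clock relative to this host's clock,
# parsed from w32tm /stripchart /dataonly lines such as "12:00:01, +00.0031234s".
function Get-DcOffsetSeconds {
    param([string]$HostName, [int]$Samples = 3)
    $lines   = w32tm /stripchart /computer:$HostName /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }
    ($offsets | Measure-Object -Average).Average
}

$pdcOffset = Get-DcOffsetSeconds -HostName $pdc

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name   = $dc.HostName
    $source = Get-DcTimeSource -HostName $name
    $offset = Get-DcOffsetSeconds -HostName $name
    $skew   = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Abs($offset - $pdcOffset) } else { $null }

    $finding = @()
    if ($name -eq $pdc -and $source -match 'Local CMOS Clock|Free-running System Clock') {
        # The root of the chain must point at an external source, not its own hardware clock.
        $finding += 'PDC is not synced to an external time source'
    }
    if ($null -eq $skew)               { $finding += 'offset could not be measured' }
    elseif ($skew -gt $MaxSkewSeconds) { $finding += "skew from PDC exceeds $MaxSkewSeconds s" }

    [pscustomobject]@{
        DomainController = $name
        IsPDC            = ($name -eq $pdc)
        TimeSource       = $source
        SkewFromPdcSec   = if ($null -ne $skew) { [math]::Round($skew, 3) } else { 'n/a' }
        Findings         = ($finding -join '; ')
    }
}

$report | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a domain-joined management host; a non-empty Findings column for the PDC means the top of the hierarchy is free-running, and any skew near the threshold will show up as Kerberos failures long before it reaches five minutes in practice.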

Apart from time synchronization, the PDC role holder is also responsible for password change replication, and in the event of authentication failures it is responsible for locking out the account. All passwords changed on other domain controllers are reported back to the PDC role holder. If an authentication failure occurs on a domain controller, before it passes the failure message back to the user it checks the password saved on the PDC, as this prevents errors that can occur due to password replication issues.

The PDC is also responsible for managing Group Policy Object (GPO) editing. Every time a GPO is viewed or updated, it is done from the copy stored in the PDC’s SYSVOL folder.

In the Active Directory domain, the PDC role owner can be found using the following command:
Get-ADDomain | select PDCEmulator

Relative ID operations master role

The RID master role is a domain-wide setting, and each domain in the forest has its own RID role owner. It is responsible for maintaining a pool of relative identifiers that are used when creating objects in the domain. Each and every object in a domain has a unique security identifier (SID), and the RID value is used in the process of SID creation.

A SID is a unique value that represents an object in Active Directory, and the RID is the incremental portion of the SID value. Once a RID value has been used to generate a SID, it is never used again. Even after an object is deleted from AD, its RID value cannot be reclaimed. This ensures the uniqueness of SID values.

The RID role owner maintains a pool of RIDs. When the domain has multiple domain controllers, it assigns a block of 500 RID values to each domain controller. When a domain controller has used more than 50% of its block, it requests another block of RIDs from the RID role owner.

In the event of a RID role owner failure, the impact will be almost unnoticeable until the domain controllers run out of their allocated RID values. While the RID role owner is unavailable, you will also not be able to move objects between domains.
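The pool behaviour described above can be observed directly in the directory. The following PowerShell script is an added example, not code from the original post: it reads the standard RID Manager$ object in the domain's System container and each DC's RID Set object, and assumes the ActiveDirectory module and read access to the domain partition. The 64-bit pool attributes pack two 32-bit numbers, so the script unpacks them with plain arithmetic; the "used" figure is derived from rIDNextRID and is labelled approximate in the code.

```powershell
# Added example (not from the original post): report the domain RID pool and each
# DC's current RID block, using the standard RID Manager$ and RID Set objects.
# Assumptions: ActiveDirectory module present; read access to the domain partition.
Import-Module ActiveDirectory

$TwoPow32 = 4294967296   # 2^32, used to unpack the 64-bit pool attributes

# Domain-wide pool. rIDAvailablePool packs two 32-bit values into one 64-bit
# number: the high half is the top of the pool, the low half is the next RID
# the RID master will hand out to a DC.
function Get-DomainRidPool {
    $domain  = Get-ADDomain
    $ridMgr  = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $poolTop = [int64][math]::Floor($pool / $TwoPow32)
    $nextRid = $pool % $TwoPow32
    [pscustomobject]@{
        Domain          = $domain.DNSRoot
        RidMaster       = $domain.RIDMaster
        RidsIssued      = $nextRid
        PoolTop         = $poolTop
        PercentConsumed = [math]::Round(100 * $nextRid / $poolTop, 4)
    }
}

# Per-DC blocks. Each writable DC's computer object points (rIDSetReferences) at a
# RID Set object. rIDPreviousAllocationPool is the block currently in use
# (low half = first RID, high half = last RID); rIDAllocationPool differs from it
# once the DC has already fetched its next block (the 50% behaviour from the post);
# rIDNextRID tracks the DC's position inside the current block (approximate).
function Get-DcRidBlocks {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
        if (-not $comp.rIDSetReferences) { continue }   # RODCs do not own a RID set
        $ridSet = Get-ADObject -Identity ([string]$comp.rIDSetReferences) `
                    -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
        $cur   = [int64]$ridSet.rIDPreviousAllocationPool
        $start = $cur % $TwoPow32
        $end   = [int64][math]::Floor($cur / $TwoPow32)
        $size  = $end - $start + 1                       # normally 500
        $next  = [int64]$ridSet.rIDNextRID
        $used  = if ($next -ge $start) { [math]::Min($next - $start, $size) } else { 0 }
        [pscustomobject]@{
            DomainController  = $dc.HostName
            BlockStart        = $start
            BlockEnd          = $end
            BlockSize         = $size
            UsedInBlockApprox = $used
            PercentUsed       = [math]::Round(100 * $used / $size, 1)
            NextBlockReserved = ([int64]$ridSet.rIDAllocationPool -ne $cur)
        }
    }
}

Get-DomainRidPool | Format-List
Get-DcRidBlocks   | Format-Table -AutoSize
```

If the RID master is down, NextBlockReserved is the value to watch: a DC past 50% of its block with no reserved next block will stop creating security principals once the current block is exhausted.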

In the Active Directory domain, the RID role owner can be found using the following command:
Get-ADDomain | select RIDMaster

Infrastructure operations master

This role is also a domain-wide setting, and it is responsible for replicating SID and distinguished name (DN) value changes across domains. SID and DN values change based on an object’s location in the forest, so if objects are moved, their new values need to be updated in groups and ACLs located in other domains.

This is taken care of by the infrastructure operations master, which ensures that the moved objects retain access to their resources without interruption.

The infrastructure operations master role owner periodically checks its database for foreign group members (members from other domains), and once it finds such objects it compares their SID and DN values with the global catalog server. If the value in the global catalog differs from the local value, it replaces the local value with the global catalog’s value and then replicates the change to the other domain controllers in the domain. By design, the global catalog server holds a partial copy of every object in the forest.

A global catalog server therefore has no need to keep local references to cross-domain objects. If the infrastructure master role is placed on a global catalog server, it will not know about any cross-domain objects that need updating. Therefore, the infrastructure operations master role owner should not be a global catalog server. However, this does not apply when all the domain controllers in a domain are global catalogs, because then every domain controller already has up-to-date information.

In the Active Directory domain, the infrastructure operations master role owner can be found using the following command:
Get-ADDomain | select InfrastructureMaster
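The one-line lookups given in the sections above can be combined into a single placement check. The following PowerShell script is an added example, not code from the original post: it inventories all five role holders across the forest, flags the single-point-of-failure case (every role on one DC), flags an infrastructure master that is a global catalog in a domain where not every DC is a GC, checks that each holder answers a ping, and reports Schema Admins membership, since that group only needs members while a schema change is in progress. It assumes the ActiveDirectory module and rights to query every domain in the forest.

```powershell
# Added example (not from the original post): inventory all five FSMO role
# holders across the forest and flag the placement issues discussed above.
# Assumptions: ActiveDirectory module present; rights to query every domain.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = New-Object System.Collections.Generic.List[string]

# Forest-level roles come from Get-ADForest, domain-level roles from Get-ADDomain.
$holders = [ordered]@{
    'Schema master'        = $forest.SchemaMaster
    'Domain naming master' = $forest.DomainNamingMaster
}

foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    $holders["PDC emulator ($domainName)"]          = $d.PDCEmulator
    $holders["RID master ($domainName)"]            = $d.RIDMaster
    $holders["Infrastructure master ($domainName)"] = $d.InfrastructureMaster

    # Infrastructure master on a GC is only a problem when some DC in the domain is not a GC.
    $dcs   = Get-ADDomainController -Filter * -Server $domainName
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im    = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    if ($im -and $im.IsGlobalCatalog -and -not $allGc) {
        $findings.Add("${domainName}: infrastructure master $($d.InfrastructureMaster) is a GC but not all DCs are GCs")
    }
}

# Single point of failure: every role on one host.
$distinct = @($holders.Values | Sort-Object -Unique)
if ($distinct.Count -eq 1) {
    $findings.Add("All $($holders.Count) FSMO roles are on $($distinct[0]) (single point of failure)")
}

# Reachability: a role holder that does not answer is the first sign of an outage.
foreach ($entry in $holders.GetEnumerator()) {
    if (-not (Test-Connection -ComputerName $entry.Value -Count 1 -Quiet)) {
        $findings.Add("$($entry.Key) holder $($entry.Value) is unreachable")
    }
}

# Schema Admins lives in the forest root domain; membership is only needed during a schema change.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain)
if ($schemaAdmins.Count -gt 0) {
    $findings.Add("Schema Admins has $($schemaAdmins.Count) member(s): $(($schemaAdmins | ForEach-Object SamAccountName) -join ', ')")
}

$holders.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Role = $_.Key; Holder = $_.Value }
} | Format-Table -AutoSize

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No FSMO placement findings.' }
```

Scheduling this as a periodic check gives early warning of the two conditions the chapter warns about: all roles left on the first DC, and an infrastructure master that has silently become a global catalog.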
