This article offers a simplified explanation of the 5 Active Directory FSMO (pronounced “FisMO”) roles.
Active Directory FSMO Roles
Active Directory (AD) operates a multi-master database model. Meaning that all Domain Controllers (DC) have writable copies of the AD Database. Though AD is multi-master database, there are some roles that has to be single-master roles.
Single-master roles means that one DC performs the operation and replicates to other DCs. These single-master operations roles are called FSMO (Flexible Single-Master Operations) roles.
The FSMO roles are sensitive roles that if performed by more than one DC will cause conflict. After going through this article you will have a better understanding of the 5 Active Directory FSMO roles.
The 5 Active Directory FSMO roles are:
- RID Master
- Schema Master
- Domain Naming Master
- Infrastructure Master and
- PDS Emulator Master
RID Master Active Directory FSMO Role
Domain Controllers create security principals like users, computers and so on. Every time a security principal is created the DC assigns the object a unique Security ID (SID). The SID has two components – Domain SID and a Relative ID (RID). Every object created in a domain has the same Domain SID. But the Relative ID (RID) is unique for each security principal created.
For a domain controller to assign RIDs, it has to have a pool of RIDs. The assignment of RID pools to DCs is a single master operations role. This operation is performed by the DC asigned the RID Master Flexible Single-Master Operations (FSMO) role.
Schema Master Active Directory FSMO Role
Active Directory Schema is a definition of object classes and their attributes. An example of an object class is Users. A user attribute is the User Name, Job title, etc.
Sometimes, an administrator may need to extend the Active Directory Schema. To extend a schema is to define a new object and its attributes. Schema extension operation is handled by one DC. The DC that handles addition and deletion of objects in the schema is called the Schema Master.
Domain Naming Master Active Directory FSMO Role
In an Active Directory forest, domains may be added or deleted. To avoid conflict, the addition and deletion of domains is a single-master operations role. The DC assigned the Domain Naming Master FSMO role handles domain addition and deletion in the AD forest.
The Domain Naming Master DC is also responsible for adding or removing cross references to domains in external directories.
Infrastructure Master Active Directory FSMO Role
In an AD forest with multiple domains, objects are cross-referenced from one domain to the other. The Domain Controller holding the Infrastructure Master FSMO role is responsible for keeping cross-domain object references up to date.
As an example, say an object in Domain-A is referenced by another object in Domain-B. When the referenced object is modified, the Infrastructure Master is responsible for updating the references.
A simple explanation of object referencing is when an object is accessed. For example, a user in Domain-A accesses a shared folder in Domain-B. When that shared folder changes, the Infrastructure Master FSMO role DC stores the updated object reference and replicates it to other DCs.
PDS Emulator Master Active Directory FSMO Role
The PDC Emulator FSMO Domain Controller handles user authentication, password change and time synchronization. The DC assigned the PDC Emulator role also handles account lockouts and forwards authentication failures (triggered by incorrect passwords) to other DCs.
The Active Directory multi-master model means that any Domain Controller (DC) can update the AD database. But there ate 5 operations reserved for one DC. These are called Flexible Single-Master Operations (FSMO) roles.
I hope this guide simplified the explanation of these 5 Active Directory FSMO roles.
If you have any question or comment about Active Directory FSMO roles use the “Leave a Reply” form at the end of the page. Alternatively, you can share your experience transferring or seizing Active Directory FSMO roles.