What are the FSMO roles of a domain controller?

Active Directory was officially released in February 2000 with Windows 2000 server edition. It is an identity management service that contains all the information and data about a network and its objects. Users, computers, groups, and printers are some of the objects in Active Directory. All these objects have a distinct set of attributes assigned to them.

Active Directory follows a structure that consists of domains, trees, and a forest.

  • Domain:

    It contains objects, like users, computers, groups, printers, and file servers.

  • Tree:

    It is a collection of domains. Objects from different domains can interact through ‘trusts’.

  • Forest:

    It is a collection of trees and is the top-level classification. Objects from different forests cannot interact with each other, which limits information and data exchange across forests.

The administrator in Active Directory holds the power to assign privileges to various objects and allow them access to the network. One of the responsibilities of an admin role is to secure the network from malicious attacks and keep the organization safe from any intrusion. With time, Active Directory has gone through changes to its security protocols.

Purpose of FSMO Roles

Need:

Despite several enhancements and upgrades, Active Directory had certain flaws. With multiple domain controllers, there was an overlap in managing changes, as DCs would fight over which DC gets to make changes. That meant there were high chances of change requests being overlooked.

Solution by Microsoft:

To cater to this, Microsoft introduced the “Single Master Model” where one domain controller held the power to make changes whereas the other domain controllers fulfilled authentication requests. Although this was a major upgrade, it still had errors. When the master domain controller was down, no changes could be made until it was up again.

To control these issues, Microsoft introduced Flexible Single Master Operation (FSMO) Roles for domain controllers in 2003. Responsibilities are distributed among different domain controllers. No role is bound to one domain controller. If a domain controller goes down, another DC takes over the missing role.

Types of FSMO Roles

There are five FSMO roles, as listed below:

  1. Relative ID (RID) Master
  2. Primary Domain Controller (PDC) Emulator
  3. Infrastructure Master
  4. Domain Naming Master
  5. Schema Master

Of these, the first three roles (RID Master, PDC Emulator, and Infrastructure Master) function at the domain level, while the last two function at the forest level.

Functions of FSMO Roles

Following is a discussion of the FSMO roles and their functions.

Per-Domain Roles:

The following FSMO roles function at the domain level.

  • Relative ID (RID) Master
  • PDC (Primary Domain Controller) Emulator
  • Infrastructure Master

Relative ID (RID) Master

A Relative ID Master is responsible for allocating a pool of relative identifiers (RIDs) to each domain controller in a domain. When a DC creates an object, such as a user or a group, it assigns a unique identifier called a SID (Security Identifier) to it. A SID has the following format:

S-R-X-Y1-Y2-…-Yn-1-Yn

For example:

S-1-5-21-770366253-3460018376-311458404-1005

A SID consists of the following components:

  • S – indicates that the string is a SID
  • R – Revision level
  • X – Identifier Authority value
  • Y1-Y2-…-Yn-1 – Domain ID. The Domain ID identifies the SIDs that are issued by a domain. In other words, it identifies all objects created in a domain. The Domain ID is unique to each domain in an enterprise.
  • Yn – Relative ID. The Relative ID is taken from the pool of RIDs that the RID Master has assigned to the DC. This ID uniquely identifies an object in a domain. No two objects in a domain have the same RID.

A SID is just like a national identity number assigned to a person. It is unique and cannot be duplicated. The permissions and rights that an object gets are associated with the SID assigned to it.
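The SID layout above can be checked mechanically. The following PowerShell function is an added example written for this article (it is not part of the original post); it splits a SID string into the S-R-X-Y1…Yn components, separates the Domain ID from the RID, and cross-checks the domain portion against the .NET SecurityIdentifier class. It runs offline and needs no domain.

```powershell
# Added example, not from the original article: split a SID string into the
# S-R-X-Y1..Yn-1-Yn components described above and cross-check the domain part
# against .NET's SecurityIdentifier class. Works offline; no domain needed.
function ConvertFrom-SidString {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Sid)

    $parts = $Sid -split '-'
    if ($parts.Count -lt 4 -or $parts[0] -ne 'S') {
        throw "Not a SID string: '$Sid'"
    }

    # Everything after S-R-X is the sub-authority list Y1 .. Yn.
    $subAuthorities = @($parts[3..($parts.Count - 1)])

    # Y1 .. Yn-1 is the Domain ID; it is empty for SIDs with a single
    # sub-authority such as S-1-5-18 (Local System).
    $domainId = if ($subAuthorities.Count -gt 1) {
        $subAuthorities[0..($subAuthorities.Count - 2)] -join '-'
    } else { $null }

    $rid = [uint32]$subAuthorities[-1]

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]      # R
        IdentifierAuthority = [int64]$parts[2]    # X (5 = NT Authority)
        DomainId            = $domainId           # Y1 .. Yn-1
        Rid                 = $rid                # Yn, issued from the DC's RID pool
        # RIDs below 1000 are reserved for built-in accounts and groups
        # (500 = Administrator, 512 = Domain Admins); pool-issued RIDs start at 1000.
        IsWellKnownRid      = ($rid -lt 1000)
    }
}

# Usage with the article's sample SID.
$parsed = ConvertFrom-SidString -Sid 'S-1-5-21-770366253-3460018376-311458404-1005'
$parsed | Format-List

# Cross-check: .NET's AccountDomainSid should equal S-R-X plus our DomainId.
$dotnet   = [System.Security.Principal.SecurityIdentifier]::new($parsed.Sid)
$expected = "S-$($parsed.Revision)-$($parsed.IdentifierAuthority)-$($parsed.DomainId)"
"Domain SID from .NET : $($dotnet.AccountDomainSid.Value)"
"Domain SID from parse: $expected"
"Match: $($expected -eq $dotnet.AccountDomainSid.Value)"
```

For the sample SID the parser yields Domain ID 21-770366253-3460018376-311458404 and RID 1005, and the reconstructed domain SID matches what .NET reports, which is the behaviour the format description above predicts.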

Example of SID

Let’s suppose you create a user account, Albert Ferguson. If you delete this account and create a new account with the same name, it will not have the same SID or the same permissions as before.

The RID Master assigns a pool of 500 RIDs to a domain controller. For example, if a pool of RIDs from 4001 to 4500 is assigned to a domain controller, the next DC will receive a pool from 4501 to 5000. When a DC has consumed 50% of the allocated RIDs, it issues a request to the RID Master for additional RIDs.

The RID Master also takes care of objects when they are moved from one domain to another.

There is one RID Master per domain in a directory.
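The pool allocation described above is visible in the directory itself. The script below is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module on a domain-joined host with read access. It decodes the domain-wide counter on the RID Manager$ object (how many RIDs the domain has issued out of its lifetime total) and each DC's current pool from its RID Set object, which is the information a defender needs to spot RID exhaustion or a DC that can no longer create accounts.

```powershell
# Added example, not from the original article: decode the RID pool each DC has
# been issued and how far the domain is from RID exhaustion. Assumes the
# ActiveDirectory PowerShell module on a domain-joined host with read access.
Import-Module ActiveDirectory

function Get-RidPoolReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Server $Domain

    # Domain-wide counter on CN=RID Manager$: high 32 bits = total RIDs the domain
    # can ever issue, low 32 bits = RIDs handed out to DCs so far.
    $ridManager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                               -Server $dom.RIDMaster -Properties rIDAvailablePool
    $available  = [int64]$ridManager.rIDAvailablePool
    $total      = $available -shr 32
    $issued     = $available -band 0xFFFFFFFF
    [pscustomobject]@{
        Scope       = 'Domain'
        Object      = $dom.RIDMaster
        PoolStart   = $null
        PoolEnd     = $null
        Issued      = $issued
        Total       = $total
        PercentUsed = [math]::Round(100 * $issued / $total, 2)
    }

    # Per-DC state lives in "CN=RID Set" beneath each DC's computer object.
    # rIDPreviousAllocationPool is the pool in use: low 32 bits = first RID,
    # high 32 bits = last RID. rIDNextRID is the last RID handed out from it.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
                               -Properties rIDPreviousAllocationPool, rIDNextRID
        $pool  = [int64]$ridSet.rIDPreviousAllocationPool
        $start = $pool -band 0xFFFFFFFF
        $end   = $pool -shr 32
        $size  = $end - $start + 1
        $used  = [math]::Max(0, [int64]$ridSet.rIDNextRID - $start + 1)
        [pscustomobject]@{
            Scope       = 'DC'
            Object      = $dc.HostName
            PoolStart   = $start
            PoolEnd     = $end
            Issued      = $used
            Total       = $size
            # The DC asks the RID Master for a fresh pool once this passes 50%.
            PercentUsed = [math]::Round(100 * $used / $size, 2)
        }
    }
}

Get-RidPoolReport | Format-Table -AutoSize
```

A DC row whose pool is fully consumed while the RID Master is unreachable is exactly the failure the article warns about: that DC can authenticate but cannot create new security principals until the role holder is back or the role is transferred.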

PDC (Primary Domain Controller) Emulator

The PDC Emulator has a wide range of functions as follows:

Synchronizes Time

It synchronizes time in an enterprise. The clocks of all the DCs in a domain are synchronized with the domain controller that holds the PDC Emulator role. In a multi-domain AD forest, DCs hosting the PDC Emulator role synchronize their time with the PDC Emulator in the parent domain.

Replicates Password Changes Performed via DCs

Password changes performed through other DCs in the domain are replicated to the PDC Emulator. When authentication failure occurs at a DC due to an incorrect password, the failure is forwarded to the PDC Emulator to validate the request against the most current password.

Replicates Account Lockout to other DCs

The PDC Emulator also plays a part in the case of locked accounts. Account lockouts are instantly replicated to the other DCs through the ‘replicate single object’ process. This ensures that a locked-out account cannot log on to another DC.

Manages Group Policy

The Group Policy Management Console (GPMC) tool manages group policy. By default, GPMC connects to the DC with the PDC Emulator role to make changes in Active Directory. When the PDC Emulator is not reachable, GPMC will ask you to pick a different DC.
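The password-failure forwarding and lockout replication described above can be observed directly. The following script is an added example, not code from the original article; it assumes the ActiveDirectory module, a domain-joined host, and an account name you supply (the sample name is a placeholder). It reads one account's bad-password and lockout state from every DC and marks which row comes from the PDC Emulator, then lists locked-out accounts as the PDC Emulator sees them.

```powershell
# Added example, not from the original article: compare a user's bad-password
# and lockout state as seen by every DC against the PDC Emulator's view.
# Assumes the ActiveDirectory module and an account name you supply.
Import-Module ActiveDirectory

function Compare-BadPasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dom  = Get-ADDomain
    $pdce = $dom.PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter * -Server $dom.DNSRoot) {
        # badPwdCount is not replicated: each DC counts the failures it saw itself.
        # Because every failed attempt is forwarded to the PDC Emulator before the
        # logon is rejected, the PDCe row is the domain-wide total.
        # Lockout is replicated to every DC immediately, so LockedOut should agree.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut, lockoutTime
        [pscustomobject]@{
            DC                     = $dc.HostName
            IsPdcEmulator          = ($dc.HostName -eq $pdce)
            BadPwdCount            = $u.badPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            LockedOut              = $u.LockedOut
        }
    }
}

# All accounts currently locked out, read from the PDC Emulator (the authoritative view).
function Get-LockedOutAccounts {
    $pdce = (Get-ADDomain).PDCEmulator
    Search-ADAccount -LockedOut -Server $pdce |
        Select-Object SamAccountName, LockedOut, LastLogonDate
}

# 'aferguson' is a placeholder account name; substitute one from your domain.
Compare-BadPasswordState -SamAccountName 'aferguson' | Format-Table -AutoSize
Get-LockedOutAccounts | Format-Table -AutoSize
```

When investigating a lockout, the PDC Emulator's row is the one to read: a DC that handled none of the failed attempts will still show the account as locked out, but its own BadPwdCount will be lower than the PDC Emulator's.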

Infrastructure Master

An object in one domain is referenced in another domain by its:

  • GUID (Globally Unique Identifier)
  • SID (Security Identifier)
  • DN (Distinguished Name)

The Infrastructure Master is responsible for updating an object’s SID and distinguished name in a cross-domain object reference. This role also translates GUIDs, SIDs, and DNs between domains in a forest.

Example of how an Infrastructure Master works:

For example, on a domain-joined computer, go to the Security or Sharing tab of a folder in Windows Explorer with permissions set up for accounts in another domain. It will show the names of users, computers, and groups. If the Infrastructure Master role is not found in the domain, it will display the SIDs of accounts from other domains.

This FSMO role does not work if Active Directory has a single domain. Only one DC can act as an Infrastructure Master in a domain.

The Infrastructure Master role should not be held by a DC that is a global catalog server. Violating this rule means that the Infrastructure Master will not update object information. In fact, this role compares objects of the local domain against objects in other domains in the same forest. Since the global catalog holds a partial copy of every object in the forest, Infrastructure Master will not find any differences; hence it will not update object information.

If all the DCs in a domain are global catalog servers, they will have updated information. In such a case, the Infrastructure Master has no work to do.
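The role placement rules in this section are easy to verify. The script below is an added example, not code from the original article; it assumes the ActiveDirectory module on a domain-joined host. It lists all five role holders with their scope and whether each holder answers, and then tests the Infrastructure Master condition described above: the holder is flagged only when it is a global catalog while at least one DC in the domain is not.

```powershell
# Added example, not from the original article: list the five role holders and
# flag the Infrastructure Master / global catalog condition described above.
# Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest -Server $Domain
    $dom    = Get-ADDomain -Server $Domain

    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $dom.RIDMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $scope  = if ($role -in @('Schema Master', 'Domain Naming Master')) { 'Forest' } else { 'Domain' }
        [pscustomobject]@{
            Role      = $role
            Scope     = $scope
            Holder    = $holder
            # A holder that does not answer is the "master is down" situation the
            # article describes; the role then has to be transferred or seized.
            Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
        }
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Server $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $holder = $dcs | Where-Object HostName -eq $dom.InfrastructureMaster
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Problem case from the article: the Infrastructure Master is a GC while some
    # DCs are not, so it never sees differences and stops updating references.
    [pscustomobject]@{
        InfrastructureMaster    = $dom.InfrastructureMaster
        HolderIsGlobalCatalog   = $holder.IsGlobalCatalog
        AllDcsAreGlobalCatalogs = $allGc
        Misplaced               = ($holder.IsGlobalCatalog -and -not $allGc)
    }
}

Get-FsmoReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-List
```

The built-in `netdom query fsmo` command prints the same five holders in one line each; the script adds the scope, a reachability check, and the placement test, which is what you would want to run on a schedule rather than by hand.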

Per-Forest Roles:

The following FSMO roles apply at the forest level:

  • Schema Master
  • Domain Naming Master

Schema Master

The Schema Master role is responsible for updating the Active Directory schema. The AD schema is a set of attributes that can be applied to directory objects. The schema contains attributes (like employee ID, phone number, or group owner) and classes (like group, person, or msPKI-Key-RecoveryAgent).

Only a DC with the Schema Master role can process updates to the directory schema. The updated schema is replicated from the Schema Master to all other DCs in the directory. A forest has one Schema Master only.

With the Schema Master role, you can extend the Active Directory schema to raise a forest functional level or install Exchange.

Example of how a Schema Master works:

For example, when the telephone number of a user account is updated in a domain, the Schema Master will immediately replicate this change in the entire forest, preventing any conflicting schema changes from different domain controllers.

Domain Naming Master

The Domain Naming Master adds and removes domains in Active Directory. This role prevents you from creating domains in a forest with duplicate names. In this way, it ensures that each domain name is unique. In the absence of this role, domains cannot be added or removed from Active Directory.

This role can also add and remove cross-references to domains in external directories.
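Both forest-level roles govern objects you can read directly, so a single script can illustrate the Schema Master section and the Domain Naming Master section above. The following is an added example, not code from the original article; it assumes the ActiveDirectory module on a domain-joined host. It reads the schema container's version and the definition of one attribute (telephoneNumber) from the Schema Master, and the crossRef objects in the Partitions container from the Domain Naming Master, which are the per-domain entries that role creates and removes.

```powershell
# Added example, not from the original article: read the objects the two
# forest-level roles govern - the schema partition (Schema Master) and the
# crossRef objects in the Partitions container (Domain Naming Master).
# Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-SchemaSummary {
    $forest   = Get-ADForest
    $rootDse  = Get-ADRootDSE -Server $forest.SchemaMaster
    $schemaNc = $rootDse.schemaNamingContext

    # objectVersion on the schema container rises with every schema extension
    # (forest functional level raise, Exchange preparation, and so on).
    $container = Get-ADObject -Identity $schemaNc -Server $forest.SchemaMaster -Properties objectVersion

    # The definition of the telephoneNumber attribute. Only the Schema Master can
    # modify this definition; the per-user telephoneNumber value is ordinary
    # directory data that every DC replicates.
    $telephone = Get-ADObject -SearchBase $schemaNc -Server $forest.SchemaMaster `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=telephoneNumber))' `
        -Properties lDAPDisplayName, attributeID, attributeSyntax, isSingleValued, rangeUpper

    [pscustomobject]@{
        SchemaMaster    = $forest.SchemaMaster
        SchemaVersion   = $container.objectVersion
        AttributeName   = $telephone.lDAPDisplayName
        AttributeOid    = $telephone.attributeID
        AttributeSyntax = $telephone.attributeSyntax
        SingleValued    = $telephone.isSingleValued
        MaxLength       = $telephone.rangeUpper
    }
}

function Get-DomainCrossRefs {
    $forest     = Get-ADForest
    $rootDse    = Get-ADRootDSE -Server $forest.DomainNamingMaster
    $partitions = "CN=Partitions,$($rootDse.configurationNamingContext)"

    # One crossRef per naming context; systemFlags bit 0x2 marks a domain NC
    # (as opposed to the schema, configuration and application partitions).
    Get-ADObject -SearchBase $partitions -SearchScope OneLevel -Server $forest.DomainNamingMaster `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, dnsRoot, nETBIOSName, systemFlags |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            DnsRoot       = $_.dnsRoot
            NetBiosName   = $_.nETBIOSName
            NamingContext = $_.nCName
            IsDomain      = (($_.systemFlags -band 2) -ne 0)
        }
    }
}

Get-SchemaSummary | Format-List
Get-DomainCrossRefs | Format-Table -AutoSize
```

The crossRef list is also where the uniqueness guarantee described above shows up: every domain in the forest has exactly one entry with its own dnsRoot and nETBIOSName, and a new domain cannot be added while an entry with the same name exists.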

Default Security Groups and FSMO Roles

One of the main purposes of Active Directory is to ensure network security within an organization. Therefore, it has an entire system developed around permissions, rights, and their management. Security protocols are not restricted to FSMO roles. Default security groups in Active Directory lend another layer of security. Some of these security groups are:

  • Domain Admins
  • Enterprise Admins
  • Backup Operators
  • Account Operators
  • Protected Users
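Because membership in these groups confers the rights the section describes, reviewing who is in them is a routine control. The script below is an added example, not code from the original article; it assumes the ActiveDirectory module on a domain-joined host. It expands nested membership of each listed group into user accounts, resolves those users through the forest root's global catalog port (needed because Enterprise Admins exists only in the forest root and can contain users from any domain), and reports disabled and long-inactive members.

```powershell
# Added example, not from the original article: report the effective user
# membership of the default groups listed above and flag disabled or stale
# members. Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Backup Operators',
                              'Account Operators', 'Protected Users'),
        [int]$StaleDays = 365
    )

    $root  = (Get-ADForest).RootDomain     # Enterprise Admins lives only here
    $local = (Get-ADDomain).DNSRoot
    $gc    = "$($root):3268"               # global catalog port resolves users from any domain

    foreach ($name in $Groups) {
        $server = if ($name -eq 'Enterprise Admins') { $root } else { $local }
        $group  = Get-ADGroup -Identity $name -Server $server

        # -Recursive expands nested groups so indirect members are counted too.
        $members = Get-ADGroupMember -Identity $group -Server $server -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                Get-ADUser -Identity $_.distinguishedName -Server $gc `
                           -Properties Enabled, LastLogonDate, PasswordLastSet
            }

        $cutoff = (Get-Date).AddDays(-$StaleDays)
        [pscustomobject]@{
            Group           = $name
            Domain          = $server
            UserCount       = @($members).Count
            DisabledMembers = @($members | Where-Object { -not $_.Enabled }).SamAccountName -join ', '
            StaleMembers    = @($members | Where-Object { $_.LastLogonDate -lt $cutoff }).SamAccountName -join ', '
        }
    }
}

Get-PrivilegedGroupReport | Format-Table -AutoSize
```

Run against a domain where Protected Users is in use, the report also makes the group's intent visible: its members are the accounts for which the weaker authentication paths are switched off, so they should be the same small set that appears under Domain Admins and Enterprise Admins.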

Jonathan Blackwell

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.

What are the 5 FSMO roles?

Currently in Windows there are five FSMO roles:

  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master

What are FSMO roles explain each role?

FSMO roles are services each hosted independently on a DC in an AD forest. Each role has a specific purpose, such as keeping time in sync across devices, managing security identifiers (SIDs), and so on. FSMO roles are scoped at either the forest or domain level and are unique to that scope, as shown below.

What are the roles of domain controller?

Primary Domain Controller (PDC) Emulator: This is the most authoritative DC in the domain. The role of this DC is to respond to authentication requests, manage password changes, and manage Group Policy Objects (GPOs). Users cannot even change their passwords without the approval of the PDC Emulator.

Which is the most important FSMO role?

The PDC Emulator (Primary Domain Controller) - This role is the most used of all FSMO roles and has the widest range of functions. The domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0 BDCs are still present.