Active Directory was officially released in February 2000 with Windows 2000 Server. It is an identity management service that holds the information about a network and its objects. Users, computers, groups, and printers are some of the object types in Active Directory, and every object carries its own set of attributes.
Active Directory follows a structure that consists of domains, trees, and a forest.
The administrator in Active Directory holds the power to assign privileges to objects and grant them access to the network. One of the responsibilities of the admin role is to protect the directory from malicious changes and keep the organization safe from intrusion. Over time, the security mechanisms of Active Directory have changed.

Purpose of FSMO Roles

Need:
Active Directory replicates changes between domain controllers in a multi-master fashion: any writable DC can accept a change, and conflicting changes are resolved later by replication. For a few operations that is not safe. Two DCs handing out the same security identifier, two DCs adding a domain with the same name, or two DCs applying conflicting schema changes at the same time would leave the directory inconsistent, and there would be no sound way to decide afterwards which change wins.

Solution by Microsoft:
Windows NT 4.0 used a single-master model: one Primary Domain Controller held the only writable copy of the database, while the Backup Domain Controllers served read-only copies and answered authentication requests. When the PDC was down, no change could be made until it came back or a BDC was promoted. Active Directory, from Windows 2000 on, keeps multi-master replication for ordinary changes and reserves only the conflict-prone operations for a single DC at a time. These are the Flexible Single Master Operation (FSMO) roles. The roles are "flexible" because no role is bound to a particular DC: each role can be transferred to another DC, and if the holder is permanently lost the role can be seized on another DC. That transfer or seizure is an administrative action; it does not happen automatically when a role holder goes down, which is why the role holders need monitoring.

Types of FSMO Roles
There are five FSMO roles, as listed below:
1. RID Master
2. PDC Emulator
3. Infrastructure Master
4. Schema Master
5. Domain Naming Master
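Finding out which DC holds each role, checking that those holders are still reachable, and moving a role when one is not, is the procedure the paragraphs above describe. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module, a session that can reach a DC, and the hypothetical DC name DC02.

```powershell
# Added example (not from the original article): list the five FSMO role
# holders, check that each still answers LDAP, and move a role to another
# DC. Requires the ActiveDirectory RSAT module and a session that can reach
# a DC. The name DC02 is an assumption chosen for illustration.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Returns one object per role with the DC that currently holds it.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Holder = $dom.RIDMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
}

function Test-FsmoRoleHolderOnline {
    # A holder that is down does not hand its role to anyone; an admin has
    # to move it. This check is what should page someone.
    Get-FsmoRoleHolder | ForEach-Object {
        $online = Test-NetConnection -ComputerName $_.Holder -Port 389 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $_ | Add-Member -NotePropertyName Online -NotePropertyValue $online -PassThru
    }
}

function Move-FsmoRole {
    # Transfers a role while the current holder is reachable. With -Seize the
    # role is taken without the holder's cooperation (for a holder that is
    # permanently gone). A DC whose Schema, Domain Naming or RID Master role
    # was seized must never be brought back online: it still believes it owns
    # the role and would hand out duplicate identifiers.
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
}

Test-FsmoRoleHolderOnline | Format-Table -AutoSize

# Example: transfer the three domain-level roles to DC02 (hypothetical name).
# Move-FsmoRole -TargetDC 'DC02' -Role RIDMaster,PDCEmulator,InfrastructureMaster
# Example: seize the PDC Emulator after its holder has been lost for good.
# Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator -Seize
```

Transfer is the normal, reversible operation and should be preferred; seizure is for a holder that will not return, and the old holder must then be cleaned out of the directory (metadata cleanup) rather than restored from backup.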
Of these, the first three roles (RID Master, PDC Emulator, and Infrastructure Master) exist once per domain and function at the domain level, while the last two (Schema Master and Domain Naming Master) exist once per forest and function at the forest level.

Functions of FSMO Roles
Following is a discussion of the FSMO roles and their functions.

Per-Domain Roles:
The following FSMO roles function at the domain level.
Relative ID (RID) Master
The RID Master is responsible for allocating pools of relative identifiers (RIDs) to the domain controllers in its domain. When a DC creates a security principal, such as a user, computer, or group, it assigns a unique Security Identifier (SID) to it. A SID has the following format:
S-R-X-Y1-Y2-...-Yn-1-Yn
For example: S-1-5-21-770366253-3460018376-311458404-1005
A SID consists of the following components:
- S: a literal prefix that marks the string as a SID.
- R: the revision level; 1 for all current SIDs.
- X: the identifier authority; 5 is the NT Authority, which issues domain SIDs.
- Y1 ... Yn-1: the sub-authority values. For domain accounts these are 21 followed by three 32-bit values that identify the domain; S-1-5-21-770366253-3460018376-311458404 is the domain SID in the example.
- Yn: the relative identifier (RID), 1005 in the example, which the creating DC took from its RID pool. The RID is the only part that differs between principals of the same domain. RIDs below 1000 are reserved for well-known principals such as Administrator (500), Domain Admins (512), Schema Admins (518), and Enterprise Admins (519).
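The SID components listed above, and the RID pool accounting that the RID Master performs, can be checked from PowerShell. The following is an added example, not code from the original article: the SID parsing runs offline on constructed inputs (the SID from the text and a pool covering 4001 to 4500), while the commented-out lookup at the end assumes the ActiveDirectory module and a hypothetical DC named DC01.

```powershell
# Added example (not from the original article): split a SID into the
# components described above, flag well-known RIDs, and decode a DC's
# rIDAllocationPool value. Runs offline on constructed inputs; the optional
# live lookup at the end needs the ActiveDirectory module and a DC named
# DC01 (an assumed name).

function ConvertFrom-Sid {
    # Splits S-R-X-Y1-...-Yn into its fields and names well-known RIDs.
    param([Parameter(Mandatory)][string]$Sid)

    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)  # validates the string
    $parts  = $Sid.Split('-')                                              # 'S', R, X, Y1 .. Yn
    $rid    = [uint32]$parts[-1]
    # Well-known RIDs that exist in every domain (constructed lookup table).
    $wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'; 512 = 'Domain Admins';
                    516 = 'Domain Controllers'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int]$parts[2]
        DomainSid           = if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null }
        Rid                 = $rid
        IsWellKnown         = $rid -lt 1000   # RIDs below 1000 are reserved for built-in principals
        WellKnownName       = $wellKnown[[int]$rid]
    }
}

function ConvertFrom-RidAllocationPool {
    # rIDAllocationPool is a 64-bit integer: the low 32 bits hold the first
    # RID of the pool and the high 32 bits the last one. rIDNextRID is the
    # next RID the DC will hand out, so the difference is what is left.
    param([Parameter(Mandatory)][int64]$Pool, [int64]$NextRid = 0)
    $start = $Pool -band [int64][uint32]::MaxValue
    $end   = $Pool -shr 32
    [pscustomobject]@{
        PoolStart = $start
        PoolEnd   = $end
        PoolSize  = $end - $start + 1
        Remaining = if ($NextRid) { $end - $NextRid + 1 } else { $null }
    }
}

# Constructed inputs: the SID from the article, the Schema Admins SID of the
# same domain, and a pool covering 4001..4500 of which half has been used.
ConvertFrom-Sid 'S-1-5-21-770366253-3460018376-311458404-1005'
ConvertFrom-Sid 'S-1-5-21-770366253-3460018376-311458404-518'
ConvertFrom-RidAllocationPool -Pool (([int64]4500 -shl 32) -bor 4001) -NextRid 4251

# Live check against a real DC (assumed name DC01): read its RID Set object.
# $dc  = Get-ADComputer -Identity DC01 -Properties rIDSetReferences
# $set = Get-ADObject -Identity $dc.rIDSetReferences[0] -Properties rIDAllocationPool, rIDNextRID
# ConvertFrom-RidAllocationPool -Pool $set.rIDAllocationPool -NextRid $set.rIDNextRID
```

The well-known RID check is the practical use of the parse: a principal whose SID ends in 500 or 512 is the built-in Administrator or Domain Admins group regardless of what it has been renamed to, so detection logic should key on the RID, not the name.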
A SID is like a national identity number assigned to a person. It is unique and is never reused. The permissions and rights an object holds are bound to its SID, not to its name: access control lists store SIDs, and names are only resolved for display.

Example of SID
Suppose you create a user account, Albert Ferguson. If you delete this account and create a new account with the same name, the new account gets a new SID and none of the permissions of the old one.

The RID Master assigns a pool of 500 RIDs to a domain controller. For example, if a pool of RIDs from 4001 to 4500 is assigned to a domain controller, the next DC will receive a pool from 4501 to 5000. When a DC has consumed 50% of its allocated pool, it requests a new pool from the RID Master. Because every DC carries a pool it can draw on, the RID Master can be unavailable for a while without affecting object creation; if it stays down, DCs eventually exhaust their pools and can no longer create users, computers, or groups. The RID Master also takes care of objects that are moved from one domain to another: the move must be initiated on the RID Master of the source domain, so that the same object cannot be moved to two domains at once. There is one RID Master per domain.

PDC (Primary Domain Controller) Emulator
The name comes from Windows NT 4.0: in a mixed domain, this DC acted as the NT 4.0 PDC towards any remaining NT 4.0 Backup Domain Controllers. The role has a wide range of functions, as follows:

Synchronizes Time
The PDC Emulator is the authoritative time source of its domain. The clocks of all DCs in a domain are synchronized with the DC holding the PDC Emulator role, and domain members synchronize with the DC that authenticates them. In a multi-domain forest, the DC holding the PDC Emulator role in a child domain synchronizes its time with a DC in the parent domain, up to the PDC Emulator of the forest root domain, which should be configured to take time from a reliable external source. Kerberos by default rejects tickets from clients whose clocks differ from the DC's by more than five minutes, so a wrong time on the forest root PDC Emulator breaks authentication across the forest.

Replicates Password Changes Performed via DCs
A password change made on any DC in the domain is replicated to the PDC Emulator immediately, ahead of the normal replication schedule. When a DC rejects a logon because of an incorrect password, it forwards the attempt to the PDC Emulator to validate it against the most recent password before returning a failure, so a user who has just changed a password is not locked out by a DC that has not yet replicated.

Replicates Account Lockout to other DCs
The PDC Emulator also plays a part in account lockouts. Lockouts are pushed immediately to the PDC Emulator and on to the other DCs by urgent replication, rather than waiting for the normal replication schedule. This ensures that a locked-out account cannot keep trying against a DC that has not yet heard about the lockout.

Manages Group Policy
The Group Policy Management Console (GPMC) tool manages group policy.
By default, GPMC connects to the DC holding the PDC Emulator role to edit Group Policy objects, so that two administrators editing the same GPO on different DCs do not overwrite each other's changes. When the PDC Emulator is not reachable, GPMC asks you to pick a different DC.

Infrastructure Master
An object in one domain is referenced in another domain by its:
- GUID (objectGUID), which never changes;
- SID, for security principals, which changes when the object is moved to another domain;
- distinguished name (DN), which changes when the object is renamed or moved.
The Infrastructure Master is responsible for updating the SID and distinguished name in cross-domain object references (phantom records) when the referenced object is renamed or moved in its own domain; the GUID is what ties the reference to the object. Example of how an Infrastructure Master works: on a domain-joined computer, open the Security or Sharing tab of a folder in Windows Explorer with permissions set up for accounts from another domain. Normally it shows the names of those users, computers, and groups. If the Infrastructure Master is not doing its job, references to accounts that were renamed or moved in the other domain go stale, and the tab shows old names or raw SIDs instead. This role has nothing to do in a single-domain forest. Only one DC can act as Infrastructure Master in a domain.

The Infrastructure Master role should not be held by a DC that is a global catalog server, unless every DC in the domain is a global catalog. The role works by comparing the references held in its own copy of the domain against the global catalog and fixing the ones that differ. A global catalog holds a read-only partial copy of every object in the forest and therefore keeps no phantom records of its own; an Infrastructure Master that is also a global catalog never finds a stale reference in its own copy and so never updates anything, while the non-global-catalog DCs in the domain keep their stale references. If all the DCs in a domain are global catalog servers, every DC already has current information, and the Infrastructure Master has no work to do. When the Active Directory Recycle Bin is enabled, each DC updates its own cross-domain references and the placement of this role no longer matters.

Per-Forest Roles:
The following FSMO roles are applicable at the forest level:
- Schema Master
- Domain Naming Master
Schema Master
The Schema Master role is responsible for updating the Active Directory schema. The schema defines the object classes that can exist in the directory (like user, group, or computer) and the attributes those classes can carry (like employee ID, telephone number, or group owner). Only the DC holding the Schema Master role accepts writes to the schema partition, so two conflicting schema changes cannot be made at the same time. The updated schema is replicated from the Schema Master to every DC in the forest. A forest has exactly one Schema Master. Example of how a Schema Master works: installing Exchange, or running adprep /forestprep before introducing DCs running a newer version of Windows Server, adds new classes and attributes to the schema. Those writes go to the Schema Master and require the account to be a member of Schema Admins; once written, they replicate to all DCs in the forest. Changing the value of an existing attribute on an object, such as a user's telephone number, is an ordinary data change that any writable DC handles and that does not involve the Schema Master. Schema changes are effectively permanent, since a class or attribute can be deactivated but not deleted, so schema extensions deserve review before they are applied.

Domain Naming Master
The Domain Naming Master adds and removes domains, and other directory partitions such as application partitions, in the forest. Because one DC handles every addition, no two domains with the same name can be created, which ensures that each domain name is unique. In the absence of this role, domains cannot be added to or removed from Active Directory. This role can also add and remove cross-references to domains in external directories. Adding or removing a domain requires membership in Enterprise Admins.

Default Security Groups and FSMO Roles
One of the main purposes of Active Directory is to ensure network security within an organization. Therefore, it has an entire system developed around permissions, rights, and their management. That system is not restricted to FSMO roles. Default security groups in Active Directory lend another layer of security: membership in them decides who may perform the operations behind each FSMO role and who may move the roles. Some of these security groups are:
- Schema Admins (forest root domain): the only group allowed to modify the schema or transfer the Schema Master role. Microsoft recommends keeping it empty except while a schema change is being made.
- Enterprise Admins (forest root domain): required to add or remove domains and to transfer the Domain Naming Master role; it is a member of the Administrators group of every domain in the forest.
- Domain Admins (per domain): required to transfer or seize the RID Master, PDC Emulator, and Infrastructure Master roles of its domain.
- Administrators (built-in, per domain): administrative control over the domain's DCs.
Membership in these groups should be small, known, and regularly reviewed, because any member can change the foundations of the directory rather than just its data.
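The PDC Emulator, Infrastructure Master, and default-group sections above each describe a condition an operator should verify: the forest root PDC Emulator taking time from a real source, the Infrastructure Master not sitting on a global catalog (unless all DCs are, or the Recycle Bin is on), and the privileged groups being short. The following PowerShell is an added example that runs those three checks together; it is not code from the original article and assumes the ActiveDirectory module, a reachable forest, rights to query w32tm remotely, and an arbitrary threshold of five members for the admin groups.

```powershell
# Added example (not from the original article): operator checks for the
# PDC Emulator time source, Infrastructure Master placement, and default
# privileged group membership. Needs the ActiveDirectory module, a
# reachable forest, and rights to run w32tm against the root PDC. The
# five-member threshold for admin groups is an assumption.
Import-Module ActiveDirectory

function Test-PdcEmulatorTimeSource {
    # The forest root PDC Emulator is the top of the time hierarchy, so it
    # must not report the local clock as its source.
    $rootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $source  = (w32tm /query "/computer:$rootPdc" /source 2>&1) -join ' '
    [pscustomobject]@{
        Check  = 'Forest root PDC Emulator time source'
        Target = $rootPdc
        Detail = $source
        Pass   = $source -notmatch 'Local CMOS Clock|Free-running System Clock'
    }
}

function Test-InfrastructureMasterPlacement {
    # Flags an Infrastructure Master that is a global catalog while other
    # DCs in the domain are not. Passes when the Recycle Bin is enabled,
    # because every DC then maintains its own cross-domain references.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $recycleBin = (Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes.Count -gt 0
    [pscustomobject]@{
        Check  = "Infrastructure Master placement in $Domain"
        Target = $dom.InfrastructureMaster
        Detail = "IM is GC: $($im.IsGlobalCatalog); all DCs GC: $allGc; Recycle Bin: $recycleBin"
        Pass   = $recycleBin -or $allGc -or (-not $im.IsGlobalCatalog)
    }
}

function Test-PrivilegedGroupMembership {
    # Schema Admins should be empty outside a schema change; Enterprise
    # Admins and the root domain's Domain Admins should be short lists.
    param([int]$MaxMembers = 5)   # assumed threshold
    $root = (Get-ADForest).RootDomain
    foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins') {
        $members = @(Get-ADGroupMember -Identity $g -Server $root -Recursive |
                     Select-Object -ExpandProperty SamAccountName)
        [pscustomobject]@{
            Check  = "$g membership"
            Target = $root
            Detail = ($members -join ', ')
            Pass   = if ($g -eq 'Schema Admins') { $members.Count -eq 0 } else { $members.Count -le $MaxMembers }
        }
    }
}

$findings = @(
    Test-PdcEmulatorTimeSource
    Test-InfrastructureMasterPlacement
    Test-PrivilegedGroupMembership
)
$findings | Format-Table Check, Target, Pass, Detail -AutoSize -Wrap
```

Each function returns a Pass flag alongside the raw detail, so the same output can be read by a person or fed to a monitoring job; a Schema Admins group with members outside a planned change window is the finding most worth alerting on.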