Introduction to FSMO Roles in Active Directory

Aaron Paul updated on Dec 16, 2022 to Knowledge Center

Over the past decades, Microsoft has released numerous updates to Windows and its directory services, and FSMO roles in Active Directory are one of them. If you are looking for reliable information about FSMO roles in Active Directory, this article is for you: it covers what the roles are, why they exist, and what each one does. Read on to explore more.


Overview of FSMO Roles

What is Flexible Single-Master Operation, and what are FSMO roles?

Flexible single master operation (FSMO) is a Microsoft Active Directory component: a specialized domain controller task used where the standard multi-master replication and update methods are inadequate.

More importantly, tasks that do not suit multi-master replication are only viable as flexible single-master operations.

In a multi-master model, several domain controllers can accept changes, but some operations would conflict if more than one master performed them. This problem is solved by assigning each such operation to a single domain controller.

That single domain controller holds the role for a particular operation and is the only master for that operation. These operation masters are called flexible single-master operations.

Once you know what FSMO roles are, you should clearly understand the five FSMO roles listed below.

List of 5 FSMO Roles

Microsoft divided the duties of a DC into five different roles that concurrently make a complete AD system. Let's explore them.

  • Schema Master FSMO Role
  • Relative ID (RID) Master FSMO Role
  • Domain Naming Master FSMO Role
  • Primary Domain Controller (PDC) Emulator FSMO Role
  • Infrastructure Master FSMO Role
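The five roles are split between forest-wide and domain-wide scope, and the first thing an administrator usually wants to know is which DC holds each one and whether that DC is reachable. The following PowerShell is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT) is installed on a domain-joined machine with read access to the directory, and uses only the `Get-ADForest` and `Get-ADDomain` properties that expose the role holders.

```powershell
# Added example (not from the original article): list the holder of each FSMO role
# and check whether that DC answers a ping.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param(
        # Domain to query for the three domain-wide roles; defaults to the current domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles: exactly one holder per forest
    $roles = @(
        [PSCustomObject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
        [PSCustomObject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
        # Domain-wide roles: one holder per domain
        [PSCustomObject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $dom.RIDMaster }
        [PSCustomObject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $dom.PDCEmulator }
        [PSCustomObject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $dom.InfrastructureMaster }
    )

    foreach ($r in $roles) {
        # A role holder that is offline is the most common reason a role "stops working"
        $reachable = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        $r | Add-Member -NotePropertyName Reachable -NotePropertyValue $reachable -PassThru
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

The two forest-wide roles come from `Get-ADForest`, the three domain-wide roles from `Get-ADDomain`; in a multi-domain forest, run the function once per domain with `-Domain` to see each domain's RID Master, PDC Emulator and Infrastructure Master. A holder that shows `Reachable = False` is where to start troubleshooting.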

How do they work?

Schema Master FSMO Role

The Schema Master role holds the read-write copy of your Active Directory schema. The AD schema defines all the attributes, such as employee ID, phone number, email address, and login name, that you can apply to an object in your AD database.

Furthermore, the AD schema is a database partition that contains metadata about AD objects. For example, it includes classes like person, group, or msPKI-Key-RecoveryAgent and attributes like phone number, badPwdCount, or DNS-HostName.

AD requires a single service to manage the schema, hence the Schema Master role. The Schema Master is responsible for processing all changes to the AD schema.

If you've ever extended the AD schema to install products like Exchange, or raised a forest functional level, you've worked with the Schema Master role.

RID Master FSMO Role

Here comes another role: the Relative ID Master assigns blocks of relative identifiers to individual DCs, which they use to build Security Identifiers (SIDs) for newly created objects.

Each object in AD has a SID; the last few digits of the SID are the relative portion. To keep multiple objects from having the same SID, the RID Master grants each DC its own block, so that every DC allocates unique SIDs.
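To make the "relative portion" concrete, the following PowerShell splits a SID into its domain part and its RID. It is an added example, not code from the original article; the SID string it parses is constructed for illustration and does not belong to any real domain, and it relies only on the .NET `SecurityIdentifier` class that ships with Windows.

```powershell
# Added example (not from the original article): split a SID into domain SID and RID.
# The sample SID below is constructed for illustration, not taken from a real domain.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    # The RID is the final sub-authority, i.e. the last dash-separated number
    $rid = [int]($SidString.Split('-')[-1])

    [PSCustomObject]@{
        Sid       = $sid.Value
        # AccountDomainSid is $null for SIDs that are not domain account SIDs (e.g. S-1-5-18)
        DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        Rid       = $rid
        # RIDs below 1000 are reserved well-known values (500 = built-in Administrator,
        # 512 = Domain Admins); RIDs from 1000 upward come from the pools the RID Master hands to DCs
        RidSource = if ($rid -lt 1000) { 'Well-known (reserved)' } else { 'RID Master pool' }
    }
}

# Constructed examples: a regular user and the built-in Administrator of the same (fictional) domain
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-500'
```

Two objects in the same domain share the `DomainSid` prefix and differ only in the RID, which is exactly the value the RID Master must keep unique across all DCs.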

Domain Naming Master FSMO Role

After the Schema Master, the Domain Naming Master ensures that you cannot create a new domain in the forest with the same name as an existing one.

In other words, it is the master of your domain names. Because creating new domains isn't something that happens often, of all the roles this one is the most suitable to share a DC with another role.

PDC Emulator FSMO Role

Arguably, the most essential FSMO role in AD is the PDC Emulator. The PDC Emulator role is responsible for tasks like password changes, account lockouts (and unlocks), time synchronization, and many more.

In the early days of Active Directory (Windows NT), the Primary Domain Controller (PDC) was the only writable DC in a domain. All other DCs were Backup Domain Controllers (BDCs) used only for authentication.

Starting with Windows 2000, all DCs became writable, except for read-only domain controllers (RODCs), introduced in Windows Server 2008.

Because AD still needed the functions of a PDC but no longer technically had a PDC, Microsoft introduced the PDC emulator (PDCe) role.

Infrastructure Master FSMO Role

The Infrastructure Master role translates Globally Unique Identifiers (GUIDs), SIDs, and Distinguished Names (DNs) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them.

If the Infrastructure Master isn't working correctly, you will see raw SIDs instead of resolved names in your Access Control Lists (ACLs).

FSMO roles give confidence that your domain can authenticate users and evaluate permissions without interruption (with the usual caveats about the network). Every AD object has a SID allocated from a block issued by the RID Master FSMO role.

When you view users, groups, and other AD objects, you want to see a name, not a SID. This is where the Infrastructure Master role comes in.

Each DC is configured as a global catalog (GC) by default. A GC holds information from all domains in a forest. One way to reduce replication traffic between sites was to configure some DCs not to be GCs.

For instance, from a domain-joined computer, check the Security or Sharing tab of a given folder in Windows Explorer with permissions set up for accounts in another domain.

Moreover, you'll see the names of users, computers, and groups, not their SIDs. If your computer cannot reach the Infrastructure Master role in the domain, you'll only see the SIDs of accounts from other domains.
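The symptom described above, unresolved SIDs in a folder's ACL, can be checked from a script rather than by clicking through the Security tab. The following PowerShell is an added example, not code from the original article; it assumes a domain-joined machine and a folder path you can read (the path in the usage line is a placeholder), and it uses `Get-Acl` plus the .NET `SecurityIdentifier.Translate` method, both of which ship with Windows.

```powershell
# Added example (not from the original article): list ACL entries on a folder whose
# identity did not resolve to a name, which is the symptom described in the text.
# Assumes a domain-joined machine; the path passed at the bottom is a placeholder.
function Get-UnresolvedAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Get-Acl returns an NTAccount when the SID resolved to a name, and a
        # SecurityIdentifier object when it could not be resolved
        $isSid = $id -is [System.Security.Principal.SecurityIdentifier]

        $retry = $null
        if ($isSid) {
            # Retry the lookup explicitly; a transient failure may resolve on a second attempt
            try   { $retry = $id.Translate([System.Security.Principal.NTAccount]).Value }
            catch [System.Security.Principal.IdentityNotMappedException] { $retry = $null }
        }

        [PSCustomObject]@{
            Identity        = $id.Value
            Unresolved      = ($isSid -and -not $retry)
            ResolvedOnRetry = $retry
            Rights          = $ace.FileSystemRights
            Type            = $ace.AccessControlType
        }
    }
}

# Placeholder path: replace with a folder whose permissions reference accounts in another domain
Get-UnresolvedAce -Path 'C:\Shares\Example' | Where-Object Unresolved | Format-Table -AutoSize
```

A SID that stays unresolved on retry is worth investigating, but note that an unresolved SID can also simply be an account that was deleted; confirm the account still exists in its domain before attributing the problem to the Infrastructure Master.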

Final Words

FSMO roles are critical to ensuring AD continues to function as designed. Although you usually don't need to be concerned about FSMO roles, it's still essential to understand how they work when the time comes!
