- Schema Master
- Domain Naming Master
Domain wide roles (3)
- RID Master
- PDC Emulator
- Infrastructure Master
Description of the FSMO roles
- Schema Master
The Domain Controller holding the Schema Master role is required for
maintaining the schema of the entire forest. The schema defines the attributes,
or properties, of every class of Active Directory object. To elaborate, an
Active Directory User object has many attributes or properties like ‘First
Name’, ‘Last Name’, ‘Organization’, ‘Logon Name’ etc. That means the schema
decides which ‘tabs’, and which fields under each tab, appear when the
properties window of an Active Directory User object is opened. Hence, the
domain controller that holds the Schema Master role must be unique in the
forest. Some applications require updating the schema (like Microsoft Exchange
or Microsoft Lync). During such activities the Domain Controller which holds
the Schema Master role should be available.
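The availability check the paragraph above calls for can be scripted. The following is an added example, not code from the original article; it assumes the RSAT ActiveDirectory PowerShell module and an account that can read the schema naming context. It resolves the current Schema Master, binds to that specific DC (only the Schema Master accepts schema writes, so testing any other DC proves nothing), and reads the schema container's `objectVersion` so that the version can be compared before and after an update such as an Exchange or Lync schema extension.

```powershell
# Added example (not from the original article): pre-flight check before a
# schema-extending install. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SchemaMasterReady {
    [CmdletBinding()]
    param()

    # The forest object names the DC that currently holds the Schema Master role.
    $forest       = Get-ADForest
    $schemaMaster = $forest.SchemaMaster

    # Bind explicitly to the Schema Master: schema writes go only to this DC,
    # so a successful read from any other DC says nothing about the update.
    try {
        $rootDse = Get-ADRootDSE -Server $schemaMaster
        $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext `
                                -Properties objectVersion -Server $schemaMaster
        $reachable = $true
    }
    catch {
        $reachable = $false
        $schema    = $null
    }

    [pscustomobject]@{
        Forest        = $forest.Name
        SchemaMaster  = $schemaMaster
        Reachable     = $reachable
        # objectVersion on the schema container is the forest schema version
        # (87 for a Windows Server 2016 schema, 88 for Windows Server 2019).
        SchemaVersion = $(if ($schema) { $schema.objectVersion } else { $null })
    }
}

# Run once before the schema update and once afterwards: the version should
# change only after the update, and the Schema Master must be reachable for it.
Test-SchemaMasterReady | Format-List
```

If `Reachable` comes back `$false`, resolve that before starting the application installer; the installer will fail partway through otherwise, and a schema extension cannot be rolled back.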
- Domain Naming Master
The first rule in an Active Directory environment is that no two domains in a
forest should have the same name. The same applies when navigating
downstream through the domains: no two machines should have the same
host name within the same domain, but two machines can have the same
host name if they are in different domains within the same forest. That will
ensure that the FQDN (Fully Qualified Domain Name) is different for the two
machines. The Domain Naming Master maintains uniformity across the forest,
ensuring that the names are different for each object. In that case, can two
user objects have the same name?
- RID Master
RID stands for Relative Identifier. The RID Master is responsible for the
generation of a unique identifier for each object in the Active Directory
domain. All Active Directory searches and transactions within the domain are
based on this relative identifier. For an Active Directory User object, this
identifier is the Security Identifier (SID). The reader should now have the
answer to the above question – can two user objects have the same name? Of
course they can. For user objects, uniqueness is enforced on the Security
Identifier.
To keep the SIDs generated by the Domain Controllers across the domain unique
(any Domain Controller can create a user account), the RID Master of the
domain allocates a distinct pool of RIDs to each Domain Controller. This
ensures that no two RIDs generated by different Domain Controllers are the
same.
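The two ideas in this section, that a SID is the domain SID plus a RID and that the RID Master hands each DC its own pool, can both be inspected directly. The following is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module and read access to the `CN=RID Manager$` and per-DC `CN=RID Set` objects. The sample SID is constructed and does not belong to any real account.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module; sample SID below is constructed.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $obj = [System.Security.Principal.SecurityIdentifier]$Sid
    # AccountDomainSid is everything before the last sub-authority; that last
    # sub-authority is the RID the issuing DC took from its allocated pool.
    [pscustomobject]@{
        Sid       = $obj.Value
        DomainSid = $obj.AccountDomainSid.Value
        Rid       = [uint32]($obj.Value.Split('-')[-1])
    }
}

# Constructed sample SID (not a real account): RID 1105 in a made-up domain.
Split-Sid -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain

    # The RID Manager$ object holds the domain-wide counter. In rIDAvailablePool
    # the low 32 bits are the next RID to hand out, the high 32 bits the maximum.
    $mgr  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                         -Properties rIDAvailablePool -Server $dom.RIDMaster
    $pool = [int64]$mgr.rIDAvailablePool
    $next = [uint32]($pool -band 0xFFFFFFFF)
    $max  = [uint32]($pool -shr 32)

    # Each DC records the pool it was given in the RID Set object under its own
    # computer object. rIDNextRID is not replicated, so read it from that DC.
    $perDc = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $set   = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                              -Properties rIDAllocationPool, rIDNextRID -Server $dc.HostName
        $alloc = [int64]$set.rIDAllocationPool
        [pscustomobject]@{
            DC        = $dc.HostName
            PoolStart = [uint32]($alloc -band 0xFFFFFFFF)
            PoolEnd   = [uint32]($alloc -shr 32)
            NextRid   = $set.rIDNextRID
        }
    }

    [pscustomobject]@{
        Domain       = $dom.DNSRoot
        RidMaster    = $dom.RIDMaster
        NextGlobal   = $next
        MaxRid       = $max
        RemainingPct = [math]::Round(100 * (1 - $next / $max), 2)
        PerDc        = $perDc
    }
}

$status = Get-RidPoolStatus
$status | Format-List Domain, RidMaster, NextGlobal, MaxRid, RemainingPct
$status.PerDc | Format-Table
```

Two things worth watching in the output: the per-DC pools must not overlap (that is exactly what the RID Master guarantees), and `NextGlobal` should climb slowly; a sudden jump means something has been creating and deleting security principals in bulk, which burns RIDs that are never reused.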
- Infrastructure Master
The Infrastructure Master is useful for cross-domain references. A user in
one domain can access a resource in another domain if there is a trust
established. A two-way trust is automatically created if the two domains are
within the same forest. In that case, a security group or a distribution group
can also be created comprising users from different domains. After creating
such a group, suppose that an attribute like ‘Last Name’ of a user object is
changed. The same user object is still referenced in a group which is in
another domain. The Infrastructure Master role validates these changes and
keeps the membership updated. To understand this, consider the following
multi-domain forest scenario.
- User1 who is a member of domain1.com (user1@domain1.com)
- User1 is a member of group1, which is created in domain2.com (group1@domain2.com)
- User1 is renamed later to User2 in domain1.com (user2@domain1.com)
- The change is propagated across all the GCs in the forest (specifically to the GC in domain2.com)
- The Infrastructure Master compares this information with the GC in domain2.com
- The Infrastructure Master in domain2.com detects the change that has happened to the user object user1 and updates group1@domain2.com with the new information
- PDC Emulator
The PDC (Primary Domain Controller) Emulator carries the most critical
roles in the Active Directory environment. The PDC Emulator accepts the
connections that need a writable domain controller, and hence it is very
important. Some of the important functions of the PDC Emulator are listed
below.
- Ensuring backward compatibility – for environments running Windows NT 4.0,
and older versions of Active Directory like Windows 2000
- Updating/replicating password changes – ensuring that any password resets
are replicated quickly to the other domain controllers in the domain
- Managing the Group Policies configured
- Acting as the primary time source for the domain – all the machines in the
domain synchronize time with the PDC Emulator
Transferring FSMO roles
To see which DC owns which FSMO role, use the following command:
“netdom query fsmo”
Tools to change the FSMO role holder:
- The domain-wide FSMO roles (RID, PDC, Infrastructure) can be transferred to a
different DC via Active Directory Users and Computers
- The owner of the Domain Naming Master role can be changed via Active
Directory Domains and Trusts
- The owner of the Schema Master role can be changed via the Active
Directory Schema MMC snap-in. You should first register the Schmmgmt.dll
library via the following command:
“regsvr32 schmmgmt.dll”.
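The same inventory that `netdom query fsmo` prints, plus the transfer itself, is available from the ActiveDirectory PowerShell module. The following is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, and the DC names `dc01.corp.example` and `DC02` in the baseline and transfer call are hypothetical. It lists the five role holders, compares them against an expected baseline so that an unplanned transfer or seizure stands out, and, because the Infrastructure Master section above depends on the Global Catalog, checks whether the Infrastructure Master's placement relative to the GCs lets it do its job at all.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module; DC names in the baseline are hypothetical.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Two forest-wide roles come from the forest object, three domain-wide
    # roles from the domain object; this mirrors the split in the article.
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Compare-FsmoBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $actual = Get-FsmoHolders -Domain $Domain
    # Emit one record per role whose holder differs from the recorded baseline.
    foreach ($role in $actual.Keys) {
        if ($Expected[$role] -ne $actual[$role]) {
            [pscustomobject]@{ Role = $role; Expected = $Expected[$role]; Actual = $actual[$role] }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    [pscustomobject]@{
        InfrastructureMaster = $dom.InfrastructureMaster
        HoldsGlobalCatalog   = $im.IsGlobalCatalog
        AllDcsAreGc          = $allGc
        # A GC never stores stale cross-domain references itself, so an
        # Infrastructure Master that is also a GC has nothing to update and
        # other DCs never get corrected, unless every DC is a GC.
        Warning = $(if ($im.IsGlobalCatalog -and -not $allGc) {
            'Infrastructure Master is a GC while other DCs are not; cross-domain references will not be updated'
        } else { $null })
    }
}

# Constructed baseline (hypothetical names): keep the real one under change
# control and run the comparison on a schedule, since a role that moved without
# a change record means someone transferred or seized it.
$baseline = @{
    SchemaMaster         = 'dc01.corp.example'
    DomainNamingMaster   = 'dc01.corp.example'
    PDCEmulator          = 'dc01.corp.example'
    RIDMaster            = 'dc01.corp.example'
    InfrastructureMaster = 'dc01.corp.example'
}
$drift = Compare-FsmoBaseline -Expected $baseline
if ($drift) { $drift | Format-Table } else { 'FSMO holders match baseline' }
Test-InfrastructureMasterPlacement | Format-List

# Graceful transfer of the three domain-wide roles to a hypothetical DC02; the
# current holder must be online. The same cmdlet with -Force seizes a role when
# the holder is permanently gone, after which the old holder must never return.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
```

The transfer cmdlet covers all five roles with one tool, so it replaces the three separate MMC snap-ins listed above, and it does not need `schmmgmt.dll` to be registered for the Schema Master.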

