
Thursday 22 December 2016

FSMO roles

Forest-wide roles (2)
  1. Schema Master
  2. Domain Naming Master

Domain-wide roles (3)

  1. RID Master
  2. PDC Emulator
  3. Infrastructure Master

Description of the FSMO roles

  • Schema Master
The Domain Controller holding the Schema Master role is required for maintaining the schema of the entire forest. The schema defines the attributes or properties of each Active Directory object. To elaborate, an Active Directory User object has many attributes or properties such as ‘First Name’, ‘Last Name’, ‘Organization’, ‘Logon Name’ etc. In other words, the schema determines which ‘tabs’ and which fields appear under each tab when the properties window of an Active Directory User object is opened. Hence, the domain controller that holds the Schema Master should be unique. Some applications require updating the schema (such as Microsoft Exchange or Microsoft Lync). During such activities the Domain Controller which holds the Schema Master role must be available.
  • Domain Naming Master
The first rule in an Active Directory environment is that no two domains in a forest may have the same name. The same applies further down the tree: no two machines may have the same host name within one domain, but two machines can have the same host name if they are in different domains within the same forest, which ensures that the FQDN (Fully Qualified Domain Name) is different for the two machines. The Domain Naming Master maintains this uniformity across the forest, ensuring that the names are different for each object. In that case, can two user objects have the same name?
  • RID Master
RID stands for Relative Identifier. The RID Master is responsible for the generation of a unique identifier for each object in the Active Directory domain. All Active Directory searches and transactions within the domain happen based on this relative identifier. The Relative Identifier for an Active Directory User object is called the Security Identifier (SID). The reader should now be able to answer the question above: can two user objects have the same name? Yes, they can. For user objects, uniqueness is enforced on the Security Identifier.
To maintain the integrity of the SIDs generated by the Domain Controllers across the domain (any Domain Controller can create a user account), the RID Master of the domain allocates unique pools of RIDs to each Domain Controller. This ensures that no two RIDs generated by different Domain Controllers are the same.
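As an added example (not code from the original post), the PowerShell below shows the two ideas from this section in practice: a SID splits into a domain part shared by every object in the domain and a trailing RID that makes the object unique, and each DC draws its RIDs from a pool handed out by the RID Master. The sample SIDs are constructed; the pool inspection needs the ActiveDirectory RSAT module and reads the real `rIDAvailablePool` and `rIDAllocationPool` attributes, whose 64-bit packing (high 32 bits = upper bound, low 32 bits = next/first RID) is decoded here.

```powershell
# Added example, not part of the original post.
# Part 1 works offline; parts 2 and 3 need the ActiveDirectory module (RSAT).

function ConvertFrom-Sid {
    # Split a SID string into the domain SID and the trailing RID.
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        Rid       = [uint32]($sid.Value.Split('-')[-1])
    }
}

# Constructed sample SIDs (the domain part is made up): two accounts in the same
# domain share the domain SID and differ only in their RID.
'S-1-5-21-1111111111-2222222222-3333333333-1105',
'S-1-5-21-1111111111-2222222222-3333333333-1106' | ForEach-Object { ConvertFrom-Sid $_ }

function Get-RidPoolStatus {
    # rIDAvailablePool on the "RID Manager$" object: high 32 bits = highest RID the
    # domain may ever issue, low 32 bits = next RID the RID Master will hand out.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d    = Get-ADDomain -Identity $Domain
    $mgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($d.DistinguishedName)" `
                         -Server $d.RIDMaster -Properties rIDAvailablePool
    $pool = [int64]$mgr.rIDAvailablePool
    $max  = [uint32]($pool -shr 32)
    $next = [uint32]($pool -band 0xFFFFFFFF)
    [pscustomobject]@{
        Domain        = $d.DNSRoot
        RidMaster     = $d.RIDMaster
        NextRid       = $next
        MaxRid        = $max
        RemainingRids = $max - $next
        PercentUsed   = [math]::Round(100 * $next / $max, 2)
    }
}

function Get-DcRidAllocation {
    # Each DC's own pool lives on its "RID Set" object (found via rIDSetReferences on
    # the computer object); rIDAllocationPool packs the pool's last RID in the high
    # 32 bits and its first RID in the low 32 bits.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $Domain -Properties rIDSetReferences
        if (-not $comp.rIDSetReferences) { continue }   # e.g. an RODC never receives a pool
        $set   = Get-ADObject -Identity $comp.rIDSetReferences[0] -Server $Domain `
                              -Properties rIDAllocationPool, rIDNextRID
        $alloc = [int64]$set.rIDAllocationPool
        [pscustomobject]@{
            DC       = $dc.HostName
            PoolFrom = [uint32]($alloc -band 0xFFFFFFFF)
            PoolTo   = [uint32]($alloc -shr 32)
            NextRid  = $set.rIDNextRID
        }
    }
}

# Usage on a domain-joined admin workstation:
Get-RidPoolStatus
Get-DcRidAllocation | Format-Table -AutoSize
```

Running `Get-DcRidAllocation` makes the "unique pools" statement visible: every writable DC shows a non-overlapping PoolFrom/PoolTo range, and `Get-RidPoolStatus` tells you how much of the domain's global RID space has already been consumed.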
  • Infrastructure Master
The Infrastructure Master is useful for cross-domain references. A user in one domain can access a resource in another domain if there is a trust established. A two-way trust is automatically created if the two domains are within the same forest. In that case, a security group or a distribution group can also be created comprising users from different domains. After creating such a group, suppose that an attribute like ‘Last Name’ of a user object is changed. The same user object is still referenced in a group which is in another domain. The Infrastructure Master role validates these changes and keeps the membership updated. To understand this, consider the multi-domain forest scenario below.
  1. User1 is a member of domain1.com (user1@domain1.com)
  2. User1 is a member of group1, which is created in domain2.com (group1@domain2.com)
  3. User1 is later renamed to User2 in domain1.com (user2@domain1.com)
  4. The change is propagated across all the GCs in the forest (specifically to the GC in domain2.com)
  5. The Infrastructure Master compares this information with the GC in domain2.com
  6. The Infrastructure Master in domain2.com detects the change that has happened to the user object user1 and updates group1@domain2.com with the updated information
  • PDC Emulator
The PDC (Primary Domain Controller) Emulator holds the most critical functions of the Active Directory environment. The PDC Emulator opens a connection to the writable domain controller and is therefore very important. Some of the important functions of the PDC Emulator are listed below.
  • Ensuring backward compatibility – for environments running Windows NT 4.0, and older versions of Active Directory such as Windows 2000
  • Updating/replicating password changes – ensuring that any password resets are replicated quickly to the other domain controllers in the domain
  • Managing the Group Policies configured
  • Acting as the primary time source for the domain – all the machines in the domain synchronize time with the PDC Emulator


Transferring FSMO roles

To see which DC owns which FSMO role, use the following command: “netdom query fsmo”
Tools to change the FSMO role holder:
- The domain-wide FSMO roles (RID, PDC, Infrastructure) can be transferred to a different DC via Active Directory Users and Computers
- The owner of the Domain Naming Master role can be changed via Active Directory Domains and Trusts
- The owner of the Schema Master role can be changed via the Active Directory Schema MMC snap-in. You should first register the Schmmgmt.dll library via the following command: “regsvr32 schmmgmt.dll”.
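As an added example (not code from the original post), the PowerShell below does the same job as “netdom query fsmo” and the three MMC snap-ins through the ActiveDirectory RSAT module, and adds two checks a practitioner usually wants alongside it: a comparison of the live role holders against an expected baseline (an unplanned transfer or seizure of a role is worth an alert), and a check that the Infrastructure Master is not hosted on a Global Catalog unless every DC in the domain is one, since it relies on a GC it does not own to notice the cross-domain changes described above. The hostnames in the baseline are placeholders.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and rights to read the forest; the transfer at the end needs
# the usual Domain/Enterprise/Schema Admins membership for the roles involved.

function Get-FsmoRoleHolder {
    # PowerShell equivalent of "netdom query fsmo": forest-wide roles come from
    # Get-ADForest, domain-wide roles from Get-ADDomain.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-FsmoBaseline {
    # Return one row per role whose current holder differs from the expected one.
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $actual = Get-FsmoRoleHolder -Domain $Domain
    foreach ($role in $Expected.Keys) {
        if ($actual.$role -ne $Expected[$role]) {
            [pscustomobject]@{ Role = $role; Expected = $Expected[$role]; Actual = $actual.$role }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # The Infrastructure Master must not be a GC unless all DCs in the domain are
    # GCs (or the AD Recycle Bin is enabled, in which case placement no longer matters).
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $im    = $dcs | Where-Object HostName -eq $dom.InfrastructureMaster
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    [pscustomobject]@{
        InfrastructureMaster = $dom.InfrastructureMaster
        IsGlobalCatalog      = [bool]$im.IsGlobalCatalog
        AllDcsAreGc          = $allGc
        PlacementOk          = $allGc -or -not $im.IsGlobalCatalog
    }
}

# Usage (hostnames are placeholders for your own DCs):
$baseline = @{
    SchemaMaster         = 'dc01.example.com'
    DomainNamingMaster   = 'dc01.example.com'
    RIDMaster            = 'dc01.example.com'
    PDCEmulator          = 'dc01.example.com'
    InfrastructureMaster = 'dc02.example.com'
}
Get-FsmoRoleHolder
Test-FsmoBaseline -Expected $baseline
Test-InfrastructureMasterPlacement

# Transfer (not seize) the three domain-wide roles to dc02. -WhatIf only shows
# the plan; drop it to perform the transfer. -Force seizes a role and should be
# used only when the current holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity 'dc02' `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster -WhatIf
```

`Test-FsmoBaseline` is deliberately written to produce nothing when all is well, so it can run from a scheduled task and any output can be treated as an alert condition.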
