Before you start
Objectives: Learn what are FSMO roles and why are they used.
Prerequisites: no prerequisites.
Key terms: FSMO roles, forest level, domain level, domain controller
Operations Master Roles
One of the most important features of Active Directory (AD) are the five Flexible Single-Master Operation roles (FSMO roles). FSMO roles are special Domain Controller (DC) tasks which are assigned to a specific DC in the domain or forest. FSMO roles are:
- Schema master – maintains the schema. The schema is the mapping of all the different object types in AD, like users, computers, groups, etc.
- Domain naming master – enables us to add domains.
- RID (Relative Identifier) master – assigns SIDs (security identifiers) to objects. Remember, objects in AD are represented with security principals, like users or group. Each security principal is represented with unique SID.
- PDC (primary domain controller) emulator – gives support for Windows NT 4 domains, and provides support for time services.
- Infrastructure master – provides a mapping of all the container objects in AD.
These five roles function at different levels of our forest. The Schema and Domain naming master function at the forest level. Only one DC within the entire forest holds those roles. The RID, PDC emulator and Infrastructure master roles function at the domain level. In each domain one DC will hold those three roles.
If we have a single domain environment with only one Domain Controller (DC), all five roles will be on the one server. If we implement more DCs in our single domain environment, we should separate the five FSMO roles among our DCs.
If we have a multiple domain environment, we are dealing with a tree structure. The first DC that we install will maintain the forest infrastructure, and will hold the Schema master and the Domain naming master roles. At each domain level we will also have the other three roles (RID, PDC emulator, and the Infrastructure master).
As we plan our domain structure, we should thing about how are we going to distribute the five FSMO roles. DC that performs an operations master role is known as an operations master or operations master role owner. When installing or removing DCs we will have to be aware of which DCs hold which FSMO roles.