Microsoft Active Directory FSMO Roles

Microsoft Active Directory FSMO (Flexible Single Master Operations) roles are a set of five specialized roles, each responsible for managing a different function within an Active Directory domain. Each FSMO role serves a specific purpose and performs specific tasks. This section describes each role and the tasks it performs.

  1. Schema Master Role:

The Schema Master role manages the Active Directory schema, which defines the structure of the objects stored in the Active Directory database. It is a single-instance role: there can be only one schema master in the entire forest.

Example: When a new attribute or object class is added to the Active Directory schema, it is replicated to all domain controllers in the forest by the schema master. If a change is made to the schema, it can only be made on the schema master, and the changes are then replicated to all other domain controllers.

  2. Domain Naming Master Role:

The Domain Naming Master role manages the addition and removal of domains in a forest and ensures that domain names are unique throughout the forest. It is a single-instance role: there can be only one domain naming master in the entire forest.

Example: When a new domain is added to the forest, the domain naming master allocates a unique name for the domain. Similarly, when a domain is removed from the forest, the domain naming master ensures that the name is available for use in the future.

  3. Infrastructure Master Role:

The Infrastructure Master role updates cross-domain references and ensures that group membership changes are replicated to all domain controllers in the domain. It is a per-domain role: there can be only one infrastructure master in each domain.

Example: When a user is added to a group in one domain, the infrastructure master in that domain is responsible for updating the group membership information on all domain controllers in the domain.
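The three roles above, plus the two per-domain roles that follow, are easiest to reason about once you can see who holds them and whether the directory agrees with itself. The following PowerShell is an added example, not code from the original article: it lists all five role holders, cross-checks each against the fSMORoleOwner attribute on the partition or container that role protects (a mismatch usually means a seized role or stale replication), and flags the well-known infrastructure-master placement problem. It assumes the ActiveDirectory module (RSAT) and a domain-joined session with read access to the directory.

```powershell
# Added example (not from the original article): inventory the five FSMO role
# holders, cross-check each against fSMORoleOwner, and check infrastructure
# master placement. Assumes the ActiveDirectory module and read access to AD.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$forest   = Get-ADForest
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Role name -> holder reported by the module, and the object whose
# fSMORoleOwner attribute must name the same DC.
$roles = [ordered]@{
    'Schema Master'         = @{ Holder = $forest.SchemaMaster;         Partition = $rootDse.schemaNamingContext }
    'Domain Naming Master'  = @{ Holder = $forest.DomainNamingMaster;   Partition = "CN=Partitions,$($rootDse.configurationNamingContext)" }
    'Infrastructure Master' = @{ Holder = $domain.InfrastructureMaster; Partition = "CN=Infrastructure,$domainDN" }
    'RID Master'            = @{ Holder = $domain.RIDMaster;            Partition = "CN=RID Manager$,CN=System,$domainDN" }
    'PDC Emulator'          = @{ Holder = $domain.PDCEmulator;          Partition = $domainDN }
}

# fSMORoleOwner holds the DN of the owner's "NTDS Settings" object; its parent
# is the server object, which carries the DC's DNS host name.
function Resolve-FsmoOwner([string]$NtdsSettingsDn) {
    $serverDn = ($NtdsSettingsDn -split ',', 2)[1]
    (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
}

foreach ($name in $roles.Keys) {
    $r = $roles[$name]
    try {
        $ownerDn   = (Get-ADObject -Identity $r.Partition -Properties fSMORoleOwner).fSMORoleOwner
        $ownerHost = Resolve-FsmoOwner $ownerDn
        # A deleted owner shows up as a DN containing "\0ADEL:" and will not resolve.
        $status = if ($ownerHost -eq $r.Holder) { 'OK' } else { "MISMATCH (fSMORoleOwner -> $ownerDn)" }
    } catch {
        $status = "UNKNOWN ($_)"
    }
    '{0,-22} {1,-40} {2}' -f $name, $r.Holder, $status
}

# Placement check: the infrastructure master compares its local cross-domain
# references against a global catalog. If it is itself a GC it finds nothing to
# fix, so it must not be a GC unless every DC in the domain is one.
$dcs   = Get-ADDomainController -Filter *
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($im -and $im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a global catalog but not every DC in $($domain.DNSRoot) is; cross-domain references will not be updated."
}
```

Run it from any domain-joined workstation with RSAT; because fSMORoleOwner is read from the local DC's replica, running it against several DCs with `-Server` on the Get-ADObject calls is the quickest way to see whether a recent seizure has replicated everywhere.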

  4. Relative ID (RID) Master Role:

The Relative ID (RID) Master Role is responsible for allocating a unique pool of RIDs to each domain controller in a domain. RIDs are used to create security principals such as users, groups, and computers. The RID master role is a per-domain role and there can be only one RID master in each domain.

Example: When a domain controller creates a new security principal, it uses a RID from its allocated pool. If the domain controller runs out of RIDs, it requests additional RIDs from the RID master.
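The pool mechanics described in this example are visible in the directory itself, which makes them worth monitoring: a domain cannot create any new security principal once the RID master's pool is exhausted, and a DC that cannot reach the RID master stops creating principals once its own block runs out. The following PowerShell is an added example, not code from the original article. It reads the domain-wide pool from the RID Manager$ object and each writable DC's RID Set, decodes the 64-bit pool values, and reports how many RIDs remain at each level. It assumes the ActiveDirectory module and read access to the domain; the 20% warning threshold is a constructed example value, not an AD setting.

```powershell
# Added example (not from the original article): report RID pool consumption
# for the domain and for each writable DC. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$domainDN     = $domain.DistinguishedName
$warnFraction = 0.2   # constructed threshold for this example, not an AD setting

# RID pool attributes are 64-bit integers: the low 32 bits hold the first RID
# of the range and the high 32 bits hold the last RID of the range.
function Split-RidPool([long]$Value) {
    $high = [long][math]::Floor($Value / 4294967296)
    [pscustomobject]@{ Start = $Value - ($high * 4294967296); End = $high }
}

# Domain-wide view: rIDAvailablePool.Start is the next RID the RID master will
# hand out to a DC; End is the hard ceiling for the whole domain.
$mgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$domainDN" -Properties rIDAvailablePool
$pool = Split-RidPool $mgr.rIDAvailablePool
'Domain {0}: next RID {1}, ceiling {2}, {3} RIDs left ({4:P1} of the space)' -f `
    $domain.DNSRoot, $pool.Start, $pool.End, ($pool.End - $pool.Start), (($pool.End - $pool.Start) / $pool.End)

# Per-DC view: each writable DC keeps a "RID Set" object under its computer object.
#   rIDPreviousAllocationPool = the block it is allocating from right now
#   rIDNextRID                = the last RID it issued from that block
#   rIDAllocationPool         = the block already granted to it for next time
foreach ($dc in (Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })) {
    try {
        $set = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                            -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
    } catch {
        Write-Warning "$($dc.HostName): RID Set object not readable ($_)"
        continue
    }
    $current   = Split-RidPool $set.rIDPreviousAllocationPool
    $next      = Split-RidPool $set.rIDAllocationPool
    $remaining = $current.End - $set.rIDNextRID
    $size      = $current.End - $current.Start + 1
    # A DC asks the RID master for a fresh block before the current one is
    # empty; if rIDAllocationPool still equals the current block, no new block
    # has been granted yet, which matters when the RID master is unreachable.
    $hasSpare = $next.Start -ne $current.Start
    $flag = if ($remaining -lt ($size * $warnFraction) -and -not $hasSpare) { 'LOW' } else { 'OK' }
    '{0,-40} block {1}-{2} last issued {3} remaining {4} spare block: {5} {6}' -f `
        $dc.HostName, $current.Start, $current.End, $set.rIDNextRID, $remaining, $hasSpare, $flag
}
```

The domain-wide line is the one to alert on: a large gap between the next RID and the ceiling is normal, but a ceiling that is suddenly much closer than yesterday points to something allocating principals in bulk, which is worth investigating before the pool runs dry.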

  5. PDC Emulator Role:

The PDC Emulator Role is responsible for several tasks, including:

  • Time synchronization across the domain.
  • Password changes for user accounts that have set the “password never expires” option.
  • Processing account lockout policies.
  • Authentication of legacy clients.

The PDC emulator role is a per-domain role and there can be only one PDC emulator in each domain.

Example: When a client attempts to authenticate with the domain, the client sends a request to the PDC emulator to verify the user’s credentials. The PDC emulator also ensures that the time on all domain controllers is synchronized.
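Two of the PDC emulator's duties listed above, time synchronization and account lockout processing, can be verified directly. The following PowerShell is an added example, not code from the original article. It locates the PDC emulator, asks every DC which time source it follows (the PDC emulator should chain to an external or hardware reference and every other DC should follow the PDC emulator), and then pulls the locked-out account list from the PDC emulator rather than from whichever DC the session happens to be bound to, since lockouts are forwarded to it. It assumes the ActiveDirectory module, the built-in w32tm.exe, rights to query each DC remotely, and a single-domain forest for the "every other DC follows the PDC" expectation.

```powershell
# Added example (not from the original article): check the domain time hierarchy
# rooted at the PDC emulator and list lockouts from it. Assumes the
# ActiveDirectory module, w32tm.exe, and a single-domain forest.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Sources that mean nobody is actually serving reliable time to this DC.
$badSources = @('Local CMOS Clock', 'Free-running System Clock')

function Get-DcTimeSource([string]$HostName) {
    # w32tm prints the configured source as its last line; 2>&1 keeps any
    # error text in-band so an unreachable DC shows up in the report.
    $out = & w32tm.exe /query /source /computer:$HostName 2>&1
    ($out | Select-Object -Last 1).ToString().Trim()
}

foreach ($dc in Get-ADDomainController -Filter *) {
    $src = Get-DcTimeSource $dc.HostName
    if ($dc.HostName -eq $pdc) {
        # The PDC emulator is the top of the hierarchy and must not free-run.
        $ok     = $badSources -notcontains $src
        $expect = 'external or hardware reference'
    } else {
        # Everyone else should be following the PDC emulator.
        $ok     = $src -like "$pdc*"
        $expect = $pdc
    }
    '{0,-40} source={1,-35} expected={2} {3}' -f $dc.HostName, $src, $expect, $(if ($ok) { 'OK' } else { 'CHECK' })
}

# Lockouts are forwarded to the PDC emulator as they happen, so it holds the
# most complete list; a DC that has not replicated yet may miss recent ones.
Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    Select-Object SamAccountName, DistinguishedName
```

A DC reported as CHECK is either following a source other than the PDC emulator or has fallen back to its local clock; either case will eventually break Kerberos for clients that authenticate against it once the skew exceeds the domain's tolerance, so it is worth fixing before that happens.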

In conclusion, Microsoft Active Directory FSMO Roles are a critical component of Active Directory domain management. The five FSMO roles are responsible for managing different functions within an Active Directory domain, including schema management, domain naming management, cross-domain reference updating, RID allocation, time synchronization, password changes, and legacy client authentication. Understanding the functions and tasks associated with each FSMO role is essential for designing and managing an efficient Active Directory domain.

Author: tonyhughes