What are FSMO Roles?

FSMO stands for Flexible Single Master Operation. FSMO roles are one of the crucial features of Microsoft Active Directory. They are the domain controllers that perform specific functions which cannot safely be carried out on more than one domain controller at a time, and so prevent conflicting updates in Active Directory. There are five FSMO roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. Want to learn more about FSMO roles? Don’t worry! Here, we offer an insightful blog elaborating on all five FSMO roles.

Speed matters when managing data in a replicated database. Active Directory normally works in multi-master mode: any writable domain controller can accept a change, and the change is then replicated to the others. That is good for throughput and availability, but when two domain controllers accept conflicting changes to the same object before they have replicated with each other, the conflict can only be resolved after the fact, and for a few operations the result of a wrong resolution is unacceptable.

For those operations, Active Directory switches to single-master mode: exactly one domain controller, the FSMO role holder, is allowed to perform them, so the conflict can never arise in the first place. Everything else in the directory keeps working in multi-master mode, so the overall performance of Active Directory is not affected.

Are you wondering how FSMO roles reduce complexity and keep the directory consistent?

Well! This blog discusses the different FSMO roles and the associated operations in detail. Let’s jump on board right now!


What is the Active Directory (AD)?

Active Directory (AD) is a hierarchical, multi-master replicated database. It is the central repository where you can store and organize a large volume of objects such as users, computers, groups, and policies, and share them with other systems seamlessly.

Mainly, AD plays a pivotal role in the operations of an IT environment. For example, AD performs authentication for users and authorization to access resources. As a whole, Active Directory simplifies IT management, enhances security, and drives business continuity.


What are the Core Elements of Active Directory?

Know that every Active Directory deployment has three core logical elements – Forests, Domains, and Organizational Units (OUs).

Let’s have a look at them below:

 

Core Elements of Active Directory

 

  • Forest: It is the highest level in the logical hierarchy of Active Directory and its security boundary. A forest contains one or more domains that share a single schema and a single configuration. Because a forest isolates administration, two forests do not interact by default: a forest trust has to be created before accounts in one forest can access resources in the other.
  • Domain: It is an administrative and replication boundary that contains users, computers, groups, and other objects. All objects that belong to a domain are stored in that domain's partition of the directory database, and that partition is replicated only to the domain controllers of that domain. The schema and configuration partitions, by contrast, are replicated to every domain controller in the forest, and global catalog servers additionally hold a partial, read-only copy of every domain's objects. Splitting a forest into domains therefore gives you control over where objects are replicated and who administers them.
  • Organizational Units (OUs): Within a domain, objects such as user accounts and computers are grouped in OUs. OUs are the level at which Group Policy is linked, so one policy can be applied to many accounts at once, and they are the unit at which administration is delegated, so a team can be given control over one OU without being an administrator of the whole domain.

Multi-Master Model in Active Directory

Multi-master mode allows any writable domain controller in Active Directory to accept changes or updates, which are then replicated to the other domain controllers. The advantage is load balancing and availability: a client can write to the nearest domain controller, and no single server is a point of failure. The price is that two domain controllers may accept conflicting changes to the same attribute before they have replicated with each other, and replication latency means the conflict is only discovered later.

Active Directory resolves such conflicts automatically. Each attribute change carries a version number and an originating timestamp; the change with the higher version number wins, and when the version numbers are equal, the later timestamp wins (in practice, ‘last writer wins’). This algorithm guarantees that every domain controller converges on the same value, but it does not guarantee that the value is the one an administrator wanted.

It is essential to note that it is always better to prevent conflicts in Active Directory than to resolve them after they have occurred. For a few operations a wrong resolution would be harmful, and that is exactly what FSMO roles are for.

Single Master Model in Active Directory

This model is used for the operations where a conflict between domain controllers cannot be tolerated. Under this model, only one domain controller in the forest or domain is allowed to perform a given operation. That domain controller is the single master, or operations master, for the corresponding FSMO role; every other domain controller forwards that operation to it, or refuses it if the master cannot be reached.


What are FSMO Roles?

Active Directory itself is a multi-master directory. For a handful of operations, however, a single server or domain controller is designated to perform a specific function. That domain controller is the FSMO role owner, or role holder (FSMO is usually pronounced “fizmo”). With FSMO roles, the conflicts that multi-master replication cannot resolve safely are avoided, because only one domain controller ever performs the operation.

When the first domain of a forest is installed, its first domain controller holds all five roles. Every additional domain installed in the same forest gets only three roles, because two of the five are forest-wide: the schema master and the domain naming master exist once per forest. The other three, the RID master, the PDC emulator, and the infrastructure master, exist once per domain.

Note that a FSMO role does not fail over automatically. If the role holder is down, the operations that depend on it simply stop working until the holder is back or the role has been moved to another domain controller. You can transfer a role between domain controllers at any time while both are online (the graceful, preferred method), and you can seize a role onto another domain controller when the original holder is permanently lost. You can achieve this with the Active Directory MMC snap-ins (Active Directory Users and Computers for the domain roles, Active Directory Domains and Trusts for the domain naming master, and the Active Directory Schema snap-in for the schema master), with the ntdsutil command line tool, or with the ActiveDirectory PowerShell module. After seizing the schema master, domain naming master, or RID master, the old holder must never be brought back online; it has to be demoted or rebuilt, otherwise two domain controllers will believe they own the role.
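The inventory, reachability check, and transfer/seize procedure described above, as an added PowerShell example (this is not code from the original article). It assumes the RSAT ActiveDirectory module is installed, that the account running it is a Domain Admin for domain roles and an Enterprise Admin or Schema Admin for the forest roles, and that the domain controller names in the usage lines (dc01, dc02 in corp.example) are hypothetical:

```powershell
# Added example: list every FSMO role holder in the forest, flag holders that do
# not answer, and transfer or seize a role. Not from the original article.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # Forest-wide roles are properties of the forest object; the three domain
    # roles are properties of each domain object.
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }
}

function Test-FsmoHolderReachable {
    # A role holder that does not answer is the first thing to check when DC
    # promotions, schema updates or password changes start failing.
    param([Parameter(Mandatory)][string]$HostName)
    try {
        $null = Get-ADDomainController -Identity $HostName -Server $HostName -ErrorAction Stop
        $true
    } catch {
        $false
    }
}

function Move-FsmoRole {
    # Transfer (both DCs online) or, with -Seize, forcibly take the role.
    # -Force on Move-ADDirectoryServerOperationMasterRole is what performs a
    # seizure; use it only when the current holder is gone for good.
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    $params = @{ Identity = $TargetDC; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) {
        $params['Force'] = $true
        Write-Warning "Seizing $($Role -join ', ') onto $TargetDC. Never bring the old holder back online for the Schema, DomainNaming or RID roles."
    }
    Move-ADDirectoryServerOperationMasterRole @params
}

# Usage (hypothetical DC names):
Get-FsmoInventory | Format-Table -AutoSize
Get-FsmoInventory | Where-Object { -not (Test-FsmoHolderReachable $_.Holder) } |
    ForEach-Object { Write-Warning "Role $($_.Role) for $($_.Scope) is held by $($_.Holder), which is not responding" }
# Graceful transfer while both DCs are online:
# Move-FsmoRole -TargetDC 'dc02.corp.example' -Role PDCEmulator
# Seizure after dc01 has been lost permanently:
# Move-FsmoRole -TargetDC 'dc02.corp.example' -Role RIDMaster,InfrastructureMaster -Seize
```

The same inventory is available without PowerShell from `netdom query fsmo`; the point of the function above is that it is easy to run on a schedule and to compare against a known-good list, so an unexpected role move (a classic sign of a mistaken seizure, or of an attacker who has obtained Domain Admin) is noticed.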

When to Use FSMO Roles?

Most of the time a FSMO role holder does no role-specific work at all; the role only matters for a small set of operations, and those operations fail if the holder is offline. Let's take a look at when each role is actually needed:

  • The schema master must be online only when you make changes to the schema.
  • The domain naming master must be online only when adding or removing domains and application partitions.
  • The infrastructure master must be online for phantom (cross-domain reference) updates to take place.
  • The RID master must be online to issue new RID pools to domain controllers that request them.
  • The PDC emulator is the exception: it is used continuously for password changes, account lockouts, time synchronization, and Group Policy editing, so it must always be online.


Types of FSMO Roles in Active Directory

Let’s discuss the different FSMO roles in the following in detail:

 

Types of FSMO Roles in Active Directory

 

1. Schema Master

Know that the Active Directory schema defines every object class (user, computer, group, and so on) and every attribute an object can carry, such as employee ID, email address, or telephone number. Every object stored in the directory database is an instance of a schema class and can only hold attributes the schema allows for that class.

There is only one schema master per forest. This domain controller is the only one that accepts writes to the schema partition. Every domain controller holds a replica of the schema and reads it constantly, but changes can be made only on the schema master, so the Active Directory Schema snap-in or any script that modifies the schema must connect to that server. No other domain controller will accept a schema change.

Mainly, the schema master is used for manual and programmatic schema updates, such as running adprep before introducing a newer Windows Server version, or installing an application like Exchange that extends the schema. The schema master must be online while the schema is being updated; afterwards the updated schema replicates to every other domain controller in the forest. Because a schema change is forest-wide and cannot be undone (an attribute can be deactivated but never deleted), membership in the Schema Admins group should be granted only for the duration of a change.
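As an added example (not from the original article), the following PowerShell inspects the schema master, the forest schema version, what the schema actually defines for a few attributes, and who is currently able to change it. It assumes the RSAT ActiveDirectory module; the schema version table holds the objectVersion values Microsoft publishes for each Windows Server schema level, and the attribute names in the usage lines are just illustrations:

```powershell
# Added example: schema master, schema version, attribute definitions and the
# Schema Admins membership that should be empty outside a change window.
Import-Module ActiveDirectory

# objectVersion of the schema container for recent forest schema levels
# (values published by Microsoft).
$SchemaVersions = @{
    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'; 69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016';    88 = 'Windows Server 2019 / 2022'
}

function Get-SchemaStatus {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $schema   = Get-ADObject -Identity $schemaNc -Properties objectVersion, fSMORoleOwner, whenChanged
    $version  = [int]$schema.objectVersion
    $name     = 'unknown / newer'
    if ($SchemaVersions.ContainsKey($version)) { $name = $SchemaVersions[$version] }
    # fSMORoleOwner is the DN of the holder's NTDS Settings object. A value that
    # contains 0ADEL: points at a deleted DC, i.e. the role was never moved
    # properly after that DC was lost.
    [pscustomobject]@{
        SchemaMaster   = (Get-ADForest).SchemaMaster
        OwnerObject    = $schema.fSMORoleOwner
        StaleOwner     = $schema.fSMORoleOwner -like '*0ADEL:*'
        ObjectVersion  = $version
        VersionName    = $name
        LastChanged    = $schema.whenChanged
    }
}

function Get-SchemaAttribute {
    # What the schema defines for an attribute: its OID, syntax, cardinality,
    # whether it is replicated to the global catalog, and its search flags
    # (bit 0x80 marks it confidential, 0x200 excludes it from the deleted tombstone).
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, attributeID, attributeSyntax, isSingleValued,
                    isMemberOfPartialAttributeSet, searchFlags |
        Select-Object lDAPDisplayName, attributeID, attributeSyntax, isSingleValued,
                      isMemberOfPartialAttributeSet, searchFlags
}

function Get-SchemaAdmins {
    # Anyone in Schema Admins can make an irreversible forest-wide change by
    # connecting to the schema master, so the group should normally be empty.
    Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
        Select-Object name, objectClass, distinguishedName
}

# Usage:
Get-SchemaStatus
'employeeID', 'mail', 'unicodePwd' | ForEach-Object { Get-SchemaAttribute $_ } | Format-Table -AutoSize
$admins = @(Get-SchemaAdmins)
if ($admins.Count -gt 0) { Write-Warning "Schema Admins is not empty: $($admins.name -join ', ')" }
```

Running the schema checks against the forest root PDC emulator or the schema master itself (add `-Server`) gives the most current answer, since a change made minutes ago may not have replicated to the nearest domain controller yet.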

2. Domain-Naming Master

This FSMO role manages the domain namespace of the forest. In other words, it is the domain controller responsible for adding domains to, and removing domains from, the forest. There is always only one domain naming master per forest. Only the domain naming master can add or remove a domain, which guarantees that two administrators cannot create two domains with the same name at the same time; this server must therefore be online while adding or removing domains.

Moreover, this FSMO role adds and removes the cross-reference objects (stored in the Partitions container of the configuration partition) that point to each domain and to directories outside the forest. It also authorizes the creation of application directory partitions, such as the DomainDnsZones and ForestDnsZones partitions used by Active Directory-integrated DNS, and their removal from the forest.

3. RID Master or Relative ID Master

Know that every domain in Active Directory has a RID master. This master ensures that every security principal (user, computer, or group) in the domain gets a unique security identifier (SID). A SID has two parts: the domain SID, which is the same for every object in a domain, and a relative identifier (RID), which is unique within the domain. The RID master hands out blocks of RIDs, called RID pools, to the domain controllers of its domain and ensures that the pools never overlap.

Essentially, this FSMO role is responsible for generating and maintaining the pool of unused RID values for the domain. Each domain controller holds a current pool and a standby pool and requests a new one from the RID master (500 RIDs by default) when its current pool runs low, so it can keep creating objects for a while even if the RID master is temporarily unavailable. The RID master is also the domain controller that moves an object out of its domain into another domain, which guarantees that the same object cannot be moved twice to two different places.

Importantly, the domain controller that creates an object takes the next RID from its own pool and combines it with the domain SID to form the object's SID; the RID master itself does not assign SIDs. So every security principal in Active Directory has a SID, and access control lists refer to principals by SID rather than by name, which is why SIDs must be unique across the domain. Because every RID pool comes from one place and the pools never overlap, two domain controllers can never mint the same SID.

The RID master must be online when a new domain controller is promoted, because the new domain controller needs an initial RID pool before it can create objects. It must also be online whenever a domain controller needs to update its existing or standby RID pool allocation.
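The pool mechanics above can be read straight out of the directory. The following is an added PowerShell example (not from the original article): it decodes the domain-wide pool held by the RID master, the current and standby pool of every domain controller, and shows how a SID is formed from the domain SID and a RID. It assumes the RSAT ActiveDirectory module and read access to the System container; the attribute layout it decodes (low 32 bits = first RID of the range, high 32 bits = last RID) is the documented format of the rID*Pool attributes:

```powershell
# Added example: decode RID pools and build SIDs from RIDs. Not from the article.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    # rIDAllocationPool, rIDPreviousAllocationPool and rIDAvailablePool are 64-bit
    # integers: low 32 bits = first RID of the range, high 32 bits = last RID.
    # Plain arithmetic is used because the literal 0xFFFFFFFF is -1 in PowerShell.
    param([Parameter(Mandatory)][int64]$Value)
    $high = [int64][math]::Floor($Value / 4294967296)
    $low  = $Value - $high * 4294967296
    [pscustomobject]@{ Start = $low; End = $high; Size = $high - $low + 1 }
}

function Get-DomainRidState {
    # The RID Manager$ object holds the domain-wide pool of unallocated RIDs:
    # Start = next RID the RID master will hand out, End = highest RID it may ever issue.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $mgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($dom.DistinguishedName)" `
                        -Server $dom.DNSRoot -Properties rIDAvailablePool, fSMORoleOwner
    $pool = ConvertFrom-RidPool $mgr.rIDAvailablePool
    [pscustomobject]@{
        Domain        = $dom.DNSRoot
        RidMaster     = $dom.RIDMaster
        NextRid       = $pool.Start
        MaxRid        = $pool.End
        RidsRemaining = $pool.End - $pool.Start
        PercentUsed   = [math]::Round(100 * $pool.Start / $pool.End, 2)
    }
}

function Get-DcRidPools {
    # Each writable DC keeps its pools on a RID Set object referenced from its
    # computer object; read-only DCs never create objects and have no RID Set.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $comp = Get-ADObject -Identity $dc.ComputerObjectDN -Server $Domain -Properties rIDSetReferences
        if (-not $comp.rIDSetReferences) { continue }
        $set = Get-ADObject -Identity ($comp.rIDSetReferences | Select-Object -First 1) -Server $Domain `
                            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $current = ConvertFrom-RidPool $set.rIDPreviousAllocationPool   # pool being consumed now
        $standby = ConvertFrom-RidPool $set.rIDAllocationPool           # pool to use next
        [pscustomobject]@{
            DC            = $dc.HostName
            CurrentPool   = "$($current.Start)-$($current.End)"
            NextRid       = $set.rIDNextRID
            LeftInCurrent = $current.End - $set.rIDNextRID
            StandbyPool   = "$($standby.Start)-$($standby.End)"
        }
    }
}

function New-SidFromRid {
    # A SID is the domain SID plus a RID. Well-known RIDs (500 Administrator,
    # 502 krbtgt, 512 Domain Admins) are the same in every domain; only the
    # domain part differs, which is how the DC keeps SIDs unique.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$DomainSid,
          [Parameter(Mandatory)][int]$Rid)
    New-Object System.Security.Principal.SecurityIdentifier("$DomainSid-$Rid")
}

# Usage:
Get-DomainRidState
Get-DcRidPools | Format-Table -AutoSize
$domainSid = (Get-ADDomain).DomainSID
$sid = New-SidFromRid -DomainSid $domainSid -Rid 512
$sid.Translate([System.Security.Principal.NTAccount]).Value   # resolves to <DOMAIN>\Domain Admins
```

Two things are worth watching in the output. A domain controller whose standby pool is the same as its current pool, or whose RidMaster is unreachable, will stop creating accounts once its current pool is exhausted. And a domain whose RidsRemaining is falling fast while the number of accounts is not is usually being drained by a script that creates and deletes objects in a loop; RIDs are never reused, so a deleted object's RID is gone for good.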

4. PDC Emulator

PDC Emulator is the short form of Primary Domain Controller Emulator. The name comes from Windows NT, where one primary domain controller (PDC) held the only writable copy of the account database and backup domain controllers (BDCs) replicated from it. The PDC emulator presents itself as that PDC to legacy clients and to any remaining NT backup domain controllers, which is why it is described as the role for backward compatibility. Within its domain it is treated as the authoritative domain controller for the functions described below.

This FSMO role receives password changes preferentially: when a user's password is changed on any domain controller, the change is sent to the PDC emulator immediately, ahead of normal replication. If a domain controller rejects a logon because the password does not match, it consults the PDC emulator before failing the logon, so a freshly changed password works everywhere even before it has fully replicated. Account lockouts are processed on the PDC emulator for the same reason: every domain controller forwards bad-password attempts to it, so it always holds the current lockout state for every account in the domain.

Besides, the PDC emulator acts as the default target server for the Group Policy Management Console and the Group Policy editor. Editing all GPOs on one domain controller prevents two administrators from modifying the same policy on different domain controllers at the same time and producing a replication conflict.

The significant thing about this FSMO role is that it acts as the time source for the domain: every domain controller synchronizes its clock from the PDC emulator of its domain, the PDC emulators of child domains synchronize from the PDC emulator of the forest root domain, and the forest root PDC emulator should be configured to synchronize from a reliable external source. Kerberos tolerates only a small clock skew (five minutes by default), so broken time synchronization breaks authentication. Moreover, this FSMO role serves as the domain controller for legacy applications and some admin tools. Note that this master must be online and reachable at all times; of the five roles it is the one whose loss is felt immediately.
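Because lockouts and time all funnel through the PDC emulator, it is the right place for two checks a practitioner runs often. The following is an added PowerShell example (not from the original article): it collects the lockout events (Windows Security event ID 4740, "A user account was locked out") from the PDC emulator, groups them by the computer that caused them, and verifies where the forest root PDC emulator gets its time from. It assumes the RSAT ActiveDirectory module, permission to read the Security log on the PDC emulator remotely, and w32tm.exe, which ships with Windows:

```powershell
# Added example: lockout hunting and time-source check on the PDC emulator.
Import-Module ActiveDirectory

function Get-RecentLockouts {
    # Every DC forwards bad-password attempts and lockouts to the PDC emulator,
    # so its Security log is the one place that sees every lockout in the domain.
    # Fields are read by name from the event XML rather than by position.
    param([int]$Hours = 24, [string]$Domain = (Get-ADDomain).DNSRoot)
    $pdce   = (Get-ADDomain -Identity $Domain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdce -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # in event 4740 this field is the caller computer name
            ProcessedOn    = $pdce
        }
    }
}

function Get-LockoutHotspots {
    # One source machine locking out many different accounts in a short window
    # is the signature of a password spray; many lockouts of one account from
    # one host is usually a stale credential in a service or scheduled task.
    param([int]$Hours = 24, [int]$Threshold = 5)
    Get-RecentLockouts -Hours $Hours | Group-Object CallerComputer |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'CallerComputer'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
}

function Test-PdceTimeSource {
    # The forest root PDC emulator is the top of the time hierarchy. If w32tm
    # reports "Local CMOS Clock" or "Free-running System Clock" it is not
    # synchronizing from anything, and Kerberos across the forest rides on that clock.
    $rootPdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $source   = (& w32tm.exe /query /source /computer:$rootPdce) -join ' '
    [pscustomobject]@{
        RootPdce = $rootPdce
        Source   = $source.Trim()
        Healthy  = -not ($source -match 'Local CMOS Clock|Free-running System Clock')
    }
}

# Usage:
Get-RecentLockouts -Hours 4 | Format-Table -AutoSize
Get-LockoutHotspots -Hours 24 -Threshold 5
Test-PdceTimeSource
```

Event 4740 is only written if "Audit User Account Management" (or the legacy "Audit account management" policy) is enabled on the domain controllers; if the query returns nothing during a known lockout, check that policy before assuming the forwarding is broken.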

5. Infrastructure Master

There is only one infrastructure master per domain. This FSMO role is responsible for updating the references that objects in its domain hold to objects in other domains. Such a reference (for example, a user from another domain who is a member of a group in this domain) stores the referenced object's distinguished name, GUID, and SID; when that object is renamed, moved, or deleted in its home domain, the infrastructure master updates the local copy of the reference so that it stays correct.

The local copies of those references are called phantoms. Phantoms are nothing but an implementation construct: the directory needs a placeholder for an object that lives in another domain, and the infrastructure master keeps the phantoms consistent by periodically comparing them with the global catalog, which holds a partial copy of every object in the forest, and updating the ones that have changed.

That comparison is the source of the one placement rule for this role. A global catalog server holds a copy of the referenced objects themselves, so it never creates phantoms, and an infrastructure master that is also a global catalog never finds anything to update: the cross-domain references on the other domain controllers silently go stale. The rule is therefore that the infrastructure master must not be a global catalog unless every domain controller in the domain is a global catalog (in which case no domain controller has phantoms and the role has nothing to do). Note also that a separate infrastructure master exists for every application partition, such as DomainDnsZones and ForestDnsZones; it is recorded in the fSMORoleOwner attribute of that partition's Infrastructure container.
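The placement rule and the per-partition role holders described above, as an added PowerShell example (not from the original article). It assumes the RSAT ActiveDirectory module, and the application-partition lookup assumes the domain controller you are connected to hosts that partition, since a DC that does not host DomainDnsZones or ForestDnsZones cannot return its Infrastructure container:

```powershell
# Added example: check infrastructure master placement against the global
# catalog rule, and list the infrastructure master of every partition.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom     = Get-ADDomain -Identity $Domain
    $dcs     = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot)
    $im      = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
    $allGc   = ($gcCount -eq $dcs.Count)
    # Stale phantoms only occur when the IM is a GC while some DC in the domain is not.
    $misplaced = ([bool]$im.IsGlobalCatalog -and -not $allGc)
    $advice = 'OK'
    if ($misplaced) { $advice = 'Move the role to a non-GC DC, or make every DC in the domain a GC' }
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        InfrastructureMaster = $dom.InfrastructureMaster
        ImIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
        GlobalCatalogs       = "$gcCount of $($dcs.Count) DCs"
        AllDcsAreGc          = $allGc
        Misplaced            = $misplaced
        Advice               = $advice
    }
}

function Get-PartitionInfrastructureMasters {
    # The domain partition and each application partition (DomainDnsZones,
    # ForestDnsZones, custom ones) record their own infrastructure master on the
    # partition's Infrastructure container. A value containing 0ADEL: points at a
    # DC that no longer exists; adprep and domain rename refuse to run until it is fixed.
    $forest     = Get-ADForest
    $rootDse    = Get-ADRootDSE
    $partitions = @($rootDse.defaultNamingContext) + @($forest.ApplicationPartitions)
    foreach ($dn in $partitions) {
        try {
            $infra = Get-ADObject -Identity "CN=Infrastructure,$dn" -Properties fSMORoleOwner -ErrorAction Stop
            [pscustomobject]@{
                Partition = $dn
                Owner     = ($infra.fSMORoleOwner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
                Stale     = $infra.fSMORoleOwner -like '*0ADEL:*'
            }
        } catch {
            [pscustomobject]@{ Partition = $dn; Owner = "not readable from this DC: $($_.Exception.Message)"; Stale = $null }
        }
    }
}

# Usage:
Test-InfrastructureMasterPlacement
Get-PartitionInfrastructureMasters | Format-Table -AutoSize
```

A stale owner on an application partition is a common leftover of a domain controller that was removed with metadata cleanup but whose partition-level role was never seized; the domain-level roles moved fine, so nothing looks wrong until the next adprep run fails.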

Summing Up

At a glance, here are all five FSMO roles. The schema master, one per forest, is the only domain controller that accepts schema changes. The domain naming master, one per forest, adds and removes domains and application partitions. The RID master, one per domain, hands out non-overlapping RID pools so that every SID in the domain is unique. The PDC emulator, one per domain, receives password changes first, processes account lockouts, is the default Group Policy editing target, and is the domain's time source. The infrastructure master, one per domain (and one per application partition), keeps cross-domain object references up to date and must not be a global catalog unless every domain controller in the domain is one. Remember that none of these roles fails over on its own: if a holder is lost, the role has to be transferred or seized. Right! This blog should have helped you understand the different FSMO roles clearly.

Last updated: 04 Apr 2023
About Author

Viswanath is a passionate content writer of Mindmajix. He has expertise in Trending Domains like Data Science, Artificial Intelligence, Machine Learning, Blockchain, etc. His articles help the learners to get insights about the Domain. You can reach him on Linkedin
