Active Directory FSMO Roles Best Practices

Flexible Single Master Operations (FSMO) roles cover the Active Directory operations that must be performed by exactly one domain controller in a domain or forest. All of the roles can sit on the same domain controller or be spread across several. A domain controller that holds one or more FSMO roles is called an Operations Master.

Most Active Directory operations can be executed on any domain controller. The AD replication service then synchronizes the change to the other domain controllers, so every DC ends up with the same copy of the AD database. When two DCs update the same attribute of the same object at nearly the same time, automatic conflict resolution picks a winner: the higher version number wins, then the later timestamp, then the GUID of the originating DC.

Some operations, however, cannot tolerate that kind of conflict; changing the AD schema is the classic example, because two conflicting schema changes cannot be reconciled simply by picking a winner. Such operations are therefore restricted to a single master: each FSMO role is held by exactly one domain controller at a time, and that is what prevents the conflict. The role can be transferred to another domain controller whenever necessary.

What Are the 5 FSMO Roles in Active Directory?

There are five FSMO roles: two per Active Directory forest and three per domain.

  1. Schema Master is the only domain controller on which the Active Directory schema can be modified; the change is then replicated to every other DC in the forest. There is exactly one Schema Master per forest.
  2. Domain Naming Master controls the addition and removal of domains and application partitions in the forest and guarantees that their names are unique. There is exactly one per forest.
  3. Infrastructure Master maintains the references that objects in your domain hold to objects in other domains, for example users from another domain who are members of your domain local groups. When the referenced object's SID or distinguished name changes, the Infrastructure Master updates the reference and replicates the update within its domain. There is one per domain.
  4. RID Master allocates pools of relative identifiers (RIDs) to the domain controllers of its domain. Each DC combines a RID from its pool with the domain SID to form the SID of every new security principal (user, computer or group) it creates; having a single allocator is what keeps SIDs unique. There is one per domain.
  5. PDC (Primary Domain Controller) Emulator acts as the PDC for NT4 backup domain controllers and pre-Windows 2000 clients, is the authoritative time source of its domain (the forest-root PDC Emulator for the whole forest), receives password changes by urgent replication and is consulted when a password fails to validate on another DC, and processes account lockouts after too many wrong passwords. There is one per domain.

Best Recommended Practices for FSMO Roles Placement

When you create a new forest, all five FSMO roles are installed on a single server (the first domain controller promoted); when you add a domain to the forest, its three domain-wide roles land on that domain's first DC. Microsoft's best practice is to spread the roles across several domain controllers.

Forest-wide roles should be assigned to one DC and domain-wide roles to another. If you have only one domain controller, deploy a second one. In a minimal configuration (two DCs), place the FSMO roles as follows:

On DC1, place the domain-wide roles:

  • RID Master;
  • Infrastructure Master;
  • PDC Emulator.

On DC2, place the forest-wide roles:

  • Schema Master;
  • Domain Naming Master.

Other best practices for placing the operations master roles include:

  1. In a multi-domain forest, place both forest-wide roles on a DC in the forest root domain that is also a Global Catalog server.
  2. Place all domain-wide roles on a single, well-resourced domain controller.
  3. If every domain controller is a Global Catalog server (Microsoft's current recommended configuration), the Infrastructure Master can live on any DC. Otherwise, put it on a DC that is not a Global Catalog: a GC already holds a partial copy of every object in the forest, so an Infrastructure Master that is also a GC never sees a stale cross-domain reference and therefore never updates any.
  4. Do not move FSMO roles around more often than necessary. Clients locate the PDC Emulator through DNS, and forcing them to rediscover it repeatedly is a bad idea.
  5. On virtualized domain controllers that hold FSMO roles, disable time synchronization with the hypervisor host. The forest-root PDC Emulator should take its time from a reliable external NTP source, because the rest of the forest syncs from it and Kerberos tolerates only a small clock skew (5 minutes by default).
  6. Do not install additional server roles or applications on the domain controllers that hold FSMO roles.

If the AD Recycle Bin optional feature is enabled in the forest, every DC is responsible for updating its own cross-domain object references. In that case the Infrastructure Master role is no longer needed, and its placement does not matter.

Run the following command to get the current owners of FSMO Roles:

netdom query fsmo

The output lists each of the five roles with the fully qualified name of the DC that holds it; in the two-DC layout above, the roles appear split between the two DCs.

You can also find the FSMO role owners with the ActiveDirectory PowerShell module. For the domain-wide roles, run:

Get-ADDomain | Select-Object -Property RIDMaster, PDCEmulator, InfrastructureMaster | Format-List

For forest-wide roles, use:

Get-ADForest | Select-Object -Property SchemaMaster, DomainNamingMaster

Or use a one-liner that lists every DC holding at least one role:

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}
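Listing the owners is only half the job; the placement rules above are easy to check automatically. The script below is an added example, not code from the original article: it reads the owners with the same cmdlets shown above and reports any deviation from the recommended layout (forest-wide roles together on a Global Catalog in the forest root, domain-wide roles together on a different DC, Infrastructure Master not on a GC unless all DCs are GCs or the Recycle Bin is enabled). It assumes the ActiveDirectory RSAT module and a domain-joined session; the function name is our own.

```powershell
# Added example, not part of the original article: audit FSMO placement
# against the best practices listed above. Assumes the ActiveDirectory
# (RSAT) module and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $dcs      = @(Get-ADDomainController -Filter *)
    $findings = New-Object System.Collections.Generic.List[string]

    # Owners come back as FQDNs, the same format as Get-ADDomainController.HostName
    $forestOwners = @($forest.SchemaMaster, $forest.DomainNamingMaster)
    $domainOwners = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)

    # Rule: both forest-wide roles together, all three domain-wide roles together
    if (@($forestOwners | Sort-Object -Unique).Count -gt 1) {
        $findings.Add("Forest-wide roles are split: $($forestOwners -join ', ')")
    }
    if (@($domainOwners | Sort-Object -Unique).Count -gt 1) {
        $findings.Add("Domain-wide roles are split: $($domainOwners -join ', ')")
    }

    # Rule: with more than one DC, forest-wide and domain-wide roles go on different DCs
    $allOwners = @($forestOwners + $domainOwners | Sort-Object -Unique)
    if ($dcs.Count -gt 1 -and $allOwners.Count -eq 1) {
        $findings.Add("All five roles sit on $($allOwners[0]) although $($dcs.Count) DCs exist")
    }

    # Rule: forest-wide roles on a Global Catalog in the forest root domain.
    # Ask the owner itself, since it may live in a different domain than this session.
    foreach ($owner in @($forestOwners | Sort-Object -Unique)) {
        $dc = Get-ADDomainController -Identity $owner -Server $owner
        if ($dc.Domain -ne $forest.RootDomain) {
            $findings.Add("Forest role owner $owner is not in the forest root domain $($forest.RootDomain)")
        }
        if (-not $dc.IsGlobalCatalog) {
            $findings.Add("Forest role owner $owner is not a Global Catalog server")
        }
    }

    # Rule: Infrastructure Master must not be a GC unless every DC is a GC,
    # or the AD Recycle Bin is enabled (then the role does nothing anyway)
    $recycleBin   = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBinOn = @($recycleBin.EnabledScopes).Count -gt 0
    $nonGc        = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $im           = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0 -and -not $recycleBinOn) {
        $findings.Add("Infrastructure Master $($im.HostName) is a GC while $($nonGc.Count) DC(s) are not")
    }

    if ($findings.Count -eq 0) { 'FSMO placement follows the recommended layout.' } else { $findings }
}

Test-FsmoPlacement
```

The script only reads the directory, so it is safe to run from any domain-joined workstation with RSAT; it reports findings rather than fixing them, because moving a role is a deliberate change (see the tools section below).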

What Happens if an FSMO Role Owner Fails?

The forest-wide roles are the least critical to day-to-day AD operation. What happens if a role owner stays offline for a long time?

  • Schema Master: the AD schema cannot be changed. Schema changes are rare, typically once or twice in a few years, when the first DC of a new Windows Server version is added or a server product such as Exchange or Lync / S4B is installed. In practice a missing Schema Master can go unnoticed for years.
  • Domain Naming Master: domains (including child domains) cannot be added to or removed from the forest. Also a rare task.

Domain-wide roles exist in every domain and matter more to day-to-day operation.

  • Infrastructure Master: in a multi-domain forest, cross-domain references held on DCs that are not Global Catalog servers become stale, so membership of domain local groups may appear broken.
  • RID Master: after some time it becomes impossible to create new security principals. How long depends on how many RIDs are left in each DC's current pool; pools are issued in blocks of 500 RIDs, and a DC asks the RID Master for its next pool when about half of the current one is used. If your AD is small and you rarely create objects, a missing RID Master can go unnoticed for a long time.
  • PDC Emulator: the most important FSMO role. Without it, time synchronization in the domain breaks down (and Kerberos authentication follows once clocks drift beyond the allowed skew), password changes are no longer forwarded to it urgently, and account lockout processing and some password policy checks fail.
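The RID Master failure mode above is the one that is measurable in advance: each DC records its current pool and its next RID in a "RID Set" object, and the RID Master records the domain-wide pool on the RID Manager$ object. The script below is an added example, not code from the original article, that decodes those attributes and reports how many RIDs each DC can still issue and whether it already holds a standby pool. It assumes the ActiveDirectory module; the attribute layout it decodes (a 64-bit value whose low 32 bits are the first RID and high 32 bits the last) is how AD stores these pools, and the function names are our own.

```powershell
# Added example, not part of the original article: report how many RIDs each
# DC can still hand out from its current pool, and how much of the domain's
# global RID space the RID Master has left. Assumes the ActiveDirectory module.
# Pool attributes pack a range into one 64-bit value: low 32 bits = first RID,
# high 32 bits = last RID (for rIDAvailablePool: low = next RID to allocate,
# high = ceiling, 1073741823 by default).
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][int64]$Packed)
    [pscustomobject]@{
        Start = $Packed -band 0xFFFFFFFF
        End   = $Packed -shr 32
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain

    # The domain-wide pool lives on the RID Manager$ object; read it from the RID Master itself
    $ridManagerDn = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
    $ridManager   = Get-ADObject -Identity $ridManagerDn -Properties rIDAvailablePool -Server $domain.RIDMaster
    $available    = ConvertFrom-RidPool $ridManager.rIDAvailablePool

    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        # Each DC keeps its pools in a "RID Set" child of its own computer object.
        # rIDNextRID is not replicated, so ask the DC itself for an accurate figure.
        $ridSet = Get-ADObject -Filter 'ObjectClass -eq "rIDSet"' -SearchBase $dc.ComputerObjectDN `
                               -SearchScope OneLevel -Server $dc.HostName `
                               -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
        $current = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool   # pool RIDs are issued from now
        $standby = ConvertFrom-RidPool $ridSet.rIDAllocationPool           # pool reserved for afterwards
        [pscustomobject]@{
            DC             = $dc.Name
            CurrentPool    = "$($current.Start)-$($current.End)"
            NextRid        = $ridSet.rIDNextRID
            LeftInCurrent  = $current.End - $ridSet.rIDNextRID
            # Identical pools mean no fresh pool has been granted yet; with the
            # RID Master down, this is the DC that runs out first
            StandbyGranted = $standby.Start -ne $current.Start
        }
    }

    [pscustomobject]@{
        RidMaster           = $domain.RIDMaster
        DomainRidsRemaining = $available.End - $available.Start
        DomainControllers   = $perDc
    }
}

$status = Get-RidPoolStatus
$status | Select-Object RidMaster, DomainRidsRemaining
$status.DomainControllers | Format-Table -AutoSize
```

On the RID Master, `dcdiag /test:ridmanager /v` prints the same domain-wide range; the script adds the per-DC view, which is what tells you how long a RID Master outage can be tolerated before account creation stops.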

Remember that no single FSMO role failure causes a major loss of Active Directory functionality. Even if every FSMO role owner is down, the domain can keep working normally for days, weeks or even months. If you take a DC holding one or all of the roles down for a short maintenance window, there is no need to transfer the roles to another DC first.

The failure of a DC with FSMO roles therefore does not mean the failure of the domain, but it does make the operations listed above impossible, leaving those parts of the domain effectively "read-only". If a domain controller holding FSMO roles has failed permanently, seize its roles on a surviving DC. Seizure is a one-way operation: a DC whose roles were seized must never be brought back online as a domain controller, because it still believes it owns the roles (a revived RID Master, for instance, could hand out RID pools that overlap those already issued). Clean up its metadata and rebuild it instead.

Admin Tools to Manage FSMO roles

To manage and transfer FSMO roles in an Active Directory domain, use the ntdsutil.exe command-line tool, the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet, or the graphical MMC snap-ins:

  • Active Directory Domains and Trusts — Domain Naming Master role;
  • Active Directory Users and Computers — Relative ID Master, Infrastructure Master and Primary Domain Controller Emulator roles;
  • Active Directory Schema — Schema Master role.
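The two-DC layout recommended earlier, and the seizure procedure for a dead role owner, can both be scripted with the ActiveDirectory module. The following is an added example, not code from the original article: the first function transfers the roles into the DC1 / DC2 layout and re-reads the owners to confirm, the second seizes roles onto a surviving DC. DC1 and DC2 are placeholder names, and the function names are our own; the ntdsutil sequence in the comments is the interactive equivalent of the seizure.

```powershell
# Added example, not part of the original article: implement the two-DC layout
# recommended above with the ActiveDirectory module, and show how a role is
# seized when its owner is gone for good. DC1 and DC2 are placeholder names.
Import-Module ActiveDirectory

function Set-RecommendedFsmoPlacement {
    param(
        [string]$DomainRolesDc = 'DC1',   # PDC Emulator, RID Master, Infrastructure Master
        [string]$ForestRolesDc = 'DC2'    # Schema Master, Domain Naming Master
    )
    # A transfer needs the current owner online: it hands over the role together
    # with role-specific state (the RID Master's pool counter, for instance), so
    # the old owner remains a healthy DC afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $DomainRolesDc `
        -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
    Move-ADDirectoryServerOperationMasterRole -Identity $ForestRolesDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

    # Re-read the owners from the directory rather than trusting the cmdlet's silence
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Invoke-FsmoSeizure {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string[]]$Role
    )
    # -Force lets the cmdlet seize when a normal transfer is impossible: the new
    # owner writes itself into the fSMORoleOwner attribute of the role object
    # without the old owner's cooperation. Only do this for a DC that will never
    # return; a revived RID Master would hand out pools overlapping those the
    # new owner has already issued.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role `
        -Force -Confirm:$false
    # Interactive ntdsutil equivalent for the Schema Master:
    #   ntdsutil: roles
    #   fsmo maintenance: connections
    #   server connections: connect to server DC2
    #   server connections: quit
    #   fsmo maintenance: seize schema master
    # After seizing, remove the dead DC's metadata (ntdsutil "metadata cleanup")
    # before rebuilding a server under the same name.
}

# Usage: lay out the roles as recommended, then verify with netdom as well
Set-RecommendedFsmoPlacement -DomainRolesDc 'DC1' -ForestRolesDc 'DC2'
netdom query fsmo
# Invoke-FsmoSeizure -TargetDc 'DC2' -Role SchemaMaster, DomainNamingMaster
```

Both functions must run with Domain Admins rights for the domain-wide roles and Enterprise Admins (Schema Admins for the Schema Master) for the forest-wide ones, the same permissions the MMC snap-ins require.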
