Introduction
The operations master roles, also known as flexible single master operations (FSMO) roles, perform specific tasks within a domain.
The five FSMO roles are:
- Schema Master
- Domain Naming Master
- Infrastructure Master
- Relative ID (RID) Master
- PDC Emulator
In every forest, there is a single:
- Schema Master
- Domain Naming Master
In each domain, there is:
- 1 Infrastructure Master,
- 1 RID Master,
- and 1 PDC Emulator.
At any given time, only one DC can perform the functions of each role.
To understand how the FSMO roles are deployed, please look at the Pioneers forest diagram.
FSMO distribution
Pioneers.lab has
- one Forest
- two trees [pioneers.lab] & [Leaders.lab]
- 7 domains
- 15 domain controllers
Now back to the FSMO roles:
In the whole forest pioneers.lab there is only ONE [Schema Master] role, which is installed on DC101.
In the whole forest pioneers.lab there is only ONE [Domain Naming Master] role, which is installed on DC101.
Each domain has one and ONLY one [Infrastructure Master] role, installed on any DC inside that domain.
Each domain has one and ONLY one [RID Master] role, installed on any DC inside that domain.
Each domain has one and ONLY one [PDC Emulator] role, installed on any DC inside that domain.
Please note that the roles can be installed on the same or on different domain controllers. For example, in the domain leaders.lab the roles are installed on different DCs.
What does each FSMO role do?
Schema Master: The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes – things like employee ID, phone number, email address, and login name – that you can apply to an object in your AD database.
Domain Naming Master: The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn’t something that happens often, so of all the roles, this one is most likely to live on the same DC with another role.
RID Master: The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion. In order to keep multiple objects from having the same SID, the RID Master grants each DC the privilege of assigning certain SIDs.
PDC Emulator: The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.
Infrastructure Master: The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL).
FSMO gives you confidence that your domain will be able to perform the primary function of authenticating users and permissions without interruption (with standard caveats, like the network staying up).
Determining FSMO Role Holders
Simply run the command [ netdom query fsmo ] on any domain controller.
Transfer FSMO
Sometimes you have to shut down a domain controller for some reason [ maintenance, upgrade, moving the DC, or any other reason ].
If this domain controller holds any of the FSMO roles, then you have to transfer its role(s) to another live domain controller before the shutdown [ please note that transferring a FSMO role requires both DCs to be running ].
We can transfer a FSMO role by any one of the methods below:
- PowerShell command (the role names are the values accepted by -OperationMasterRole; list only the ones you want to move):
Move-ADDirectoryServerOperationMasterRole -Identity <TargetDC> -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
- graphically, using the AD consoles
- the NTDSUtil tool
Currently ALL FSMO roles run on DC101.pioneers.lab, as you saw above.
For example, we will transfer the RID Master role from DC101 to DC102 using the PowerShell command,
and we will also transfer the PDC Emulator role from DC101 to DC102 using the console.
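The RID Master transfer from DC101 to DC102 described above, written out as an added PowerShell example (not the original page's code). It assumes the RSAT ActiveDirectory module, Domain Admins rights, and the DC names DC101.pioneers.lab / DC102.pioneers.lab from the Pioneers lab; it checks the target is reachable before moving the role and then verifies the new holder.

```powershell
# Added example: transfer the RID Master role from DC101 to DC102 and verify the result.
# Assumes the ActiveDirectory (RSAT) module and Domain Admins rights; the DC names
# are the ones from the pioneers.lab example above.
Import-Module ActiveDirectory

$TargetDc = 'DC102.pioneers.lab'

# Report the current role holders: domain roles come from Get-ADDomain,
# forest-wide roles (Schema / Domain Naming) from Get-ADForest.
function Get-FsmoHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'Role holders before the transfer:'
Get-FsmoHolders | Format-List

# A transfer needs both DCs online, so refuse to continue if the target does not answer.
# (Seizing, used only when the current holder is permanently gone, is the same cmdlet
# with the -Force switch and is a separate, last-resort operation.)
if (-not (Test-Connection -ComputerName $TargetDc -Count 1 -Quiet)) {
    throw "Target DC $TargetDc is not reachable; a transfer requires both DCs to be online."
}

# Perform the transfer. The cmdlet prompts for confirmation by default;
# add -Confirm:$false only for deliberate unattended runs.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole RIDMaster

# Verify the move by querying the target DC directly, so replication lag
# on another DC cannot hide a failed transfer.
$after = Get-ADDomain -Server $TargetDc
if ($after.RIDMaster -ieq $TargetDc) {
    Write-Host "RID Master is now held by $TargetDc"
} else {
    Write-Warning "RID Master is still reported as $($after.RIDMaster); check replication and the Directory Service event log"
}
```

The same script transfers any other role by changing the -OperationMasterRole value; for the two forest-wide roles, read the result back with Get-ADForest instead of Get-ADDomain.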
Seizing FSMO
Transferring is used when a DC is about to be shut down manually, so we transfer the FSMO roles from that DC to another DC.
But what if a DC [ that runs some or ALL of the FSMO roles ] goes down accidentally for any reason [ power shortage, hardware failure, etc. ]?
In this case we use [ FSMO seizing ].
So let's take the following scenario:
Now we have the 5 FSMO roles distributed as follows: