{"id":342,"date":"2018-12-11T00:35:42","date_gmt":"2018-12-10T23:35:42","guid":{"rendered":"http:\/\/hentati.org\/?p=342"},"modified":"2020-11-25T20:30:41","modified_gmt":"2020-11-25T19:30:41","slug":"fsmo-in-active-directory-5-roles","status":"publish","type":"post","link":"https:\/\/hentati.org\/index.php\/2018\/12\/11\/fsmo-in-active-directory-5-roles\/","title":{"rendered":"FSMO in Active Directory ! 5 Roles"},"content":{"rendered":"<p><span style=\"color: #000000;\">Since Windows 2000 Server, Microsoft has integrated the notion of FSMO roles within an Active Directory environment. There are five different FSMO roles, each with a specific purpose. For your information, FSMO stands for Flexible Single Master Operation.<\/span><\/p>\n<p><span style=\"color: #000000;\">Active Directory is multi-master: any writable DC accepts most changes, and they converge through replication. A few operations would create conflicts if two DCs performed them at the same time, such as extending the schema, adding a domain or handing out identifier ranges, so Microsoft assigned each of those to exactly one DC at a time and split them into\u00a0<em>multiple<\/em>\u00a0roles. Admins can keep these roles on one DC or distribute them across several. A role does <em>not<\/em> fail over by itself: if the holder goes down, the role stays assigned to it until an admin transfers it (holder still reachable) or seizes it (holder permanently lost). 
Day-to-day authentication keeps working in the meantime; what stops is only the specific operation the missing role guards.<\/span><\/p>\n<p><span style=\"color: #000000;\">Microsoft calls this paradigm Flexible Single Master Operation (FSMO); the roles are also known as operations master roles.<\/span><\/p>\n<h2><span style=\"color: #000000;\">FSMO Roles: What are They?<\/span><\/h2>\n<p><span style=\"color: #000000;\">Microsoft split these single-master responsibilities into 5 separate roles: two exist once per forest and three exist once in every domain of the forest.<\/span><\/p>\n<p><span style=\"color: #000000;\"><a href=\"https:\/\/www.varonis.com\/blog\/wp-content\/uploads\/2018\/04\/fsmo-roles.png\"><img loading=\"lazy\" class=\"alignnone size-full wp-image-10661\" src=\"https:\/\/www.varonis.com\/blog\/wp-content\/uploads\/2018\/04\/fsmo-roles.png\" sizes=\"(max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" srcset=\"https:\/\/blogvaronis2.wpengine.com\/wp-content\/uploads\/2018\/04\/fsmo-roles.png 1000w, https:\/\/blogvaronis2.wpengine.com\/wp-content\/uploads\/2018\/04\/fsmo-roles-300x240.png 300w, https:\/\/blogvaronis2.wpengine.com\/wp-content\/uploads\/2018\/04\/fsmo-roles-768x614.png 768w, https:\/\/blogvaronis2.wpengine.com\/wp-content\/uploads\/2018\/04\/fsmo-roles-960x768.png 960w, https:\/\/blogvaronis2.wpengine.com\/wp-content\/uploads\/2018\/04\/fsmo-roles-787x630.png 787w, https:\/\/blogvaronis2.wpengine.com\/wp-content\/uploads\/2018\/04\/fsmo-roles-400x320.png 400w\" alt=\"fsmo roles\" width=\"1000\" height=\"800\" \/><\/a><\/span><\/p>\n<h3><span style=\"color: #000000;\">The 5 FSMO roles are:<\/span><\/h3>\n<ul>\n<li><span style=\"color: #000000;\">Schema Master \u2013 one per forest<\/span><\/li>\n<li><span style=\"color: #000000;\">Domain Naming Master \u2013 one per forest<\/span><\/li>\n<li><span style=\"color: #000000;\">Relative ID (RID) Master \u2013 one per domain<\/span><\/li>\n<li><span style=\"color: #000000;\">Primary Domain Controller (PDC) Emulator \u2013 one per domain<\/span><\/li>\n<li><span style=\"color: #000000;\">Infrastructure Master \u2013 one per domain<\/span><\/li>\n<\/ul>\n<h2><span style=\"color: #000000;\">FSMO Roles: What do They do?<\/span><\/h2>\n<h5><span style=\"color: #000000;\"><strong>1- Schema Master:<\/strong><\/span><\/h5>\n<p><span style=\"color: #000000;\">The Schema Master holds the only writable copy of your Active Directory schema; every other DC has a read-only replica. The schema defines the object classes and attributes \u2013 things like employee ID, phone number, email address, and login name \u2013 that can exist on an object in your AD database. Schema changes are forest-wide and cannot be undone, so only members of the Schema Admins group can make them, and that group should normally be kept empty until a change is planned.<\/span><\/p>\n<h5><span style=\"color: #000000;\"><strong>2- Domain Naming Master:<\/strong><\/span><\/h5>\n<p><span style=\"color: #000000;\">The Domain Naming Master controls adding and removing domains (and application partitions) in the forest, which is what guarantees that you don\u2019t create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn\u2019t something that happens often, so of all the roles, this one is the most likely to share a DC with another role, typically the Schema Master.<\/span><\/p>\n<h5><span style=\"color: #000000;\"><strong>3- RID Master:<\/strong><\/span><\/h5>\n<p><span style=\"color: #000000;\">The Relative ID Master hands each DC a block (pool) of Relative IDs to use for newly created objects. Every security principal in AD (user, group, computer) has a SID made up of the domain SID plus a Relative ID (RID) as its last sub-authority; the DC that creates the object takes the next RID from its local pool, so two DCs can never mint the same SID. When a DC\u2019s pool runs low it asks the RID Master for a new block. If the RID Master is unavailable, DCs keep creating objects until their pools are exhausted, and only then do object creations start failing.<\/span><\/p>\n<h5><span style=\"color: #000000;\"><strong>4- PDC Emulator:<\/strong><\/span><\/h5>\n<p><span style=\"color: #000000;\">The DC with the Primary Domain Controller Emulator role is the reference DC of the domain. Every DC responds to authentication requests, but password changes are replicated to the PDC Emulator immediately, and a DC that rejects a password checks with the PDC Emulator before returning a failure, so a freshly changed password works everywhere at once. It is also the DC that Group Policy tools write to by default, it keeps the authoritative count of failed logons for account lockout, and it is the root of the domain\u2019s time hierarchy: the PDC Emulator tells everyone else what time it is! 
It\u2019s good to be the PDC, which is also why this is the DC whose availability and integrity you should watch most closely.<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>The Primary Domain Controller (PDC) emulator<\/strong> is unique within a domain and must perform five primary tasks:<\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>&#8211; Change domain group policies (avoid conflicts between concurrent editors)<\/strong><\/span><br \/>\n<span style=\"color: #000000;\"> <strong>&#8211; Synchronize clocks on all domain controllers (time and date)<\/strong><\/span><br \/>\n<span style=\"color: #000000;\"> <strong>&#8211; Manage account lockout<\/strong><\/span><br \/>\n<span style=\"color: #000000;\"> <strong>&#8211; Process password changes with urgent replication<\/strong><\/span><br \/>\n<span style=\"color: #000000;\"> <strong>&#8211; Ensure compatibility with Windows NT domain controllers and clients<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\">In summary, it is unique within a domain and performs various security-related tasks, and by default it acts as the time source for the entire domain (the PDC Emulator of the forest root domain should itself sync from a reliable external source rather than its local clock).<\/span><\/p>\n<h5><span style=\"color: #000000;\"><strong>5- Infrastructure Master:<\/strong><\/span><\/h5>\n<p><span style=\"color: #000000;\">The Infrastructure Master keeps cross-domain references up to date. When a group in one domain contains a user from another domain, the DCs of the group\u2019s domain only store a reference (GUID, SID and Distinguished Name) to that user; the Infrastructure Master compares those references against a Global Catalog and updates them when the user is renamed or moved. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn\u2019t do its job correctly you will see stale names or raw SIDs in place of resolved names in group memberships and Access Control Lists (ACL). Placement caveat: do not put this role on a DC that is a Global Catalog unless every DC in the domain is a Global Catalog, because a GC already holds a copy of every object in the forest and will never notice that its references are out of date. Once the AD Recycle Bin is enabled, every DC maintains these references itself and the placement no longer matters.<\/span><\/p>\n<h4><span style=\"color: #000000;\"><strong>FSMO roles give you confidence that the operations which must have a single owner (schema changes, domain creation, SID allocation, password and lockout handling, time, cross-domain references) are never performed by two DCs at once. Authentication itself is served by every DC, so it keeps working even while a role holder is down (with standard caveats, like the network staying up).<\/strong><\/span><\/h4>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since Windows 2000 Server, Microsoft has integrated the notion of FSMO roles within an Active Directory environment. 
There are five different FSMO roles, each with a specific purpose. For your &#8230;<\/p>\n","protected":false},"author":1,"featured_media":349,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/342"}],"collection":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/comments?post=342"}],"version-history":[{"count":7,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/342\/revisions"}],"predecessor-version":[{"id":443,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/342\/revisions\/443"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media\/349"}],"wp:attachment":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media?parent=342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/categories?post=342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/tags?post=342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
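The role inventory, the Infrastructure Master placement caveat, the PDC Emulator time source and the transfer-versus-seize procedure described in the post above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation with rights to read forest and domain objects (the Move-* call additionally needs Domain Admin, and Enterprise/Schema Admin for the forest-wide roles); the DC name DC02.corp.example in the usage lines is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module; 'DC02.corp.example' below is a hypothetical target DC name.

# Forest-wide roles (one holder per forest) come from Get-ADForest,
# domain-wide roles (one holder per domain) from Get-ADDomain.
function Get-FsmoInventory {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{
            Domain               = $domainName
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            RIDMaster            = $domain.RIDMaster
            PDCEmulator          = $domain.PDCEmulator
            InfrastructureMaster = $domain.InfrastructureMaster
        }
    }
}

# Flags the classic placement mistake: Infrastructure Master on a Global Catalog
# while some DCs in the domain are not GCs (cross-domain references then go stale).
# The check is moot for a single-domain forest or when the AD Recycle Bin is on,
# because every DC then maintains its own cross-domain references.
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest     = Get-ADForest
    $recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($forest.Domains.Count -eq 1 -or $recycleBin.EnabledScopes.Count -gt 0) {
        return "OK: placement irrelevant (single domain or Recycle Bin enabled)"
    }
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $im    = $dcs | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGc) {
        return "WARN: $($im.HostName) holds Infrastructure Master and is a GC, but not every DC in $Domain is a GC"
    }
    return "OK: Infrastructure Master on $($im.HostName)"
}

# The PDC Emulator is the root of the domain time hierarchy. In the forest root
# domain it should report an external/reliable source, not "Local CMOS Clock".
function Get-PdcTimeSource {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    w32tm /query /source /computer:$pdc
}

# Roles do not fail over on their own. Transfer while the old holder is online;
# seize (-Force) only when it is permanently gone, and never reconnect the old
# holder afterwards without rebuilding it, or you get two DCs claiming one role.
function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [string[]]$Roles = @('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'),
        [switch]$Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
}

# Usage
Get-FsmoInventory | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
Get-PdcTimeSource
# Move-FsmoRoles -TargetDC 'DC02.corp.example' -Roles PDCEmulator   # planned transfer
# Move-FsmoRoles -TargetDC 'DC02.corp.example' -Seize               # last resort only
```

Run the first three calls during a health check before and after any DC decommissioning; the seize line is deliberately commented out, since seizing while the old holder is still reachable is how duplicate role holders (and, for the RID Master, duplicate SIDs) get created.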