This article mainly helps you understand the flexible single-master operation (FSMO) role in Active Directory. You can know what FSMO is and what the 5 FSMO roles are in this post. Now, you can continue to read this post to get detailed information.
What Is FSMO
What is FSMO? It is the abbreviation of Flexible Single Master Operations. It is a single host operation or operation host, which is a feature of the Microsoft Active Directory. FSMO is a set of dedicated domain controller (DC) tasks, used when standard data transfer and update methods are insufficient.
AD usually relies on multiple peer DCs, each of which has a copy of the AD database and is synchronized through multi-master replication. FSMO is not suitable for multi-master replication tasks, only suitable for single-master databases. If you want to learn more information about FSMO, you can continue to read this post from MiniTool.
5 FSMO Roles
Active Directory extends the single-host model in earlier versions of Windows to include multiple roles and the ability to transfer roles to any DC in the enterprise. Since Active Directory roles are not bound to a single DC, they are called FSMO roles. Currently, in Windows, there are five FSMO roles.
- RID master
- PDC emulator
- Infrastructure master
- Schema master
- Domain naming master
Now, I will introduce the 5 FSMO roles respectively.
1. RID Master
The RID master FSMO role owner is a single DC responsible for handling RID pool requests for all DCs in a given domain. It is also responsible for deleting the object from the object’s domain and placing it in another domain while the object is moving.
When DC creates a security principal object, it attaches a unique Security ID to the object. This SID contains a domain SID and a relative RID, which is unique for each security principal SID created in the domain. Each Windows DC in the domain is assigned a RID pool, which is allowed to be assigned to the security principal it creates.
2. PDC Emulator
The PDC simulator is necessary to synchronize the time in the enterprise. Windows includes the W32Time (Windows Time) time service required by the Kerberos authentication protocol. All Windows-based computers in the enterprise use public time.
The purpose of time service is to ensure the hierarchical relationship of Windows time service usage control authority and does not allow loops to ensure proper public time use. The PDC emulator of the domain is authoritative to the domain. The PDC simulator in the forest root directory is authoritative to the enterprise and should be configured to collect time from external sources.
3. Infrastructure Master
The infrastructure master role converts globally unique identifiers (GUID), SID, and distinguished names (DN) between domains. If you have multiple domains in your forest, the infrastructure master is the Babelfish between them. If the infrastructure master cannot do its job correctly, you will see the SID in the access control list (ACL) instead of the resolved name.
4. Schema Master
The schema master role manages the read-write copy of the Active Directory schema. The AD schema defines all the attributes that can be applied to objects in the AD database, such as employee ID, phone number, email address, and login name.
5. Domain Naming Master
The domain naming master ensures that you do not create another domain with another name in the same forest. The creation of a new domain does not happen often, so in all roles, this domain is likely to live in the same DC as another role.
Transfer FSMO Roles
By default, AD assigns all operations master roles to the first DC created in the forest. To provide fault tolerance, there should be multiple domain controllers available in each domain of the forest. If a new domain is created in the forest, the first DC in the new domain has all domain-wide FSMO roles.
If the domain has a large number of domain controllers, this is not a satisfactory location. Microsoft recommends carefully dividing FSMO roles and preparing a backup DC to take over each role. The PDC simulator and RID host should be on the same DC, if possible. The schema master and domain naming master should also be in the same DC.
What is FSMO? The first section tells you the specific definition. Then, you can know the 5 FSMO roles. Read here, you may have an overall understanding of FSMO. Hope the above information can be helpful for you. Here comes to the end.