What is FSMO role




Operation Master Roles
FSMO (Flexible Single Master Operation) roles exist because Active Directory is multi-master: any writable domain controller accepts most changes, but a few operations would cause conflicts if two DCs performed them independently. Each of those operations is bound to exactly one DC, the role holder, while everything else stays flexible. There are five roles: two are forest-wide, the remaining three exist once in every domain.
Active Directory has five FSMO roles with different scopes:


RID Master (one per domain)
PDC Emulator (one per domain)
Infrastructure Master (one per domain)
Domain Naming Master (one per forest)
Schema Master (one per forest)


RID Master role: Every time you create a security principal, be it a user, a group, or a computer account, you want to be able to grant it access to resources. You can't key those permissions on the name of the user or group, because names change.
Say Andy held a particular role and left the company, so you closed Andy's account and hired Tim in his place. If permissions were keyed on names, you would have to find Andy in the access control list of every resource and replace him with Tim.
That is not practical; it is slow and error-prone.
This is why every security principal is identified by a security ID, or SID. Access control lists refer to the SID, not the name, so renaming an account changes nothing in the ACLs: the SID stays the same and only the one object needs editing.
A SID has a fixed layout that keeps every SID unique. It starts with the letter S, then the revision (1), then an identifier authority value (5, NT Authority, for all domain and local accounts). Next come the sub-authority values that identify the domain or the local computer; they are the same for every SID issued in that domain. Last comes the relative identifier, or RID.
The RID is what distinguishes one principal from another inside the domain, so the combination of domain identifier and RID is unique across the forest.
A domain SID looks like this: S-1-5-21-<three sub-authority values>-1029. Here 1029 is the RID, and the 21-... part is the domain identifier shared by every account in that domain.
Allocating RIDs can itself cause conflicts. Any writable DC can create accounts, so if two accounts are created at the same moment on two different DCs, both DCs could pick the same RID and the two objects would end up with the same SID.
To avoid this, the RID master hands each DC its own block of RIDs, 500 at a time by default (RIDs below 1000 are reserved for well-known principals such as Administrator, RID 500). One DC might hold 1000 to 1499, the next 1500 to 1999, and so on, and each DC assigns only from its own block. When a DC's block is nearly used up, it asks the RID master for the next one. Because blocks are pre-allocated, a short RID master outage goes unnoticed; DCs only fail to create new principals once their local block is exhausted.
Figure: RID Master FSMO role
So, the RID master is responsible for processing RID pool requests from the DCs of a single domain, which is what guarantees that every SID issued in that domain is unique.
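As an added example (not code from the original article), the following PowerShell decodes a SID into the parts described above and reads the RID pool state of every writable DC. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the domain partition; the SID in the usage line at the bottom is constructed, not a real domain's.

```powershell
# Added example, not from the original article: decode a SID into its parts and read the
# RID pool state of every writable DC. Assumes the RSAT ActiveDirectory module and an
# account allowed to read the domain partition. The sample SID at the bottom is constructed.
Import-Module ActiveDirectory

function Split-Sid {
    # S-<revision>-<identifier authority>-<sub-authorities identifying the domain>-<RID>
    param([Parameter(Mandatory)][string]$Sid)
    $p = $Sid -split '-'
    if ($p[0] -ne 'S' -or $p.Count -lt 4) { throw "Not a SID: $Sid" }
    [pscustomobject]@{
        Revision            = [int]$p[1]
        IdentifierAuthority = [int]$p[2]                        # 5 = NT Authority
        DomainIdentifier    = ($p[3..($p.Count - 2)] -join '-') # same for every SID issued in the domain
        Rid                 = [int]$p[-1]                       # unique within the domain
    }
}

function ConvertFrom-RidPool {
    # rIDAllocationPool / rIDAvailablePool are stored as one 64-bit number:
    # low 32 bits = first RID of the block, high 32 bits = last RID of the block.
    param([Parameter(Mandatory)][int64]$Pool)
    [pscustomobject]@{
        Start = [uint32]($Pool -band 0xFFFFFFFF)
        End   = [uint32]($Pool -shr 32)
    }
}

function Get-RidPoolStatus {
    # Domain-wide: the next block the RID master will hand out, and the hard ceiling.
    $domainDn   = (Get-ADDomain).DistinguishedName
    $ridManager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDn" -Properties rIDAvailablePool
    $avail      = ConvertFrom-RidPool ([int64]$ridManager.rIDAvailablePool)
    Write-Host "Next unallocated RID: $($avail.Start)  (ceiling: $($avail.End))"

    # Per DC: the block it currently owns. RODCs create no principals and have no RID Set.
    Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($_.ComputerObjectDN)" `
                               -Properties rIDAllocationPool, rIDNextRID
        $pool = ConvertFrom-RidPool ([int64]$ridSet.rIDAllocationPool)
        [pscustomobject]@{
            DC        = $_.HostName
            PoolStart = $pool.Start
            PoolEnd   = $pool.End
            NextRid   = $ridSet.rIDNextRID
            Remaining = $pool.End - $ridSet.rIDNextRID   # roughly how many RIDs before the next request
        }
    }
}

# Constructed sample SID (not a real domain): the last component, 1029, is the RID.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1029'
Get-RidPoolStatus | Format-Table -AutoSize
```

With the default block size, PoolEnd minus PoolStart should be about 500 on every DC, and no two DCs should report overlapping ranges; a DC whose Remaining is near zero while the RID master is unreachable is the one that will start failing account creation first.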


PDC Emulator role: PDC stands for Primary Domain Controller. The name dates from Windows NT domains, where exactly one DC, the PDC, held the read-write copy of the domain database and every other DC was a Backup Domain Controller (BDC) with a read-only copy. If you wanted to change a password, the change had to go to the PDC.
Today every writable DC accepts changes, so there is no PDC in that sense. But a few of its duties, notably password handling and time synchronization, are carried by one DC per domain that holds the PDC emulator role.
Let’s look at its password management first.
Suppose I reset my expired password against one domain controller, then log on from a machine in another site that authenticates against a different domain controller. Normally that logon could fail, because the first DC may not yet have replicated the new password to the second one.
The PDC emulator avoids this in two ways. A password change is replicated to the PDC emulator immediately (urgent replication) instead of waiting for the normal schedule, and when any DC rejects a password, it retries the logon against the PDC emulator before returning a failure. Account lockouts are processed on the PDC emulator for the same reason: it sees every bad-password attempt in the domain, so the lockout counter is not split across DCs.
Other than password handling, the PDC emulator is the root of time synchronization in the domain. This matters because AD authentication uses Kerberos, and Kerberos tickets and authenticators carry timestamps so that a message captured from the network cannot simply be replayed later.
By default a DC rejects any request whose timestamp differs from its own clock by more than five minutes (the Kerberos policy setting "Maximum tolerance for computer clock synchronization"), so a client that has drifted that far cannot authenticate at all.
Fine, but what’s the role of a PDC emulator here?
Well, your workstation syncs its clock with the DC that authenticated it, every DC in the domain syncs with the domain's PDC emulator, and the PDC emulator of each child domain syncs with the PDC emulator of the forest root domain. That makes the forest-root PDC emulator the master clock for the entire forest, and the one machine that should be configured to take time from a reliable external NTP source rather than from its own hardware clock.
Figure: PDC emulator FSMO role
When this controller is down, the effects are felt sooner than for any other role: password changes take longer to become consistent, lockout handling differs from DC to DC, and the time hierarchy has lost its root, so clocks begin to drift toward Kerberos failures. If the holder will not be coming back, seize the role promptly rather than waiting.
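As an added example (not code from the original article), this PowerShell walks the time hierarchy described above: for every DC it reports what w32time is following and how far that DC's clock is from the machine running the script, and flags a PDC emulator that is still on its hardware clock. It assumes the RSAT ActiveDirectory module and RPC access to each DC for w32tm.

```powershell
# Added example, not from the original article: verify the time hierarchy that ends at the PDC
# emulator. Assumes the RSAT ActiveDirectory module and RPC access to each DC for w32tm.
Import-Module ActiveDirectory

function Get-DcTimeStatus {
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $target = $dc.HostName
        # What w32time on that DC is following: "Local CMOS Clock", another DC, or an NTP server.
        $source = (w32tm /query "/computer:$target" /source) -join ''
        # Offset of that DC's clock relative to the machine running this script.
        # /dataonly prints lines such as "13:00:00, +00.0012345s".
        $chart  = (w32tm /stripchart "/computer:$target" /samples:1 /dataonly) -join "`n"
        $m      = [regex]::Match($chart, '([+-]\d+\.\d+)s')
        $offset = if ($m.Success) { [double]$m.Groups[1].Value } else { $null }

        $isPdc   = ($target -eq $pdc)
        $warning = if ($isPdc -and $source -match 'Local CMOS Clock') {
            'PDC emulator runs on its hardware clock; point it at an external NTP source'
        } elseif (-not $isPdc -and $source -match 'Local CMOS Clock') {
            'DC is free-running instead of following the domain hierarchy'
        } elseif ($null -ne $offset -and [math]::Abs($offset) -gt 300) {
            'skew exceeds the 5-minute Kerberos default tolerance'
        } else { '' }

        [pscustomobject]@{
            DC            = $target
            IsPdcEmulator = $isPdc
            Source        = $source
            OffsetSeconds = $offset
            Warning       = $warning
        }
    }
}

Get-DcTimeStatus | Format-Table -AutoSize
```

The offsets are measured from the machine you run this on, which is the comparison Kerberos actually makes when that machine authenticates; run it from the forest-root PDC emulator itself to see how far each DC has drifted from the master clock.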


Infrastructure Master role: The infrastructure master maintains references to objects that live in other domains of the forest, for example a user from domain B who is a member of a group in domain A. The DCs of domain A do not hold that user; they hold only a placeholder, called a phantom, containing the user's distinguished name, GUID and SID. When the user is renamed or moved in domain B, the infrastructure master of domain A compares its phantoms against a global catalog, corrects the stale distinguished names, and replicates the corrections to the other DCs of domain A.
This is why its placement relative to the Global Catalog (GC) matters. A GC holds a partial, read-only copy of every object in the forest, so a DC that is also a GC never creates phantoms: it already has the real objects. An infrastructure master running on a GC therefore finds nothing to compare and never updates anything, while the non-GC DCs in the domain keep their stale references and group memberships of cross-domain users silently rot.
The rule is: in a multi-domain forest, hold the infrastructure master on a DC that is not a GC, unless every DC in the domain is a GC, in which case no DC has phantoms and the placement is irrelevant. In a single-domain forest there are no cross-domain references, so it does not matter either.
With the Active Directory Recycle Bin enabled (Windows Server 2008 R2 and later), every DC updates its own cross-domain references and the infrastructure master is no longer used for this job at all.
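As an added example (not code from the original article), the following PowerShell lists the five role holders and applies the placement rule above: it checks whether the forest has one domain, whether the Recycle Bin is enabled, whether every DC is a GC, and only then whether the infrastructure master sits on a GC. It assumes the RSAT ActiveDirectory module and read access to the configuration partition.

```powershell
# Added example, not from the original article: list the five role holders and check whether
# the infrastructure master is placed safely relative to the global catalogs. Assumes the RSAT
# ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $nonGc  = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    # With the Recycle Bin enabled every DC maintains its own cross-domain references.
    $recycleBin = Get-ADOptionalFeature -Filter { Name -like "Recycle Bin Feature" }
    $recycleOn  = ($recycleBin.EnabledScopes.Count -gt 0)

    $verdict = if ($forest.Domains.Count -eq 1) {
        'OK: single-domain forest, there are no cross-domain references to maintain'
    } elseif ($recycleOn) {
        'OK: Recycle Bin enabled, the infrastructure master is no longer used for reference updates'
    } elseif ($nonGc.Count -eq 0) {
        'OK: every DC is a GC, so no DC holds phantom references'
    } elseif ($im.IsGlobalCatalog) {
        "PROBLEM: $($im.HostName) is both infrastructure master and GC while $($nonGc.Count) DC(s) are not GCs; move the role to one of: $($nonGc.HostName -join ', ')"
    } else {
        'OK: infrastructure master is on a non-GC DC'
    }
    [pscustomobject]@{
        InfrastructureMaster = $im.HostName
        IsGlobalCatalog      = $im.IsGlobalCatalog
        NonGcDcs             = $nonGc.Count
        RecycleBinEnabled    = $recycleOn
        Verdict              = $verdict
    }
}

Get-FsmoHolders
Test-InfrastructureMasterPlacement
```

The check is ordered from the conditions that make placement irrelevant to the one that makes it wrong, so a PROBLEM verdict is only raised when stale phantoms can actually accumulate.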


Domain Naming Master role: The DC holding the Domain Naming Master role is the only one that may change the domain namespace of the entire forest, which is recorded in the Partitions container of the configuration partition. Adding or removing a domain, and adding or removing an application directory partition, must go through this DC; while it is unavailable, no new domain can be added to the forest.


Schema Master role: The schema master is the only DC that accepts writes to the schema partition. The schema is the definition of what can exist in the directory: every object class (user, computer, group, and so on) and every attribute an object of that class may carry, such as employeeID, together with its syntax and whether it is single-valued.
Changing the employee ID value of a particular user is an ordinary write and can be done on any writable DC. What has to go to the schema master is a change to the definition itself, for example adding a new attribute or extending the schema for a product such as Exchange. Such changes replicate forest-wide and cannot be rolled back, so the Schema Admins group, whose membership is required to make them, should normally be kept empty and populated only for the duration of a change. By default, the first DC you install in the forest holds the schema master, along with the other four roles.


Active Directory Database: Active Directory data is stored in the Ntds.dit database file. Ntds.dit contains three main internal tables: the data table, which holds every object and its attribute values; the link table, which holds linked attributes such as group membership; and the SD table, which stores each distinct security descriptor once and lets objects share it by reference. Because the data table holds every account's password hashes, read access to the file, to backups of it and to volume snapshots that contain it must be restricted as tightly as access to a domain controller itself.
Two copies of Ntds.dit are present in separate default locations on a domain controller: %SystemRoot%\NTDS\Ntds.dit is the live database, and %SystemRoot%\System32\ntds.dit is the distribution copy used to seed a new database when a server is promoted.


What is Ntdsutil Command?: Ntdsutil.exe is a command-line tool for managing the Active Directory database and the directory service around it: transferring and seizing FSMO roles, cleaning up the metadata of removed domain controllers, checking and compacting the database, and creating snapshots and install-from-media sets. Microsoft recommends that only experienced administrators use it, and it must be run from an elevated command prompt (Start / Command Prompt / Run as administrator).


Seize FSMO Roles on Windows Server 2012
This article will show you how to seize FSMO roles in Windows Server 2012 R2.
Just as a reminder, Windows Server Active Directory contains five roles:

Schema Master
Domain Naming Master
Relative ID (RID) Master
PDC Emulator
Infrastructure Master


Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
Seize a role only when its current holder is permanently unavailable. If the holder is still reachable, transfer the role instead (the transfer commands in the same ntdsutil context, or the Active Directory PowerShell module); a transfer tells the old holder it no longer has the role, a seizure does not. A former schema master, domain naming master or RID master that was seized from must never be brought back onto the network; remove it with metadata cleanup.
To seize the FSMO roles by using Ntdsutil, follow these steps:
On any domain controller (or a member server with the AD DS management tools installed), press Windows+R to open the Run box, type cmd, and press Ctrl+Shift+Enter to open an administrator Command Prompt.

At the command prompt, start ntdsutil, move to the FSMO maintenance context, and connect to the DC that will take over the roles. The prompt shows which context you are in, and q returns to the previous one:

ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server labpexmbx1.test.local
Binding to labpexmbx1.test ...
Connected to labpexmbx1.test using credentials of locally logged on user.
server connections: q
fsmo maintenance: seize pdc

At the fsmo maintenance prompt, type one or more of the lines below, one per role you need to seize (all five if the failed DC held them all). For each, ntdsutil first attempts a normal transfer and only seizes if the current holder does not respond; confirm the dialog that appears.

seize pdc
seize rid master
seize infrastructure master
seize schema master
seize naming master

Afterwards, verify the result with netdom query fsmo, or with Get-ADDomain and Get-ADForest in PowerShell, and make sure the change has replicated to the other DCs before you rely on it.
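As an added example (not code from the original article), the following PowerShell does the same job as the ntdsutil steps above with the Active Directory module: it tries a graceful transfer of each role and falls back to a seizure (-Force) only when the transfer fails and you explicitly asked for it. It assumes the RSAT ActiveDirectory module and an account in Domain Admins (Enterprise Admins and Schema Admins for the two forest-wide roles); the DC name in the usage line is a placeholder.

```powershell
# Added example, not from the original article: the PowerShell equivalent of the ntdsutil
# procedure above. Assumes the RSAT ActiveDirectory module and an account in Domain Admins
# (Enterprise Admins / Schema Admins for the two forest-wide roles). The DC name in the
# usage line at the bottom is a placeholder.
Import-Module ActiveDirectory

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Roles = @('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster'),
        [switch]$Seize   # set only when the current holder is gone for good
    )
    $target = (Get-ADDomainController -Identity $TargetDc).HostName
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $holders = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($role in $Roles) {
        $current = $holders[$role]
        if ($current -eq $target) { Write-Host "$role is already held by $target"; continue }
        try {
            # Graceful transfer: the current holder must be online and acknowledge the hand-over.
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role `
                -Confirm:$false -ErrorAction Stop
            Write-Host "$role transferred from $current to $target"
        } catch {
            if (-not $Seize) {
                throw "Transfer of $role from $current failed: $_ (rerun with -Seize if $current is permanently offline)"
            }
            # Seizure (-Force) is what ntdsutil 'seize' does; the old holder is not informed.
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $role `
                -Force -Confirm:$false -ErrorAction Stop
            Write-Warning "$role seized by $target. If $current held the schema, naming or RID role, never bring it back online; remove it with metadata cleanup."
        }
    }
    # Confirm the result as the directory now sees it.
    netdom query fsmo
}

# Usage (placeholder DC name): transfer what can be transferred, seize the rest.
# Move-FsmoRoles -TargetDc 'dc02' -Seize
```

Leaving -Seize off by default means a typo in the target name, or a holder that is merely slow, produces an error instead of a silent seizure; the seizure path is taken only after a transfer has actually been attempted and refused.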


Related Article: 
 
Migrating Active Directory FSMO Roles From Windows Server 2012 R2 to 2016
