Active Directory FSMO Roles: What Are They and What Do They Do?

By Danny Murphy | 03.25.2019 | General

Active Directory (AD) is pretty much the go-to domain authentication service for enterprises all over the world and has been since its inception in Windows Server 2000.

Back then, AD was pretty insecure and had some flaws that made it particularly difficult to use. For example, if you had multiple domain controllers (DCs), they would compete over permission to make changes. This meant that you could be making changes and sometimes they simply wouldn’t go through.

Over the last few decades, Microsoft has introduced numerous enhancements, patches and updates that have drastically improved AD functionality, reliability and security. One such change was to move towards a “single master model” for AD, where only one DC could make changes to the domain. The other DCs fulfilled automation requests.

However, people quickly realized that if the master DC goes down, no changes could be made at all until it was back up again.

So, Microsoft had to rethink.

The solution they came up with was to separate the responsibilities of the DC into numerous roles. That way, if one of the DCs goes down, another can take over the missing role. This is known as Flexible Single Master Operation (FSMO).

What Are the Five FSMO Roles?

A full Active Directory system is split into five separate FSMO roles. The five FSMO roles are as follows:

  1. Relative ID (RID) Master
  2. Primary Domain Controller (PDC) Emulator
  3. Infrastructure Master
  4. Domain Naming Master
  5. Schema Master

The Schema Master and Domain Naming Master roles are forest-wide (one holder per forest), whereas the remaining three are domain-wide (one holder per domain).
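The role holders are easy to list with the ActiveDirectory module (forest-wide roles from Get-ADForest, domain-wide roles from Get-ADDomain), but the authoritative record is the fSMORoleOwner attribute on a specific directory object per role, which holds the DN of the owner's NTDS Settings object. The following PowerShell is an added example, not code from the original post or from Lepide; it assumes the RSAT ActiveDirectory module on a domain-joined host and cross-checks both views, flagging any role whose recorded owner no longer resolves to a live DC (the classic symptom after a DC is removed without transferring or seizing its roles).

```powershell
# Added example (not from the original post): enumerate FSMO role holders
# and cross-check them against the fSMORoleOwner attributes in the directory.
# Assumes the ActiveDirectory RSAT module on a domain-joined host.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# 1. The convenient view: forest-wide roles from Get-ADForest,
#    domain-wide roles from Get-ADDomain (all values are DC FQDNs).
$roleHolders = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# 2. The authoritative view: the object on which each role's
#    fSMORoleOwner attribute lives.
$roleObjects = [ordered]@{
    'Schema Master'         = $rootDse.schemaNamingContext
    'Domain Naming Master'  = "CN=Partitions,$($rootDse.configurationNamingContext)"
    'RID Master'            = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
    'PDC Emulator'          = $domain.DistinguishedName
    'Infrastructure Master' = "CN=Infrastructure,$($domain.DistinguishedName)"
}

# Map NTDS Settings DN -> DC hostname for every live DC in the forest,
# so an owner DN that points at a decommissioned DC stands out.
$ntdsToDc = @{}
foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $ntdsToDc[$dc.NTDSSettingsObjectDN] = $dc.HostName
    }
}

foreach ($role in $roleObjects.Keys) {
    $owner    = (Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
    $resolved = $ntdsToDc[$owner]
    $status = if (-not $resolved) {
        'STALE: fSMORoleOwner does not resolve to a live DC'
    } elseif ($resolved -ne $roleHolders[$role]) {
        'MISMATCH: Get-AD* view and fSMORoleOwner disagree'
    } else {
        'OK'
    }
    [pscustomobject]@{
        Role    = $role
        Holder  = $roleHolders[$role]
        OwnerDN = $owner
        Status  = $status
    }
}
```

Run it from an account that can read the Configuration and Schema partitions (any authenticated user can, by default). A STALE result is what you want to catch before the next change that needs that role fails; the domain-wide checks above cover only the domain the host is joined to, so repeat them per domain in a multi-domain forest.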

What Do the FSMO Roles Do?

Relative ID (RID) Master – If you want to create a security principal, you are probably going to want to add access permissions to it. You can’t grant these permissions based on the name of a user or group, because that can change. Instead, you associate them with a unique security ID (SID). Part of that unique identifier is known as the relative ID (RID). To prevent two objects from having the same SID, the RID Master processes RID pool requests from DCs within a single domain and ensures that each SID is unique.
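To make the SID/RID relationship concrete, the PowerShell below (an added example, not code from the original post or from Lepide; it assumes the RSAT ActiveDirectory module) splits a few account SIDs into domain SID and RID, then reads the global pool the RID Master maintains on the CN=RID Manager$ object and the block each DC has been allocated. Both pool attributes are 64-bit values packed as two 32-bit halves; the decoding used here (low half = start or next unallocated RID, high half = end or ceiling) is the documented layout, and the helper name Split-Sid is the example's own.

```powershell
# Added example (not from the original post): show that the RID is the last
# component of a SID, and inspect the RID pools handed out by the RID Master.
# Assumes the ActiveDirectory RSAT module on a domain-joined host.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A SID string is S-1-<authority>-<sub-authorities...>; for a domain
    # account the final sub-authority is the RID, everything before it is
    # the domain SID shared by every principal in the domain.
    $parts = $Sid -split '-'
    [pscustomobject]@{
        DomainSid = ($parts[0..($parts.Count - 2)]) -join '-'
        Rid       = [uint32]$parts[-1]
    }
}

$domain = Get-ADDomain

# A handful of accounts: the built-in Administrator always has RID 500;
# accounts created later receive RIDs from the creating DC's pool.
Get-ADUser -Filter * -ResultSetSize 5 | ForEach-Object {
    $s = Split-Sid $_.SID.Value
    [pscustomobject]@{ Name = $_.SamAccountName; DomainSid = $s.DomainSid; Rid = $s.Rid }
}

# Global pool on the RID Master: low 32 bits = next RID not yet given to
# any DC, high 32 bits = ceiling of the pool.
$ridManager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                           -Properties rIDAvailablePool
$pool            = [int64]$ridManager.rIDAvailablePool
$nextUnallocated = $pool -band 0xFFFFFFFF
$ceiling         = $pool -shr 32
"RID Master: $($domain.RIDMaster); next unallocated RID: $nextUnallocated; ceiling: $ceiling"

# Each DC holds its own block in a RID Set object referenced from the DC's
# computer object. rIDAllocationPool packs start/end the same way; rIDNextRID
# is the next RID that DC will stamp on a new principal.
Get-ADDomainController -Filter * | ForEach-Object {
    $computer = Get-ADComputer -Identity $_.ComputerObjectDN -Properties rIDSetReferences
    $ridSetDn = @($computer.rIDSetReferences)[0]
    $ridSet   = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDNextRID
    $alloc    = [int64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $_.HostName
        PoolStart = $alloc -band 0xFFFFFFFF
        PoolEnd   = $alloc -shr 32
        NextRid   = $ridSet.rIDNextRID
    }
}
```

The per-DC table is the practical monitoring point: a DC whose NextRid is close to PoolEnd needs to reach the RID Master to get a fresh block, so if the RID Master is down for long enough, that DC will eventually be unable to create users, groups or computers at all.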

Primary Domain Controller (PDC) Emulator – This is the most authoritative DC in the domain. The role of this DC is to respond to authentication requests, manage password changes and manage Group Policy Objects (GPOs). Users cannot even change their passwords without the approval of the PDC Emulator. It’s a powerful position!

Infrastructure Master – This controller understands the overall IT infrastructure in the organization, including what objects are present. The Infrastructure Master updates object references at a local level and also makes sure that they are up to date in the copies held by other domains. It does this through unique identifiers, such as SIDs.

Domain Naming Master – This DC simply ensures that you are not able to create a second domain in the same forest with the same name.

Schema Master – This DC holds the read-write copy of your AD schema. The schema is essentially all the attributes associated with an object (passwords, roles, designations, etc.). So, if you need to change a role on a user object, you’ll have to do it through the Schema Master.

It’s absolutely vital that you are proactively and continuously monitoring Active Directory security in order to prevent insider threats, privilege abuse and brute force attacks. Unsure about how to do this? Get in touch with us today and see how Lepide helps monitor and secure AD.
