Monday, October 15, 2007

What are FSMO (Flexible Single-Master Operation) Roles?

The Microsoft Windows Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored. It is a hierarchical, multi-master enabled database, capable of storing millions of objects. Because it is multi-master, changes to the database can be processed at any given domain controller (DC) in the enterprise, regardless of whether that DC is currently connected to or disconnected from the network. A few kinds of change, however, would cause conflicts if two DCs could make them at the same time, so each of those operations is assigned to a single DC at any one time. Because such a role is not permanently bound to one DC and can be transferred to another, it is referred to as a Flexible Single Master Operation (FSMO) role.

In Windows 2000 and Windows Server 2003 there are five FSMO roles. All five are initially held by the first domain controller installed into the forest; each additional domain created in the forest has its own three domain-level roles, initially held by the first DC of that domain. The five roles break down into two forest-level roles and three domain-level roles.
The two forest-level roles are:
  • The schema master, which controls all updates and modifications to the Active Directory schema. To update the schema of a forest you must have access to the schema master, and you must be a member of the Schema Admins group in Active Directory. There can be only one schema master in the whole forest.
  • The domain naming master, which controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest. You need to be a member of the Enterprise Admins group in order to use the domain naming master role.

The three domain-level roles for Active Directory domain controllers are:

  • The primary domain controller (PDC) emulator, which processes replication requests from Microsoft Windows NT 4.0 backup domain controllers (BDCs) and processes all password updates from clients not running the Active Directory client software. In addition, the PDC emulator is consulted on an authentication failure to check whether the password has been changed but the change has not yet had a chance to replicate to all the domain controllers.
  • The Relative Identifier (RID) master, which allocates pools of RIDs to all domain controllers in the domain to ensure that every security principal's SID is unique.
  • The infrastructure master for a given domain, which maintains the list of security principals from other domains that are members of groups within its domain, and updates those cross-domain references when the referenced objects move or are renamed.
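An administrator or auditor usually wants to answer two questions about the roles described above: which DC currently holds each of the five roles, and who is in the groups (Schema Admins, Enterprise Admins) that gate schema and domain-naming changes. The PowerShell below is an added example, not code from the original post. It assumes the ActiveDirectory PowerShell module (shipped with RSAT and with Windows Server 2008 R2 and later, so it postdates the Windows 2000/2003 systems the post describes; on those, `netdom query fsmo` returns the same role list) and a session with read access to the forest. It also goes one step beyond the post by applying a well-known caveat: in a forest with more than one domain, the infrastructure master cannot update cross-domain references if it sits on a global catalog while other DCs are not global catalogs.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is installed and the caller can read forest and domain objects.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param(
        # Assumption: default to the domain the current machine is joined to.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # The two forest-level roles live on the forest object ...
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    # ... and the three domain-level roles on the domain object.
    [pscustomobject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Holder = $dom.RIDMaster }
    [pscustomobject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
}

function Test-FsmoHealth {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest   = Get-ADForest
    $findings = @()

    # Every DC in the forest, so forest-level holders (root domain DCs) are
    # recognised even when $Domain is a child domain.
    $allDCs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    $known  = $allDCs.HostName

    foreach ($r in Get-FsmoRoleHolders -Domain $Domain) {
        if (-not $r.Holder) {
            # An empty holder means the role owner was demoted or lost without a
            # transfer; the role must be transferred or seized before related
            # operations (schema updates, RID allocation, ...) work again.
            $findings += "$($r.Role): no holder recorded; role needs to be transferred or seized."
        } elseif ($known -notcontains $r.Holder) {
            $findings += "$($r.Role): holder $($r.Holder) is not a known DC in the forest."
        }
    }

    # Infrastructure master vs. global catalog placement (multi-domain forests only).
    $im = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    if ($im -and $forest.Domains.Count -gt 1) {
        $imDC  = Get-ADDomainController -Identity $im
        $allGC = -not ($allDCs | Where-Object { -not $_.IsGlobalCatalog })
        if ($imDC.IsGlobalCatalog -and -not $allGC) {
            $findings += "InfrastructureMaster $im is a global catalog while other DCs are not; cross-domain references will not be updated."
        }
    }

    # The groups that gate the two forest-level roles exist only in the root
    # domain. Schema Admins in particular should be empty outside a planned
    # schema change window.
    foreach ($g in 'Schema Admins', 'Enterprise Admins') {
        $members = @(Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive)
        $names   = if ($members) { $members.SamAccountName -join ', ' } else { '(none)' }
        $findings += "$g has $($members.Count) member(s): $names"
    }

    return $findings
}

# Usage: list the role holders, then print the audit findings.
Get-FsmoRoleHolders | Format-Table -AutoSize
Test-FsmoHealth | ForEach-Object { Write-Output $_ }
```

Run this from a workstation or DC with the module loaded; the first table should show exactly one holder per role, and each finding line is something to follow up on (a missing holder, a holder that is no longer a DC, an infrastructure master placed on a global catalog in a mixed forest, or a privileged group that has accumulated members).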