FSMO: WHY DO WE NEED IT?
Microsoft split the responsibilities of a DC into 5 separate roles that together make a full AD system.
FSMO stands for Flexible Single Master Operations. Microsoft Active Directory is by far the most widely used domain authentication service across the globe ever since it was released in 1999 (in Windows Server 2000). Over the decades Microsoft has made many advancements in its Active Directory to transform it into the secure system we are using today.
One of these updates included the introduction of a Single Master Model. In this model, only one domain controller could make the required changes in a domain, while the other DCs would only complete authentication requests.
This model created a single point of failure: if the master or primary domain controller goes down, there is no way to make changes to the domain until the master DC is back up.
To remediate this issue, Microsoft separated the responsibilities of a DC into multiple roles. Administrators could then assign these roles to multiple domain controllers, and if one of the DCs went down, the other DCs could take over the missing role and business continuity would remain intact.
This concept is named the Flexible Single Master Operation or FSMO for short, and the roles are known as FSMO roles.
FSMO gives you confidence that your domain will be able to perform the primary function of authenticating users and
permissions without interruption (with standard caveats, like the network staying up).
FSMO Role                            Scope
Schema Master                        Forest
Domain Naming Master                 Forest
Primary Domain Controller Emulator   Domain
RID Master                           Domain
Infrastructure Master                Domain
Schema Master
The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes –
things like employee ID, phone number, email address, and login name – that you can apply to an object in your AD database.
Domain Naming Master
The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another.
It is the master of your domain names. Creating new domains isn’t something that happens often, so of all the roles,
this one is most likely to live on the same DC with another role.
RID Master
The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects.
Each object in AD has an SID, and the last few digits of the SID are the Relative portion. In order to keep multiple objects from having the same SID,
the RID Master grants each DC the privilege of assigning certain SIDs.
PDC Emulator
The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests,
changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.
Infrastructure Master
The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains.
If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them.
If the Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL).
Flexible Single Master Operation (also known as FSMO or FSMO Roles).
On the primary server, list the FSMO roles:
netdom query fsmo

The secondary server also reports the same roles, but it does not have complete authority like the primary DC.
If the primary server has issues, the FSMO roles need to be seized; after that, the backup DC holds complete authority.
So here I powered off the primary server.

The primary DC is not active (server down).
Now query the roles in PowerShell.
I still get all 5 FSMO roles.
On the secondary server I am getting all 5 roles.

On the backup DC, type ntdsutil:
PS C:\Users\administrator.VRE> ntdsutil
Then type roles and press Enter.

Type connections.
Now connect to the backup domain controller, for example:
connect to server bdc.vre.local

Now quit the connections menu: type q and press Enter.
Here we need to seize all FSMO roles from the primary server.
The primary server is not running but still holds the FSMO roles, so we need to seize the roles and allocate them to the secondary server.
netdom query fsmo

fsmo maintenance: Seize infrastructure master
And press Yes to confirm.

fsmo maintenance: Seize naming master

fsmo maintenance: Seize PDC

fsmo maintenance: Seize RID master

fsmo maintenance: Seize schema master

Now type quit to leave fsmo maintenance.

After seizing all 5 roles from the primary DC, they are assigned to the secondary DC.
You can check this once all roles have been seized.
The backup domain controller now holds all FSMO roles:
netdom query fsmo
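One way to confirm the result of the seizure steps above, as an added example that is not part of the original page: it parses the text printed by netdom query fsmo and flags any role that is not held by the backup DC. The sample output is constructed, and the function names and pdc.vre.local (standing in for the powered-off primary DC) are assumptions.

```powershell
# Added example (not from the original page): confirm a FSMO seizure is complete
# by parsing the text that `netdom query fsmo` prints.

function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Role name and holder are separated by a run of two or more spaces;
        # the trailing "The command completed successfully." line does not match.
        if ($line -match '^\s*(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches['role']; Holder = $Matches['holder'] }
        }
    }
}

function Test-FsmoSeizure {
    param([string[]]$Lines, [string]$ExpectedHolder)
    # Role labels as netdom prints them.
    $roles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'
    $found = @(ConvertFrom-NetdomFsmo -Lines $Lines)
    foreach ($role in $roles) {
        $entry = $found | Where-Object { $_.Role -eq $role } | Select-Object -First 1
        if (-not $entry) {
            $status = 'MISSING'        # role line absent from the output
        } elseif ($entry.Holder -eq $ExpectedHolder) {
            $status = 'OK'             # -eq compares strings case-insensitively
        } else {
            $status = 'NOT MOVED'      # still recorded on another DC
        }
        [pscustomobject]@{ Role = $role; Holder = $entry.Holder; Status = $status }
    }
}

# Constructed sample: a seizure where the RID role was skipped.
# pdc.vre.local is an assumed name for the powered-off primary DC.
$sample = @(
    'Schema master               bdc.vre.local'
    'Domain naming master        bdc.vre.local'
    'PDC                         bdc.vre.local'
    'RID pool manager            pdc.vre.local'
    'Infrastructure master       bdc.vre.local'
    'The command completed successfully.'
)
Test-FsmoSeizure -Lines $sample -ExpectedHolder 'bdc.vre.local' | Format-Table -AutoSize

# On the backup DC, feed it the live output instead:
# Test-FsmoSeizure -Lines (netdom query fsmo) -ExpectedHolder 'bdc.vre.local'
```

A NOT MOVED row means the matching seize command still has to be run for that role. Once roles have been seized, the original role holder should not be returned to the network in its old state.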

Go to Active Directory Users and Computers.
Right-click the domain and click Operations Masters.
Now check there:

PDC

Infrastructure
