FSMO Roles

Why do we need FSMO?

Microsoft split the responsibilities of a DC into 5 separate roles that together make a full AD system.

FSMO stands for Flexible Single Master Operations. Microsoft Active Directory is by far the most widely used domain authentication service across the globe ever since it was released in 1999 (in Windows Server 2000). Over the decades Microsoft has made many advancements in its Active Directory to transform it into the secure system we are using today.

One of these updates was the introduction of the Single Master Model. In this model, only one domain controller could make changes to the domain, while the other DCs would only answer authentication requests.

This model created a single point of failure, which means if the master or primary domain controller goes down, there is no way to make changes to the domain until the master DC is back up.

To remediate this issue, Microsoft separated the responsibilities of a DC into multiple roles. Administrators could then assign these roles to different domain controllers, and if one of the DCs went down, another DC could take over the missing role and business continuity would remain intact.

This concept is named the Flexible Single Master Operation or FSMO for short, and the roles are known as FSMO roles.


FSMO gives you confidence that your domain will be able to perform its primary function, authenticating users and evaluating their permissions, without interruption (with the standard caveats, like the network staying up).

FSMO Role                           Scope
Schema Master                       Forest
Domain Naming Master                Forest
Primary Domain Controller Emulator  Domain
RID Master                          Domain
Infrastructure Master               Domain

Schema Master
The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes, such as employee ID, phone number, email address, and login name, that you can apply to an object in your AD database.

Domain Naming Master
The Domain Naming Master makes sure that you don't create a second domain in the same forest with the same name as an existing one. It is the master of your domain names. Creating new domains isn't something that happens often, so of all the roles, this one is the most likely to live on the same DC as another role.

RID Master
The Relative ID Master hands each DC a block of relative identifiers that the DC can use when building Security Identifiers (SIDs) for newly created objects. Each object in AD has a SID, and the last component of the SID is the relative portion. To keep two objects from ever receiving the same SID, the RID Master grants each DC the exclusive right to assign a particular range of relative IDs.

PDC Emulator
The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It's good to be the PDC.

Infrastructure Master
The Infrastructure Master role translates Globally Unique Identifiers (GUIDs), SIDs, and Distinguished Names (DNs) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn't do its job correctly, you will see raw SIDs in place of resolved names in your Access Control Lists (ACLs).
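As an added example (not part of the original post), the following PowerShell splits a SID into its domain part and the relative ID that comes from a RID pool, and then audits an ACL for entries that are still bare SIDs instead of resolved names, which is the symptom described above. It assumes a file-system path; the S-1-5-21 SID below is a constructed sample value.

```powershell
# Added example, not code from the original post.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    # Domain part is only present for domain SIDs (S-1-5-21-...); null for BUILTIN etc.
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
    # The last sub-authority is the relative portion handed out from a RID pool.
    $rid = [uint32](($SidString -split '-')[-1])
    $name = $null
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { }  # no DC/GC could resolve it
    [pscustomobject]@{ Sid = $SidString; DomainSid = $domainSid; Rid = $rid; Name = $name }
}

function Find-UnresolvedAce {
    # Lists ACEs whose identity is still a bare SID: the symptom the text describes
    # for a broken Infrastructure Master (a deleted account looks the same).
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($id -match '^S-1-\d+(-\d+)+$') {
            $info = Split-Sid $id
            [pscustomobject]@{ Path = $Path; Sid = $id; Rid = $info.Rid; Rights = $ace.FileSystemRights }
        }
    }
}

# Constructed sample domain SID with RID 1105 (will not resolve outside that domain),
# followed by the well-known Administrators group, which resolves without any DC.
Split-Sid 'S-1-5-21-111111111-222222222-333333333-1105'
Split-Sid 'S-1-5-32-544'
Find-UnresolvedAce -Path 'C:\Windows\Temp'
```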


Seizing the FSMO roles from a failed primary DC

On the primary server, list the current FSMO role holders:

netdom query fsmo

Running the same command on the secondary server lists the same five roles, because the command only reports which DC holds each role. The secondary server does not hold any of them, so it does not have the same authority as the primary DC.

If the primary server has a problem, the FSMO roles have to be seized; after that the backup DC holds full authority. To demonstrate this, I powered off the primary server.

The primary DC is now inactive (server down).

Now, in PowerShell on the secondary server, run:

netdom query fsmo

It still lists all five FSMO roles as held by the primary DC, because the roles remain registered to that server even though it is down.

On the backup DC, start ntdsutil:

PS C:\Users\administrator.VRE> ntdsutil

Type only roles and press Enter.

Type connections.

Now connect to the backup domain controller:

connect to server bdc.vre.local

Leave the connections prompt by typing q and pressing Enter.

Now all the FSMO roles have to be seized from the primary server. The primary server is not running, but the roles are still assigned to it, so each one must be seized and reassigned to the secondary server:

fsmo maintenance: seize infrastructure master

Answer Yes at the confirmation prompt, then repeat for the remaining roles:

fsmo maintenance: seize naming master

fsmo maintenance: seize PDC

fsmo maintenance: seize RID master

fsmo maintenance: seize schema master

Type quit to leave fsmo maintenance, and quit again to exit ntdsutil.

After seizing all five roles from the primary DC and assigning them to the secondary DC, verify the result:

netdom query fsmo

The backup domain controller now holds all the FSMO roles.

You can also check in Active Directory Users and Computers: right-click the domain and choose Operations Masters. The PDC and Infrastructure tabs now show the backup DC as the role holder.
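As an added example (not the post's own commands), here is the same seizure the walkthrough performs in ntdsutil, done instead with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole, together with a holder check that matches the forest/domain scope table above. It assumes the RSAT ActiveDirectory module is installed and reuses the post's backup DC name, bdc.vre.local.

```powershell
# Added example, not the post's own procedure.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Forest-scope roles are reported by Get-ADForest, domain-scope roles by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [string[]]$Roles = @('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')
    )
    $holders = Get-FsmoHolder
    foreach ($role in $Roles) {
        $current = $holders[$role]
        if ($current -eq $TargetDc) { continue }   # already where we want it
        # Prefer a graceful transfer while the holder still answers LDAP; use -Force
        # (a seize, as in the ntdsutil walkthrough) only when it is really down.
        $alive = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        $params = @{ Identity = $TargetDc; OperationMasterRole = $role; Confirm = $false }
        if (-not $alive) { $params.Force = $true }
        Move-ADDirectoryServerOperationMasterRole @params
        # A DC that had a role seized from it must not be reconnected as-is: clean up
        # its metadata or rebuild it first, or two DCs will each claim the same role.
    }
    Get-FsmoHolder   # verify, as netdom query fsmo does in the walkthrough
}

Move-FsmoRoles -TargetDc 'bdc.vre.local'
```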
