Michael Olig

Active Directory allows object creations, updates, and deletions to be committed to any authoritative domain controller. After a change has been committed, it is replicated automatically to other domain controllers through a process called multi-master replication. This behavior allows most operations to be processed reliably by multiple domain controllers and provides for high levels of redundancy, availability, and accessibility within Active Directory. An exception to this behavior applies to certain Active Directory operations that are sensitive enough that their execution is restricted to a specific domain controller. Active Directory addresses these situations through a special set of roles. The following commands can be used to identify FSMO role owners.

Author: Gojar Fejora
Language: English (Spanish)
Published (Last): 10 February 2011

PDC emulator
Infrastructure master

Out of these, the first two FSMO roles are available at the forest level while the remaining three are necessary for every domain. By default, the first controller you install in your forest will be the schema master.

RID master

Every time you create a security principal, be it a user account, group account, or a master account, you want to add access permissions to it.

Essentially, RID is the value that ensures uniqueness between different objects in Active Directory. A SID will look like this: S But this can lead to conflicts, too. To avoid this conflict, the RID master assigns blocks of to each domain controller.

PDC emulator

PDC stands for Primary Domain Controller and it comes from a time when there was only one domain controller that had a read-write copy of the schema. The remaining domain controllers were a backup for this PDC. Today, there are no more PDCs.

But a few of its roles like time synchronization and password management are taken over by a domain controller called PDC emulator.

A PDC emulator avoids these confusions by being the controller for password resets. So, my client will contact the PDC emulator when a login fails, to check if there was a password change. Also, all account lockouts due to wrong passwords are processed on this PDC emulator. Other than password management, the PDC emulator syncs the time in an enterprise system. This is an important functionality because AD authentication uses a protocol called Kerberos for security.

So, when there is a difference of five minutes or more between a server clock and your system during the authentication process, Kerberos thinks this is an attack and will not authenticate you. Well, your local system syncs its time with the domain controller, and the domain controller, in turn, syncs its time with the PDC emulator.

This way, the PDC emulator is the master clock for all the domain controllers in your domain. When this controller is down, your security goes down a few notches and makes passwords vulnerable to attacks.

Infrastructure master

The core functionality of an infrastructure master is to reference all local users and references within a domain.

This controller understands the overall infrastructure of the domain, including what objects are present in it. It is responsible for updating object references locally and also ensures that it is up to date in the copies of other domains. It handles this update process through a unique identifier, possibly a SID. The global catalog (GC) is like an index that knows where everything is inside Active Directory.

The infrastructure master, on the other hand, is a smaller version of GC, as it is restricted within a single domain. Now, why is it important to know about GC here? Because GC and infrastructure master should not be placed in the same domain controller.

If you happen to do that, the infrastructure master will stop working as the GC gets precedence. But, if you have a large forest with multiple domain controllers, the presence of both GC and infrastructure master will cause problems. We have multiple domains that look up to a GC server.

Inside one domain, we make a change to the group membership and the infrastructure master knows about this change.

Summary

As you can see, FSMO roles prevent conflicts in Active Directory and, at the same time, give you the flexibility to handle different operations within Active Directory. They can be broadly divided into five roles, out of which the first two are for the entire forest while the remaining three pertain to a particular domain.
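As an added example (not from the original article), the PowerShell below checks two points the article makes: an infrastructure master that also holds the global catalog, and a DC whose clock is five minutes or more off the PDC emulator. The host names, the `Test-FsmoPlacement` function and the `ClockOffsetSeconds` field are assumptions, and the sample data is constructed.

```powershell
# Added example, not from the original article. Sample data below is constructed.
# On a live domain (ActiveDirectory module) the inputs come from:
#   Get-ADForest  -> SchemaMaster, DomainNamingMaster
#   Get-ADDomain  -> RIDMaster, PDCEmulator, InfrastructureMaster
#   Get-ADDomainController -Filter * -> HostName, IsGlobalCatalog
# ClockOffsetSeconds is a hypothetical field: each DC's offset from the PDC emulator.

function Test-FsmoPlacement {
    param(
        [Parameter(Mandatory)] [hashtable] $RoleOwners,         # role name -> DC host name
        [Parameter(Mandatory)] [object[]]  $DomainControllers,  # HostName, IsGlobalCatalog, ClockOffsetSeconds
        [int] $MaxSkewSeconds = 300                             # the five-minute Kerberos tolerance the article cites
    )
    $findings = @()

    $infra = $DomainControllers | Where-Object { $_.HostName -eq $RoleOwners.InfrastructureMaster }
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    # Assumption beyond the article: the clash only matters while some DC
    # in the domain is not a global catalog.
    if ($infra -and $infra.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        $findings += "InfrastructureMaster $($infra.HostName) is also a global catalog"
    }

    # Kerberos refuses authentication once the skew reaches the tolerance.
    foreach ($dc in $DomainControllers) {
        if ([math]::Abs($dc.ClockOffsetSeconds) -ge $MaxSkewSeconds) {
            $findings += "$($dc.HostName) is $($dc.ClockOffsetSeconds)s off the PDC emulator $($RoleOwners.PDCEmulator)"
        }
    }
    return $findings
}

# Constructed sample: one domain, three DCs.
$roles = @{
    SchemaMaster = 'dc1.example.test'; DomainNamingMaster   = 'dc1.example.test'
    RIDMaster    = 'dc2.example.test'; PDCEmulator          = 'dc2.example.test'
    InfrastructureMaster = 'dc1.example.test'
}
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.example.test'; IsGlobalCatalog = $true;  ClockOffsetSeconds = 2 }
    [pscustomobject]@{ HostName = 'dc2.example.test'; IsGlobalCatalog = $false; ClockOffsetSeconds = 0 }
    [pscustomobject]@{ HostName = 'dc3.example.test'; IsGlobalCatalog = $false; ClockOffsetSeconds = -412 }
)
Test-FsmoPlacement -RoleOwners $roles -DomainControllers $dcs
```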



Active Directory FSMO roles in Windows

Active Directory (AD) is pretty much the go-to domain authentication service for enterprises all over the world and has been since its inception in Windows Server Back then, AD was pretty unsecured and had some flaws that made it particularly difficult to use. For example, if you had multiple domain controllers (DCs), they would compete over permissions to make changes. Over the last few decades, Microsoft have introduced numerous enhancements, patches and updates that have drastically improved AD functionality, reliability and security. The other DCs fulfilled automation requests.


Flexible single master operation

There have been several enhancements and updates since then to make it the stable and secure authentication system in use today. In its infancy, AD had some rather glaring flaws. One DC could make changes to the domain, while the rest simply fulfilled authentication requests. To resolve that fundamental flaw, Microsoft separated the responsibilities of a DC into multiple roles.
