Active Directory is a centralized system that facilitates authentication and authorization services for the organization. This Microsoft-powered system is the central repository where all your authorization and employees’ privileges are stored.
Active Directory is often the target of attackers, as that’s where you control all domain-related operations. The Domain Controllers keep a written copy of all changes within the domain, and once these are approved, all DCs are updated with the latest changes. The concept is called multi-master replication.
This process facilitates smooth workflow across all domain controllers. The replication concept applies to most operations, except for the sensitive procedures that require a separate DC. That’s where the single-master model comes into play.
In this post, we will walk you through the five main roles of Active Directory, but before that, let’s understand FSMO roles in brief.
What are FSMO Roles?
The main difference between the single-master and multi-master concepts lies in the level of authority assigned to the domain controllers.
The former involves a single DC controlling all major domain operations, while the multi-master system allows changes across all domain controllers.
These changes are copied to other servers within the domain. While that model is quite effective and flexible, it can sometimes lead to replication conflicts.
Organizations implement the single-master model to prevent such conflicts. They assign a single DC the authority to manage, update, and control objects in the domain.
For sensitive procedures that are highly likely to create conflicts after the changes in the DC, the organization assigns FSMO roles. This ensures that only primary domain controllers that are authorized to update the Active Directory make changes to the domain structure, objects, and other elements.
These changes are then replicated in the rest of the Domain Controllers. Not only does it prevent chaos in AD management, but it strengthens your network security.
5 FSMO Roles in Active Directory
Domain Controller can be assigned one or multiple roles, depending on the number of domains in the forest. As mentioned earlier, these roles can be transferred to another DC within the Active Directory if required.
These are further classified into forest-level and domain-level roles. Each domain within the forest has its own RID master, Infrastructure master, and PDC emulator.
The domain controller is assigned these three roles whenever there’s any change in the domain function in an AD. The forest, on the other hand, has a single Schema Master and Domain Naming Master.
Whether it’s a single-domain or multi-domain forest, the forest-level roles remain unchanged. Here’s a brief on each FSMO role.
1. Schema Master
The Schema Master is responsible for making any forest-level upgrades to the directory schema.
Once they have made the changes, these are replicated to all the DCs within the Active Directory. For instance, the Schema Master can change the AD’s operating system, add a new application, or change functions.
Although it’s a very sensitive role, the Schema Master has little impact on the organizational workflow. Even if the DC managing directory schema goes offline for a while, its effect won’t be noticed unless an upgrade is required in the schema.
2. Domain Naming Master
Another forest-level role in an Active Directory is the Domain Naming Master. As the name implies, this FSBO role is assigned to the DC that handles domain management functions. Only an active Domain Naming Master can add, remove, and update domains within AD.
Like a Schema Master, this role is assigned to a single DC. Since changes to the domain don’t occur frequently, your network won’t be affected if this DC goes inactive. They are only needed when the company is adding new domains to the existing forest or deleting the dormant ones.
3. RID Master
The DC assigned this role is responsible for transferring objects within the forest across different domains. They also provide a unique ID to different components in the domain.
Basically, the domain controllers of each domain request RID masters to provide RIDs that can be assigned to the objects in the domain. Once the DC has used all its available RIDs, it can request more from the RID master. Usually, these are assigned in groups of 500.
If the RID master is inactive, you won’t be able to create or upgrade objects in any domain, as adding new objects require a unique ID.
Although it may seem like the inactivity of the DC assigned this role can disrupt the organizational function, it doesn’t really have a significant impact. Businesses that don’t create new objects in the AD frequently will hardly face any problems if the RID master is offline.
4. PDC Emulator
Of all the FSMO roles mentioned above, the PDC Emulator is the most critical. Here’s what they do:
- Update Passwords: Any change in the password across any domain controller will automatically be updated in the PDC emulator immediately. Later, the password change is replicated to other domains within Active Directory. If an unauthorized user tries to access the DC with a wrong password, the failed password attempt message is delivered to the PDC Emulator.
- Lock User’s Accounts: If a user attempts the wrong passwords several times, the PDC Emulator holds the authority to block their accounts permanently. This information is replicated across all domain controllers immediately to prevent users from trying authentication for a different DC.
The PDC emulator is also responsible for time synchronization and domain-level security operations.
5. Infrastructure Master
The Infrastructure Master handles the object references throughout the Active Directory. They use RIDs (the unique IDs assigned to each object) to keep up-to-date with the references and replicate this information to all domains. Although their role is crucial, they don’t affect the routine workflow if they go inactive for a prolonged period.
The main purpose of launching FSMO (flexible single-master operation) is to avoid a single point of failure. The FSMO roles are not confined to a single DC. They can be transferred as and when required, offering flexible operations. This reduces the clutter and facilitates the smooth management of objects in different domain controllers.