Sunday, August 23, 2015

FSMO Roles

There are five FSMO roles: two are forest-wide and three are domain-wide.

The forest-wide FSMO roles are shared by the entire forest and, by default, are held by the first Domain Controller installed in the forest-root domain.

The domain-wide roles exist separately in each domain of the forest.

Forest-wide FSMO roles:

Schema master
The Schema master role is forest-wide and there is one per forest. This role is required to extend the schema of an Active Directory forest. The schema defines the attributes (properties) that each class of Active Directory object can hold.

Domain Naming master
The Domain naming master role is forest-wide and there is one per forest. This role is required to add domains or application partitions to a forest, or to remove them from it.

Domain-wide roles are:

Relative Identifier (RID) master
The RID master role is domain-wide and there is one per domain. This role allocates RID pools to the Domain Controllers so that new or existing Domain Controllers can create user accounts, computer accounts and security groups.

PDC Emulator master
The PDC emulator role is domain-wide and there is one per domain. The PDC emulator is the core and most important role for any domain. It is the time source used to synchronise time between Domain Controllers, and between Domain Controllers and other computers.
It also keeps track of wrong passwords entered by users and receives an update whenever a user or computer password is changed on another Domain Controller.

Infrastructure master
The Infrastructure master role is domain-wide and there is one per domain. This role is responsible for updating group memberships and other references to objects that live in another domain, keeping the SID and distinguished name attributes of such cross-domain references current. It is needed in a multi-domain environment and has no work to do in a single-domain environment.


Note: In a forest with multiple domains it is not recommended to place the Global Catalogue and the Infrastructure master role on the same Domain Controller; the exception is when all Domain Controllers are Global Catalogues. A Global Catalogue holds a partial replica of every object in the other domains, so an Infrastructure master running on a Global Catalogue never sees a stale cross-domain reference and therefore never updates any.
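An added example, not part of the original post: a PowerShell script that lists the holder of each of the five roles described above and then checks the Infrastructure master / Global Catalogue placement described in the note. It assumes the ActiveDirectory RSAT module is installed and the session runs on a domain-joined machine with read access to the directory.

```powershell
# Added example (not from the original post). Lists all FSMO role holders
# and flags the Infrastructure master / Global Catalogue condition.
# Assumes: ActiveDirectory module (RSAT), domain-joined session, read rights.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles: one holder per forest
[PSCustomObject]@{ Scope = "Forest $($forest.Name)"; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
[PSCustomObject]@{ Scope = "Forest $($forest.Name)"; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # Domain-wide roles: one holder per domain
    foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
        [PSCustomObject]@{ Scope = "Domain $domainName"; Role = $role; Holder = $domain.$role }
    }

    # Placement check from the note: in a multi-domain forest the Infrastructure
    # master should not be a Global Catalogue unless every DC in the forest is one.
    if ($forest.Domains.Count -gt 1) {
        $infraDc = Get-ADDomainController -Identity $domain.InfrastructureMaster
        $forestDcs = foreach ($d in $forest.Domains) {
            Get-ADDomainController -Filter * -Server $d
        }
        $everyDcIsGc = -not ($forestDcs | Where-Object { -not $_.IsGlobalCatalog })

        if ($infraDc.IsGlobalCatalog -and -not $everyDcIsGc) {
            Write-Warning ("Infrastructure master {0} for {1} is a Global Catalogue " +
                           "while not all DCs are GCs; cross-domain references will not be updated.") `
                           -f $infraDc.HostName, $domainName
        }
    }
}
```

Run it from an elevated PowerShell session on a Domain Controller or a workstation with RSAT; the warning only appears in forests with more than one domain.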

