What do the Active Directory FSMO roles do?

In general, all domain controllers in an Active Directory domain are created equal. That is, they all have the ability to both read from and write to the Active Directory database and are essentially interchangeable. However, certain operations within a domain and forest must be centrally coordinated from a single authoritative source. These operations are handled by only one domain controller within the domain and are divided into five distinct operational categories. These categories are referred to as Flexible Single Master Operations (FSMOs).

The term flexible refers to the fact that no particular domain controller must handle these operations. Instead, the five FSMO roles can be held by any one domain controller; in fact, all five roles can be held by a single domain controller if you desire. When you install the first Active Directory domain in a new forest, the first domain controller you create automatically holds all five roles, and will continue to do so unless you manually move one or more of the roles to another domain controller.

The FSMO Roles

The five FSMO roles are as follows:

  • Schema master. This role is held by only one domain controller per forest. This role coordinates all changes to the Active Directory schema, and is required in order to process any schema updates. Only the schema master is permitted to replicate schema changes to other domain controllers in a forest.
  • Domain naming master. This role is held by only one domain controller per forest. This role handles all changes to the forest-wide domain namespace, and is the only role that can process the addition or removal of a domain to or from the forest.
  • RID master. This role is held by only one domain controller per domain. This role manages the relative identifier (RID) pool for the domain (for more information about RIDs, see the sidebar "Relative Identifiers in a Domain"). This role is also responsible for moving objects from one domain to another within a forest.
  • PDC emulator. This role is held by only one domain controller per domain. This role is the central authority for time synchronization within a domain, and emulates the functionality of a Windows NT 4.0 Primary Domain Controller (PDC). Any NT Backup Domain Controllers (BDCs) in a domain replicate from the PDC emulator. Pre-Windows 2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact the PDC emulator to change user and computer passwords. The PDC emulator is also responsible for processing account lockouts. Finally, any failed logon attempts are first forwarded to the PDC emulator before returning a bad logon message to the client. The PDC emulator is the one FSMO role that your domain cannot live without for very long. This role should be placed on a robust server computer, and you should monitor that computer closely to ensure that the PDC emulator is functioning correctly. Because the PDC emulator processes account lockout, it is a key piece of Active Directory's security infrastructure.
  • Infrastructure master. This role is held by only one domain controller per domain. This role updates object security identifiers (SIDs) and distinguished names (DNs) in cross-domain object references.

Relative Identifiers in a Domain

All security principals, such as users and computers, in a domain have a unique SID that identifies the principal on access control lists (ACLs) in the domain. SIDs consist of two major portions: the domain SID, which is the same for all SIDs within a domain, and a RID, which is unique for each security principal within a domain. The combination of the domain SID and the RID makes the resulting SID completely unique across domains, even though different domains can issue the same RIDs.

The RID master allocates small pools of unique RIDs to each domain controller in a domain. Domain controllers use this pool to assign RIDs when creating new security principals. When a domain controller runs out of available RIDs, the domain controller contacts the RID master to obtain a new pool. Because all RIDs originate from a single source, the RIDs are guaranteed to be unique within the domain.
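
The split described in this sidebar can be seen by breaking SIDs into their domain SID and RID. This is an added example, not part of the original article; the function name Split-Sid and all SID values are constructed for illustration.

```powershell
# Added example: separate a SID into its domain SID and RID.
function Split-Sid {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Sid)
    process {
        $parsed = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        # AccountDomainSid is $null for SIDs that were not issued by a domain
        # or machine account authority (for example the built-in S-1-5-32-544).
        $domainSid = $parsed.AccountDomainSid
        [pscustomobject]@{
            Sid       = $parsed.Value
            DomainSid = if ($domainSid) { $domainSid.Value } else { $null }
            Rid       = if ($domainSid) { [uint32](($parsed.Value -split '-')[-1]) } else { $null }
        }
    }
}

# Constructed sample SIDs: two principals in one domain, one principal in a
# second domain that happens to have the same RID, and one built-in group.
$sample = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1105'
    'S-1-5-21-1111111111-2222222222-3333333333-1106'
    'S-1-5-21-4000000000-555555555-666666666-1105'
    'S-1-5-32-544'
)
$split = $sample | Split-Sid
$split | Format-Table -AutoSize

# RID 1105 appears under two different domain SIDs, so the full SIDs differ.
$split | Where-Object Rid | Group-Object Rid |
    Select-Object @{n = 'Rid'; e = { $_.Name } },
                  @{n = 'DomainSids'; e = { ($_.Group.DomainSid | Sort-Object -Unique) -join ', ' } }
```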

You might sometimes see references to a sixth FSMO role, the Global Catalog (GC). Although the GC is an extra function that can be assigned to a domain controller, it is not a FSMO. Domains and forests can contain multiple domain controllers acting as a GC server, whereas FSMOs are by definition held by one, and only one, domain controller at a time.

For more information about the FSMO roles, refer to the Microsoft article "Windows 2000 Active Directory FSMO Roles."

The following list provides some best practices for placing FSMOs:

  • In a multiple-domain forest, never place the infrastructure master role on a domain controller that is also a GC server. The infrastructure master's job is to update cross-domain references, and it does so by looking for references it does not itself possess. Because a GC contains a reference to every object in the entire forest, the infrastructure master will never be without a reference, and will therefore fail to perform its job properly.
  • Because the PDC emulator holds such a crucial, central role in Active Directory, you should place the PDC emulator on a domain controller that has the best possible connectivity to other domain controllers in the domain. The PDC emulator in the forest root domain synchronizes time for all other PDC emulators in the forest, and should have a reliable network connection to the domain controllers holding the role in each domain.
  • You should place the schema master on a domain controller that is physically collocated with the administrators responsible for maintaining the forest's schema. This placement will ensure that the administrators have a reliable connection when performing schema updates.

FSMO Failover

Active Directory does not provide automatic failover for the FSMO roles. Some of the roles, such as the schema master, aren't required for Active Directory's day-to-day operations, so automatic failover isn't strictly necessary. However, some roles, such as the PDC emulator, control critical domain operations, and you'll notice pretty quickly if the domain controller containing the role fails. In those cases, you'll have to manually relocate the FSMO role to another domain controller.
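
Because nothing fails over automatically, it helps to audit regularly who holds each role, whether the holder answers, and whether the infrastructure master rule from the placement list is respected. The script below is an added example, not part of the original article; the function name Get-FsmoPlacementReport is hypothetical, and it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the directory.

```powershell
# Added example: report FSMO role holders, their reachability and GC status.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    [CmdletBinding()]
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain      = Get-ADDomain -Identity $DomainName
    $forest      = Get-ADForest -Identity $domain.Forest
    $multiDomain = @($forest.Domains).Count -gt 1

    # Two roles are forest-wide, three are per domain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($entry in $roles.GetEnumerator()) {
        $holder = $entry.Value
        # An unreachable holder will not be replaced automatically.
        $reachable = Test-NetConnection -ComputerName $holder -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        $isGc = $null
        if ($reachable) {
            $isGc = (Get-ADDomainController -Identity $holder -Server $holder).IsGlobalCatalog
        }

        $finding = 'OK'
        if (-not $reachable) {
            $finding = 'Holder unreachable on LDAP/389; role must be relocated manually if it stays down'
        }
        elseif ($entry.Key -eq 'InfrastructureMaster' -and $multiDomain -and $isGc) {
            $finding = 'Infrastructure master is also a GC in a multiple-domain forest'
        }

        [pscustomobject]@{
            Role = $entry.Key; Holder = $holder; Reachable = $reachable
            IsGlobalCatalog = $isGc; Finding = $finding
        }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

Run it once per domain in the forest, since the RID master, PDC emulator and infrastructure master are held separately in each domain.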