The Flexible Single-Master Operation (FSMO) roles are a combination of roles that are held by a single domain controller (DC) in a given Active Directory (AD) forest or domain. There are five distinct FSMO roles: Schema Master, Domain Naming Master, Relative Identifier (RID) Master, Infrastructure Master, and Primary Domain Controller (PDC) Emulator. Frequently, we find that customers host FSMO roles on a single DC. In many situations, this won’t pose an issue and is an ideal design. However, sometimes this design isn’t ideal. The size and complexity of the organization are critical factors when determining how and where to host FSMO roles.
What are the FSMO Roles?
Each role in your AD environment has an operational or performance impact on DC resources. In addition, each role will have a different effect during an outage, depending on the length of outage. In the event of an outage or a change, all FSMO roles should be restored as soon as possible—but there are some roles that do not have an immediate operational effect.
The following table summarizes the five FSMO roles:
FSMO Role | Description | Quantity | Operational Cost | Impact of Outage | Required For |
---|---|---|---|---|---|
Schema Master | This role is authoritative for all schema changes that are made within the AD forest. You can only perform schema changes while connected to the Schema Master. | 1 per forest | Low | Low | Performing schema modifications |
Domain Naming Master | This role is authoritative for additions and removals of domains and application partitions in a forest. | 1 per forest | Low | Low | Creating new domains or application partitions |
Relative Identifier (RID) Master | This role is responsible for generating RID pools, which are used to assign security identifiers (SIDs) to new objects. There will be a noticeable impact when a RID pool is depleted because there will be no SIDs available for the creation of new objects. All DCs need to be able to communicate with the RID Master to retrieve new RID pools. | 1 per domain | Low | Medium | Issuing new RID pools |
Infrastructure Master | This role is responsible for maintaining the reference, or phantom, objects that represent objects from another domain in the same forest. If this role is unavailable, it won’t prevent existing memberships and access control lists (ACLs) from functioning. | 1 per domain | Low | Low | Cross-domain identity/reference resolution |
Primary Domain Controller (PDC) Emulator | This role performs critical services for the domain, and any downtime will be noticed quickly. All DCs need to be able to communicate with the PDC Emulator. | 1 per domain | High | Medium | Authentication, time synchronization, some directory changes, and Group Policy changes |
More information on FSMO roles can be found on Microsoft’s site:
Where to Host the FSMO Roles
Partner with Microsoft experts you can trust
If it’s time to take that first step toward leveling up your organization’s security, get in touch with Ravenswood to start the conversation.
In smaller organizations, or those with less complexity (single forest/single domain), it’s unlikely that you’ll run into issues hosting all FSMO roles on a single DC. From a backup and recovery standpoint, hosting all of the FSMO roles on one DC can be ideal, too. The only time a forest should be restored from backup is when no other domain replicas exist in the environment. All FSMO roles can be monitored together and, as an added benefit, there can be a reduction of resource requirements, such as backup and storage space, when backing up a single DC.
In larger, more complex organizations, it may be more ideal to diversify the placement of FSMO roles. In these organizations it’s common to have a number of trusted and trusting domains, which can play a key part in where roles are located. Most FSMO roles play a part in trust creation but will not affect trust operation—the exception to this rule is the PDC Emulator role. This particular FSMO role is required in the trusting domain when the trust password is established and updated. Unlike other FSMO roles, the PDC Emulator role should be available in the trusting domain.
The RID Master role is responsible for generating RID pools, which are used to assign SIDs to new objects. Due to the criticality of the RID Master and PDC Emulator roles, it’s recommended to host them on the same DC. The PDC Emulator role will be the most taxing; therefore, you’ll want to monitor resources and add more where necessary. DC capacity planning can be found on Microsoft’s site. According to Microsoft’s documentation, the Schema Master should be on the PDC of the forest root domain and the Domain Naming Master should be on the forest root PDC. As noted above, the Infrastructure Master role can be on any DC if all DCs are Global Catalog servers. That being said, if one DC is not a Global Catalog server, the Infrastructure Master role must be hosted on that particular server. If the Recycle Bin is enabled in a domain, the Infrastructure Master’s tasks are performed on each DC.
In Summary
There is nothing incorrect about hosting all FSMO roles on a single DC, regardless of the size and complexity of the organization you support. However, there may be performance reasons to separate certain FSMO roles. Even among veteran AD admins, where to host FSMO roles is still a common topic of conversation.
Need help managing your Active Directory environment? Ravenswood Technology Group is here for you! Contact us today.