Active Directory FSMO Roles Best Practices

Flexible Single Master Operations (FSMO) is a special type of operation performed by Active Directory domain controllers that requires a DC server to be unique in a domain or forest. Various FSMO roles can be performed on the same or multiple domain controllers. A domain controller with any FSMO roles is called an Operations Master DC.

You can perform most of the operations in Active Directory on any of the domain controllers. The AD Replication service synchronizes changes with other domain controllers, ensuring that the AD database is identical across all the DCs in the domain. AD conflict resolution works as follows: if two DCs try to change the attributes of one AD object at the same time, the automatic conflict resolution system keeps track of which change was made last.

However, there are several actions (such as changing the AD schema) where multi-master update conflicts are not allowed. Avoiding such conflicts is the primary task of the domain controllers that hold the FSMO roles. Thus, each FSMO role can only run on one of the domain controllers. And if necessary, you can transfer the FSMO role to another domain controller at any time.

What Are the 5 FSMO Roles in Active Directory?

There are 5 FSMO roles: 2 unique roles for Active Directory forest and 3 for every domain.

• Schema Master — responsible for making changes to the Active Directory schema on available domain controllers. There can be only one role owner for the entire domain forest.
• Domain Naming Master — responsible for the unique name for a domain and application partitions in the forest. Used to add and remove domains to the forest. There can be only one for the entire domain forest.
• Infrastructure Master — stores information about users from other domains, that are added to domain local security groups of your domain. Responsible for updating the SID of a specific object and updating the full name of the object reference between different domains. There can be one for each domain in the forest.
• RID pool manager — responsible for assigning the unique relative ID (RID), required when creating new domain objects (user and computer accounts, groups, contacts, etc.). There can be one for each domain in the forest.
• PDC (Primary Domain Controller) Emulator — responsible for compatibility with NT4 domain and pre-Windows 2000 clients, for the domain time synchronization in the forest, creating Group Policy Objects (GPO) in AD, user password changes, and managing AD user lockout events when users enter incorrect passwords. If the PDC Emulator owner becomes unavailable, this will have the most immediate impact on normal operations and users.

Hint. There is a sixth, unofficial FSMO domain controller role in AD called the Global Catalog.

Best Recommended Practices for FSMO Roles Placement

When you install a new Active Directory domain, all FSMO roles are placed on a single server (on the first promoted domain controller in the domain). According to Microsoft’s recommendation, the Best Practice is to split the FSMO roles between the different domain controllers.

The forest-wide FSMO roles should be placed on one DC, and the domain-wide roles on another. If you have only one domain controller, it is recommended to deploy an additional DC. Thus, in an AD domain with a minimum configuration (2 DCs), you need to place the FSMO role as follows:

Place the following domain roles on a DC1:

• RID Master;
• Infrastructure Master;
• PDC Emulator.

Place the forest roles on a DC2:

• Schema Master;
• Domain Master.

Consider other best practices for placing operations master roles in a domain:

1. In multi-domain environments, place both forest-wide roles on the PDC of the forest root domain, which is also a Global Catalog server;
2. Place all domain-wide roles on one server with sufficient performance;
3. Run the PDC Emulator and RID master roles on the same DC;
4. If all DCs in the domain have the Global Catalog role (today this is the configuration recommended by Microsoft), you can place the Infrastructure Master role on any domain controller. If not, move the Infrastructure Master role to a domain controller that doesn’t have the Global Catalog role enabled;
5. Do not move FSMO roles across the domain too often. It is a bad idea to force domain clients to rediscover the PDC on a regular basis;
6. If you are using virtualized domain controllers, disable time synchronization of virtual machines with FSMO roles with the host hypervisor;
7. Do not use the domain controllers for any tasks other than ADDS, its monitoring and Active Directory backup;
8. Place the Primary Domain Controller (PDC) role on your best hardware in a reliable hub site.

Hint. If your domain has the AD Recycle Bin enabled, each DC is responsible for updating its cross-domain object references. In this case, the Infrastructure FSMO role isn’t actually needed, and it doesn’t matter where you place it.

Run the following command to get the current FSMO roles owners:

netdom query fsmo

In this case, the FSMO roles are split between the two DCs.

You can also find FSMO role owners using PowerShell cmdlets. To get the domain-wide FSMO owner, run:

Get-ADDomain | Select-Object -Property RIDMaster, PDCEmulator, InfrastructureMaster | fl

For forest-wide roles, use:

Get-ADForest | Select-Object -Property SchemaMaster, DomainNamingMaster

Or use the PowerShell one-liner to list all FSMO owners:

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}

What Happens if FSMO Role Owner Fails?

Forest-wide roles are the least critical to AD functioning. What happens if you leave the FSMO role offline for an extended period of time?

• Schema Master — cannot change the AD schema. However, this procedure is performed not often (once or twice in several years) when adding controllers with a new version of Windows Server to the domain or when installing some server products (Exchange, Lync / S4B). In practice, you may not notice the missing schema master for years.
• Domain Master — it is impossible to add or remove a domain (subdomain). Also not a frequent task

Domain-wide roles exist in every domain and are more important to the overall functioning of AD.

• Infrastructure Master — if there are multiple domains on DCs that are not hosting Global Catalogs, membership in local domain groups may be broken;
• RID Master — after a while it will be impossible to create a new object in AD. The time depends on the remaining number of available SIDs, which are issued in blocks of 500 RIDs. If your AD has a small number of objects and you don’t add new ones every day, then the absence of the RID master will go unnoticed for a long time.
• PDC Emulator — the most critical FSMO role. If it is not available, the domain time synchronization will stop and some password lockout policies won’t work.

Keep in mind, that there is no FSMO role which failure would result in a significant loss of Active Directory functionality. Even if all FSMO role holders fail, the domain infrastructure can operate normally within a few days, weeks, or even months. Therefore, if you are going to maintain a DC with one or all FSMO roles, there is no need to move roles to the other DC.

In the table below, we have listed various symptoms that can help you understand when some FSMO role holders are offline or not working properly:

Failure of a DCs with FSMO roles does not lead to malfunction of a domain. However, it makes it impossible to perform many operations, actually shifting the domain to the “read-only” mode. In case of failure of a domain controller with the FSMO roles, you can use the procedure of seizing FSMO roles from a failed DC.

Note. If you need to move the FSMO role to a different DC and the current role holder is online, you should transfer (not seize) the role to the new DC. FSMO roles should only be seized when the current role holder is unavailable. After seizing the FSMO role, the previous holder host should never come back online in your network, as this can break your AD.

How to Check FSMO Roles Health in Active Directory Forest?

You can use the dcdiag tool to quickly check the health of FSMO role holders in Active Directory. Run the following command using the Enterprise Admin credentials:

dcdiag.exe /Test:FSMOCheck

Or you can check only the specific FSMO owner in the domain:

Dcdiag.exe /TEST:RidManager /v

Starting test: RidManager

* Available RID Pool for the Domain is 1600 to 1073741823

* dc02.theitbros.com is the RID Master

* DsBind with RID Master was successful

* rIDAllocationPool is 1100 to 1599

* rIDPreviousAllocationPool is 1100 to 1599

* rIDNextRID: 1130

......................... DC02 passed test RidManager

Occasionally check if all FSMO roles are available, or write a script to do this automatically using the Task Scheduler.

Admin Tools to Manage FSMO roles

To manage and transfer FSMO roles in Active Directory domain you can use the ntdsutil.exe command line tool, or the graphical user interface MMC snap-ins:

• Active Directory Domains and Trusts — Domain Naming Master role;
• Active Directory Users and Computers — Relative ID Master,  Infrastructure Master and Primary Domain Controller Emulator roles;
• Active Directory Schema — Schema Master role.

In addition, you can move the FSMO roles with PowerShell:

Move-ADDirectoryServerOperationMasterRole -Identity "dc02" –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster

You can move all the FSMO roles or only certain ones. In this example, all 5 FSMO roles are transferred from the current owner (wherever they are) to host dc02.

That’s all. Hopefully this has helped to clarify the situation with the FSMO role a bit. In future articles, we will take a closer look at each of the FSMO roles and its features.