Created: June 4th 2015
Updated: 8/23/20
Windows Domain Controller Operations Masters Placement
Active Directory Domain Services (AD DS) supports multimaster replication of directory data, which means any domain controller can accept directory changes and replicate the changes to all other domain controllers. However, certain changes, such as schema modifications, are impractical to perform in a multimaster fashion. For this reason certain domain controllers, known as operations masters, hold roles responsible for accepting requests for certain specific changes.
Three operations master roles (also known as flexible single master operations or FSMO) exist in each domain:
PDC emulator:
- Receives urgent replication of password changes made on any other domain controller in the domain
- Is consulted by other DCs before they reject a logon for a bad password, so a recently changed password is accepted domain-wide
- Default target DC for Group Policy edits (GPMC and the Group Policy editor write to it)
- Authoritative time source for the domain
- Target DC for legacy applications that perform write operations and for some admin tools
- Should be online and reachable at all times
- Generally placed on high-performance infrastructure that is well connected to the other domain controllers
RID master:
- Allocates active and standby RID pools to each DC in the domain
- Must be online for a newly promoted DC to obtain its initial RID pool, and when an existing DC must replace its current or standby pool allocation – (a RID is the final component of a SID, not a superset of it: the domain SID plus a RID uniquely identifies one security principal)
- Ensures that every security principal created in the domain receives a unique SID
Infrastructure master:
- Updates cross-domain object references (phantoms) in its domain by comparing them against the global catalog
- A separate infrastructure master role exists for each application partition, including the default forest-wide and domain-wide DNS application partitions (ForestDnsZones and DomainDnsZones); its owner is recorded in the fSMORoleOwner attribute of that partition's Infrastructure container
- In a single-domain forest, the infrastructure master can be placed on any DC
- In a multi-domain forest, the infrastructure master is generally placed on a DC that is not a GC, because a GC already holds a copy of every object and the role then never detects stale references
- Except in the case where all DCs in the forest are GCs; in that case the infrastructure master can be placed on any DC
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
Schema master:
- Performs updates to the AD schema
- Schema extensions such as adprep /forestprep and Exchange setup
- Must be online for schema changes
Domain naming master:
- Adds domains and application partitions to the forest and removes them from it
- Must be online when domains or application partitions are added to or removed from the forest
Place the domain controllers hosting these operations master roles in areas where network reliability is high, and ensure that the PDC emulator and the RID master are consistently available.
Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain.
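The following PowerShell is an added example (not code from the original page) that lists the five role holders and checks them against the placement rules above: the infrastructure master in a multi-domain forest should not be a GC unless every DC is a GC, and each application partition's own infrastructure master should point at a live DC rather than one that has been deleted. It assumes the ActiveDirectory RSAT module on a domain-joined host; no domain or host names are hard-coded.

```powershell
# Added example: audit operations master placement against the rules above.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-level and three domain-level role holders
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# Placement rule: in a multi-domain forest the infrastructure master must not
# be a GC unless every DC in the forest is a GC.
$allDCs = $forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}
$allAreGC = -not ($allDCs | Where-Object { -not $_.IsGlobalCatalog })
$infraDC  = Get-ADDomainController -Identity $domain.InfrastructureMaster

if ($forest.Domains.Count -gt 1 -and $infraDC.IsGlobalCatalog -and -not $allAreGC) {
    Write-Warning ("Infrastructure master {0} is a GC in a multi-domain forest " +
                   "where not every DC is a GC; phantom updates will not happen." -f $infraDC.HostName)
} else {
    "Infrastructure master placement OK ({0}, GC={1}, domains={2})" -f `
        $infraDC.HostName, $infraDC.IsGlobalCatalog, $forest.Domains.Count
}

# Each application partition has its own infrastructure master, recorded in
# fSMORoleOwner on CN=Infrastructure,<partition DN>. If that DN refers to a
# deleted NTDS Settings object (contains 0ADEL), adprep and other schema-level
# operations can fail until it is corrected.
foreach ($nc in $forest.ApplicationPartitions) {
    $infra = Get-ADObject -Identity "CN=Infrastructure,$nc" `
                          -Properties fSMORoleOwner -ErrorAction SilentlyContinue
    if (-not $infra) { "{0}: Infrastructure container not readable from this DC" -f $nc; continue }

    $owner = $infra.fSMORoleOwner
    if ($owner -match '0ADEL') {
        Write-Warning ("{0}: infrastructure master points at a deleted DC: {1}" -f $nc, $owner)
    } else {
        "{0}: infrastructure master = {1}" -f $nc, $owner
    }
}
```

Run it from any domain member with RSAT; the application-partition loop only succeeds against a DC that hosts those partitions (normally any DC running DNS), which is why a missing Infrastructure container is reported rather than treated as an error.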
Typically I’ve found you want the PDC, RID Pool Manager, and Infrastructure Master on the Primary Domain Controller. You then want the last two, Schema Master and Domain Naming Master, on a Secondary Domain Controller.
To verify the operations masters easily, instead of opening each MMC snap-in individually, you can open a command prompt and run:
“netdom query fsmo” and press Enter.
It shows where all of the operations masters are located. This comes in handy when you are retiring a Windows Server 2003 DC from a forest that is being moved to 2008, so you can confirm that no operations master is still held by the old 2003 DC before you demote it.
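The same pre-demotion check, as an added PowerShell example that is not part of the original page: it determines which roles (if any) the DC being retired still holds, transfers them to a surviving DC, and then re-runs netdom query fsmo to confirm. The hostnames $OldDC and $NewDC are hypothetical placeholders; replace them with your own.

```powershell
# Added example: confirm a DC holds no operations master role before demoting it,
# and transfer any roles it still holds to a surviving DC.
# $OldDC and $NewDC are hypothetical names; adjust for your forest.
Import-Module ActiveDirectory

$OldDC = "dc2003.corp.example"   # DC being retired (hypothetical)
$NewDC = "dc2008.corp.example"   # DC that should take over its roles (hypothetical)

# Resolve the domain of the outgoing DC; the domain-level roles belong to it,
# while the two forest-level roles come from the forest object.
$oldDCObj = Get-ADDomainController -Identity $OldDC
$domain   = Get-ADDomain -Identity $oldDCObj.Domain
$forest   = Get-ADForest

$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Roles whose holder is the DC we are about to remove (case-insensitive FQDN match)
$held = @($holders.GetEnumerator() |
          Where-Object { $_.Value -ieq $oldDCObj.HostName } |
          ForEach-Object { $_.Key })

if ($held.Count -eq 0) {
    "{0} holds no operations master role; safe to demote." -f $OldDC
} else {
    "{0} still holds: {1}" -f $OldDC, ($held -join ', ')

    # Graceful transfer: both DCs must be online and replicating. Add -Force only
    # to seize roles from a DC that is permanently gone, and never bring that DC
    # back online afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
        -OperationMasterRole $held -Confirm:$false

    "Transferred {0} to {1}" -f ($held -join ', '), $NewDC
}

# Re-verify with the command the text recommends.
netdom query fsmo
```

Transfer rather than seize whenever the old DC is still reachable; seizing while the original holder could later come back creates two DCs that each believe they own the role, which for the RID master can lead to duplicate SIDs.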