Where to Host Active Directory FSMO Roles

The Flexible Single Master Operations (FSMO) roles are a set of roles, each held by exactly one domain controller (DC) in a given Active Directory (AD) forest or domain. There are five distinct FSMO roles: Schema Master, Domain Naming Master, Relative Identifier (RID) Master, Infrastructure Master, and Primary Domain Controller (PDC) Emulator. Frequently, we find that customers host all FSMO roles on a single DC. In many situations this poses no issue and is in fact the ideal design; in others it isn't. The size and complexity of the organization are the critical factors when determining how and where to host FSMO roles.

What are the FSMO Roles?

Each FSMO role has an operational or performance impact on the DC that holds it. Each role also has a different effect during an outage, depending on the length of the outage. After an outage or a change, all FSMO roles should be restored as soon as possible, but some roles have no immediate operational effect when they are unavailable.

The following summarizes the five FSMO roles (what each does, how many exist, its operational cost, the impact of an outage, and what it is required for):

Schema Master
Description: Authoritative for all schema changes made within the AD forest. Schema changes can only be performed while connected to the Schema Master.
Quantity: 1 per forest
Operational cost: Low
Impact of outage: Low
Required for: Performing schema modifications

Domain Naming Master
Description: Authoritative for additions and removals of domains and application partitions in the forest.
Quantity: 1 per forest
Operational cost: Low
Impact of outage: Low
Required for: Creating or removing domains and application partitions

Relative Identifier (RID) Master
Description: Generates RID pools, which DCs use to build the security identifiers (SIDs) of new objects. Every DC must be able to reach the RID Master to obtain a new pool; once a DC exhausts its local pool and cannot get another, it can no longer create security principals, which is noticed quickly.
Quantity: 1 per domain
Operational cost: Low
Impact of outage: Medium
Required for: Issuing new RID pools

Infrastructure Master
Description: Maintains the reference, or phantom, objects that represent objects from other domains in the same forest (for example, cross-domain group members). If this role is unavailable, existing memberships and access control lists (ACLs) keep functioning; only the updating of stale cross-domain references stops.
Quantity: 1 per domain
Operational cost: Low
Impact of outage: Low
Required for: Cross-domain identity/reference resolution

Primary Domain Controller (PDC) Emulator
Description: Performs critical services for the domain, and any downtime is noticed quickly. Every DC must be able to reach the PDC Emulator.
Quantity: 1 per domain
Operational cost: High
Impact of outage: Medium
Required for: Authentication (password-change forwarding and bad-password retries), time synchronization, some directory changes, and Group Policy changes
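The RID Master's outage only hurts once a DC runs out of RIDs, so the practical check is how much of the domain's global pool has already been issued. The PowerShell below is an added example, not code from the original post: it reads the RID Master's bookkeeping object and reports the remaining RIDs. It assumes the ActiveDirectory RSAT module and a reachable DC; no server or domain names are hard-coded.

```powershell
# Added example (not from the original post): report how much of the domain's global RID
# pool the RID Master has handed out so far. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $dom = Get-ADDomain -Identity $Domain

    # The RID Master keeps its pool state on CN=RID Manager$,CN=System. rIDAvailablePool is a
    # single 64-bit integer: the high 32 bits are the pool's upper bound, the low 32 bits are
    # the next RID the master will include in a block issued to some DC. The attribute
    # replicates, so any DC would answer (slightly stale); asking the master itself is exact.
    $ridMgr = Get-ADObject -Server $dom.RIDMaster `
        -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
        -Properties rIDAvailablePool

    $pool  = [int64]$ridMgr.rIDAvailablePool
    $upper = $pool -shr 32            # highest RID this pool can ever issue
    $next  = $pool -band 0xFFFFFFFF   # next RID to be handed out

    [pscustomobject]@{
        Domain        = $dom.DNSRoot
        RidMaster     = $dom.RIDMaster
        NextRid       = $next
        UpperBound    = $upper
        RidsRemaining = $upper - $next
        PercentIssued = [math]::Round(100 * $next / $upper, 3)
    }
}

# Usage:
#   Get-RidPoolStatus | Format-List
#   Get-RidPoolStatus -Domain child.corp.example | Format-List   # assumed domain name
```

A healthy domain normally shows a tiny PercentIssued; a value climbing fast usually means something is bulk-creating and deleting security principals (RIDs are never reused), which is worth chasing before the pool, not just one DC's block, runs dry.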

More information on FSMO roles can be found on Microsoft’s site: 

Where to Host the FSMO Roles

In smaller organizations, or those with less complexity (single forest/single domain), it’s unlikely that you’ll run into issues hosting all FSMO roles on a single DC. From a backup and recovery standpoint, hosting all of the FSMO roles on one DC can be ideal, too. The only time a forest should be restored from backup is when no other domain replicas exist in the environment. All FSMO roles can be monitored together and, as an added benefit, there can be a reduction of resource requirements, such as backup and storage space, when backing up a single DC. 

In larger, more complex organizations, it may be preferable to distribute the FSMO roles across DCs. These organizations commonly have a number of trusted and trusting domains, which can play a key part in where roles are located. Several FSMO roles play a part in trust creation, but none affect day-to-day trust operation, with one exception: the PDC Emulator. The PDC Emulator in the trusting domain is contacted when the trust password is established and each time it is updated, so unlike the other roles it must remain reachable from the trusting domain.

Because the RID Master and PDC Emulator are the two roles whose outage is felt most quickly, it's recommended to host them on the same DC. The PDC Emulator role is the most taxing; monitor that DC's resources and add more where necessary. DC capacity planning guidance can be found on Microsoft's site. According to Microsoft's documentation, the Schema Master and the Domain Naming Master should both be on the PDC Emulator of the forest root domain. The Infrastructure Master can be on any DC if every DC in the domain is a Global Catalog (GC) server, or if the domain has only one DC. If some DCs are not GCs, the Infrastructure Master must be hosted on a DC that is not a GC: a GC holds a partial replica of every object in the forest, so an Infrastructure Master on a GC never sees a stale phantom and silently stops updating cross-domain references. If the Recycle Bin optional feature is enabled in the forest, every DC performs the Infrastructure Master's tasks itself and this placement rule no longer applies.
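The placement rules above (RID Master with the PDC Emulator, forest roles on the forest-root PDC Emulator, Infrastructure Master off a GC unless every DC is a GC or the Recycle Bin is enabled) are easy to audit from the directory. The PowerShell below is an added example, not code from the original post: it reports the role holders in every domain of the forest, flags each rule that is violated, and wraps the transfer cmdlet. It assumes the ActiveDirectory RSAT module and connectivity to at least one DC per domain; the DC names in the usage lines are assumed.

```powershell
# Added example (not from the original post): audit FSMO placement forest-wide against the
# guidance discussed above, then transfer roles gracefully. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest  = Get-ADForest
    $rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

    # Recycle Bin is a forest-wide optional feature; once enabled, every DC performs the
    # Infrastructure Master's phantom cleanup itself and the "not on a GC" rule no longer applies.
    $recycleBin = (Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes.Count -gt 0

    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        $dcs    = Get-ADDomainController -Filter * -Server $name
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imDc   = $dcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }

        [pscustomobject]@{
            Domain                = $domain.DNSRoot
            IsForestRoot          = $domain.DNSRoot -ieq $forest.RootDomain
            PDCEmulator           = $domain.PDCEmulator
            RIDMaster             = $domain.RIDMaster
            InfrastructureMaster  = $domain.InfrastructureMaster
            # Guidance: keep the RID Master and PDC Emulator together.
            RidWithPdc            = $domain.RIDMaster -ieq $domain.PDCEmulator
            # A problem only when the IM is a GC, at least one DC is not, and Recycle Bin is off:
            # a GC has a partial copy of every object, so the IM never finds a stale phantom.
            ImOnGcProblem         = [bool]$imDc.IsGlobalCatalog -and ($nonGc.Count -gt 0) -and -not $recycleBin
            # Forest-wide roles belong on the forest root domain's PDC Emulator.
            SchemaOnRootPdc       = $forest.SchemaMaster -ieq $rootPdc
            DomainNamingOnRootPdc = $forest.DomainNamingMaster -ieq $rootPdc
        }
    }
}

function Move-FsmoRoles {
    # Graceful transfer: the current holder must be online so both DCs agree on the change.
    # Seizing (adding -Force to the cmdlet) is only for a holder that is permanently gone; a DC
    # that had a role seized from it must not be reconnected to the domain without a rebuild.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string[]]$Role   # PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
    )
    if ($PSCmdlet.ShouldProcess($TargetDC, "Transfer $($Role -join ', ')")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
    }
}

# Usage (DC names are assumed):
#   Test-FsmoPlacement | Format-List
#   Move-FsmoRoles -TargetDC DC02 -Role RIDMaster, PDCEmulator -WhatIf
#   Move-FsmoRoles -TargetDC DC02 -Role RIDMaster, PDCEmulator
```

Run the audit from a host with line of sight to every domain; an ImOnGcProblem of True in a multi-DC domain is the one finding that causes silent data staleness rather than a visible outage, so it is the first to fix. Transfers of the RID Master and PDC Emulator together keep those two co-located, as recommended above.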

In Summary

There is nothing incorrect about hosting all FSMO roles on a single DC, regardless of the size and complexity of the organization you support. However, there may be performance reasons to separate certain FSMO roles. Even among veteran AD admins, where to host FSMO roles is still a common topic of conversation. 

Need help managing your Active Directory environment? Ravenswood Technology Group is here for you! Contact us today. 
