Understanding FSMO Roles – 1: Initial things

By | May 6, 2020

I remember when I started working as a Windows Admin several years ago, FSMO (Flexible Single Master Operations) was a kind of nightmare for me. I Googled a hundred times to find out what exactly it is, but found only overly theoretical, non-practical information. Now that I actually know what exactly it is, I find it very clear and simple. So I will try to explain it in absolute layman's language, and I hope it will help many engineers like me. Also, instead of explaining it in one shot, we will discuss one role at a time for better understanding.

Before I start, I hope everyone is aware of the Forest and Domain concepts in Active Directory. If not, I strongly recommend you read Active Directory in Nutshell to understand the basic structure of Active Directory. A Domain is just a logical boundary which represents its reach and limitation. For example, DevOpsAge.com is an Active Directory domain which represents the reach and limitation of all employees within the organisation. We can’t go beyond DevOpsAge.com, and no one from outside can come in unless they are authorised.

If we have a group of Domains which belong to a single organisation or infrastructure, it’s called a Forest, and it’s identified by the root domain. For example, DevOpsAge.com, US.DevOpsAge.com and AU.DevOpsAge.com are all different domains but belong to a single forest, DevOpsAge. A forest must have at least two domains.

If we have only one domain in our infrastructure, by default that will also be the forest; however, we generally call it just a Domain. This structure is called a “Single Forest Single Domain” structure. Earlier we had a concept of Tree, which is no longer in use. Now we have something called Child and Tree domains.

  • Child Domain: Any domain which is part of the same forest and shares the extension of the root domain is called a Child Domain. In the above example, US.DevOpsAge.com and AU.DevOpsAge.com are the child domains of the root domain DevOpsAge.com.
  • Tree Domain: Any domain which is part of the same forest but doesn’t share the extension of the root domain is called a Tree Domain. For example, if we have another Active Directory domain called DevOpsAgeOnline.com, which is part of the DevOpsAge.com forest, it will be called a Tree Domain because it does not share the extension of its root domain.
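
To make the two definitions concrete, here is an added example (not part of the original post) that labels each domain of a forest as Root, Child or Tree by comparing its DNS name with the forest root. The function name `Get-DomainKind` and the sample name `MyDevOpsAge.com` are made up for illustration; the other domain names are the ones used above.

```powershell
# Added example: classify forest domains using the definitions in this post.
# Get-DomainKind is a hypothetical helper, not a built-in cmdlet.
function Get-DomainKind {
    param(
        [Parameter(Mandatory)] [string]   $RootDomain,
        [Parameter(Mandatory)] [string[]] $Domains
    )
    $cmp  = [System.StringComparison]::OrdinalIgnoreCase   # DNS names are case-insensitive
    $root = $RootDomain.TrimEnd('.')
    foreach ($d in $Domains) {
        $name = $d.TrimEnd('.')
        $kind = if ($name.Equals($root, $cmp)) {
            'Root'
        } elseif ($name.EndsWith(".$root", $cmp)) {
            # The leading dot matters: the name must end with the root as a
            # whole DNS suffix, not merely end with the same characters.
            'Child'
        } else {
            'Tree'
        }
        [pscustomobject]@{ Domain = $d; Kind = $kind }
    }
}

# Constructed sample input. MyDevOpsAge.com is an invented name that ends in
# the same characters as the root but is not under it, so it is a Tree domain.
$sample = 'DevOpsAge.com', 'US.DevOpsAge.com', 'AU.DevOpsAge.com',
          'DevOpsAgeOnline.com', 'MyDevOpsAge.com'
Get-DomainKind -RootDomain 'DevOpsAge.com' -Domains $sample | Format-Table -AutoSize

# Against a live forest (assumes a domain-joined machine with the
# ActiveDirectory module from RSAT installed):
#   $forest = Get-ADForest
#   Get-DomainKind -RootDomain $forest.RootDomain -Domains $forest.Domains
```

Running this against the real forest is a quick way to confirm that every domain listed is one you expect to be there.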

In the next post, we will discuss why we need FSMO roles, how many there are and how they can actually be placed within the organisation. In the meantime, your feedback and questions are welcome.
