Till now we have understood the concept of Forest and Domain and also we know that we have five (5) FSMO Roles in total. Now let see how those roles are placed in an Active Directory Infrastructure.
Out of five roles, two roles are Forest level roles and three are Domain level roles. It means, we have three mandatory roles in every domain and no matter how many domains we have in a forest, we can have only two roles in the entire forest. Also don’t forget that only Domain Controllers (servers with Active Directory Domain Service roles) can hold the FSMO roles. So when I say FSMO role holder, I actually mean the domain controller who is holding that role.
Forest level roles are:
- Schema Master
- Domain Naming Master
Domain level roles are:
- Infrastructure Master
- RID (Relative Identifier) Master
- PDC (Primary Domain Controller) Emulator
In nutshell, if you have 1 forest with multiple domains, Schema Master and Domain Naming Master will be only in one domain but RID Master, Infrastructure Master and PDC will be separate in all different domains.
In a Forest, either a single Domain Controller can hold all the roles or we can split it in different DCs to avoid single point of failure. So in all, minimum one and maximum five Domain Controllers can hold each task in any Active Directory Infrastructure, regardless how big your infrastructure is.
If you are going for an Active Directory Interview, interviewer may confuse you giving weird numbers like: “If we have 3 Forest and 39 Domains with 1467 Domain Controllers in total, how many Schema Master roles we will have?” Never get confuse with these numbers. The simple logic will be:
- Number of Forest = number of Schema Master and Domain Naming Master
- Number of Domains = number of RID Master, PDC Emulator and Infrastructure Master
Really, it’s as simple as that! In this case, we will have 3 Schema Masters and 3 Domain Naming Masters and 39 RID Masters, Infrastructure Masters and PDC Emulators. In this calculation, number of domain controllers doesn’t matter.
For example, let’s assume that we have one forest with four domains (one root domain and three child domains):
- DevOpsAge.local – Forest and Root Domain
- IN.DevOpsAge.local – Child Domain 1
- US.DevOpsAge.local – Child Domain 2
- UK.DevOpsAge.local – Child Domain 3
In this case, we will have only one Schema and Domain Naming Master, which can be placed in either one or maximum two domain controllers in any of these four domains. However we will have separate RID, Infrastructure Master and PDC in DevOpsAge.local, IN.DevOpsAge.local, US.DevOpsAge.local and UK.DevOpsAge.local. Means DevOpsAge.local will have all 5 roles (forest and domain wide) but IN.DevOpsAge.local, US.DevOpsAge.local and UK.DevOpsAge.local will have only 3-3 domain wide roles only, as forest role can be only one in entire forest.
In next topic, we will understand the working of all the FSMO Roles individually and the consequences if any of the roles are down. In the meanwhile, your feedback is welcome.