
FSMO Confusion in multiple domains

When I teach classes on Active Directory I cover various domain models, including the empty root domain model. This model has several security, delegation and political benefits that I will cover in a future article; suffice to say it uses two domains: the child domain is the production domain, and the empty root contains only certain FSMO roles and the forest-wide groups.

When I teach this model I always ask the class how many FSMO roles there are, and if the class is awake I generally get the correct answer of five. I then point to the empty root domain model and ask where the 8 FSMO roles should be placed. Invariably I get a look of confusion, because there are only five.....

What a lot of people forget is that the minimum number of FSMO roles a domain can hold is three and the maximum is five. Let's look at that empty root domain again. The empty root is just a Windows domain that happens to be the first domain created in the forest, and as such it holds all five FSMO roles: Schema Master, Domain Naming Master, PDC Emulator, RID Master and Infrastructure Master. The first two are forest-wide, so they only ever exist in one domain of the forest; the other three are domain-wide and exist in each and every domain created. This is where the confusion comes in.
Your very first domain (the empty root in this example) will have FIVE FSMO roles; the child domain will hold THREE. Five plus three equals eight, which explains how you can have eight FSMO roles across two domains.
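The two-plus-three-per-domain arithmetic above can be checked against a live forest. The following PowerShell is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module and a domain-joined account with read access, and adds a placement check for the Infrastructure Master that the article does not mention.

```powershell
# Added example (not from the original article): list FSMO role holders
# across every domain in the current forest and show why the total is
# 2 forest-wide roles + 3 per domain.
Import-Module ActiveDirectory

$forest = Get-ADForest

# The two forest-wide roles live in exactly one domain of the forest.
$forestRoles = [ordered]@{
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}

# The three domain-wide roles exist in every domain, including the empty root.
$domainRoles = foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        [pscustomobject]@{
            Domain = $d.DNSRoot
            Role   = $role
            Holder = $d.$role
        }
    }
}

"Forest-wide roles (held once per forest):"
$forestRoles.GetEnumerator() | ForEach-Object { "  {0,-20} {1}" -f $_.Key, $_.Value }

"Domain-wide roles (held once per domain):"
$domainRoles | Format-Table Domain, Role, Holder -AutoSize

$total = $forestRoles.Count + $domainRoles.Count
"Total FSMO roles: {0} = 2 forest-wide + 3 x {1} domain(s)" -f $total, $forest.Domains.Count

# Placement check (a standard caveat, not from the article): the Infrastructure
# Master should not sit on a global catalog unless every DC in that domain is
# also a GC, otherwise cross-domain object references stop being updated.
foreach ($entry in ($domainRoles | Where-Object Role -eq 'InfrastructureMaster')) {
    $holder = Get-ADDomainController -Identity $entry.Holder
    $nonGc  = Get-ADDomainController -Filter * -Server $entry.Domain |
              Where-Object { -not $_.IsGlobalCatalog }
    if ($holder.IsGlobalCatalog -and $nonGc) {
        "WARNING: {0}: Infrastructure Master {1} is a GC while other DCs are not" -f $entry.Domain, $entry.Holder
    }
}
```

Run it from any domain in the forest; in the empty-root model it prints five holders for the root and three for the child, for a total of eight.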

Gary Williams

IT Person | Veeam Vanguard | VMware vExpert | Windows admin | Docker fan | Spiceworks moderator | keeper of 3 cats | Avid Tea fan