This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

DC and FSMO Roles

Domain Controllers (DCs)

Domain Controllers are Windows servers that host a copy of the Active Directory database (NTDS.dit) and provide Kerberos and NTLM authentication to the domain. Standard DCs hold a writable copy; read-only DCs hold a read-only one.

Core Functions:

  • Authentication Services: Verify credentials over Kerberos (every DC runs the KDC) and NTLM, and issue Kerberos tickets (TGTs and service tickets)

  • Directory Database Storage: Maintain a replicated copy of the directory (NTDS.dit), including every account's password hashes, which is what makes DCs the highest-value hosts in the domain

  • Group Policy Distribution: Deliver policy settings to client computers from the SYSVOL share

  • DNS Services: Usually host the AD-integrated DNS zones that clients use to locate DCs through SRV records such as _ldap._tcp.dc._msdcs.<domain>

  • Time Synchronization: Serve as the time source for domain members; Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default)

Types of Domain Controllers:

Read-Write Domain Controllers (RWDC):

  • Standard DCs that can accept changes to the directory

  • Process authentication requests and directory modifications

  • Participate in multi-master replication

Read-Only Domain Controllers (RODC):

  • Hold a read-only copy of the directory; write attempts are referred to a writable DC

  • Cache credentials only for accounts permitted by the RODC's Password Replication Policy (PRP); by default the Allowed list is empty and highly privileged groups such as Domain Admins, Enterprise Admins, Schema Admins and the krbtgt account are on the Denied list

  • Designed for branch offices with limited physical security; each RODC has its own krbtgt account (krbtgt_<number>), so stealing an RODC does not yield the domain krbtgt key

  • Don't receive password hashes or other credential secrets except for accounts the PRP allows, and replicate one-way only (nothing written on an RODC flows back to the domain); administrators can also define an RODC filtered attribute set to keep other sensitive attributes off the RODC
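The following PowerShell is an added example, not code from the original page, that inventories the DC types described above and audits each RODC's Password Replication Policy. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read the policy; no hostnames or accounts are hard-coded.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a domain-joined session; nothing below is specific to one lab.
Import-Module ActiveDirectory

# 1. Every DC in the domain with the flags that separate RWDC / RODC / GC,
#    plus any FSMO roles it holds.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsReadOnly, IsGlobalCatalog,
                  @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize

# 2. For each RODC: the PRP Allowed/Denied lists and the accounts whose
#    secrets are actually cached on it. The last list is exactly what an
#    attacker with physical access to the RODC can extract.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName

foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    "== $($rodc.HostName) (site $($rodc.Site)) =="

    'Allowed to cache:'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
        ForEach-Object { "  $($_.Name)" }

    'Denied from caching:'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
        ForEach-Object { "  $($_.Name)" }

    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                Select-Object -ExpandProperty SamAccountName
    "Secrets currently cached ($(@($revealed).Count) accounts):"
    $revealed | ForEach-Object { "  $_" }

    # Defensive check: a Domain Admin whose hash sits on a branch-office RODC
    # turns a stolen server into a domain compromise.
    $exposed = @($revealed | Where-Object { $privileged -contains $_ })
    if ($exposed.Count -gt 0) {
        Write-Warning "Domain Admins cached on $($rodc.HostName): $($exposed -join ', ')"
    }
}
```

The -RevealedAccounts list is the one to watch: the Allowed list says who may be cached, but an account is only at risk once it has actually authenticated through the RODC and its secret has been replicated there.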

FSMO Roles (Flexible Single Master Operations)

While Active Directory uses multi-master replication, certain operations require a single authoritative source to prevent conflicts. Each FSMO role is held by exactly one DC at a time; it can be transferred while the holder is online, or seized if the holder is permanently lost (a DC whose roles were seized must never be brought back online).

Forest-Wide FSMO Roles (One per Forest):

Schema Master:

  • Only DC that accepts writes to the schema partition; the writer must also be a member of the forest's Schema Admins group

  • Controls object class and attribute definitions

  • Changes replicate to all DCs in the forest

  • Critical for schema extensions and upgrades (for example adprep /forestprep or an Exchange installation)

Domain Naming Master:

  • Controls addition and removal of domains and application directory partitions in the forest

  • Ensures unique domain names across the forest

  • Maintains the cross-reference (crossRef) objects under CN=Partitions,CN=Configuration that point to every partition

  • Required for domain and application partition creation/deletion operations

Domain-Wide FSMO Roles (One per Domain):

PDC Emulator:

  • Handles password changes and account lockouts: a password change on any DC is replicated to the PDC Emulator immediately, and a DC that rejects a password checks with the PDC Emulator before reporting a bad logon, so lockout counts converge there

  • Provides time synchronization for the domain; the forest root PDC Emulator is the authoritative time source for the whole forest and should itself sync to an external source

  • Maintains compatibility with legacy systems (acts as the PDC for NT4-style clients) and is the DC that Group Policy editing tools write to by default

  • Processes urgent replication events such as account lockouts, which also makes it the DC whose security log sees the most credential-related events

RID Master:

  • Allocates blocks of relative identifiers (RIDs), 500 at a time by default, to each writable DC from the domain-wide pool

  • Ensures unique security identifiers (SIDs) for new objects: a SID is the domain SID plus a RID, so two DCs must never hand out the same RID

  • Prevents SID duplication across the domain; a DC that exhausts its block while the RID Master is unreachable can no longer create users, groups or computers

  • Critical for object creation operations; the remaining domain-wide pool is visible in the rIDAvailablePool attribute of CN=RID Manager$,CN=System
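As an added example (not from the original page), the PowerShell below reads the RID pool state that the RID Master manages and decodes the packed pool values. It assumes the RSAT ActiveDirectory module and a domain-joined session; the attribute names and the low/high 32-bit packing of the pool attributes are as Microsoft documents them.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a domain-joined session.
Import-Module ActiveDirectory

# rIDAvailablePool (domain-wide) and rIDAllocationPool / rIDPreviousAllocationPool
# (per DC) are 64-bit values: the low 32 bits hold the first (or next) RID,
# the high 32 bits the last RID of the range.
function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][Int64]$Packed)
    [PSCustomObject]@{
        Low  = [UInt32]($Packed -band 0xFFFFFFFF)
        High = [UInt32]($Packed -shr 32)
    }
}

$domain = Get-ADDomain

# The domain-wide pool lives on CN=RID Manager$,CN=System and is written only
# by the RID Master (fSMORoleOwner points at its NTDS Settings object).
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                       -Properties rIDAvailablePool, fSMORoleOwner
$pool = ConvertFrom-RidPool -Packed $ridMgr.rIDAvailablePool
"RID Master:        $($domain.RIDMaster)"
"fSMORoleOwner:     $($ridMgr.fSMORoleOwner)"
"Next RID to issue: $($pool.Low)   ceiling: $($pool.High)   left: $([Int64]$pool.High - [Int64]$pool.Low)"

# Each writable DC keeps its current block on the RID Set object referenced
# from its computer account. rIDPreviousAllocationPool is the block in use,
# rIDAllocationPool the block queued next, rIDNextRID the next value it will
# assign. A DC that runs out while the RID Master is unreachable cannot
# create new security principals.
$(foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
    $comp   = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $ridSet = Get-ADObject -Identity ($comp.rIDSetReferences | Select-Object -First 1) `
                           -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $inUse  = ConvertFrom-RidPool -Packed $ridSet.rIDPreviousAllocationPool
    $queued = ConvertFrom-RidPool -Packed $ridSet.rIDAllocationPool
    [PSCustomObject]@{
        DC          = $dc.HostName
        BlockInUse  = "$($inUse.Low)-$($inUse.High)"
        NextRID     = $ridSet.rIDNextRID
        LeftInBlock = [Int64]$inUse.High - [Int64]$ridSet.rIDNextRID
        QueuedBlock = "$($queued.Low)-$($queued.High)"
    }
}) | Format-Table -AutoSize
```

A sudden jump in the domain-wide "next RID" is worth investigating: bulk creation of security principals (for example computer accounts created under the default MachineAccountQuota) burns through blocks, and each block a DC requests is gone for good even if the objects are deleted.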

Infrastructure Master:

  • Updates references to objects in other domains (stored locally as phantom records) when the referenced object is renamed, moved or deleted

  • Maintains cross-domain group membership information, so a group containing users from another domain keeps showing their current names

  • Handles phantom object cleanup

  • Should not be a Global Catalog server (unless all DCs are GCs): a GC never creates phantoms, so an Infrastructure Master that is also a GC never sees anything to update. Once the AD Recycle Bin is enabled, every DC performs this work and placement no longer matters
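The PowerShell below is an added example, not part of the original page, that lists the five FSMO holders and runs the placement checks discussed above (Infrastructure Master versus Global Catalog, Recycle Bin, Schema Admins membership, holder reachability). It assumes the RSAT ActiveDirectory module and a domain-joined session in the forest root domain.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a domain-joined session; run it from the forest root domain so
# the Schema Admins lookup resolves.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Infrastructure Master placement. A GC never creates phantom records, so an
# IM that is also a GC never sees stale cross-domain references to update.
# That is harmless only if every DC is a GC, or if the AD Recycle Bin is
# enabled (then every DC performs the IM work itself).
$writable = @(Get-ADDomainController -Filter { IsReadOnly -eq $false })
$allAreGC = @($writable | Where-Object IsGlobalCatalog).Count -eq $writable.Count
$im       = Get-ADDomainController -Identity $domain.InfrastructureMaster
$recycle  = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' }
$rbOn     = @($recycle.EnabledScopes).Count -gt 0

if ($im.IsGlobalCatalog -and -not $allAreGC -and -not $rbOn) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC while other DCs are not; cross-domain references will go stale."
} else {
    "Infrastructure Master placement OK (IsGC=$($im.IsGlobalCatalog) AllDCsGC=$allAreGC RecycleBin=$rbOn)"
}

# Schema writes are accepted only on the Schema Master and only from members
# of Schema Admins; outside a planned schema change the group should be empty.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive)
if ($schemaAdmins.Count -gt 0) {
    Write-Warning "Schema Admins is not empty: $(($schemaAdmins.SamAccountName) -join ', ')"
} else {
    'Schema Admins is empty (good).'
}

# Every role holder should answer. A holder that is gone for good must have
# its roles seized (Move-ADDirectoryServerOperationMasterRole ... -Force),
# and the old server must never come back online afterwards.
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) | Sort-Object -Unique
foreach ($h in $holders) {
    $up = Test-Connection -ComputerName $h -Count 1 -Quiet
    '{0,-45} reachable={1}' -f $h, $up
}
```

In a multi-domain forest, run the Get-ADDomain part once per domain (with -Identity or -Server) since the three domain-wide roles exist separately in each domain.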

Global Catalog Servers

Global Catalog (GC) servers maintain a searchable catalog of all objects in the forest, served over LDAP on port 3268 (3269 for LDAPS) alongside the normal 389/636:

  • Complete Local Information: Full details for objects in their own domain

  • Partial Remote Information: A read-only copy of the partial attribute set (the schema attributes marked isMemberOfPartialAttributeSet) for objects in every other domain

  • Universal Group Memberships: Forest-wide universal group membership data; global and domain local group membership is not stored in the GC

  • Logon Processing: Required for user logon in multi-domain environments, because the authenticating DC queries a GC for the user's universal group memberships and to resolve a UPN logon to a domain; if no GC is reachable, logons fail (except for members of Domain Admins) unless universal group membership caching is enabled for the site
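As an added example (not from the original page), the PowerShell below shows what a GC holds and what it does not: the partial attribute set, a forest-wide search on port 3268, and universal group membership as seen through the GC. It assumes the RSAT ActiveDirectory module and a domain-joined session; the GC is discovered at run time and the user searched for is the current user.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a domain-joined session; the GC is discovered, not hard-coded.
Import-Module ActiveDirectory

$gc = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
"Using GC $gc"

# 1. The partial attribute set: the schema attributes every GC carries for
#    objects from other domains. Anything not listed here is only available
#    from a DC of the object's own domain (port 389/636).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' `
                    -Properties lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName
"$(@($pas).Count) attributes in the partial attribute set"
'sAMAccountName', 'userPrincipalName', 'member', 'description', 'unicodePwd' |
    ForEach-Object { '{0,-20} in PAS: {1}' -f $_, ($pas -contains $_) }

# 2. A forest-wide search against port 3268. An empty SearchBase on the GC
#    port searches every domain partition. Objects from the local domain come
#    back with all attributes (the GC is also a DC of that domain); objects
#    from other domains come back with PAS attributes only.
$hits = Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
                     -LDAPFilter "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))" `
                     -Properties userPrincipalName
$hits | Select-Object DistinguishedName, userPrincipalName,
                      @{ n = 'Domain'; e = { (($_.DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.' } }

# 3. Universal group membership is replicated to every GC; global and domain
#    local group membership is not. List universal groups forest-wide (the
#    0x8 bit of groupType) with their member counts as seen by the GC.
$ug = Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
                   -LDAPFilter '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=8))' `
                   -Properties member
$ug | Select-Object Name, DistinguishedName, @{ n = 'Members'; e = { @($_.member).Count } } |
    Format-Table -AutoSize
```

Step 2 is also the reason UPN logons and cross-domain enumeration tools talk to 3268 rather than 389: a single query on the GC port covers every domain in the forest, at the cost of seeing only the partial attribute set for foreign objects.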
