Enterprise Administrator
Active Directory is a land of several monarchs. The first and best known of these is the domain administrator: the authority with full control over the configuration and management of users, groups, devices, and permissions for a given domain.
Having a single point of authority works well as long as you’re only talking about one domain. But what happens when you have two or more domains? In keeping with all the arboreal metaphors, Active Directory’s designers decided to call a group of domains a “forest” and to give this higher level of control its own ruler, the enterprise administrator.
The enterprise administrator’s power is great, but subtle. For example, domain administrators don’t notice that this higher power exists until they try to do something within their domain that impacts other domains, such as changing Active Directory trusts or adjusting the Active Directory schema. Only an enterprise admin can make these changes, which is why membership of this group is carefully guarded. These individuals use their immense power infrequently, but to great effect.
FSMO – Flexible Single Master Operation
Updating data on one AD domain controller sounds simple enough, but what happens if an organization has several controllers? How do they avoid conflicts when replicating the same data between them, without creating a single point of failure?
The answer is Active Directory’s equivalent of clustering, Flexible Single Master Operation (FSMO). This divides the responsibilities that must have exactly one owner into five roles, each of which performs a different housekeeping function and each of which can be held by a different DC. Importantly, if the DC holding a role goes down, that role can be moved to one of the other controllers.
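The following script is an added example, not code from the glossary, showing how the five roles described above are spread across a forest: two roles exist once per forest and three once per domain. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the session runs as an account with read access to the forest; the reachability check at the end is a simple ping, so it flags a role holder that is down before a failed schema change or an exhausted RID pool makes the outage obvious.

```powershell
# Added example (not from the glossary): list the FSMO role holders for the
# current forest and each of its domains, then check whether each holder answers.
# Assumes the ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    [CmdletBinding()]
    param(
        # Forest to inspect; defaults to the forest of the current user
        [string]$Forest = (Get-ADForest).Name
    )

    $f = Get-ADForest -Identity $Forest

    # The two forest-wide roles live on exactly one DC in the whole forest
    [pscustomobject]@{ Scope = 'Forest'; Domain = $f.RootDomain; Role = 'SchemaMaster';       Holder = $f.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Domain = $f.RootDomain; Role = 'DomainNamingMaster'; Holder = $f.DomainNamingMaster }

    # The three domain-wide roles exist once in every domain of the forest
    foreach ($d in $f.Domains) {
        $dom = Get-ADDomain -Identity $d
        [pscustomobject]@{ Scope = 'Domain'; Domain = $d; Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
        [pscustomobject]@{ Scope = 'Domain'; Domain = $d; Role = 'RIDMaster';            Holder = $dom.RIDMaster }
        [pscustomobject]@{ Scope = 'Domain'; Domain = $d; Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
    }
}

# Flag any role holder that does not answer a ping, so a dead FSMO owner is
# noticed before it causes a failed schema change or RID pool exhaustion.
Get-FsmoRoleHolders | ForEach-Object {
    $up = Test-Connection -ComputerName $_.Holder -Count 1 -Quiet
    $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue $up -PassThru
} | Format-Table Scope, Domain, Role, Holder, Reachable -AutoSize
```

Run it from a management workstation in the forest; a `Reachable` of `False` on the Schema Master or Domain Naming Master row is the case to investigate first, since those two roles are the ones an enterprise admin needs for forest-wide changes.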
Schema Administrator
Active Directory schema is often described as complex. In fact, it’s incredibly simple. Active Directory is a database, or directory, of network resources such as accounts, users, devices, applications, and logical entities such as groups used to organize them.
But all of these have their own attributes, and that requires a second database. This second database sets out the rules for how Active Directory defines the information held in each attribute.
This is the schema, and the accounts with the power to adjust this schema are called, unsurprisingly, schema administrators. Needless to say, fiddling with the schema is not something done often, if at all. But when you do, you’d better have the super skills to know what in the hell you are doing.
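Both the Enterprise Administrator entry and this one say the same thing from a defender’s point of view: membership of these two forest-level groups should be tiny and known. The script below is an added example, not code from the glossary, that enumerates both groups and warns on the two conditions worth alerting on: Schema Admins holding any member outside a planned schema change, and Enterprise Admins holding an account that is not on an allow-list. It assumes the ActiveDirectory module is installed and the caller can read the forest root domain; the allow-list is a placeholder you replace with your own accounts.

```powershell
# Added example (not from the glossary): audit membership of Enterprise Admins
# and Schema Admins, resolving the groups by their well-known RIDs so a renamed
# group is still found. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Well-known RIDs relative to the forest root domain SID:
# Enterprise Admins = 519, Schema Admins = 518.
$forestGroups = @{ 'Enterprise Admins' = 519; 'Schema Admins' = 518 }

function Get-ForestPrivilegedMembers {
    param(
        # Forest root domain; both groups exist only there
        [string]$RootDomain = (Get-ADForest).RootDomain
    )
    $root = Get-ADDomain -Identity $RootDomain
    foreach ($name in $forestGroups.Keys) {
        $sid   = "$($root.DomainSID)-$($forestGroups[$name])"
        $group = Get-ADGroup -Identity $sid -Server $root.PDCEmulator
        # -Recursive expands nested groups, which is where stray members hide
        Get-ADGroupMember -Identity $group -Server $root.PDCEmulator -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $name
                    Member = $_.SamAccountName
                    Type   = $_.objectClass
                    DN     = $_.distinguishedName
                }
            }
    }
}

# Placeholder allow-list: the accounts you expect to find in Enterprise Admins.
$expectedEnterpriseAdmins = @('Administrator')

$members = Get-ForestPrivilegedMembers
$members | Format-Table Group, Member, Type -AutoSize

# Schema Admins should be empty except during a planned schema change.
$schema = @($members | Where-Object Group -eq 'Schema Admins')
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins has $($schema.Count) member(s); it should be empty outside a planned schema change."
}

# Enterprise Admins should contain only the accounts on the allow-list.
$unexpected = $members | Where-Object {
    $_.Group -eq 'Enterprise Admins' -and $_.Member -notin $expectedEnterpriseAdmins
}
foreach ($m in $unexpected) {
    Write-Warning "Unexpected Enterprise Admins member: $($m.Member) ($($m.DN))"
}
```

Querying the root domain’s PDC emulator directly avoids reading a stale replica, and resolving by SID rather than by name means the check keeps working if someone renames the group to hide it from name-based reports.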