What are Flexible Single Master Operation (FSMO) Roles in Active Directory?

Flexible single master operation (FSMO) roles are specialised Active Directory operations that only one domain controller at a time is allowed to perform. Active Directory depends on five such roles for the smooth working of its multi-master replication model.

Schema Master:

The schema master domain controller is responsible for all modifications and updates to the schema. After the schema is updated, the change is replicated from the schema master to all other domain controllers in the forest. There is only one schema master per forest; to update the forest schema, the schema master must be available so that the change can replicate to the other AD servers.

A typical schema update scenario is upgrading a Windows 2000 domain controller to Windows 2003: the resulting Active Directory schema changes are replicated throughout the forest by the schema master.

Domain Naming Master:

The domain naming master domain controller is responsible for the addition and removal of domains in the Active Directory forest. It is the only domain controller that can add a domain to, or remove a domain from, Active Directory. It is also responsible for adding or removing cross-references to external directories. There is only one domain naming master per forest.

Infrastructure Master:

The infrastructure master keeps references to objects in other domains up to date by comparing its data with the Global Catalog (GC). When an object in another domain is referenced, it is referenced by GUID, by SID (for security principals) and by distinguished name (DN). Each domain has exactly one infrastructure master, and that domain controller is responsible for updating an object's SID and distinguished-name reference in a cross-domain environment.

The domain controller that holds the Infrastructure Master (IM) role should not be a Global Catalog server. If both the Global Catalog and the Infrastructure Master role are on the same domain controller, cross-domain object information will not be updated: the IM works by looking for references to objects it does not itself hold, and a Global Catalog holds a partial replica of every object in the forest, so it never finds such references. In that situation the cross-domain references in that domain are not updated and a warning is recorded in the DC's event log.

Relative ID (RID) Master:

The RID master allocates blocks of relative IDs (RIDs) to all domain controllers in its domain. At any given time there can be only one RID master in a domain.

Whenever a domain controller creates a user, group or computer object, the object receives a unique security ID (SID) built from RIDs issued by the RID master. A SID consists of two parts: the domain SID, which is the same for every object created in the domain, and the relative ID (RID), which is unique for each security object created in the domain.

Every domain controller holds a pool of RIDs from which it assigns a RID to each new security object it creates. Whenever the RID pool on a DC falls below a certain threshold, the DC sends a request to the RID master for additional RIDs.

You can move objects between domains with movetree.exe. The move must be initiated on the RID master of the domain that currently contains the object.

PDC Emulator:

The PDC emulator is authoritative for the domain and is responsible for time synchronization in the enterprise. At any given time there can be only one PDC emulator in a domain.

The PDC emulator has the following responsibilities:

Any password change on a domain controller is replicated preferentially to the PDC emulator.
Password authentication failures recorded on a domain controller are forwarded to the PDC emulator before the user receives the password failure message.
The PDC emulator is responsible for the account lockout process.
The PDC emulator keeps the master copy of each GPO in its SYSVOL share, and GPO creation and editing are performed against that copy.

How to Transfer FSMO Roles:

To transfer the FSMO roles from one DC to another, you have two options. The first is a transfer, which is the recommended method; it requires both domain controllers to be online. The second is used when the current role holder is offline: you use the Ntdsutil.exe tool to seize the FSMO roles.
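As an added example (not part of the original article), the following PowerShell script lists the current holders of the five roles, checks for the Infrastructure Master / Global Catalog conflict described earlier, and shows the transfer and seize forms of Move-ADDirectoryServerOperationMasterRole. It assumes the ActiveDirectory module (RSAT) is installed, that the session runs as a Domain Admin, and uses "DC02" as a placeholder target server name.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is available and the session has Domain Admin rights.
# "DC02" below is a placeholder for the target domain controller.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    $roles = Get-FsmoRoleHolders
    # If every DC in the domain is a Global Catalog, there are no stale
    # cross-domain references to fix and the placement does not matter.
    $allDcs = @(Get-ADDomainController -Filter *)
    if (@($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0) {
        return "OK: every DC is a Global Catalog; IM placement is irrelevant."
    }
    $im = Get-ADDomainController -Identity $roles.InfrastructureMaster
    if ($im.IsGlobalCatalog) {
        return "WARNING: Infrastructure Master $($im.HostName) is also a Global Catalog; cross-domain references will not be updated."
    }
    return "OK: Infrastructure Master $($im.HostName) is not a Global Catalog."
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement

# Graceful transfer (both DCs online): move the PDC Emulator and RID Master to DC02.
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator, RIDMaster

# Seizure (current holder permanently offline): same cmdlet with -Force, the
# PowerShell equivalent of "roles" / "seize" in Ntdsutil.exe. Do not return the
# former holder to the network afterwards without rebuilding it.
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force
```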


Edited by: Rajesh Bihani
