Active Directory

Flexible Single Master Operations Roles (FSMO)

There are five FSMO roles in a forest, and they can be held by a single domain controller or spread across several domain controllers.

In a forest, there can be only one Schema Master and one Domain Naming Master. These are the Forest roles.

In a domain, there can be only one RID Master, one PDC Emulator, and one Infrastructure Master. These are the Domain roles.

Schema Master: It holds the only read-write copy of the Active Directory Schema.

Domain Naming Master: It verifies the domain names in your forest and makes sure the domain name you create does not already exist in that forest. This role is needed to add additional domains to the forest.

RID Master: It makes sure you have unique SIDs. The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain.


PDC (Primary Domain Controller) Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Also password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator.

Infrastructure Master: It updates group memberships. For example, when you add a user to a group, the Infrastructure Master updates the membership and lets every other DC know about it. If that group is a Universal group, the membership should also be added to the global catalog.

The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server, it will stop updating object information, because the GC does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.

How to find out which domain controller holds each FSMO role:

You can run the following command on a domain controller:

NetDOM /query FSMO
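As an added example that is not part of the original page, the following PowerShell script lists all five role holders with the ActiveDirectory module and also checks the Infrastructure Master placement rule described above (IM on a GC). It assumes the RSAT ActiveDirectory module is installed and that it runs as a user allowed to read the forest and domain objects; the function name Get-FsmoReport is made up for this example.

```powershell
# Added example: enumerate FSMO role holders and check IM / Global Catalog placement.
# Assumes the RSAT ActiveDirectory PowerShell module is available on this host.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param(
        # Defaults to the domain of the machine running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-wide roles (one holder per forest) followed by the
    # three domain-wide roles (one holder per domain).
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $dom.RIDMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{ Role = $r.Key; Holder = $r.Value }
    }

    # Placement check: the IM should not sit on a GC. The one case where it
    # does not matter is when every DC in the domain is a GC, because then
    # no DC lacks the partial replica the IM would otherwise have to fix up.
    $im    = Get-ADDomainController -Identity $dom.InfrastructureMaster
    $dcs   = Get-ADDomainController -Filter * -Server $Domain
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning ("Infrastructure Master {0} is a Global Catalog while other DCs in {1} are not; " +
                       "it will not update cross-domain references. Move the role to a non-GC DC." -f
                       $im.HostName, $Domain)
    }
}

Get-FsmoReport
```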
