Understanding FSMO Roles
Author: Rob Golding
Email: rob@maxms.net
Published: 13th April 2007
Category: Windows Server
Sub-Category: Active Directory

FSMO stands for Flexible Single Master Operations, so an FSMO Role is a Flexible Single Master Operations Role. There are five of these in Active Directory 2003, and in this article I will explain the purpose of each one and what it does.

Flexible means that the roles can be swapped around, and the administrator can decide which DC holds which role(s).

Single means that only one DC can hold each role. This can apply to each domain, or to the entire forest. I will go into more detail about this later.

The five roles are as follows:

PDC Emulator

  • Synchronises time across the domain, ensuring all clients have the same time, which Kerberos authentication (logons) requires in order to work properly.
  • Manages password changes made in the domain.
  • Failed logons are forwarded to the PDC Emulator before the error is shown to the user, to confirm that the password really is incorrect.
  • Account lockouts are processed on the PDC Emulator.
  • Group Policy changes are made on the PDC Emulator by default, unless the administrator specifies otherwise.
  • Emulates the PDC (Primary Domain Controller) for NT4 clients in the domain.

Notes: There is one PDC Emulator per domain, but the PDC Emulator of the forest root domain is authoritative for all the others in the forest.

RID Master

The RID Master is responsible for handing out pools of RIDs (Relative IDs). Each DC in a domain is allocated a pool of RIDs, which it uses for the new security principal objects it creates, such as security groups. When a DC starts to run out of RIDs, it requests more from the RID Master. There is one RID Master per domain in the forest.

Notes: There must only ever be ONE RID Master in a domain. If an administrator seizes the RID Master role to another server because the original role holder is offline, the original role holder must be formatted and reinstalled. This is because of the risk of identical RIDs being issued in the domain if more than one server holds the role, which would render the affected objects invalid and cause endless problems in the domain.

Infrastructure Master

This role matters most when the forest contains more than one domain. The Infrastructure Master is responsible for updating the SID (Security ID) and DN (Distinguished Name) held in references to objects that live in another domain.

Notes: There is one Infrastructure Master per domain.

Domain Naming Master

The Domain Naming Master controls the addition and removal of domains to and from the forest. It makes sure that no two domains have the same name, and it is the only Domain Controller in the entire forest that can add or remove a domain.

Notes: There is only one Domain Naming Master in the entire forest.

Schema Master

The Schema Master controls all updates and modifications to the schema. Once the update has completed it is replicated to all other Domain Controllers in the forest, but it must be performed on the Schema Master first.

Notes: There is only one Schema Master in the entire forest.
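The article states that each role has exactly one holder per domain or per forest, and the RID Master note warns what happens when two servers believe they hold the same role. The following PowerShell script, added here and not part of the original article, asks every DC in the forest which servers it believes hold the five roles and flags any role on which the DCs disagree. It assumes the RSAT ActiveDirectory module is installed and the account running it can query every DC.

```powershell
# Added example, not from the article: compare each DC's view of the FSMO
# role holders. All DCs should agree; a disagreement is the condition the
# RID Master note warns about (e.g. a seized role whose original holder has
# come back online). Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$forest = Get-ADForest
$views  = @()   # one row per (DC, role, holder as seen by that DC)

foreach ($domainName in $forest.Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    foreach ($dc in $dcs) {
        try {
            # Ask this specific DC what it believes the role holders are
            $d = Get-ADDomain -Identity $domainName -Server $dc.HostName -ErrorAction Stop
            $f = Get-ADForest -Server $dc.HostName -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        $seen = @{
            PDCEmulator          = $d.PDCEmulator            # one per domain
            RIDMaster            = $d.RIDMaster              # one per domain
            InfrastructureMaster = $d.InfrastructureMaster   # one per domain
            SchemaMaster         = $f.SchemaMaster           # one per forest
            DomainNamingMaster   = $f.DomainNamingMaster     # one per forest
        }
        foreach ($role in $seen.Keys) {
            $views += [pscustomobject]@{
                Domain     = $domainName
                Role       = $role
                ReportedBy = $dc.HostName
                Holder     = $seen[$role]
            }
        }
    }
}

# Group per domain and role; more than one distinct Holder means the DCs
# do not agree on who owns that role and the situation needs investigating.
$views | Group-Object Domain, Role | ForEach-Object {
    $holders = @($_.Group.Holder | Sort-Object -Unique)
    [pscustomobject]@{
        Domain  = $_.Group[0].Domain
        Role    = $_.Group[0].Role
        Holders = ($holders -join ', ')
        Status  = if ($holders.Count -eq 1) { 'consistent' } else { 'CONFLICT - investigate' }
    }
} | Format-Table -AutoSize
```

A DC that cannot be queried is reported with a warning and skipped rather than treated as a conflict, so an offline holder shows up in the warnings, not in the table.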

Comments

That's a lot to remember.

by Marcus Whybrow on 28 April 2007 at 01:15


Very helpful, I now understand what's going on!

by Simon on 23 April 2007 at 09:19

