FSMO roles - what do they do?

Flexible single-master operator (FSMO) roles are special roles assigned to Active Directory domain controllers (DCs). Each FSMO role can be assigned to only one DC at a time, and that DC is the only one permitted to process a particular type of critical change to Active Directory.

The name comes from two factors: The DC chosen to handle a particular type of update functions as the “single-master operator,” and the role is “flexible” because it can be assigned to any DC.

Note that Microsoft has switched to the term “Operation Master roles,” but “FSMO roles” remains in common use.

Understanding the purpose of Active Directory FSMO roles requires a brief history lesson. Early versions of Windows used a single-master model: One DC — the primary domain controller (PDC) — was responsible for processing all updates in a particular domain. While this model makes conflicts impossible, it has a key drawback: If the PDC is unavailable, it’s impossible to perform vital administrative tasks.

Today, Windows uses a multi-master model: Changes to AD can be processed by any domain controller and are then replicated to the other DCs. While this model eliminates the problem of having a single point of failure, it leads to a different issue: What if two or more DCs process conflicting updates?

In most cases, these conflicts are resolved by a simple algorithm: the last writer wins. Any earlier changes are discarded.

However, some changes are too important to be subject to this rule. In those cases, Windows prevents conflicts from occurring in the first place by permitting only one DC — the FSMO role owner — to process certain types of changes.

There are five Active Directory FSMO roles:

• Schema Master
• Domain Naming Master
• Relative ID (RID) Master
• Primary Domain Controller (PDC) Emulator
• Infrastructure Master (domain level)

The same DC can be assigned multiple FSMO roles, or even all five of them. The DC that is assigned a particular FSMO role is called the role owner.

In a given forest, only one domain controller has the Schema Master role.

This DC is responsible for processing updates to the directory schema, which are then replicated to all other DCs in the directory. The schema is the blueprint of an Active Directory, with formal definitions of every object class (such as user, computer and security group) that can be created in the AD forest, and every attribute that can exist in an AD object.

For instance, an AD schema might define the following object classes: user, computer, printer and security group. It might allow user objects to have the attributes first name, last name, password, and telephone number, and give printer objects a different set of attributes: model number, location and port.

Examples of actions that update the schema include adding a new custom attribute to an object (such as adding a passport number attribute to user objects), implementing an application that requires an extension of the schema and adding a DC with a new version of Windows Server.

In a given forest, only one DC has the Domain Naming Master role.

This DC is responsible for adding and removing domains in the forest. In particular, it ensures that each domain in the forest has a unique name. The Domain Naming Master can also add or remove cross references to domains in external directories.

In each domain, one domain controller is assigned the RID Master role.

This DC is responsible for processing RID pool requests from all DCs in the domain. Each user, group and other security principal is assigned a unique security identifier (SID) when it is created, one component of which is a unique RID. Therefore, each DC needs a pool of RIDs it can assign to the objects it creates. When it runs low, it requests another RID pool from the RID Master.

The RID Master is also responsible for removing an object from its domain and putting it in another domain during an object move.

In each domain, one DC is assigned the PDC Emulator role. This DC is responsible for synchronizing time, which is vital for the integrity of many processes, including Kerberos authentication.

The PDC Emulator of a domain is authoritative for that domain. The PDC Emulator for the domain at the root of the forest is authoritative for the enterprise; it should be configured to collect the time from an external source.

The PDC Emulator is particularly important for password changes and failed authentication events:

• Password changes processed by other DCs in the domain are replicated preferentially to the PDC Emulator.
• When an authentication attempt fails due to an incorrect password, the failure is sent to the PDC Emulator before the failure message is issued to the user.
• Account lockouts are processed on the PDC Emulator.

In each domain, one DC is assigned the Infrastructure Master role.

This DC is responsible for updating an object's SID and distinguished name in a cross-domain object reference. In particular, it makes sure that names, rather than cryptic SIDs, appear in your access control lists (ACLs).

The DC that owns an FSMO role needs to be available whenever updates it is responsible for need to be made. Some of those updates, such as change to the schema and the addition of new domains, are rare, while other types of changes are more frequent. In particular, the PDC Emulator needs to be accessible at all times.

Administrators can move an Active Directory FSMO role from one DC to another via transfer or seizure:

• Transfer — One reason to transfer a role to another DC is that you know that a particular FSMO role owner is going be offline when it will be needed. When the former role holder restarts, it will check inbound replication information, determine that it no longer holds the role and smoothly relinquish role ownership.
• Seizure — If a DC that owns an FSMO role crashes and cannot be restored, you can seize the FSMO role and assign it to another domain controller.

For more information about when and how to transfer or seize Active Directory FSMO roles, see the Microsoft guidance.

RID Master, PDC Master or Infrastructure Master role

To determine which DC holds the RID Master, PDC Master or Infrastructure Master role in a particular domain, take the following steps:

1. Run the command dsa.msc.
2. Right-click the selected domain object in the top left pane, and then click Operations Masters.
3. Click the appropriate tab: RID Pool, PDC or Infrastructure.

Schema Master role

To determine which DC holds the Schema Master role in the forest:

1. Run the command dsc.msc.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
3. In the top-left pane, right-click Active Directory Schema, and then click Operations Masters.

Domain Naming Master role

To determine which DC holds the Domain Naming Master role in the forest:

1. Run the command dsa.msc.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
3. In the left pane, click Active Directory Domains and Trusts.
4. Right-click Active Directory Domains and Trust, and then click Operations Master.

Quest offers extensive solutions for managing, securing and recovering your hybrid Active Directory environment. Here’s where you can learn more:

• Active Directory management
• Enterprise backup and recovery
• Cybersecurity risk management  
• Cyber resilience