Operations Master / FSMO Roles in Active Directory

Suhail Ashfaq Butt
Introduction
• In every forest, there are five operations master roles that are
assigned to one or more domain controllers.
• Forest-wide operations master roles must appear only once
in every forest.
• Domain-wide operations master roles must appear once in
every domain in the forest.
• The operations master roles are sometimes called flexible
single master operations (FSMO) roles.
• By default, all roles are assigned to the first domain controller
in the forest.
Forest-wide Operations Master Roles
Every forest must have the following roles:
• Schema Master
• Domain Naming Master
Note: These roles must be unique in the forest. This
means that throughout the entire forest there can be
only one schema master and one domain naming master.
Domain-wide Operations Master Roles
Every domain in the forest must have the following roles:
• Relative Identifier (RID) Master
• PDC Emulator Master
• Infrastructure Master
Note: These roles must be unique in each domain. This
means that each domain in the forest can have only one RID
master, PDC emulator master, and infrastructure master.
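The two uniqueness rules above (forest-wide roles once per forest, domain-wide roles once per domain) are easy to audit from a domain-joined workstation. The following PowerShell is an added example, not part of the original slides; it assumes the ActiveDirectory RSAT module and an account allowed to read forest and domain objects. Server and domain names come from whatever the environment returns; nothing is hard-coded. The infrastructure master / global catalog placement check in `Test-FsmoPlacement` is well-known placement guidance that the slides do not state, and is labelled as such in the code.

```powershell
Import-Module ActiveDirectory

# Collect every FSMO role holder in the forest as one row per role.
function Get-FsmoInventory {
    $forest = Get-ADForest
    $rows = [System.Collections.Generic.List[object]]::new()

    # Forest-wide roles: one holder each for the whole forest.
    $rows.Add([pscustomobject]@{ Scope='Forest'; Domain=$forest.RootDomain; Role='SchemaMaster';       Holder=$forest.SchemaMaster })
    $rows.Add([pscustomobject]@{ Scope='Forest'; Domain=$forest.RootDomain; Role='DomainNamingMaster'; Holder=$forest.DomainNamingMaster })

    # Domain-wide roles: one holder each in every domain of the forest.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $rows.Add([pscustomobject]@{ Scope='Domain'; Domain=$name; Role='PDCEmulator';          Holder=$d.PDCEmulator })
        $rows.Add([pscustomobject]@{ Scope='Domain'; Domain=$name; Role='RIDMaster';            Holder=$d.RIDMaster })
        $rows.Add([pscustomobject]@{ Scope='Domain'; Domain=$name; Role='InfrastructureMaster'; Holder=$d.InfrastructureMaster })
    }
    return $rows
}

# Check each holder: recorded, reachable, and (for the infrastructure master)
# whether it sits on a global catalog while other DCs in the domain are not GCs.
function Test-FsmoPlacement {
    param([Parameter(Mandatory)] $Inventory)
    foreach ($row in $Inventory) {
        $finding = 'OK'
        if ([string]::IsNullOrEmpty($row.Holder)) {
            # No holder recorded: the role points at a DC that no longer exists,
            # typically one removed without transferring the role first.
            $finding = 'NO HOLDER RECORDED'
        }
        elseif (-not (Test-Connection -ComputerName $row.Holder -Count 1 -Quiet)) {
            $finding = 'HOLDER UNREACHABLE'
        }
        elseif ($row.Role -eq 'InfrastructureMaster') {
            $holderDc = Get-ADDomainController -Identity $row.Holder -Server $row.Domain
            $nonGc    = @(Get-ADDomainController -Filter * -Server $row.Domain |
                          Where-Object { -not $_.IsGlobalCatalog })
            # Placement guidance assumed here (not stated in the slides): the
            # infrastructure master compares its data against a GC, so hosting it
            # on a GC is only sound when every DC in the domain is also a GC.
            if ($holderDc.IsGlobalCatalog -and $nonGc.Count -gt 0) {
                $finding = 'IM ON GC WHILE NON-GC DCs EXIST'
            }
        }
        [pscustomobject]@{ Scope=$row.Scope; Domain=$row.Domain; Role=$row.Role
                           Holder=$row.Holder; Finding=$finding }
    }
}

# Usage: print one line per role with its holder and any finding.
Test-FsmoPlacement -Inventory (Get-FsmoInventory) | Format-Table -AutoSize
```

Running this periodically and diffing the output against a known-good baseline is a cheap way to notice an unexpected role move or a holder that silently went offline, which matters because several of the functions described later (RID allocation, lockout processing, schema changes) stop working when their role holder is unavailable.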
Schema Master
(Forest Wide)
• The schema master domain controller controls all updates
and modifications to the schema.
• Once the Schema update is complete, it is replicated from the
schema master to all other DCs in the directory.
• To update the schema of a forest, you must have access to the
schema master.
• There can be only one schema master in the entire forest.
• In order to change or move the Schema Master role to
another Server, you must be a member of Schema
Administrators Group.
• By default, the first server in the forest has Schema Master
Role
Domain Naming Master
(Forest Wide)
• The domain controller holding the domain naming master role
controls the addition or removal of domains in the forest.
• There can be only one domain naming master in the entire
forest.
• By default, the first server in the forest has the domain
naming master role
• In order to change or move the Domain Naming Master role
to another Server, you must be a member of Enterprise
Administrators Group.
PDC Emulator
(Domain Wide)
• The PDC emulator role provides backwards compatibility for Windows
NT backup domain controllers (BDCs).
• The PDC emulator advertises itself as the primary domain controller for
the domain.
• It also acts as the domain master browser and maintains the latest
password for all users within the domain.
• The PDC emulator is necessary to synchronize time in an enterprise.
• It processes password changes from clients and replicates updates to
the BDCs.
• At any time, there can be only one domain controller acting as the PDC
emulator master in each domain in the forest.
• By default, the first server in the domain has PDC Emulator Master role.
• In order to change or move the PDC Emulator role to another Server,
you must be a member of Domain Administrators Group
PDC Emulator (Continued)
In a Windows 2000/2003 domain, the PDC emulator role
holder retains the following functions:
• Password changes performed by other DCs in the domain are
replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a
domain because of an incorrect password are forwarded to
the PDC emulator before a bad password failure message
is reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPO) is always
done from the GPO copy found in the PDC Emulator's
SYSVOL share.
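Because bad-password attempts are forwarded to the PDC emulator and lockouts are processed there, its Security log is the one place that sees every lockout in the domain regardless of which DC the client authenticated against. The PowerShell below is an added example, not part of the original slides; it assumes the ActiveDirectory module, remote event log access to the PDC emulator, and an account that can read its Security log. Event ID 4740 ("A user account was locked out") and the `w32tm` tool are real Windows components; the function names and the field mapping comment are this example's own.

```powershell
Import-Module ActiveDirectory

# Resolve the PDC emulator for a domain (defaults to the current one) and
# return the lockouts it processed in the last N hours.
function Get-PdcLockouts {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$Hours = 24
    )
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator

    # 4740 = "A user account was locked out". Lockout is processed on the
    # PDC emulator, so this single log covers lockouts for the whole domain.
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $data['TargetUserName']
            # In 4740 the TargetDomainName field carries the "Caller Computer Name",
            # i.e. the machine the failed attempts came from.
            SourceHost  = $data['TargetDomainName']
            PdcEmulator = $pdc
        }
    }
}

# The PDC emulator is also the root of the domain's time hierarchy, so check
# what it is syncing from; another DC or "Local CMOS Clock" is worth a look.
function Get-PdcTimeSource {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    Invoke-Command -ComputerName $pdc -ScriptBlock { w32tm /query /source }
}

# Usage: accounts with the most lockouts first, then the time source.
Get-PdcLockouts | Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
Get-PdcTimeSource
```

A burst of 4740 events for many different accounts from a single `SourceHost` in a short window is the pattern worth alerting on; a single account locking out repeatedly from one host is more often a stale credential in a service or scheduled task.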
Infrastructure Master (Domain Wide)
• The Infrastructure Master role is responsible for updating references from
objects within its domain to objects in other domains.
• The infrastructure master compares its data with that of a global catalog.
• Global catalogs receive regular updates for objects in all domains through
replication, so the global catalog data is kept current.
• If the infrastructure master finds data that is out of date, it requests the
updated data from a global catalog. The infrastructure master then
replicates that updated data to the other domain controllers in the domain.
• There is one infrastructure operations master in every domain in a forest.
• By default, it is placed in the first domain controller in the domain.
• In order to change or move the Infrastructure Master role to another
Server, you must be a member of Domain Administrators Group.
RID Master
(Domain Wide)
• The RID Master manages the Security Identifier (SID) for every
object within the domain.
• The RID master allocates sequences of relative IDs (RIDs) to each of
the various domain controllers in its domain.
• Whenever a domain controller creates a user, group, or computer
object, it assigns the object a unique security ID (SID).
• The SID consists of a domain SID, which is the same for all SIDs
created in the domain, and a RID, which is unique for each SID
created in the domain.
• By default, the first server in the domain is the RID Operations
Master
• In order to change or move the RID Master role to another Server,
you must be a member of Domain Administrators Group
Role Transfer
• Used to move a FSMO role gracefully from one live
domain controller to another live domain controller.
• Transfer a FSMO role to other domain controllers in the
domain or forest to balance the load among domain
controllers or to accommodate domain controller
maintenance and hardware upgrades.
• NTDSUTIL Utility is used to perform this task
Role Seizure
• Used only when a domain controller that holds a FSMO role
has failed and you are forced into an ungraceful transfer.
• Seize a FSMO role assignment when a server holding the
role fails and you do not intend to restore it.
• Seizing a FSMO role is a drastic step that should be
considered only if the current FSMO role holder will
never be available again.
• NTDSUTIL Utility is used to perform this task.
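The slides name NTDSUTIL for both transfer and seizure; the same operations are exposed by the ActiveDirectory module's `Move-ADDirectoryServerOperationMasterRole` cmdlet, which transfers by default and seizes only when `-Force` is given. The PowerShell below is an added example, not part of the original slides; it wraps that cmdlet with the preflight check that separates the two procedures (the current holder must be online for a transfer) and assumes the caller already holds the group membership each role requires (Schema Admins, Enterprise Admins or Domain Admins, as listed per role above). The `ntdsutil` command lines in the comments are the equivalent interactive sequence for the tool the slides mention; `DC02` is a placeholder target name.

```powershell
Import-Module ActiveDirectory

# Look up who currently holds a role, forest-wide or in the current domain.
function Get-CurrentRoleHolder {
    param([Parameter(Mandatory)][string]$Role)
    $forest = Get-ADForest
    $domain = Get-ADDomain
    switch ($Role) {
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'PDCEmulator'          { $domain.PDCEmulator }
        'RIDMaster'            { $domain.RIDMaster }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
    }
}

# Graceful transfer: refuses to proceed unless both the current holder and the
# target DC answer, because a transfer needs both sides live and replicating.
function Move-FsmoRoleGracefully {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role
    )
    if (-not (Test-Connection -ComputerName $TargetDC -Count 1 -Quiet)) {
        throw "Target $TargetDC is not reachable."
    }
    foreach ($r in $Role) {
        $current = Get-CurrentRoleHolder -Role $r
        if (-not (Test-Connection -ComputerName $current -Count 1 -Quiet)) {
            throw "Current $r holder '$current' is offline; a transfer is not possible. " +
                  "Seize only if that DC will never return (see Invoke-FsmoSeizure)."
        }
    }
    # ntdsutil equivalent for one role (RID master to DC02):
    #   ntdsutil "roles" "connections" "connect to server DC02" "quit" "transfer rid master" "quit" "quit"
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
}

# Seizure: the drastic path. -Force tells the cmdlet to seize when the holder
# cannot be contacted. The old holder must never come back online still
# believing it owns the role; it has to be cleaned out of the directory instead.
function Invoke-FsmoSeizure {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role
    )
    foreach ($r in $Role) {
        $current = Get-CurrentRoleHolder -Role $r
        if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
            # If the holder answers, a graceful transfer is the right tool.
            throw "Current $r holder '$current' is reachable; use Move-FsmoRoleGracefully instead."
        }
    }
    # ntdsutil equivalent: same sequence as above with "seize rid master" in place of "transfer rid master".
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
}

# Usage (placeholder target): move the domain-wide roles for maintenance,
# then confirm the new holder.
Move-FsmoRoleGracefully -TargetDC 'DC02' -Role PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Keeping the two paths in separate functions, each refusing the other's situation, is deliberate: a seizure run against a holder that is merely slow to respond leaves two DCs claiming the same role once it returns, which is exactly the condition the uniqueness rules at the top of the slides rule out.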