Home » Active Directory » Understanding FSMO Roles in Active Directory

Understanding FSMO Roles in Active Directory

Understanding FSMO Roles in Active Directory

Let’s discuss today the major part in Active Directory which FSMO

FSMO stands for Flexible Single Master Operations, and FSMO roles (also known as operations master roles) help you prevent conflicts in Active Directory.

There are 5 specific types of updates to Active Directory that are very specific & conflicts should be avoided. To avoid conflicts, those updates are all performed on a single Domain Controller. And though each type of update must be performed on a single Domain Controller, they do not all have to be handled by the same Domain Controller.

These types of updates are handled by Domain Controllers Flexible Single Master Operations roles, or FSMO roles.  Each of the five roles is assigned to only one domain controller.

There are five of these FSMO roles in every forest.  And out of five 3 are Domain level and 2 are Forest level.

They are:

Roles Levels
Schema Master Forest Level
Domain Naming Master Forest Level
Infrastructure Master Domain Level
Relative ID (RID) Master Domain Level
Primary Domain Controller (PDC) Emulator Domain Level

The partition for each FSMO role is in the following list:

FSMO role Partition
Schema CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master CN=configuration,DC=<forest root domain>
PDC DC=<domain>
RID DC=<domain>
Infrastructure DC=<domain>


Let’s discuss about Roles in detail: Even the Roles are assigned from Forest level to Domain Level, for better understanding let’s domain level.

PDC Emulator: The domain controller that has the PDC emulator FSMO role assigned to it has many duties and responsibilities in the domain.

For example:

The PDC emulator is necessary to synchronize time in an enterprise.

The DC with the PDC emulator role is the DC that updates passwords for users and computers.

When a user attempts to login, and enters a bad password, it’s the DC with the PDC emulator FSMO role that is consulted to determine if the password has been changed without the replica DC’s knowledge.

Note: Each domain in the forest needs its own PDC emulator.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security Principal SID created in a domain.

The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any given time, there can be only one domain controller acting as the RID master in the domain.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID for references to security principals, and the DN of the object being referenced.

The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog (GC) server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

Domain Naming Master

The domain naming master DC controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Schema Master

The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.


Role name Scope Description
Schema Master 1 per forest Schema modifications
Domain Naming Master 1 per forest Addition and removal of domains if present in root domain
PDC Emulator 1 per domain Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.
RID Master 1 per domain Allocates pools of unique identifiers to domain controllers for use when creating objects
Infrastructure Master 1 per domain/partition Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.


For Morenfo :

Praveen Kumar


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: