U-Tools: Unique Tools for Windows System Administrators
U-Move Help

FSMO Roles

Active Directory is a multi-master distributed database. This means that any DC can assume the role of a master for some task. These roles are called Flexible Single Master Operation roles or FSMO (“fizz-moh”) roles.

FSMO roles are required for certain critical operations such as changing a domain name or modifying the AD design schema. Such changes must be carefully coordinated across all DCs. One DC is designated as the “master” for all such critical operations, and all the other DCs must defer to the DC that holds the master role.

If your AD contains only a single domain then the Primary Domain Controller (PDC) will typically hold all of the FSMO roles. This is the most common case.

The Seven FSMO Roles

There are seven FSMO roles defined in Active Directory:

  1. The Primary Domain Controller (PDC) emulator role, one per domain. The DC with this role coordinates changes to user passwords and secrets.
  2. The Relative Identifier (RID) Master role, one per domain. The DC with this role allocates RIDs for newly created users and groups.
  3. The Schema Master role, one per forest. The DC with this role coordinates adding new object classes to the AD design schema.
  4. The Domain Naming Master role, one per forest. The DC with this role coordinates adding or deleting domains and renaming domains.
  5. The Infrastructure Master role, one per domain. The DC with this role updates cross-domain references to renamed objects. (The Infrastructure Master role has special rules -- see below.)
  6. The Domain DNS Zone Master role, one per domain. The DC with this role coordinates adding or deleting any AD-integrated DNS zones on the DCs with DNS servers that host the domain.
  7. The Forest DNS Zone Master role, one per forest. The DC with this role coordinates adding or deleting the forest-wide records on the DNS servers that host the top-level DNS zone. These records contain the names of the Global Catalog (GC) servers.

To view which DCs own the FSMO roles, type the console command netdom query fsmo.
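
The following PowerShell script is an added example, not part of U-Move or the original help text. It reports all seven role holders, because netdom query fsmo prints roles 1 to 5 from the list above but not the two DNS zone roles. It assumes the ActiveDirectory module (RSAT) is installed and that the DC it queries (here the PDC emulator) hosts the DomainDnsZones and ForestDnsZones partitions; Resolve-RoleOwner is a helper name chosen for this example.

```powershell
# Added example: report the holder of each of the seven FSMO roles.
# Assumes the ActiveDirectory module (RSAT) and a DC that hosts the DNS partitions.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$forest  = Get-ADForest
$rootDn  = (Get-ADRootDSE).rootDomainNamingContext
$queryDc = $domain.PDCEmulator   # assumption: this DC also runs AD-integrated DNS

# Hypothetical helper: read fSMORoleOwner from an Infrastructure object
# and translate it into the DNS host name of the DC that owns the role.
function Resolve-RoleOwner {
    param([string]$InfrastructureDn)
    try {
        $obj   = Get-ADObject -Identity $InfrastructureDn -Server $queryDc -Properties fSMORoleOwner -ErrorAction Stop
        $owner = [string]$obj.fSMORoleOwner
        # A DC that was removed without transferring the role leaves an empty
        # value or a mangled DN containing "0ADEL:" in this attribute.
        if (-not $owner -or $owner -match '0ADEL:') { return "ORPHANED ($owner)" }
        # The value is the DN of the DC's "NTDS Settings" object; its parent is the server object.
        $serverDn = $owner -replace '^CN=NTDS Settings,', ''
        (Get-ADObject -Identity $serverDn -Server $queryDc -Properties dNSHostName -ErrorAction Stop).dNSHostName
    } catch {
        "UNREADABLE ($($_.Exception.Message))"
    }
}

$roles = [ordered]@{
    'PDC Emulator'           = $domain.PDCEmulator
    'RID Master'             = $domain.RIDMaster
    'Schema Master'          = $forest.SchemaMaster
    'Domain Naming Master'   = $forest.DomainNamingMaster
    'Infrastructure Master'  = $domain.InfrastructureMaster
    'Domain DNS Zone Master' = Resolve-RoleOwner "CN=Infrastructure,DC=DomainDnsZones,$($domain.DistinguishedName)"
    'Forest DNS Zone Master' = Resolve-RoleOwner "CN=Infrastructure,DC=ForestDnsZones,$rootDn"
}

$roles.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holder = $_.Value } } |
    Format-Table -AutoSize
```

A holder shown as ORPHANED means the role still points at a DC object that no longer exists, so the role has to be reassigned to a live DC.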