U-Tools: Unique Tools for Windows System Administrators
U-Move Help

FSMO Roles

Active Directory is a multi-master distributed database. This means that any DC can assume the role of a master for some task. These roles are called Flexible Single Master Operation roles, or FSMO (“fizz-moh”) roles.

FSMO roles are required for certain critical operations, such as adding a new domain or modifying the AD schema (changing the database design). Such changes must be carefully coordinated across all DCs. One single DC is always designated as the “master” for each such critical operation, and all the other DCs must defer to the DC that holds the master role.

If your AD contains only a single domain, then usually the PDC will hold all of the FSMO roles. This is the most common case.

The Seven FSMO Roles

There are seven FSMO roles defined in Active Directory:

  1. The Primary Domain Controller (PDC) emulator role, one per domain. The DC with this role coordinates changes to user passwords and secrets.
  2. The Relative Identifier (RID) Master role, one per domain. The DC with this role allocates RIDs for newly created users and groups.
  3. The Schema Master role, one per forest. The DC with this role coordinates adding new object classes to the AD design schema.
  4. The Domain Naming Master role, one per forest. The DC with this role coordinates adding or deleting domains and renaming domains.
  5. The Infrastructure Master role, one per domain. The DC with this role updates cross-domain references to renamed objects. (The Infrastructure Master role has special rules -- see below.)
  6. The Domain DNS Zone Master role, one per domain. The DC with this role coordinates adding or deleting any AD-integrated DNS zones on the DCs with DNS servers that host the domain.
  7. The Forest DNS Zone Master role, one per forest. The DC with this role coordinates adding or deleting the forest-wide records on the DNS servers that host the top-level DNS zone. These records contain the names of the Global Catalog (GC) servers.

Windows Server 2008-2016: To view which DCs have the FSMO roles, type the console command netdom query fsmo.

Windows Server 2003: To view which DCs have the FSMO roles see “How to view and transfer FSMO roles in Windows Server 2003” (KB324801).

Verify that the DCs in your test network have the FSMO roles listed above and that at least one DC has the Global Catalog (GC).

Undocumented: The DNS Zone Master roles

Many AD books and websites describe five FSMO roles. There are actually seven. The two extra hidden roles are the Domain DNS Zone Master role and the Forest DNS Zone Master role. These two roles are not well documented, and there is no way to display or transfer them without using advanced tools such as ADSIEdit.

U-Move will automatically display the ownership of these hidden roles, and it will offer to move them along with the other well-documented roles when you migrate AD to a new computer.
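As an added example (not U-Move's own code), the following PowerShell script lists the holders of all seven roles in one report, including the two DNS zone master roles that netdom query fsmo omits. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the DomainDnsZones and ForestDnsZones application partitions; the function names are ours, not a Microsoft API.

```powershell
# Added example, not U-Move's own code. Lists the holders of all seven FSMO
# roles, including the two DNS zone master roles that "netdom query fsmo"
# does not show. Assumes the ActiveDirectory module (RSAT) is installed and
# the current user can read the DomainDnsZones and ForestDnsZones partitions.
Import-Module ActiveDirectory

# The DNS zone master roles live in the fSMORoleOwner attribute of the
# CN=Infrastructure object in each DNS application partition. The value is
# the DN of the holder's "NTDS Settings" object, so we walk up one level to
# the server object and read its dNSHostName.
function Resolve-NtdsSettingsOwner {
    param([string]$NtdsSettingsDn, [string]$Server)
    if (-not $NtdsSettingsDn) { return '<unset>' }
    # A holder that was demoted leaves behind a DN pointing at a deleted
    # object (it contains "\0ADEL:"); report it as stale instead of failing.
    if ($NtdsSettingsDn -match '0ADEL:') { return "<stale: $NtdsSettingsDn>" }
    $serverDn = $NtdsSettingsDn -replace '^CN=NTDS Settings,', ''
    try {
        (Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $Server).dNSHostName
    } catch {
        "<unresolvable: $NtdsSettingsDn>"
    }
}

function Get-AllFsmoRoleHolders {
    param(
        # Domain to inspect; defaults to the domain the current computer belongs to.
        [string]$DomainName = (Get-ADDomain).DNSRoot
    )
    $domain     = Get-ADDomain -Identity $DomainName
    $forest     = Get-ADForest -Identity $domain.Forest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain

    $domainDnsOwner = (Get-ADObject -Server $DomainName `
        -Identity "CN=Infrastructure,DC=DomainDnsZones,$($domain.DistinguishedName)" `
        -Properties fSMORoleOwner).fSMORoleOwner
    $forestDnsOwner = (Get-ADObject -Server $forest.RootDomain `
        -Identity "CN=Infrastructure,DC=ForestDnsZones,$($rootDomain.DistinguishedName)" `
        -Properties fSMORoleOwner).fSMORoleOwner

    [pscustomobject]@{
        # Per-domain roles: three documented ones plus the hidden Domain DNS Zone Master
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainDnsZoneMaster  = Resolve-NtdsSettingsOwner $domainDnsOwner $DomainName
        # Per-forest roles: two documented ones plus the hidden Forest DNS Zone Master
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        ForestDnsZoneMaster  = Resolve-NtdsSettingsOwner $forestDnsOwner $forest.RootDomain
        # Not a FSMO role, but needed for the Infrastructure Master check below
        GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
    }
}

# Usage: compare the output with "netdom query fsmo"; the two *DnsZoneMaster
# rows are the ones that command does not report.
Get-AllFsmoRoleHolders | Format-List
```

The stale-owner branch matters in practice: if the DC holding a DNS zone master role was demoted without transferring it, the attribute keeps pointing at a deleted NTDS Settings object, and that is exactly the condition that later blocks a clean migration.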

The Infrastructure Master role is special

The Infrastructure Master role has special rules that must be considered when moving the role to another DC. (Don't worry if you do not understand this section. U-Move will automatically check the rules for you during the migration and advise you on how to proceed.)

The Infrastructure Master role should be held by a DC that is not a GC in the same domain. This is because the GC holds a partial replica of every object in the forest; a DC that is not a GC can compare the GC's copies against its own domain objects and thereby identify and fix discrepancies in cross-domain references (see KB197132).

General Exception: You can safely ignore the Infrastructure Master role in the following common cases. If all of the DCs in the domain are also GCs (a common configuration for the forest root domain), or if none of the DCs in the domain are GCs (a common configuration for the other domains), then the Infrastructure Master role does not matter (see KB197132).

The all/none rule applies only to the DCs that are actually running. In a test lab you typically clone only one DC per domain (the PDC, as recommended). With a single running DC per domain the rule is trivially satisfied, so the Infrastructure Master role does not matter.
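As an added example (not U-Move's own check), the PowerShell function below applies the two rules from this section to one domain: first the all/none exception, then the requirement that the holder not be a GC. It assumes the ActiveDirectory module (RSAT); the -OnlyRunning switch and the function name are ours. The switch exists because, as noted above, the rule counts only DCs that are actually running, and a cloned lab database still lists every production DC.

```powershell
# Added example, not U-Move's own code. Applies the Infrastructure Master
# placement rules to one domain. Assumes the ActiveDirectory module (RSAT).
# -OnlyRunning limits the check to DCs that answer a ping, because the
# all/none rule counts only DCs that are actually running (in a cloned lab
# the directory still lists every production DC).
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        [string]$DomainName = (Get-ADDomain).DNSRoot,
        [switch]$OnlyRunning
    )
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)

    if ($OnlyRunning) {
        $dcs = @($dcs | Where-Object { Test-Connection -ComputerName $_.HostName -Count 1 -Quiet })
    }

    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    # Rules, in order of precedence:
    # 1. all DCs are GCs, or none are  -> the role does not matter
    # 2. otherwise the holder must not be a GC
    if ($dcs.Count -eq 0) {
        $verdict = 'NoDCs: nothing to check'
    } elseif ($gcs.Count -eq $dcs.Count) {
        $verdict = 'Irrelevant: every DC in the domain is a GC'
    } elseif ($gcs.Count -eq 0) {
        $verdict = 'Irrelevant: no DC in the domain is a GC'
    } elseif ($null -eq $holder) {
        $verdict = 'Warning: the Infrastructure Master is not among the DCs considered'
    } elseif ($holder.IsGlobalCatalog) {
        $verdict = 'Warning: the Infrastructure Master is a GC while other DCs are not; move the role to a non-GC DC'
    } else {
        $verdict = 'OK: the Infrastructure Master is held by a non-GC DC'
    }

    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        InfrastructureMaster = $domain.InfrastructureMaster
        DCsConsidered        = $dcs.Count
        GlobalCatalogs       = $gcs.Count
        Verdict              = $verdict
    }
}

# Usage: in a cloned test lab, restrict the check to DCs that are actually up.
Test-InfrastructureMasterPlacement -OnlyRunning | Format-List
```

With -OnlyRunning in a lab that has a single cloned DC per domain, the GC count equals either zero or the DC count, so the function always reaches one of the "Irrelevant" verdicts, matching the statement above that the role does not matter in that setup.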

If you are migrating AD, U-Move will automatically warn you if the Infrastructure Master role is not assigned correctly. The warning message will appear in the Replication Test Report.

For more information

For more information about FSMO roles see Understanding FSMO Roles in Active Directory (petri.co.il).