
FSMO Role Function

FSMO (Flexible Single Master Operations) roles are critical roles in an Active Directory environment that are assigned to one or more domain controllers to ensure that certain administrative and replication tasks are handled centrally. There are five FSMO roles, each with a specific function in the operation of Active Directory. Below, I detail the purpose of each:

1. PDC Emulator

  • Main Function: This role emulates the behavior of a Windows NT Primary Domain Controller (PDC) and is primarily used in mixed environments that still contain earlier versions of Windows Server (such as Windows NT 4.0).
  • Specific Functions:
    • Password Authentication: When a user changes their password, the PDC Emulator is responsible for updating the password database.
    • Time Synchronization: The PDC Emulator is the primary time server in the domain; it is treated as the authoritative time source for the entire domain.
    • Group Policies: It is responsible for managing certain types of group policies and for password administration.
    • Master Copy of Password Changes: This is the only server authorized to receive password changes for the entire domain, so if other domain controllers experience replication issues, passwords will not be synchronized correctly.

2. RID Master

  • Main Function: The RID Master is responsible for assigning ranges of unique identifiers (RIDs) to domain controllers within the domain. RIDs are part of the unique identifier of an object in Active Directory (such as a user or group).
  • Specific Functions:
    • RID Assignment: Every object in Active Directory has a unique RID that is assigned when the object is created. The RID Master is the only domain controller that can assign blocks of RIDs to the other domain controllers.
    • Outage Impact: If the RID Master is offline for an extended period, the other domain controllers will eventually be unable to create new objects in the directory because they cannot obtain new RID blocks.

3. Infrastructure Master

  • Main Function: The Infrastructure Master is responsible for maintaining references to objects in other domains within Active Directory. This role is essential for trust relationships between domains.
  • Specific Functions:
    • Cross-domain references: If an object in one domain has a reference to an object in another domain (for example, if a user is in a group in another domain), the Infrastructure Master ensures that these references are up to date.
    • Global Catalog Conflict: If the Infrastructure Master is hosted on a domain controller that is also a Global Catalog server, it will not be able to perform its job correctly, because the Global Catalog already holds object information for the entire forest.

4. Schema Master

  • Main Function: The Schema Master is responsible for managing changes to the Active Directory schema. The schema is the definition of all object types and attributes that can be stored in Active Directory.
  • Specific Functions:
    • Schema Modifications: If you want to add a new type of object or attribute to Active Directory (for example, a new account type or a new property for users), that change must be made through the Schema Master.
    • Exclusive Authority: Only the domain controller holding the Schema Master role can apply changes to the schema. Other domain controllers cannot.

5. Domain Naming Master

  • Main Function: The Domain Naming Master is responsible for managing domain name changes within the Active Directory forest.
  • Specific Functions:
    • Creating and Deleting Domains: If you need to add a new domain or delete one in the Active Directory forest, the Domain Naming Master is the role responsible for this process.
    • Domain Name Changes: Any attempt to change a domain name or domain structure within a forest is performed through the Domain Naming Master.

Summary of FSMO Role Functions

Role                  | Main Function
----------------------|--------------------------------------------------------------------------------------------
PDC Emulator          | Time synchronization, password management, group policies, and PDC emulation in mixed environments.
RID Master            | Assigns blocks of RIDs to domain controllers so they can create objects.
Infrastructure Master | Maintains object references across domains.
Schema Master         | Makes modifications to the Active Directory schema (adding new attributes or object classes).
Domain Naming Master  | Manages the creation and deletion of domains in a forest.

How Many Domain Controllers Should Have These Roles?

  • Ideally, there should only be one domain controller with each of these roles within a domain or forest to avoid conflicts and ensure that operations are performed centrally.
  • However, in large or complex environments, FSMO roles can be moved to other domain controllers if necessary for availability or performance reasons. This is usually done using tools such as ntdsutil or PowerShell.

FSMO Role Verification

To verify which server holds each FSMO role, run the following command (netdom is a command-line tool; it works from a Command Prompt or a PowerShell window):

netdom query fsmo
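A fuller check from PowerShell, added here as an example and not part of the original post: it lists all five role holders through the ActiveDirectory module (assumed to be installed via RSAT), tests that each holder answers on the network, and flags the Infrastructure Master / Global Catalog condition described above.

```powershell
# Added example: enumerate FSMO role holders and check the Infrastructure Master caveat.
# Assumes the ActiveDirectory module (RSAT) is installed and the machine is domain-joined.
Import-Module ActiveDirectory

$forest = Get-ADForest   # forest-wide roles live here
$domain = Get-ADDomain   # domain-wide roles live here

$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# One row per role: which DC holds it and whether that DC currently answers a ping.
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    [pscustomobject]@{
        Role      = $role
        Holder    = $holder
        Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
    }
}

# Caveat from the Infrastructure Master section: the holder should not be a Global
# Catalog unless every DC in the domain is also a GC (then there is nothing to update).
$dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$imHost = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGC  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

if ($imHost.IsGlobalCatalog -and -not $allGC) {
    Write-Warning ("Infrastructure Master {0} is a Global Catalog but not every DC is; " +
                   "cross-domain references may not be updated.") -f $domain.InfrastructureMaster
}
```

Run it in the domain you want to audit; for a multi-domain forest, pass -Server <other domain> to Get-ADDomain and Get-ADDomainController to repeat the domain-level checks there.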

To move roles, see Moving FSMO Roles