Tuesday, April 20, 2010

FSMO Roles

Introduction

In a Windows 2000 domain environment, all of the domain controllers are peers. There are no PDCs and BDCs as found in a Windows NT domain. All Windows 2000 domain controllers contain a writable replica (or copy) of the Active Directory database, and unlike the hierarchical server structure in a Windows NT domain (the PDC with subordinate BDCs), all domain controllers are equal.

The ability of all domain controllers in a Windows 2000 domain to update Active Directory, and then replicate it out to the other DCs, is referred to as Multimaster Replication. Compare that to a Windows NT domain which uses Single Master replication - the PDC has the only writable copy of the SAM and all updates can only happen at the PDC.

(The SAM, Security Accounts Database, is replaced by the Active Directory Database in Windows 2000.)

So why are there FSMO server roles? Since each DC in a Windows 2000 domain can update Active Directory, which then gets replicated to all other DCs, what happens if more than one person is making the same change to Active Directory at the same time? There are certain rules that are followed to prevent conflicts in updating the AD database, but some changes are too important to the domain to be left to these rules. Because of this, Microsoft came up with the idea of the Flexible Single Master Operations server roles. The servers that hold these FSMO roles are responsible for updating certain aspects of Active Directory. By making designated servers responsible for certain updates, instead of allowing every server to make all updates, you prevent conflicts in Active Directory updates.

In a Windows 2000 Domain environment, there are 5 server roles that are necessary for the proper functioning of the forest/domain (or Active Directory). These 5 server roles are collectively known as the Flexible Single Master Operations Roles or FSMO roles. All FSMO server roles exist on Domain Controllers. They do not exist on member servers. Two of the server roles exist at the Forest level and 3 server roles exist at the Domain level.

For example: If your Active Directory contains one forest and 1 domain, you would have 5 FSMO role holders. If your AD contained one forest and 2 domains, you would have 8 FSMO role holders - two at the forest level and 3 for each domain. Likewise, for an AD with one forest and 3 domains, you would have 11 server roles - two at the forest level and 3 for each domain.
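As an added example (not part of the original post), the following PowerShell enumerates every FSMO role holder in a forest and checks that the count matches the 2 + 3 × (number of domains) rule above. It assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable.

```powershell
# Added example: list all FSMO role holders and verify the expected count.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a reachable DC.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$holders = @()

# Forest-level roles: exactly one holder each per forest.
$holders += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
$holders += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

# Domain-level roles: exactly one holder each per domain in the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $holders += [pscustomobject]@{ Scope = $domain.DNSRoot; Role = $role; Holder = $domain.$role }
    }
}

$holders | Format-Table -AutoSize

# One forest with N domains must yield 2 + 3*N role holders.
$expected = 2 + 3 * $forest.Domains.Count
if ($holders.Count -ne $expected) {
    Write-Warning "Found $($holders.Count) role holders, expected $expected"
}

# A role with no recorded holder means schema/domain changes, RID allocation or
# password and lockout handling will fail for that scope until the role is seized or transferred.
$holders | Where-Object { [string]::IsNullOrEmpty($_.Holder) } |
    ForEach-Object { Write-Warning "Role $($_.Role) in $($_.Scope) has no holder recorded" }
```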


FSMO Roles

The 5 FSMO server roles:

Role                    Level          Count
Schema Master           Forest Level   One per forest
Domain Naming Master    Forest Level   One per forest
PDC Emulator            Domain Level   One per domain
RID Master              Domain Level   One per domain
Infrastructure Master   Domain Level   One per domain



1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the active directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Time synchronization for the domain.

Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.
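The RID pool allocation described above can be observed on each DC: the RID master's grant is recorded in the DC's "RID Set" object, which the DC's computer account points to through rIDSetReferences. The following PowerShell (an added example, not from the original post) reads those attributes for every DC in the current domain. It assumes the ActiveDirectory module (RSAT) and read access to the domain partition; the attribute names are the real schema attributes, and the packed-value layout (low 32 bits = first RID, high 32 bits = last RID) is stated here as an assumption from Microsoft's documented RID Set format.

```powershell
# Added example: show each DC's in-use and standby RID pools, as granted by the RID master.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "RID master for $($domain.DNSRoot): $($domain.RIDMaster)"

# rIDAllocationPool / rIDPreviousAllocationPool pack a pool's bounds into one 64-bit value:
# low 32 bits = first RID in the pool, high 32 bits = last RID in the pool (assumed layout).
function Split-RidPool([long]$Packed) {
    [pscustomobject]@{
        Start = $Packed -band 0xFFFFFFFF
        End   = $Packed -shr 32
    }
}

foreach ($dc in Get-ADDomainController -Filter *) {
    # The DC's computer object references its RID Set object via rIDSetReferences.
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $ridSetDn = $computer.rIDSetReferences | Select-Object -First 1
    if (-not $ridSetDn) { Write-Warning "$($dc.HostName): no RID Set reference"; continue }

    $ridSet = Get-ADObject -Identity $ridSetDn -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $inUse   = Split-RidPool $ridSet.rIDPreviousAllocationPool   # pool the DC is consuming now
    $standby = Split-RidPool $ridSet.rIDAllocationPool           # pool it switches to when the current one is exhausted

    [pscustomobject]@{
        DC          = $dc.HostName
        InUsePool   = "$($inUse.Start)-$($inUse.End)"
        NextRID     = $ridSet.rIDNextRID
        # Approximate number of RIDs left before this DC must ask the RID master for more.
        Remaining   = $inUse.End - $ridSet.rIDNextRID
        StandbyPool = "$($standby.Start)-$($standby.End)"
    }
}
```

A DC whose Remaining count keeps falling while its StandbyPool never changes cannot reach the RID master and will stop creating users, groups and computers once its pool runs out.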

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.
