
Thread: Windows 2003 Active Directory FSMO roles

  1. #1

    Windows 2003 Active Directory FSMO roles

    The Microsoft Windows 2003 Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored. It is a hierarchical, multi-master enabled database, capable of storing millions of objects. Because it is multi-master, changes to the database can be processed at any given domain controller (DC) in the enterprise regardless of whether the DC is connected or disconnected from the network.

    The Windows 2003 Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.

    There are five FSMO roles that make Active Directory work:
    • Schema master - maintains the authoritative copy of the Active Directory database schema.
    • Domain naming master - maintains the list of domains within the forest.
    • Relative Identifier (RID) master - responsible for ensuring that every Active Directory object at a domain receives a unique security identifier.
    • Primary Domain Controller (PDC) emulator - acts as the Primary Domain Controller in domains containing domain controllers running Windows NT.
    • Infrastructure daemon - responsible for updating an object’s security identifier and distinguished name in a cross domain object reference.

  2. #2

    Re: Windows 2003 Active Directory FSMO roles

    Schema Master FSMO Role

    There is only one schema master per directory. The schema master FSMO role holder is the DC responsible for performing updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. The Schema Master role is forest-specific and is found only in the forest root domain. Since the schema of Active Directory is rarely changed, however, the Schema Master role will rarely do any work.

    Domain Naming Master FSMO Role

    The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. It controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

    Relative Identifier (RID) Master FSMO Role

    The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. The purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this pool from becoming exhausted. It is also responsible for removing an object from its domain and putting it in another domain during an object move. Every domain in your forest has exactly one domain controller holding the RID Master role. When a domain controller creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This Security ID consists of a domain SID and a relative ID that is unique for each security principal SID created in a domain. So if you run out of RIDs, you won't be able to create any new user or computer accounts; to prevent this from happening, the RID Master monitors the RID pool and generates new RIDs to replenish it when it falls beneath a certain level.
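    The SID and RID-pool mechanics described in this post, as an added example that is not part of the original post: PowerShell functions that split a SID into its domain SID and RID, and decode the packed 64-bit RID pool attributes that each DC and the RID master carry. The sample SIDs and pool values are constructed, and the 50% replenishment threshold is an assumption used only to show the shape of the check, not the product's exact trigger. The commented Get-ADObject lines show where the real values live; they need the RSAT ActiveDirectory module and a live domain, everything else runs offline.

```powershell
# Added example, not from the original post. Sample SIDs and pool values are constructed.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A security principal's SID is the domain SID plus one trailing sub-authority, the RID.
    # The domain SID is shared by every principal in the domain; the RID is what the creating
    # DC draws from the pool the RID master handed it.
    $parts = $Sid -split '-'
    if ($parts.Count -lt 4 -or $parts[0] -ne 'S') { throw "Not a SID string: $Sid" }
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = $parts[0..($parts.Count - 2)] -join '-'
        Rid       = [uint32]$parts[-1]
    }
}

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][int64]$Packed)
    # rIDAllocationPool (and rIDPreviousAllocationPool) on CN=RID Set,CN=<DC>,OU=Domain Controllers,...
    # pack two 32-bit numbers: low dword = first RID of the block, high dword = last RID of the block.
    # 0xFFFFFFFF would be read as the int32 -1 by PowerShell, so build the mask from uint32.MaxValue.
    $mask  = [int64][uint32]::MaxValue
    $start = [uint32]($Packed -band $mask)
    $end   = [uint32](($Packed -shr 32) -band $mask)
    [pscustomobject]@{ Start = $start; End = $end; Size = $end - $start + 1 }
}

function ConvertFrom-RidAvailablePool {
    param([Parameter(Mandatory)][int64]$Packed)
    # rIDAvailablePool on CN=RID Manager$,CN=System,<domain>: low dword = the next RID the RID
    # master will hand out, high dword = the highest RID it can ever allocate in this domain.
    $mask = [int64][uint32]::MaxValue
    $next = [uint32]($Packed -band $mask)
    $max  = [uint32](($Packed -shr 32) -band $mask)
    [pscustomobject]@{ NextRid = $next; MaxRid = $max; Remaining = $max - $next }
}

function Test-RidPoolLow {
    param($Pool, [uint32]$NextRid, [double]$Threshold = 0.5)
    # A DC asks the RID master for a fresh block before its current one is used up.
    # The 50% threshold is an assumption for illustration, not the product's exact trigger.
    $remaining = $Pool.End - $NextRid + 1
    [pscustomobject]@{
        Remaining   = $remaining
        NeedsRefill = ($remaining -lt [math]::Ceiling($Pool.Size * $Threshold))
    }
}

# Two principals created on different DCs share the domain SID but carry RIDs from different blocks.
$alice = Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
$svc   = Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1612'
"RIDs $($alice.Rid) and $($svc.Rid) under domain SID $($alice.DomainSid)"

# Constructed rIDAllocationPool for DC02: block 1100..1599, packed as (end << 32) | start.
$dc02Pool = ConvertFrom-RidPool (([int64]1599 -shl 32) -bor 1100)
$dc02Pool
Test-RidPoolLow -Pool $dc02Pool -NextRid 1420

# Constructed rIDAvailablePool on the RID master: next block starts at 2100, ceiling 1073741823.
ConvertFrom-RidAvailablePool (([int64]1073741823 -shl 32) -bor 2100)

# Against a live domain (RSAT ActiveDirectory module) the real values come from:
#   Get-ADObject "CN=RID Manager$,CN=System,$((Get-ADDomain).DistinguishedName)" -Properties rIDAvailablePool
#   Get-ADObject "CN=RID Set,CN=DC02,OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)" -Properties rIDAllocationPool,rIDNextRID
```

    The decoding is the same one dcdiag's RidManager test performs; reading it yourself is useful when the RID master is unreachable and you want to know how long each DC can keep creating accounts from the block it already holds.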

  3. #3

    Re: Windows 2003 Active Directory FSMO roles

    Primary Domain Controller (PDC) Emulator FSMO Role

    The PDC emulator is necessary to synchronize time in an enterprise. Windows 2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. It's critically important that computer clocks are synchronized across your forest because if they're out by too much then Kerberos authentication can fail and users won't be able to log on to the network. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

    In a Windows 2003 domain, the PDC emulator role holder retains the following functions:
    • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
    • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
    • Account lockout is processed on the PDC emulator.
    • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.


    Infrastructure daemon FSMO Role

    When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID, and the DN of the object being referenced. Its purpose is to ensure that cross-domain object references are correctly handled. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. If your Active Directory involves only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed.
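    The PDC emulator behaviours listed in this post (password changes pushed to the PDC emulator first, bad-password attempts chained to it before the user is told, lockout processed there), as an added example that is not part of the original post: a small offline PowerShell model of three DCs. DC names, users, passwords and the lockout threshold are constructed; the model never runs normal replication, so the stale DC stays stale, which is exactly the window the chaining exists for.

```powershell
# Added example, not from the original post: an offline model of PDC emulator chaining.
# Every DC name, account, password and the lockout threshold below is constructed.

$LockoutThreshold = 3   # assumed account lockout policy for the model

function New-Dc {
    param([string]$Name, [switch]$IsPdc)
    @{ Name = $Name; IsPdc = [bool]$IsPdc; Passwords = @{}; BadPwdCount = @{}; LockedOut = @{} }
}

$Dc01 = New-Dc 'DC01' -IsPdc   # holds the PDC emulator role
$Dc02 = New-Dc 'DC02'
$Dc03 = New-Dc 'DC03'
$Pdc  = $Dc01

function Set-UserPassword {
    param($Dc, [string]$User, [string]$Password)
    # The change is written on the DC where it happened and pushed to the PDC emulator at once;
    # the other DCs only learn about it through normal replication, which this model never runs.
    $Dc.Passwords[$User]  = $Password
    $Pdc.Passwords[$User] = $Password
}

function Test-Logon {
    param($Dc, [string]$User, [string]$Password)
    if ($Pdc.LockedOut[$User]) { return "$($Dc.Name): $User is locked out" }
    if ($Dc.Passwords[$User] -eq $Password) { return "$($Dc.Name): authenticated $User from local copy" }
    # Local mismatch: before reporting a bad password, chain the request to the PDC emulator,
    # which holds any password change that has not replicated to this DC yet.
    if (-not $Dc.IsPdc -and $Pdc.Passwords[$User] -eq $Password) {
        return "$($Dc.Name): local copy stale, PDC emulator $($Pdc.Name) authenticated $User"
    }
    # Genuinely wrong: badPwdCount and the lockout decision live on the PDC emulator, so attempts
    # spread across several DCs still add up to a single count.
    $Pdc.BadPwdCount[$User] = 1 + [int]$Pdc.BadPwdCount[$User]
    if ($Pdc.BadPwdCount[$User] -ge $LockoutThreshold) { $Pdc.LockedOut[$User] = $true }
    "$($Dc.Name): bad password for $User (badPwdCount on $($Pdc.Name) = $($Pdc.BadPwdCount[$User]))"
}

# Initial state, already replicated to every DC.
foreach ($dc in $Dc01, $Dc02, $Dc03) { $dc.Passwords['alice'] = 'Spring2008!' }

# alice changes her password at DC03; DC02 has not replicated the change yet.
Set-UserPassword -Dc $Dc03 -User 'alice' -Password 'Summer2008!'

Test-Logon -Dc $Dc02 -User 'alice' -Password 'Summer2008!'   # new password presented to the stale DC
Test-Logon -Dc $Dc02 -User 'alice' -Password 'guess1'        # bad attempt via DC02
Test-Logon -Dc $Dc03 -User 'alice' -Password 'guess2'        # bad attempt via DC03
Test-Logon -Dc $Dc01 -User 'alice' -Password 'guess3'        # bad attempt directly at the PDC emulator
Test-Logon -Dc $Dc02 -User 'alice' -Password 'Summer2008!'   # correct password after the lockout
```

    Two things the model makes visible that matter operationally: a logon that would have failed on a stale DC succeeds only because the PDC emulator can be reached, so an unreachable PDC emulator shows up as "wrong password" complaints right after password changes; and because the count is kept centrally, a password-spraying attempt spread across DCs still trips the lockout at the PDC emulator.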

  4. #4

    How to transfer FSMO roles in Windows Server 2003

    You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:
    • Active Directory Schema snap-in
    • Active Directory Domains and Trusts snap-in
    • Active Directory Users and Computers snap-in


    Transfer the Schema Master Role
    1. Click Start, click Run, type mmc in the Open box, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Add.
    4. Click Active Directory Schema, click Add, click Close, and then click OK.
    5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
    6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
    7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
    8. Click Change.
    9. Click OK to confirm that you want to transfer the role, and then click Close.


    Transfer the Domain Naming Master Role
    1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
    2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
    3. Do one of the following:
      • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
        -or-
      • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
    4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
    5. Click Change.
    6. Click OK to confirm that you want to transfer the role, and then click Close.


    Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
    1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
    3. Do one of the following:
      • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
        -or-
      • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
    4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
    5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
    6. Click OK to confirm that you want to transfer the role, and then click Close.
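    The same transfers done with Ntdsutil.exe, the command-line route this post mentions, as an added example that is not part of the original post. It is meant to be run from a PowerShell prompt on a Windows Server 2003 domain controller; DC02 is a hypothetical target, and the Windows Support Tools (netdom, dcdiag) are assumed to be installed. Nothing here runs offline; it talks to a real domain.

```powershell
# Added example, not from the original post. DC02 is a hypothetical target DC.

$Target = 'DC02'

# Who holds the five roles before the change (netdom is in the Windows Server 2003 Support Tools).
netdom query fsmo

# ntdsutil accepts its interactive menu commands as separate arguments, so one line runs a full
# session: enter the roles menu, bind to the DC that should receive the role, transfer, leave.
# "transfer" asks the current holder to hand the role over cleanly; it is not "seize", which is
# only for a holder that is permanently gone.
# Permissions: schema master needs Schema Admins, domain naming master Enterprise Admins, the
# other three Domain Admins of that domain. The two forest roles must go to a DC in the forest
# root domain. Answer Yes to the confirmation each transfer asks for.
# On Windows Server 2008 and later the second command reads "transfer naming master" instead.
$Roles = 'schema master', 'domain naming master', 'rid master', 'pdc', 'infrastructure master'
foreach ($Role in $Roles) {
    ntdsutil 'roles' 'connections' "connect to server $Target" 'quit' "transfer $Role" 'quit' 'quit'
}

# Confirm from the new holder's side and check that every DC agrees on who holds what.
netdom query fsmo
dcdiag /s:$Target /test:knowsofroleholders /v

# From a Windows Server 2008 R2 or later admin host with the RSAT ActiveDirectory module, the
# equivalent is a single cmdlet:
#   Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole SchemaMaster,DomainNamingMaster,RIDMaster,PDCEmulator,InfrastructureMaster
```

    One check before moving the infrastructure master: in a multi-domain forest it should not sit on a global catalog server unless every DC in the domain is a global catalog, because a GC already holds the cross-domain references and the infrastructure master will stop updating them. The knowsofroleholders test at the end is what tells you replication has carried the new fSMORoleOwner values to the other DCs; until it has, some DCs will still point at the old holder.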
