Monday, February 3, 2014


Welcome to The Tips and Tricks Guide to Active Directory Troubleshooting!

Q.1: What do the FSMO roles do?
A: In general, all domain controllers in an Active Directory domain are created equal. That is,
they all have the ability to both read from and write to the Active Directory database and are
essentially interchangeable. However, certain operations within a domain and forest must be
centrally coordinated from a single authoritative source. These operations are handled by only
one domain controller within the domain and are divided into five distinct operational categories.
These categories are referred to as Flexible Single Master Operations (FSMOs).
The term flexible refers to the fact that no particular domain controller must handle these
operations. Instead, the five FSMO roles can be held by any one domain controller; in fact, all
five roles can be held by a single domain controller if you desire. When you install the first
Active Directory domain in a new forest, the first domain controller you create automatically
holds all five roles, and will continue to do so unless you manually move one or more of the
roles to another domain controller.
The FSMO Roles
The five FSMO roles are as follows:
• Schema master. This role is held by only one domain controller per forest. This role
coordinates all changes to the Active Directory schema, and is required in order to
process any schema updates. Only the schema master is permitted to replicate schema
changes to other domain controllers in a forest.
• Domain naming master. This role is held by only one domain controller per forest. This
role handles all changes to the forest-wide domain namespace, and is the only role that
can process the addition or removal of a domain to or from the forest.
• RID master. This role is held by only one domain controller per domain. This role
manages the relative identifier (RID) pool for the domain (for more information about
RIDs, see the sidebar “Relative Identifiers in a Domain”). This role is also responsible for
moving objects from one domain to another within a forest.
• PDC emulator. This role is held by only one domain controller per domain. This role is
the central authority for time synchronization within a domain, and emulates the
functionality of a Windows NT 4.0 Primary Domain Controller (PDC). Any NT Backup
Domain Controllers (BDCs) in a domain replicate from the PDC emulator. Pre-Windows
2000 (Win2K) clients without the Microsoft Directory Services Client (DSClient) contact
the PDC emulator to change user and computer passwords. The PDC emulator is also
responsible for processing account lockouts. Finally, any failed logon attempts are first
forwarded to the PDC emulator before returning a bad logon message to the client.
Note: The PDC emulator is the one FSMO role that your domain cannot live without for very long. This role
should be placed on a robust server computer, and you should monitor that computer closely to
ensure that the PDC emulator is functioning correctly. Because the PDC emulator processes account
lockout, it is a key piece of Active Directory’s security infrastructure.
• Infrastructure master. This role is held by only one domain controller per domain. This
role updates object security identifiers (SIDs) and distinguished names (DNs) in cross-domain
object references.
Relative Identifiers in a Domain
All security principals, such as users and computers, in a domain have a unique SID that identifies the
principal on access control lists (ACLs) in the domain. SIDs consist of two major portions: the domain
SID, which is the same for all SIDs within a domain, and a RID, which is unique for each security principal
within a domain. The combination of the domain SID and the RID make the resulting SID completely
unique across domains, even though different domains can issue the same RIDs.
The RID master allocates small pools of unique RIDs to each domain controller in a domain. Domain
controllers use this pool to assign RIDs when creating new security principals. When a domain controller
runs out of available RIDs, the domain controller contacts the RID master to obtain a new pool. Because
all RIDs originate from a single source, the RIDS are guaranteed to be unique within the domain.
Note: You might sometimes see references to a sixth FSMO role, the Global Catalog (GC). Although the
GC is an extra function that can be assigned to a domain controller, it is not a FSMO. Domains and
forests can contain multiple domain controllers acting as a GC server, whereas FSMOs are by
definition held by one, and only one, domain controller at a time.
For more information about the FSMO roles, refer to the Microsoft article “Windows 2000 Active
Directory FSMO Roles.”
The following list provides some best practices for placing FSMOs:
• In a multiple-domain forest, never place the infrastructure master role on a domain
controller that is also a GC server. The infrastructure master’s job is to update cross-domain
references, and it does so by looking for references it does not itself possess.
Because a GC contains a reference to every object in the entire forest, the infrastructure
master will never be without a reference, and will therefore fail to perform its job
properly.
• Because the PDC emulator holds such a crucial, central role in Active Directory, you
should place the PDC emulator on a domain controller that has the best possible
connectivity to other domain controllers in the domain. The PDC emulator in the forest
root domain synchronizes time for all other PDC emulators in the forest, and should have
a reliable network connection to the domain controllers holding the role in each domain.
• You should place the schema master on a domain controller that is physically collocated
with the administrators responsible for maintaining the forest’s schema. This placement
will ensure that the administrators have a reliable connection when performing schema
updates.
FSMO Failover
Active Directory does not provide automatic failover for the FSMO roles. Some of the roles,
such as the schema master, aren’t required for Active Directory’s day-to-day operations, so
automatic failover isn’t strictly necessary. However, some roles, such as the PDC emulator,
control critical domain operations, and you’ll notice pretty quickly if the domain controller
containing the role fails. In those cases, you’ll have to manually relocate the FSMO role to
another domain controller.
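As an added example (not from the guide), the following PowerShell script inventories the five role holders across a forest, flags an infrastructure master that also acts as a GC in a multi-domain forest (the placement rule above), and reports role holders that no longer answer, which is the manual check the failover section calls for. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to every domain in the forest.

```powershell
# Added example: FSMO role inventory and health check (not code from the guide).
# Assumes the RSAT ActiveDirectory module and forest-wide read rights.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = ($forest.Domains.Count -gt 1)

# Forest-wide roles: exactly one holder per forest.
$roles = @(
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
)

# Domain-wide roles: exactly one holder per domain.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $roles += [pscustomobject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
    }
}

foreach ($entry in $roles) {
    $findings = @()
    try {
        # Query the holder itself; a failed holder surfaces here as an error,
        # which is the signal that the role must be relocated by hand.
        $dc = Get-ADDomainController -Identity $entry.Holder -Server $entry.Holder -ErrorAction Stop
        if ($multiDomain -and $entry.Role -eq 'InfrastructureMaster' -and $dc.IsGlobalCatalog) {
            $findings += 'infrastructure master is also a GC in a multi-domain forest'
        }
    }
    catch {
        $findings += "holder unreachable: $($_.Exception.Message)"
    }
    $status = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Scope  = $entry.Scope
        Role   = $entry.Role
        Holder = $entry.Holder
        Status = $status
    }
}
```

Pipe the output to Format-Table or Export-Csv; an unreachable PDC emulator row is the one to act on first, since that role's absence affects lockout processing and time synchronization.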
