Active Directory

FSMO Role Holders

One thing that every support person who manages and supports Active Directory should know is the FSMO role holders (also called operations masters): what they do, and the effect of each of them being offline due to any kind of disaster or failure. These role holders are among the most important servers in your AD infrastructure.

There are 5 of them in total:

  • Schema Master (One per forest)
  • Domain Naming Master (One per forest)
  • RID Master (One per domain)
  • PDC Emulator Master (One per domain)
  • Infrastructure Master (One per domain)

So what functions exactly do these perform, and what are the effects of them being unavailable?

Schema Master: This server manages and validates all schema updates that are performed in the forest. If you apply schema updates you will need to log onto this server to perform them. If the server is unavailable then you will not be able to make any changes to the Active Directory schema.

Domain Naming Master: This server controls the addition and removal of domains in the AD forest. Whilst this server is unavailable you will not be able to add or remove domains.

RID Master: Each object in AD (user, group or computer) has a unique SID, and the SID contains a unique RID. The RID Master is responsible for tracking all the RIDs in the domain and making sure they are unique. They get handed out to each DC in blocks of 500, and when a DC's pool gets down to 50% it makes a request to the RID Master for more. So if the RID Master is unavailable for a long period of time you may not be able to create new objects.

PDC Emulator: This role holder is responsible for keeping the forest time in sync, acting as a BDC and also processing password change requests.

Infrastructure Master: The Infrastructure Master is the domain controller responsible for updating an object's SID and distinguished name in a cross-domain object reference. The server that hosts it cannot be a global catalogue (GC), because then it will not be able to know what the changes are. However, this rule does not apply if every DC in your forest is a GC. More information about that is here (http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/08/37975.aspx).
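As an added example (not code from the original post), the following PowerShell script inventories the five role holders described above, checks whether each one currently answers on the network, and flags the Infrastructure Master / Global Catalog conflict, including the exception where every DC in the forest is a GC. It assumes the ActiveDirectory RSAT module is installed and the session is running on a domain-joined machine with read access to AD; the function names are my own.

```powershell
# Added example: FSMO role inventory and basic health check.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles live on the forest object, per-domain roles on the domain object
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # An unreachable holder means that role's function (schema changes, RID pools,
        # password chaining, ...) is unavailable until it returns or the role is moved
        $online = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role   = $role
            Holder = $holder
            Online = [bool]$online
        }
    }
}

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $im = Get-ADDomainController -Identity $domain.InfrastructureMaster

    # Collect every DC in the forest that is NOT a Global Catalog.
    # If there are none, the "IM must not be a GC" rule does not apply.
    $nonGcDcs = @(foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d | Where-Object { -not $_.IsGlobalCatalog }
    })

    if ($im.IsGlobalCatalog -and $nonGcDcs.Count -gt 0) {
        $msg = "Infrastructure Master {0} is a Global Catalog while {1} DC(s) in the forest are not; " +
               "cross-domain object references will not be updated." -f $im.HostName, $nonGcDcs.Count
        Write-Warning $msg
        return $false
    }

    Write-Host "Infrastructure Master placement is fine."
    return $true
}

Get-FsmoRoleStatus | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Out-Null
```

Running this periodically (or from monitoring) gives early warning that a role holder has gone quiet before the symptoms described above, such as failed object creation once RID pools run dry, start to appear.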

Should I transfer or seize FSMO roles?

If the current FSMO servers are available then you should always transfer the FSMO roles using ntdsutil or the relevant GUIs. You should only seize roles when the current FSMO holder is not available. Also, if you do seize a FSMO role you should never ever ever ever bring the original holder back online, otherwise it will cause big problems.
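The following PowerShell function is an added example (not the post's own procedure) of putting that rule into code: it looks up the current holder of a role, transfers gracefully when that holder answers, and only seizes when the holder is unreachable and the caller has explicitly opted in. It assumes the ActiveDirectory RSAT module and the rights the role requires (Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, Domain Admins for the rest); the DC names in the example calls are placeholders.

```powershell
# Added example: transfer-or-seize decision for a single FSMO role.
# Assumes the ActiveDirectory module (RSAT) and appropriate admin rights.
Import-Module ActiveDirectory

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string] $Role,
        # Seizing is destructive; require an explicit opt-in rather than a default
        [switch] $AllowSeize
    )

    # Find the current holder of the requested role
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $currentHolder = switch ($Role) {
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'RIDMaster'            { $domain.RIDMaster }
        'PDCEmulator'          { $domain.PDCEmulator }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
    }

    # A graceful transfer needs the current holder to be reachable
    $holderOnline = Test-Connection -ComputerName $currentHolder -Count 1 -Quiet -ErrorAction SilentlyContinue

    if ($holderOnline) {
        if ($PSCmdlet.ShouldProcess($TargetDC, "Transfer $Role from $currentHolder")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        }
        return
    }

    if (-not $AllowSeize) {
        throw "Current $Role holder $currentHolder is unreachable. Re-run with -AllowSeize only if it will never return to the network."
    }

    if ($PSCmdlet.ShouldProcess($TargetDC, "SEIZE $Role from unreachable $currentHolder")) {
        # -Force seizes the role. After this, the old holder must not be brought back online.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    }
}

# Example calls (placeholder DC name):
#   Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator              # transfer (holder online)
#   Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator -AllowSeize  # seize (holder gone for good)
#
# Equivalent interactive ntdsutil sequence for the same role:
#   ntdsutil -> roles -> connections -> connect to server DC02 -> quit
#           -> transfer pdc   (or: seize pdc)
```

The `-Force` switch on `Move-ADDirectoryServerOperationMasterRole` is what turns a transfer into a seizure, so keeping it behind a separate opt-in switch makes it hard to seize by accident. Once a role has been seized, the old holder should be rebuilt from scratch rather than reconnected, which is the practical form of the "never bring it back online" rule above.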

More information about FSMO roles can be found here:
