Thursday, February 26, 2015

Active Directory FSMO Roles Explained

Ace here again. I’ve updated this blog to just clean it up a bit, but as for the technical information about FSMOs, not much as changed. If you see anything that you feel is inaccurate, by all means please contact me.


This blog contains some quoted material from the Microsoft Official Curriculum (MOC) 6425B Course
Course 6425C: Configuring and Troubleshooting Windows Server 2008 R2 Active Directory Domain Services
If interested in taking this course, please see the following link to find a training center near you:

Key Points

In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion.
Active Directory is no exception. A limited number of operations are not permitted to
occur at different places at the same time and must be the responsibility of only
one domain controller in a domain or forest. These operations, and the domain
controllers that perform them, are referred to by a variety of terms:
• Operations masters
• Operations master roles
• Single master roles
• Operations tokens
• Flexible single master operations (FSMOs)
Regardless of the term used, the idea is the same. One domain controller performs
a function, and while it does, no other domain controller performs that function.
All Active Directory domain controllers are capable of performing single master
operations. The domain controller that actually performs a single master operation is the
domain controller that currently holds the operation’s token, or the “role holder.”.
An operation token, and thus the role, can be transferred easily to another domain
controller without a reboot.
To reduce the risk of single points of failure, the operations tokens can be
distributed among multiple DCs.
AD DS contains five operations master roles. Two roles are performed for the
entire forest, and two roles are performed by three roles for each domain.

Forest Roles (two roles):

  • Domain naming
  • Schema

Domain Roles (three roles):

  • Relative identifier (RID)
  • Infrastructure
  • PDC Emulator
In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain master roles are implemented separately in each of the two domains.

Forest-Wide Operations Master Roles

The schema master and the domain naming master must be unique in the forest.
Each role is performed by only one domain controller in the entire forest.

Domain Naming Master Role:

The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must beaccessible, or the operation will fail.

Schema Master Role:

The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.

Domain-Wide Operations Master Roles

Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator. Each role is performed by only one domain controller in the domain.

RID Master Role

The RID master plays an integral part in the generation of security identifiers
(SIDs) for security principals such as users, groups, and computers. The SID of a
security principal must be unique. Because any domain controller can create
accounts, and therefore, SIDs, a mechanism is necessary to ensure that the SIDs
generated by a DC are unique. Active Directory domain controllers generate SIDs
by assigning a unique RID to the domain SID. The RID master for the domain
allocates pools of unique RIDs to each domain controller in the domain. Thus,
each domain controller can be confident that the SIDs it generates are unique.


The RID master role is like DHCP for SIDs. If you are familiar with the concept that
you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.

Infrastructure Master Role

In a multidomain environment, it’s common for an object to reference objects in other domains. For example, a group can include members from another domain.
Its multivalued member attribute contains the distinguished names of each
member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the group’s member attribute accordingly.
Note: The infrastructure master. You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.
Also note: This role only pertains in a multi-domain forest. The infrastructure master if running on the same DC as a GC, will conflict and cause the infrastructure master role to fail its intended purpose. One way to eliminate any issues with the Infrastructure Master Role & GC conflict is to simply make all DCs a GC. More info on this can be found in the following link:

PDC Emulator Role

The PDC Emulator role performs multiple, crucial functions for a domain:
• Emulates a Primary Domain Controller (PDC) for backward compatibilityIn the days of Windows NT® 4.0 domains, only the PDC could make changes
to the directory. Previous tools, utilities, and clients written to support
Windows NT 4.0 are unaware that all Active Directory domain controllers can
write to the directory, so such tools request a connection to the PDC. The
domain controller with the PDC emulator role registers itself as a PDC so that
down-level applications can locate a writable domain controller. Such
applications are less common now that Active Directory is nearly 10 years old,
and if your enterprise includes such applications, work to upgrade them for
full Active Directory compatibility.
• Participates in special password update handling for the domainWhen a user’s password is reset or changed, the domain controller that makes
the change replicates the change immediately to the PDC emulator. This
special replication ensures that the domain controllers know about the new
password as quickly as possible. If a user attempts to log on immediately after
changing passwords, the domain controller responding to the user’s logon
request might not know about the new password. Before it rejects the logon
attempt, that domain controller forwards the authentication request to a PDC
emulator, which verifies that the new password is correct and instructs the
domain controller to accept the logon request. This function means that any
time a user enters an incorrect password, the authentication is forwarded to
the PDC emulator for a second opinion. The PDC emulator, therefore, should
be highly accessible to all clients in the domain. It should be a well-connected,
high-performance DC.
• Manages Group Policy updates within a domainIf a Group Policy object (GPO) is modified on two DCs at approximately the
same time, there could be conflicts between the two versions that could not be
reconciled as the GPO replicates. To avoid this situation, the PDC emulator
acts as the focal point for all Group Policy changes. When you open a GPO in
the Group Policy Management Editor (GPME), the GPME binds to the domain
controller performing the PDC emulator role. Therefore, all changes to GPOs
are made on the PDC emulator by default.
• Provides a master time source for the domainActive Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely
on timestamps, so synchronizing the time across all systems in a domain is
crucial. The PDC emulator in the forest root domain is the time master for the
entire forest, by default. The PDC emulator in each domain synchronizes its
time with the forest root PDC emulator. Other domain controllers in the
domain synchronize their clocks against that domain’s PDC emulator. All
other domain members synchronize their time with their preferred domain
controller. This hierarchical structure of time synchronization, all implemented
through the Win32Time service, ensures consistency of time. Universal
Coordinated Time (UTC) is synchronized, and the time displayed to users is
adjusted based on the time zone setting of the computer.
Note: Change the time service only one way. It is highly recommended to allow Windows to maintain its native, default time synchronization mechanisms. The only change you should make is to configure the PDC emulator of the forest root domain to synchronize with an extra time source. If you do not specify a time source for the PDC emulator, the System event log will contain errors reminding you to do so. See the following link and the articles it refers to, for more information.
Configure the Windows Time service on the PDC emulator in the Forest Root Domain
Configuring the Windows Time Service – A step by step with a Contingency Plan – This is a procedure I put together for an enterprise.
Configuring the Windows Time Service for Windows Server, explanation of the time service hierarchy, and more
• Acts as the domain master browserWhen you open Network in Windows, you see a list of workgroups and
domains, and when you open a workgroup or domain, you see a list of
computers. These two lists, called browse lists, are created by the Browser
service. In each network segment, a master browser creates the browse list: the
lists of workgroups, domains, and servers in that segment. The domain master
browser serves to merge the lists of each master browser so that browse clients
can retrieve a comprehensive browse list.

What happens when a FSMO Role Fails

PDC Emulator failure

The PDC Emulator is the operations master that will have the most immediate
impact on normal operations and on users if it becomes unavailable. Fortunately,
the PDC Emulator role can be seized to another domain controller and then
transferred back to the original role holder when the system comes back online.

Infrastructure master failure

A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.

RID master failure

A failed RID master will eventually prevent domain controllers from creating new
SIDs and, therefore, will prevent you from creating new accounts for users, groups,
or computers. However, domain controllers receive a sizable pool of RIDs from the
RID master, so unless you are generating numerous new accounts, you can often
go for some time without the RID master online while it is being repaired. Seizing
this role to another domain controller is a significant action. After the RID master
role has been seized, the domain controller that had been performing the role
cannot be brought back online.

Schema master failure

The schema master role is necessary only when schema modifications are being
made, either directly by an administrator or by installing an Active Directory
integrated application that changes the schema. At other times, the role is not
necessary. It can remain offline indefinitely until schema changes are necessary.
Seizing this role to another domain controller is a significant action. After the
schema master role has been seized, the domain controller that had been
performing the role cannot be brought back online.

Domain naming master failure

The domain naming master role is necessary only when you add a domain to the
forest or remove a domain from a forest. Until such changes are required to your
domain infrastructure, the domain naming master role can remain offline for an
indefinite period of time. Seizing this role to another domain controller is a
significant action. After the domain naming master role has been seized, the
domain controller that had been performing the role cannot be brought back

Recovering from FSMO Role Failures

There are a number of steps that must be performed if any of the FSMO roles fail, and keep in mind, it’s not just based
on the FSMO role failure itself, rather you must also take into account the DC, too, because it usually means the DC itself
has failed, therefore the DC failure must be addressed.
If a DC fails, then you must address the DC failure as a whole, and not just the FSMO roles. This is because the DC’s account is referenced in the AD database by other DCs, and it expects it to be there to contribute and work with replication, among other AD functions. Therefore you must clean out the DC’s reference from the AD database, which also includes seizing the roles it held to other DCs.
This also includes the services a specific FSMO role held, such as the Time Service. This service runs on the PDC Emulator and must be moved to the new PDC Emulator you are seizing the role to.
For more information, with a complete and specific step by step, including any services the DC held which was FSMO role specific, please see the following article for more information:

Monitoring DCs for failures

Microsoft Monitoring Products

There are a number of tools to monitor your domain controllers from native Windows event logs, to using SCOM.
System Center Operations Manager 2007 (SCOM) – Platform MonitoringOct 6, 2010 … Take advantage of System Center Operations Manager 2007 for cross-platform monitoring, beta software and management packs.
To learn how to use SCOM, Microsoft has a specific course just for this product. For more information on the course, please see:
Microsoft Official Curriculum Course 50028B:
Installing and Configuring System Center Operations Manager 2007

Third Party Monitoring Tools

There are also numerous third party monitoring utilities available such as the following list:
Quest – Windows Management Solutions – Trust the Experts for Simplified Windows Management
Network Monitor Software and Windows Development ToolsNetwork Monitor Tool site – Network Monitoring Tools for Windows, Linux, Unix and Novell.
NetVision Audit for Active Directory – Monitoring Active Directory – Active Directory Reports – Easy Audit Reporting and Real-Time Monitoring
Windows Monitoring, Windows Server Monitoring, Windows Application …Download Windows monitoring tool for Windows server monitoring, IIS Server, . … Monitor Windows CPU, disk, process monitoring, memory and ensure high …
Windows Server Monitoring and Windows Event Log Management SoftwareDevelopers of Windows administration tools that monitor in real-time system performance, security logs, and event logs, and send automated, user-defined …
Nagios Core – Monitoring Windows Machines:
Network Management Software | Server Monitoring | WhatsUp GoldWhatsUp Gold is an award-winning network monitoring software, managing over 100000 networks worldwide. Download trials & free tools now!

Comments, suggestions and corrections are welcomed!



I hope this helps!
Original Publication Date: 11/1/2011
Updated 11/4/2014
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services