So really, what are FSMO roles ?

February 29, 2008

FSMO (pronounced "fiz-mo") roles are essentially domain controllers with more authority than their peer DCs, hence the name Flexible Single Master Operation. The word "flexible" is probably in there because you have the flexibility to move these roles around (the word "floating" is used in some places as well). From the name, the part to focus on is Single Master Operation: each of these roles is a single job that only one DC can hold at a time.

There are a total of five FSMO roles, two at the forest level and three at the domain level. Here is what they are.

Forest Level FSMO roles:

  1. Domain Naming Master - Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often, I suggest, so the fact that this is a FSMO role does not impact normal domain activity. My point is that it's worth the price to confine domain join and leave operations to one machine, and avoid the small risk of duplicate names or orphaned domains.
  2. Schema Master - Handles operations that extend object properties, e.g. Exchange 2003 /forestprep, which adds mailbox properties to users. Rather like the Domain Naming Master, changing the schema is a rare event. However, if you have a team of Schema Administrators all experimenting with object properties, you would not want a mistake that crippled your forest. So it's a case of Microsoft knowing best: the Schema Master should be a Single Master Operation and thus a FSMO role.

Domain level FSMO roles: 

  1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs. However, it has two other jobs which operate even in Windows 2003 native domains: synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.
  2. RID Master - Each object must have a globally unique number (GUID). The RID Master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example, DC one is given RIDs 1-4999 and DC two is given RIDs 5000-9999.
  3. Infrastructure Master - Responsible for checking objects in other domains. Universal group membership is the most important example. To me, it seems as though the operating system is paranoid that a) you are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure Master could not check your Universal Groups, there could be a security breach.

You can see your domain-level FSMOs from ADUC (Active Directory Users & Computers): right-click on the domain name and click on Operations Roles; from there you also have the ability to transfer these roles. Of the forest-level FSMOs, the Domain Naming Master can be looked up from Active Directory Domains and Trusts: right-click on Active Directory Domains and Trusts at the top of the left pane and click on Operation Roles. To look up the Schema Master you have to register a DLL and add a snap-in (see here).

As a Windows system admin you should know the importance of the FSMO roles, have a good knowledge of what each one does, and know how to transfer and seize them when necessary.
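The GUI steps above and the transfer/seize advice are easier to keep auditable from a script. The following is an added example, not code from the original post: it lists all five role holders, checks that each holder answers on LDAP, warns about the well-known Infrastructure Master / global catalog conflict in multi-domain forests, and wraps the transfer cmdlet so that a seize is an explicit, separate choice. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, so newer than the 2008 tooling the post describes) and a domain-joined session with rights to read the forest and domain objects; the function names Get-FsmoRoleHolders, Test-FsmoHealth and Move-FsmoRole are my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Returns one object per FSMO role with the DC that currently holds it.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-level roles are stored on the forest object, domain-level roles on the domain object.
    [PSCustomObject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    [PSCustomObject]@{ Scope = 'Domain'; Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
    [PSCustomObject]@{ Scope = 'Domain'; Role = 'RIDMaster';            Holder = $dom.RIDMaster }
    [PSCustomObject]@{ Scope = 'Domain'; Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
}

function Test-FsmoHealth {
    # Adds an Online column to the role list and warns about common misconfigurations.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $roles = Get-FsmoRoleHolders -Domain $Domain
    foreach ($r in $roles) {
        # A holder that is offline cannot service its role; this bites hardest for the
        # PDC Emulator (time, password changes) and the RID Master (new RID pools).
        $online = Test-NetConnection -ComputerName $r.Holder -Port 389 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
        $r | Add-Member -NotePropertyName Online -NotePropertyValue $online -PassThru
    }

    # Caveat (well-known, not from the post): in a multi-domain forest the Infrastructure
    # Master should not also be a global catalog unless every DC is a GC, otherwise
    # cross-domain references (e.g. Universal Group membership) are never updated.
    $forest = Get-ADForest
    if ($forest.Domains.Count -gt 1) {
        $imHost = ($roles | Where-Object { $_.Role -eq 'InfrastructureMaster' }).Holder
        $im     = Get-ADDomainController -Identity $imHost
        $nonGc  = Get-ADDomainController -Filter * -Server $Domain |
                      Where-Object { -not $_.IsGlobalCatalog }
        if ($im.IsGlobalCatalog -and $nonGc) {
            Write-Warning "Infrastructure Master $imHost is a GC while $($nonGc.Count) DC(s) are not; move the role or make all DCs GCs."
        }
    }
}

function Move-FsmoRole {
    # Transfers roles gracefully. -Seize maps to the cmdlet's -Force switch and is only
    # appropriate when the current holder is permanently gone; a seized-from DC must never
    # be brought back online without being demoted first.
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
}

# Usage:
#   Get-FsmoRoleHolders | Format-Table -AutoSize
#   Test-FsmoHealth | Format-Table -AutoSize
#   Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator, RIDMaster          # graceful transfer
#   Move-FsmoRole -TargetDC 'DC02' -Role SchemaMaster -Seize               # only if old holder is gone
```

Running Test-FsmoHealth on a schedule and alerting on any Online = False row gives you early warning that a role is stranded, which is exactly the situation in which you would otherwise end up seizing rather than transferring.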

For more detailed reading see this great article, since you may not find a lot of FSMO information in general MS Press books targeted at MS certification (at least for the Windows Server 2003 track).
