Operations Master Roles (Flexible Single Master Operations - FSMO)

Operations master roles (also known as flexible single master operations, or FSMO) are special roles assigned to one or more domain controllers in an Active Directory domain.

Active Directory supports multi-master replication of the directory data store between all domain controllers in the domain, so all domain controllers in a domain are essentially peers. Replication conflicts do occur during Active Directory replication, however, and for some operations on a Windows Server 2003 Active Directory a conflict would be harmful. For these operations Windows Server 2003 reverts to a single-master model: a single domain controller on the network takes responsibility for performing the specific task, and such a domain controller is called an Operations Master.

There are five Operations Master roles: two are forest-level roles and three are domain-level roles. The following table lists the Operations Master roles and their scope.

Operations Master Role                        Scope
Schema Master                                 Forest wide
Domain Naming Master                          Forest wide
Primary Domain Controller (PDC) Emulator      Domain wide
Relative Identifier (RID) Master              Domain wide
Infrastructure Master                         Domain wide

Schema Master

The Active Directory schema defines what can exist within the directory. Updating it with new object classes and attributes should be a closely controlled and monitored process. There is only a single read/write copy of the schema on your Windows Server 2003 network, and it is stored on the Schema Master.

The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master.

There is only a single Schema Master in the entire forest at any time.

Domain Naming Master

All objects within AD must be unique. We cannot create two objects in a container with the same name, and the distinguished names of all objects must be unique. The Domain Naming Master ensures that new domains added to your Windows Server 2003 forest have unique names.

There is only a single Domain Naming Master in the entire forest at any time.

PDC (Primary Domain Controller) Emulator

The PDC emulator services network clients that do not have Active Directory client software installed, and it replicates directory changes to any Microsoft Windows NT backup domain controllers (BDCs) in the domain.

Even when the domain is operating at the Windows Server 2003 functional level, the PDC Emulator is still required to perform certain tasks.

The PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain.

If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

There is only a single PDC Emulator per domain.

Relative ID (RID) Master

A Security Principal is an Active Directory object that can be assigned permissions within a Windows Server 2003 network. Examples of Security Principal objects are users, groups, and computers. Each Security Principal is assigned a Security Identifier (SID) so that it can be identified.

A Security Identifier (SID) is made up of two components. The first component, the domain SID, is common to all security principals in a domain. The uniqueness of each SID comes from the addition of a second number, the Relative Identifier (RID). The RID is assigned from a pool of RIDs stored at each Domain Controller, and the RIDs in this pool are allocated to each Domain Controller by the RID Master.

The format of a SID follows this pattern: S-R-IA-SA-SA-RID.

• S represents a SID identifier.

• R represents the Revision. All SIDs generated by Windows use a revision level of 1.

• IA represents the issuing authority.

• SA represents a sub-authority.

• RID is the Relative ID.

A typical user SID looks like this: S-1-5-21-1683771067-1221355100-624655392-1001.
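As an added example that is not part of this tutorial, the following Python splits a SID of the form above into its domain SID and RID, so that two principals from the same domain can be recognised and a renamed built-in account can still be identified by its fixed RID. The table of well-known RIDs (500 = Administrator, 512 = Domain Admins, and so on) is an assumption taken from public Microsoft documentation, not from this page.

```python
from dataclasses import dataclass

# Well-known, per-domain RIDs (assumption: from public Microsoft documentation,
# not from this page). They stay fixed even if the account is renamed.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   516: "Domain Controllers", 519: "Enterprise Admins"}


@dataclass(frozen=True)
class Sid:
    revision: int               # R: always 1 for Windows-generated SIDs
    identifier_authority: int   # IA: 5 = NT Authority
    sub_authorities: tuple      # SA..SA followed by the trailing RID

    @property
    def rid(self) -> int:
        """Last sub-authority: the RID handed out from the DC's RID pool."""
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> str:
        """Everything before the RID: shared by every principal in the domain."""
        head = [self.revision, self.identifier_authority, *self.sub_authorities[:-1]]
        return "S-" + "-".join(str(n) for n in head)

    def __str__(self) -> str:
        return f"{self.domain_sid}-{self.rid}"


def parse_sid(text: str) -> Sid:
    """Split an S-R-IA-SA-...-RID string, rejecting malformed input or unknown revisions."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a well-formed SID: {text!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    return Sid(revision, authority, tuple(subs))


def is_domain_sid(sid: Sid) -> bool:
    """True for S-1-5-21-<three sub-authorities>-RID, the shape of a domain (or local-machine) principal."""
    return (sid.identifier_authority == 5 and len(sid.sub_authorities) == 5
            and sid.sub_authorities[0] == 21)


def same_domain(a: Sid, b: Sid) -> bool:
    """Two principals belong to the same domain when their domain SIDs match."""
    return is_domain_sid(a) and is_domain_sid(b) and a.domain_sid == b.domain_sid


def well_known_name(sid: Sid):
    """Name of a fixed-RID principal, or None for a pool-allocated RID."""
    return WELL_KNOWN_RIDS.get(sid.rid) if is_domain_sid(sid) else None
```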

RIDs are assigned to each DC in blocks of 500 RIDs. When the block of RIDs is exhausted, the DC requests another block from the RID Master. To ensure uniqueness, the RID Master keeps track of which RID blocks have been assigned.

If the RID pool on a DC is exhausted and the RID Master is not available, you will not be able to create Security Principals (for example, a user) on that domain controller.

There is only a single RID Master per domain.

Infrastructure Master

The domain controller assigned the infrastructure master role is responsible for updating the group-to-user references whenever the members of groups are renamed or changed.

There is a single Infrastructure Master per domain.
