University of Chicago Active Directory
Flexible Single Master Operation (FSMO) Roles in UCAD
Each Windows 2003 domain has a minimum of three FSMO roles. The first domain in each forest will have five Flexible Single Master Operations (FSMOs). The five FSMO roles are:
Schema Master (one per forest)
The Schema Master role holder is the Domain Controller (DC) responsible for performing updates to the directory schema. This schema is the repository for the objects and their attributes that exist within the forest.
Domain Naming Master (one per forest)
The Domain Naming Master role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. When someone adds or deletes a domain, this FSMO role holder is responsible for the changes.
PDC Emulator (one per domain)
The PDC Emulator is the anchor for time synchronization in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service, which the Kerberos authentication protocol requires: all Windows 2000/2003-based computers within an enterprise must share a common time. The time service enforces a hierarchy of time authority that does not permit loops, so that every machine converges on that common time.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows 2003 domain, the PDC emulator role holder retains the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. (This function is unnecessary if there are no Windows NT 4.0 Server or client machines.)
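As an added example (not code from the UCAD page), the following PowerShell locates the PDC emulator of every domain in the forest and asks W32Time where each one is taking its time from, flagging any that has fallen back to its own clock instead of following the hierarchy described above. It assumes the ActiveDirectory PowerShell module (later tooling than the Windows 2003 era this page describes), a domain-joined administrative workstation, and remote access to w32tm on the DCs; the NTP host names in the trailing comment are placeholders.

```powershell
# Added example, not part of the original UCAD page.
# Assumes: ActiveDirectory module, rights to query DCs, w32tm reachable remotely.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# Sources that mean "no inbound time partner"; a PDC emulator reporting one of
# these is not following the domain hierarchy described in the text.
$localSources = 'Local CMOS Clock', 'Free-running System Clock'

foreach ($domainName in $forest.Domains) {
    $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator

    # w32tm prints the current time source as a single line.
    $source = ((& w32tm /query "/computer:$pdc" /source) -join '').Trim()

    $role = if ($domainName -eq $rootDomain) { 'forest root' } else { 'child' }
    '{0,-30} PDC emulator {1,-30} source: {2}' -f $domainName, $pdc, $source

    if ($localSources -contains $source) {
        Write-Warning "$pdc ($role PDC emulator) is using its own clock; it has no inbound time partner."
    }
}

# The text says the forest-root PDC emulator should take time from an external
# source. Run ON that DC to point it at external NTP servers (placeholder host
# names) and mark it reliable so the rest of the hierarchy will follow it:
#   w32tm /config /manualpeerlist:"ntp1.example.edu,0x8 ntp2.example.edu,0x8" `
#         /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
```

A child-domain PDC emulator should report a DC in the parent domain as its source; only the forest-root PDC emulator is expected to name an external host.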
Infrastructure Master (one per domain)
The Infrastructure Master role holder is the DC responsible for updating an object's Security ID (SID) and distinguished name in a cross-domain object reference. When an object in one domain is referenced by an object in another domain, the reference is stored as the GUID, the SID (for references to security principals), and the DN of the referenced object. This role should not reside on the same machine as a DC acting as a Global Catalog server.
RID Master (one per domain)
The RID Master role holder is the single DC responsible for processing Relative ID (RID) Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID that is unique for each security principal SID created in a domain. When a DC's allocated RID pool falls below a certain threshold, the DC issues a request for additional RIDs to the domain's RID master.
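The following PowerShell, added here as an example and not taken from the UCAD page, lists the five role holders and then performs the two checks the Infrastructure Master and RID Master sections motivate: that the Infrastructure Master is not also a Global Catalog server, and how much of the domain's RID space the RID Master has already issued. It assumes the ActiveDirectory PowerShell module and read access to the domain; the layout of the rIDAvailablePool attribute on the RID Manager$ object (high 32 bits = pool ceiling, low 32 bits = next RID to issue) is a documented detail, not something the page states.

```powershell
# Added example, not part of the original UCAD page.
# Assumes: ActiveDirectory module, domain-joined workstation with read rights.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from the forest object, domain-wide roles from the domain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($entry in $roles.GetEnumerator()) {
    '{0,-22} {1}' -f $entry.Key, $entry.Value
}

# Placement check from the text: the Infrastructure Master should not be a GC.
# Exception: if every DC in the domain is a GC, no DC holds phantom (cross-domain)
# references that need updating, so the placement is harmless.
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$im  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$everyDcIsGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($null -ne $im -and $im.IsGlobalCatalog -and -not $everyDcIsGc) {
    $msg = 'Infrastructure Master {0} is a Global Catalog while other DCs are not; ' +
           'cross-domain SID/DN references in this domain will go stale.'
    Write-Warning ($msg -f $im.HostName)
}

# RID space check: the RID Master tracks the domain pool on the RID Manager$ object.
$ridMgrDn = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
$ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool -Server $domain.RIDMaster
$pool     = [int64]$ridMgr.rIDAvailablePool
$ceiling  = $pool -shr 32            # highest RID the domain can ever issue
$nextRid  = $pool -band 0xFFFFFFFF   # next RID the RID Master will hand out
'{0:N0} of {1:N0} RIDs issued ({2:P2} of the domain RID space)' -f $nextRid, $ceiling, ($nextRid / $ceiling)
```

Querying the RID Manager$ object through the RID Master itself (the -Server argument) avoids reading a replica that has not yet received the latest pool allocation.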
Last updated: 6/6/07