
FSMO Roles

There are certain directory functions that must be performed on a specific domain
controller. These functions are defined by Flexible Single Master Operations roles, usually
known as FSMO roles.

There are five FSMO roles:

Forest Level FSMO Roles:

1. Schema Master
2. Domain Naming Master

Domain Level FSMO Roles:

1. PDC Emulator
2. RID Master
3. Infrastructure Master

1) Schema Master:-
The Schema Master domain controller controls all updates and modifications to the
schema. Once a schema update is complete, it is replicated from the Schema Master to all
other DCs in the directory.

If Schema Master down:-

- Loss of the Schema Master will be visible only if we are trying to modify the schema
or install an application that modifies the schema during installation.
- The schema cannot be extended; however, in the short term no one will notice a
missing Schema Master unless a schema upgrade is planned at that time.

2) Domain Naming Master:-


The Domain Naming Master is the only DC that can add or remove a domain from the
directory.

If Domain Naming Master down:-

- Loss of the Domain Naming Master will be visible only if we are trying to add or remove
a domain in a forest.
- We cannot run the DCPROMO command.

3) PDC Emulator Master:

The PDC Emulator Master is the root time server for synchronizing the clocks of all computers
in your forest. It is very important that computer clocks are synchronized across the forest,
because if they are out by too much, Kerberos authentication can fail and users won't be able
to log on to the network.
All password changes and account lockout issues are handled by the PDC Emulator.
Every domain has its own PDC Emulator role.

4) RID Master:
The RID Master is one of the operations master roles that must exist in each domain in a
forest. It provides a unique sequence of Relative IDs (RIDs) to each DC in a domain. When a DC
creates a new object, the object is assigned a unique security ID (SID) consisting of a
combination of a domain SID and a RID. The domain SID is a constant ID, whereas the RID is
assigned to each object by the domain controller.

The domain controller receives its RIDs from the RID Master. When the domain controller has
used all the RIDs provided by the RID Master, it requires the RID Master to issue more RIDs for
creating additional objects in the domain.

If RID Master down:-

- No new object can be created in the domain.
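
The RID allocation described above, as an added example that is not part of the original notes: a small Python model in which a RID Master issues non-overlapping RID blocks and each DC builds object SIDs from the domain SID plus a RID. The domain SID, block size, starting RID and all class and function names are constructed for illustration; in this model a DC fails to create objects at the point where it must request a new block while the RID Master is down.

```python
# Toy model of RID pool allocation; every name and value here is constructed.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
POOL_SIZE = 3  # constructed block size for the demo, not an AD default

class RidMasterUnavailable(Exception):
    """A DC needs a new RID block but the RID Master cannot be reached."""

class RidMaster:
    """The one DC per domain that issues non-overlapping RID blocks."""
    def __init__(self):
        self.next_rid = 1000  # constructed starting RID
        self.online = True

    def issue_pool(self):
        if not self.online:
            raise RidMasterUnavailable("RID Master is down")
        start, self.next_rid = self.next_rid, self.next_rid + POOL_SIZE
        return iter(range(start, start + POOL_SIZE))

class DomainController:
    def __init__(self, rid_master):
        self.rid_master = rid_master
        self.pool = rid_master.issue_pool()  # initial block from the RID Master

    def create_object(self):
        """Return the new object's SID: domain SID plus the next local RID."""
        rid = next(self.pool, None)
        if rid is None:  # local block used up, so ask the RID Master for more
            self.pool = self.rid_master.issue_pool()
            rid = next(self.pool)
        return f"{DOMAIN_SID}-{rid}"

def split_sid(sid):
    """Split an object SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def simulate_outage():
    """Two DCs create objects, then the RID Master goes down and DC1 keeps going."""
    master = RidMaster()
    dc1, dc2 = DomainController(master), DomainController(master)
    sids = [dc1.create_object(), dc2.create_object()]
    master.online = False
    created_during_outage = 0
    try:
        while True:
            sids.append(dc1.create_object())
            created_during_outage += 1
    except RidMasterUnavailable:
        return sids, created_during_outage
```

Calling `simulate_outage()` returns the SIDs created and the number DC1 managed to create after the RID Master went offline.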

5) Infrastructure Master:
The Infrastructure Master's role is to ensure that cross-domain object references are
correctly handled. If you add a user from one domain to a security group from a different
domain, the Infrastructure Master makes sure this is done properly.
