The forest-wide roles must appear once per forest; the domain-wide roles must appear once per
domain.
The Roles
There are five FSMO roles: two per forest and three in every domain. A brief summary of each role is
below.
Domain Naming
When a new domain is added to a forest, the name must be unique within the forest. The domain
naming master must be available when adding or removing a domain in a forest.
When moving objects between domains you must start the move on the DC which is the RID master
of the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a
BDC.
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects
in other domains. The global catalogue is used to compare data as it receives regular updates for all
objects in all domains.
Any changes to user-group references are updated by the infrastructure master. For example, if you
rename or move a group member and the member is in a different domain from the group, the group
will temporarily appear not to contain that member.
Important Note:
Unless there is only one DC in a domain, the infrastructure role should not be on the DC that is hosting
the global catalogue. If they are on the same server, the infrastructure master will not function: it will
never find data that is out of date and so will never replicate changes to other DCs in a domain.
If all DCs in a domain also host a global catalogue then it does not matter which DC has the
infrastructure master role as all DCs will be up to date due to the global catalogue.
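The placement rule above can be checked mechanically. The following PowerShell is an added example, not part of the original document: the function name Test-InfrastructureMasterPlacement, the host names and the inventory are constructed for illustration, and the commented lines at the end assume the ActiveDirectory module's Get-ADDomainController and Get-ADDomain cmdlets are available.

```powershell
# Added example, not from the original document.
# Function name, host names and inventory below are constructed for illustration.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,    # objects with HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [string]   $InfrastructureMaster  # FQDN of the current role holder
    )
    # The role holder must be one of the DCs in the inventory.
    $holder = @($DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster })
    if ($holder.Count -ne 1) {
        return [pscustomobject]@{ Ok = $false; Reason = "Role holder '$InfrastructureMaster' not found exactly once in the DC list" }
    }
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # Exception 1: a single-DC domain has nowhere else to put the role.
    if ($DomainControllers.Count -eq 1) {
        return [pscustomobject]@{ Ok = $true; Reason = 'Only one DC in the domain' }
    }
    # Exception 2: if every DC hosts a global catalogue, placement does not matter.
    if ($nonGc.Count -eq 0) {
        return [pscustomobject]@{ Ok = $true; Reason = 'Every DC hosts a global catalogue' }
    }
    # Otherwise the role must not sit on a global catalogue server.
    if ($holder[0].IsGlobalCatalog) {
        $candidates = ($nonGc.HostName) -join ', '
        return [pscustomobject]@{ Ok = $false; Reason = "Role holder is a global catalogue; non-GC candidates: $candidates" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = 'Role holder does not host a global catalogue' }
}

# Constructed inventory: dc1 is a GC and holds the role, dc2 is not a GC.
$sample = @(
    [pscustomobject]@{ HostName = 'dc1.example.test'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.example.test'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -DomainControllers $sample -InfrastructureMaster 'dc1.example.test'

# Against a live domain (ActiveDirectory module):
# $dcs = Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog
# Test-InfrastructureMasterPlacement -DomainControllers $dcs -InfrastructureMaster (Get-ADDomain).InfrastructureMaster
```

The same check applies before seizing the infrastructure master role: pass the intended target DC as the role holder and confirm the result before proceeding.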
GUI View
Schema Master
To view the schema you must first register the schema master DLL with Windows. To do this, enter the
following in the Run dialog of the Start menu.
regsvr32 schmmgmt.dll
Once you have done this, the schema master MMC snap-in will be available.
To transfer a role using ntdsutil, use the example below as a template for all the roles.
If a DC that is a role holder fails, you can seize the role on another DC, but you should always try to
transfer the role first.
Before seizing a role you need to assess the duration of the outage of the DC which is holding the role.
If it is likely to be a short outage due to a temporary power or network issue, then you would probably
want to wait rather than seize the role.
Note: A DC whose schema master role has been seized should never be brought back online.
RID Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only
notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs). You should,
however, only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online
If you seize the role and return the original DC to the network you can transfer the role back.
If you are required to seize the role, do not seize it to a DC which is a global catalogue server unless all
DCs are global catalogue servers.
If you seize the role and return the original DC to the network you can transfer the role back.