Skip navigation

Masters of Your Domain

Let's review the five Flexible Single-Master Operation (FSMO) roles in an Active Directory (AD) domain. AD relies on FSMO to prevent conflicts.

Forest Masters

  • Schema master—You must make all changes to an AD schema on the schema master machine. The schema constitutes the design of the AD database, defining both objects (such as users and groups) and their attributes (e.g., phone numbers, group members). Because one schema exists for the entire forest, the schema master ensures that two different administrators don't make conflicting changes to the schema.
  • Domain naming master—Are you creating or deleting a domain? You'll be dealing with this machine, which ensures that you won't encounter name conflicts in the process.

Domain Masters

  • Infrastructure master—The domain controller (DC) with this job ensures the consistency of the infrastructure—the groups and their members, in particular. For example, if you rename a user account, the infrastructure master makes sure that any groups containing that user account reflect the change. The infrastructure master shouldn't be a Global Catalog (GC) server—but by default, in the root domain, it is. Change this default as soon as you have a second DC in the forest root by transferring this role to the other machine.
  • Relative ID master—The relative ID master generates unique numeric values in each domain; these values will be handed out to the DCs to be assigned to each domain object. The relative ID, combined with the domain SID, makes up the object's globally unique identifier (GUID), which is AD's version of the earlier Windows NT 4.0 SID. Having only one machine in each domain generating RIDs ensures that each domain object gets a unique identifier.
  • PDC emulator—This machine emulates an NT 4.0 PDC so that NT 4.0 BDCs can update their SAM databases (as long as you're in mixed mode). However, even if you switch to native mode, the PDC emulator performs several other important functions, such as resolving password discrepancies (e.g., a user changes a password on one DC, but the same user is authenticated by a DC that hasn't received that change). Group Policy changes also occur on the PDC emulator to avoid conflicts. The PDC emulator also functions as a master time server for its domain. Basically, any odd AD job requiring a master server got tossed to the PDC emulator. If the DC with this job fails, you'll miss it, and soon.
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.