Explained: How Active Directory FSMO Roles Work


VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

Active Directory is a database that stores information about user accounts, computers and other objects. The Active Directory service has one primary functional unit called the “Domain Naming Master” or DNM which manages how users connect to resources like shared printers on the network. This article will explain how this process works

The “what is fsmo roles and explain” is a question that I am asked quite often. The Active Directory FSMO Roles are used to manage the Domain Controllers in an Active Directory.

Explained: How Active Directory FSMO Roles Work

The directory service Active Directory (AD) offers central authentication and authorisation services. In a multi-master arrangement, organizations host AD on domain controllers (DCs) that replicate information across them. Flexible Single Master Operation (FSMO) responsibilities guarantee that data is consistent and trustworthy across all sources.

With Specops’ 100% free Password Auditor Pro, you can find, report, and prevent unsafe Active Directory account passwords in your environment. Download it right now!

FSMO roles guarantee that AD replication runs properly, as well as many other key services. You’ll discover what FSMO roles are, how they affect AD, and how to manage them properly in an AD forest in this article.

You’ll have a better understanding of FSMO roles and how to manage them for a healthy AD environment at the Conclusion of this tutorial.

What are the different FSMO roles?

FSMO roles are services that are hosted on separate DCs in an AD forest. Each function has a distinct task, such as synchronizing time across devices or handling security identifiers (SIDs).

As seen below, FSMO responsibilities are scoped at the forest or domain level and are unique to that scope. For example, a forest with two domains will have one DC hosting the Master RID position in each domain (two total), but only one DC hosting the Master Schema role.

FSMO Role Scope
Master Schema Forest
Master of Domain Naming Forest
Emulator for the Primary Domain Controller Domain
Master RID Domain
Master of Infrastructure Domain

A DC can do numerous tasks at once.

Master Schema

The database is an important part of AD. The database, like all other databases, includes a schema that specifies its organization, including partitions and naming contexts. The AD schema is a database partition that stores AD object information. It includes classes such as person, group, and msPKI-Key-RecoveryAgent, as well as properties such as phone number, badPwdCount, and dNS-HostName.

The Active Directory schema is the database’s most “sensitive” segment.

AD needs a service to manage the schema thus the Master Schema role. The Master Schema role has the duty of controlling changes to the AD schema. If you’ve ever extended the AD schema to install products like Exchange or raising a forest functional level, you’ve worked with the Master Schema role.

You should perform any changes to the AD schema via the Master Schema role only under strict conditions on a single DC. You don’t want to make changes on two DCs and wait for replication to see which change “wins” via replication.

Master of Domain Naming

An AD database contains multiple partitions both at the forest and domain scope. AD occasionally makes changes to these partitions and needs a service to do that thus the Master of Domain Naming FSMO role.

When you make changes to the forest domain space (add partitions to the forest), the Master of Domain Naming writes these changes in Configuration\Partitions This activity happens when a domain controller is promoted or demoted, for example.

Emulator for the Primary Domain Controller (PDCe)

The PDCe is perhaps the most important FSMO position in AD. Password change synchronizations, account lockouts (and unlocks), time sync, and other activities are all handled by the PDCe role.

The Primary Domain Controller (PDC) was the sole writable DC in an AD domain in the early days of Active Directory (Windows NT). The remaining DCs were Backup Domain Controllers (BDCs), which were solely utilized for authentication requests.

Except for read-only domain controllers (RODCs), which were introduced in Windows Server 2008, all DCs become readable starting with Windows 2000. Because AD required the capability of the PDC even though it no longer had one, Microsoft created the PDC emulator (PDCe) role.

Legacy Application Redirection

One of the most fundamental functions of the PDCe role is to alert legacy applications that the DC on which it is hosted is where AD may write updates. If you’re unfortunate enough to still be dealing with a Windows NT service that doesn’t know where to make updates to the AD database, the PDCe will be contacted for help.

Synchronization of Time

It’s critical that all devices connected to a domain keep the same time. A maximum of five minutes must pass between a client and a DC or between DC replication partners when using Kerberos authentication (the default authentication mechanism).

In an AD forest, the PDCe role serves as the central time source for all other computers.

  1. All client computers synchronize their time with the DC to which they connect.
  2. All DCs in their domain synchronize time with the PDCe.
  3. DCs hosting the PDCe role in multi-domain AD forests synchronize their time with the PDCe on the parent domain.
  4. The root domain’s PDCe role then syncs with a trusted external time source.

Password Change Management

When an AD modification is made, it does not instantly replicate to all DCs; instead, it follows the AD replication schedule. Password updates, on the other hand, are handled differently. Password updates are always replicated from the originating DC to the PDCe DC, and then to the other DCs in the topology.

If a DC does not have the most recent password and a user tries to connect with it, the authenticating DC first contacts the DC with the PDCe role to request an updated password before rejecting authentication.

When users who have changed their password have trouble connecting to other DCs that have not yet replicated the new password, you’ll know there’s a problem with the PDCe.

Dealing with Account Lockouts

Account lockouts are likewise handled by the PDCe role. Account lockouts, unlike password changes, do not follow the usual replication intervals. Account lockouts are instantly duplicated to the other DCs via the replicate single object approach. This is a security feature that prevents a locked-out account from logging in to a DC that has not yet replicated.

The Group Policy Management Console’s default target (GPMC)

The Group Policy Management Console (GPMC) utility is used to manage Group Policy. The GPMC must be connected to a DC in order to make adjustments to AD. The GPMC will connect to the DC that has the PDCe role by default, even if it is in a different AD site. If the PDCe is unavailable, the GPMC will provide a warning that the PDCe role is unavailable and encourage you to choose a replacement DC.

The GPMC would much rather speak with the PDCE.The GPMC would much rather speak with the PDCE.

What is a Group Policy and How Does It Work? (In Detail)

Namespace Information for the Distributed File System (DFS)

The PDCe FSMO role also provides DFS namespace information to complete out its capability. DFS root servers will periodically request updated DFS namespace information from the PDCe, which is the source of authoritative DFS data.

In situations with a high number of DFS servers, you vary the default DFS namespace lookup behavior, which is typically not an overwhelming burden for the PDCe FSMO role.

Master RID

Every item in an AD domain must have a unique ID to distinguish it from other objects of the same kind. Every new item must have a unique ID, known as a security identifier or SID, assigned by AD.

S (for SID), the Revision number, I (the Identifier Authority), the domain ID, and the relative ID are all part of each SID. Each domain in a forest has its own domain ID. Each item in a domain has its own relative ID. The DomainId represents the domain ID, while the RelativeId represents the relative ID, as seen below.

S-Revision-I-DomainId-Rid S-1-5-12-7273811915-2261004348-033256673-515, for example This value is identified as a SID by the string. The string begins with the letter “S” and has a revision level of 1; the identifier authority value is 5 (NT Domain); the domain identifier is a four-part value, and the RID is 515. The RID value is fixed and will never change; it is hard-coded and will not be repeated. (This is the well-known SID for the Domain Computers security group in this case.)

The Relative ID (RID) Master role guarantees that each AD object’s SID is distinct.

Special accounts and well-known organizations have their own RIDs.

The first DC in the domain automatically becomes the Master RID, to keep RID issuance under control.

The DC holding the Master RID role comes into play primarily in three different events:

Promotion/Demotion in DC

Each time a new DC is promoted, the Master RID assigns it a block of 500 RIDs. These RIDs are then assigned (in incremental order) when a new account that needs a SID is created on that DC.

If the last block of RIDS allocated was from 5501 to…6000, the next DC in need (either a freshly promoted DC or a DC that has emptied its current block) will receive…6001 to…6500, and so on.

When a DC is removed from the AD database, the Master RID sees this and ensures not to assign any of the RIDs that DC had as a safety measure to prevent duplicate SIDs.

Exhaustion RID

When a DC reaches 50% RID capacity, it will go to the Master RID and request a new block of RIDs. DCs request new RIDs at 50% on the off chance the Master RID is offline which gives it plenty of buffer time to ensure its RID allocation isn’t exhausted.

Master RID Role Seizure

Administrators can move roles from one DC to another via FSMO role seizure or transfer. When an administrator moves the Master RID role from one DC to another, its next available RID # is incremented by 10000.

How to Transfer FSMO Roles is Related (GUI and PowerShell)

Incrementing the next available RID by 10000 is a safety mechanism put in place to avoid duplicate SIDs. If an administrator seizes the Master RID role, for example, and the old Master RID comes back online, it may begin issuing duplicate SIDs along with the new Master RID.

Master of Infrastructure

Every AD object has a SID assigned by the Master RID FSMO role. When you view users, groups and other AD information, we humans want to see a name and not a SID; this is where the Master of Infrastructure role comes in.

Each DC is set up as a global catalog by default (GC). A GC stores data from all of a forest’s domains. Configuring certain DCs to not be GCs was one technique to decrease replication traffic between locations.

If you were authenticated to a DC that was not a GC, the Master of Infrastructure was responsible for translating SIDs from other domains into human-friendly names.

A free read-only Password Auditor scan from Specops will check your Active Directory for 750M+ known leaked credentials.

For example, from a domain-joined computer, check the Security or Sharing tab of a folder in Windows Explorer with permissions set up for accounts in another domain. You’ll see the names of users, computers, and groups; not their SIDs. If your computer cannot find the Master of Infrastructure role in the domain, you’ll only the SIDs of accounts in other domains.

Other domain objects' SID to name translation The DC is not a GC on the left, and the IM job holder is not online. The DC on the right is a GC (or the IM role holder is reachable).Other domain objects’ SID to name translation The DC is not a GC on the left, and the IM job holder is not online. The DC on the right is a GC (or the IM role holder is reachable).

If you enable Active Directory Recycle Bin, all DCs technically behave like they hold the Master of Infrastructure role. The AD Recycle Bin renders the Master of Infrastructure role in Microsoft’s words not important.

How to Use the Active Directory Recycle Bin to Save Your Bacon


The AD FSMO responsibilities are essential for AD to continue to work as intended. Although you won’t need to worry about FSMO roles most of the time, it’s still crucial to know how they work when the time comes!

Active Directory is a directory service that provides authentication, authorization and account management services for Windows-based networks. Active Directory FSMO roles are the responsibilities of specific Domain Controllers in an Active Directory domain. The “Active Directory FSMO Role Domain Wide Scope” means that the role can be delegated to any DC in the domain, regardless of which OU it is located in. Reference: active directory fsmo roles domain wide scope.

Related Tags

  • fsmo roles transfer
  • fsmo roles command
  • fsmo roles in active directory interview questions
  • pdc emulator fsmo role
  • schema master fsmo role