Active directory is a multi-master enabled database. It provides the flexibility to allow changes to occur at any of the domain controllers. Flexibility comes with added responsibility. There is a need to prevent conflicting updates from being made across multiple domain controllers.

This is made possible with the Flexible Single Master Operations roles (FSMO). Vital updates like schema updates, inclusion of new domains can be done only at a particular domain controller. There are 5 FSMO roles with 3 having domain level application and 2 having forest level application.


  • Schema master– It controls all the schema updates and modifications. The changes made to this domain controller are then replicated to other domain controllers. The first server in the forest is the Schema master.


  • Domain Naming master– It controls the addition and removal of domains. The first domain controller is the Domain Naming master.


  • Infrastructure master– It is responsible for updating the SID during cross referencing of objects. It updates the SID by comparing its data against the Global Catalog data which is always up to date. This role should not be installed on a global catalog server.


  • Relative ID (RID) Master– The security identifier for an object consists of a domain SID and a relative ID (RID). The RID is unique for each object inside a domain. The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.


  • PDC Emulator– While migrating from NT4 domains to Windows 2000 domains, this Domain controller behaves like a NT4 domain. It is also responsible for keeping the time synchronized across all DCs.

So how does Active Directory confirm the identity of the user requesting for access to a resource? How does a client query a server for a particular resource? The answers to these questions are through the support of standard interfaces and protocols like Domain Name System (DNS), Kerberos, and Lightweight Directory Access Protocol (LDAP).

FSMO gives you confidence that your domain will be able to perform the primary function of authenticating users and permissions without interruption (with standard caveats, like the network staying up).


Aliyu Garba

The author Aliyu Garba

Leave a Response