What are the five FSMO roles?

This is a common question asked when going for an IT-related job interview 🙂

The five FSMO roles are:

Schema master
Domain Naming master
RID master (Relative Identifier)
PDC Emulator master
Infrastructure master

Two of the roles are forest-wide and three are domain-wide. The forest-wide FSMO roles are common to the entire forest and, by default, are held by the first Domain Controller installed in the forest root domain.

The forest-wide roles are:
Schema master
Domain Naming master

The other three, domain-wide, roles are:
RID master (Relative Identifier)
PDC Emulator master
Infrastructure master

About the roles:

Schema master
The schema master controls all updates and modifications to the schema. The schema is shared by every tree and domain in the forest and must be consistent throughout it. If the server holding the schema master role fails, network users will in most cases be unaffected, but administrators will be affected if modifications to the schema are required.

Domain Naming master
When a new domain is added to a forest, its name must be unique within the forest, and the domain naming master must be available whenever a domain is added to or removed from the forest. Temporary loss of this role holder will not be noticeable to network users. Domain admins will only notice the loss when a domain needs to be added to or removed from the forest.

RID master (Relative Identifier)
This role is in charge of allocating RIDs to DCs within a domain. When an object such as a computer, user or group is created in AD (Active Directory), it is given a SID. The SID consists of the domain SID (which is the same for every SID created in the domain) and a RID, which is unique within the domain. When moving objects between domains, you must start the move on the DC that is the RID master of the domain currently holding the object.

If this role holder fails, the chances are good that the existing DCs will have enough unused RIDs to last for some time, unless you are creating hundreds of user or computer objects per week. Domain admins will notice the loss when a domain they are creating objects in runs out of relative IDs (RIDs).

PDC Emulator master
The PDC emulator acts as a Windows NT PDC for backwards compatibility and can process updates to a BDC. It is also responsible for time synchronisation within the domain. Any password change is replicated to the PDC emulator as soon as is practical, and if a logon request fails because of a bad password, the request is passed to the PDC emulator to check the password before the logon is rejected. Users will be affected if this role holder goes down.

Infrastructure master
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. It compares its data against the global catalogue, which receives regular updates for all objects in all domains. Any change to user-to-group references is applied by the infrastructure master. For example, if you rename or move a group member and the member is in a different domain from the group, the group will temporarily appear not to contain that member.

Temporary loss of the Infrastructure master role holder will not be noticeable to network users. Administrators will not notice the loss unless they are moving, or have recently moved or renamed, large numbers of accounts, in which case group memberships may be incomplete. If you only have one domain, there should be no impact.

NOTE: In the event you need to seize the Infrastructure master role, do not seize it to a DC which is a global catalogue server, unless all DCs are global catalogue servers.
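As an added example (not part of the original post), the script below lists the five role holders for the current forest and domain and then checks the placement rule from the note above: it warns when the Infrastructure master sits on a global catalogue server while not every DC in the domain is a global catalogue. It assumes the RSAT ActiveDirectory PowerShell module is installed and the session runs on a domain-joined machine.

```powershell
# Added example: inventory FSMO role holders and check Infrastructure master placement.
# Assumes the RSAT ActiveDirectory module and a domain-joined session (hypothetical environment).
Import-Module ActiveDirectory

$forest = Get-ADForest   # forest-wide roles live here
$domain = Get-ADDomain   # domain-wide roles for the current domain

$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain Naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC Emulator master'   = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}

foreach ($r in $roles.GetEnumerator()) {
    '{0,-22} {1}' -f $r.Key, $r.Value
}

# Every DC in this domain, with its global catalogue status.
$dcs     = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$gcHosts = @($dcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty HostName)
$allAreGC = ($dcs.Count -gt 0) -and ($gcHosts.Count -eq $dcs.Count)

# Rule from the post: the Infrastructure master should not be a GC unless all DCs are GCs.
# A single-domain forest has no cross-domain references to update, so it is exempt.
$infraOnGC   = $gcHosts -contains $domain.InfrastructureMaster
$multiDomain = @($forest.Domains).Count -gt 1

if ($multiDomain -and $infraOnGC -and -not $allAreGC) {
    $msg = 'Infrastructure master {0} is a global catalogue server but not all DCs are GCs; ' +
           'cross-domain group membership references may go stale.'
    Write-Warning ($msg -f $domain.InfrastructureMaster)
} else {
    "Infrastructure master placement OK (multi-domain: $multiDomain, on GC: $infraOnGC, all DCs are GC: $allAreGC)"
}
```

Run it in each domain of a multi-domain forest, since the three domain-wide roles (and the placement check) differ per domain.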