FSMO

FSMO, or Flexible Single Master Operations, refers to a set of five special roles in Active Directory that are assigned to specific domain controllers. The purpose of FSMO is to prevent conflicts during multi-master replication by designating authoritative sources for particular directory-wide operations.

Two FSMO roles are forest-wide: Schema Master and Domain Naming Master. The remaining three roles are domain-wide: RID Master, PDC Emulator, and Infrastructure Master. At any time a single domain controller holds each FSMO role, and the holder may be located on any domain controller within the appropriate scope.

Schema Master controls updates to the AD schema, ensuring that changes are applied consistently across the forest. The Domain Naming Master prevents duplicate domain names by enforcing unique domain identifiers when domains are added or removed from the forest. The RID Master allocates blocks of relative IDs to domain controllers to guarantee unique SIDs for new objects. The PDC Emulator serves as a primary domain controller for backward compatibility with older clients, acts as the domain’s time source, and handles password changes and account lockouts in some scenarios. The Infrastructure Master updates cross-domain references when objects in other domains change.

Administrators can identify current FSMO holders by using utilities such as netdom query fsmo or by querying AD with PowerShell, e.g., Get-ADForest and Get-ADDomain, which expose the Forest and Domain FSMO owners. Roles can be transferred gracefully to another domain controller; if the holder is unavailable, roles can be seized after proper precautions.

Proper FSMO management is important for forest stability. Plan role placement on reliable servers, monitor role holders, and avoid unnecessary role migration. In the event of permanent failure, seize the role to maintain directory functionality.
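
To monitor role holders against a documented placement, the following added PowerShell example (not part of the original page) reads the five owners from Get-ADForest and Get-ADDomain and flags any role that has moved or whose holder does not answer. The function names Get-FsmoHolders and Compare-FsmoBaseline and the baseline host names are assumptions made for this example; it needs the ActiveDirectory module on a domain-joined host.

```powershell
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Two forest-wide roles come from the forest object, three domain-wide roles from the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Compare-FsmoBaseline {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Current,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($role in $Current.Keys) {
        $holder   = [string]$Current[$role]
        $expected = [string]$Baseline[$role]
        # ICMP reachability only; a holder behind a firewall that drops ping shows as unreachable.
        $up = $false
        if ($holder) { $up = Test-Connection -ComputerName $holder -Count 1 -Quiet }
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Expected  = $expected
            Drifted   = ($holder -ne $expected)   # string -ne is case-insensitive
            Reachable = $up
        }
    }
}

# Constructed baseline with placeholder host names; replace with your documented role placement.
$baseline = @{
    SchemaMaster         = 'dc01.example.test'
    DomainNamingMaster   = 'dc01.example.test'
    RIDMaster            = 'dc02.example.test'
    PDCEmulator          = 'dc02.example.test'
    InfrastructureMaster = 'dc02.example.test'
}

$report = Compare-FsmoBaseline -Current (Get-FsmoHolders) -Baseline $baseline
$report | Format-Table -AutoSize
$report | Where-Object { $_.Drifted -or -not $_.Reachable } | ForEach-Object {
    Write-Warning "FSMO role $($_.Role) is held by '$($_.Holder)' (expected '$($_.Expected)', reachable: $($_.Reachable))"
}
```

A role that shows as drifted without a matching change record is worth investigating, since transfers and seizures are deliberate administrative actions.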