Active Directory FSMO

The operations master roles, also known as flexible single master operations (FSMO) roles, are the directory tasks that only one domain controller at a time is allowed to perform. Two of them are scoped to the whole forest and three to each domain.


The five FSMO roles are:

  • Schema Master
  • Domain Naming Master
  • Infrastructure Master
  • Relative ID (RID) Master
  • PDC Emulator

In every forest, there is a single

  • Schema Master and
  • Domain Naming Master.

In each domain, there is

  • one Infrastructure Master,
  • one RID Master,
  • and one PDC Emulator.

At any given time, only one DC performs the functions of each role; the others simply forward that work to the role holder.

To understand how the FSMO roles are deployed, look at the Pioneers forest diagram.

FSMO distribution

Pioneers.lab forest view (diagram)

Pioneers.lab has

  • one Forest 
  • two trees [pioneers.lab] & [Leaders.lab]
  • 7 domains 
  • 15 domain controllers 

Now back to FSMO:

In the whole pioneers.lab forest there is only ONE Schema Master, and it is installed on DC101.

In the whole pioneers.lab forest there is only ONE Domain Naming Master, and it is also installed on DC101.

Each domain has one and ONLY one Infrastructure Master, installed on any one DC inside that domain.

Each domain has one and ONLY one RID Master, installed on any one DC inside that domain.

Each domain has one and ONLY one PDC Emulator, installed on any one DC inside that domain.

Please note that the roles can be installed on the same domain controller or spread over different ones. For example, in domain leader.lab the roles are installed on different DCs.

What does each FSMO role do?

Schema Master: The Schema Master holds the only writable copy of the Active Directory schema. The schema defines every object class and attribute – things like employee ID, phone number, email address and login name – that an object in your AD database can carry. Schema changes (an Exchange or SCCM install, for example) are written only on this DC and then replicate to the whole forest, and they need membership of the Schema Admins group, which is why that group should be kept empty until a change is actually planned.

Domain Naming Master: The Domain Naming Master makes sure that you don't create a second domain in the same forest with the same name as an existing one; it must be reachable whenever a domain is added to or removed from the forest. It is the master of your domain names. Creating new domains isn't something that happens often, so of all the roles this one is the most likely to live on the same DC as another role.

RID Master: The Relative ID Master hands each DC a pool of relative identifiers (RIDs). Every security principal in AD has a SID; the domain part of the SID is the same for all of them and the last number is the RID, so a RID must never be issued twice. Each DC creates new users, groups and computers out of its own RID pool and asks the RID Master for a fresh block when the pool runs low. If the RID Master is unavailable for long, a DC that exhausts its pool can no longer create security principals at all.

PDC Emulator: The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. Password changes are replicated to it first, and a DC that rejects a password asks the PDC Emulator before it fails the logon, so it also sees and enforces account lockouts; the Group Policy Management Console edits GPOs on it by default; it is the time source for the domain (the PDC Emulator of the forest root domain should be synced to an external time source); and it still acts as the PDC for any legacy clients that expect one. Because so much depends on it, this is the role whose outage users notice first. It's good to be the PDC.

Infrastructure Master: The Infrastructure Master keeps cross-domain references up to date. When a user or group from another domain that is referenced in this domain (in a group membership or an ACL) is renamed or moved, the Infrastructure Master updates the local reference – its Globally Unique Identifier (GUID), SID and Distinguished Name (DN) – so it still resolves. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If it doesn't do its job correctly you will see raw SIDs in place of resolved names in your Access Control Lists (ACL). One caveat: do not place this role on a Global Catalog server unless every DC in the domain is a GC, because a GC already holds a partial copy of every object in the forest and the Infrastructure Master then never notices that a reference is stale.

Keeping the FSMO roles on healthy, reachable DCs gives you confidence that your domain will keep performing its primary function of authenticating users and evaluating permissions without interruption (with the standard caveats, like the network staying up).

Determining FSMO Role Holders

Simply run the command [ netdom query fsmo ]. To see the same information in the consoles:

  • open cmd.exe > netdom query fsmo
  • open Active Directory Users and Computers > right-click the domain > Operations Masters
    here you can check the three domain-level roles: RID, PDC and Infrastructure
  • open Active Directory Domains and Trusts > right-click the root node > Operations Master
    here you can check the Domain Naming Master
  • the Active Directory Schema console is hidden by default > open cmd as administrator to register it > run the command > regsvr32 schmmgmt.dll
  • now the Active Directory Schema snap-in is available > open mmc.exe > File > Add/Remove Snap-in > add it
  • open the Active Directory Schema console > right-click the root node > Operations Master to see which server holds the Schema Master role
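The same check from PowerShell, as an added example that is not part of the original article: it walks every domain in the forest, prints the five role holders, asks each DC which roles it believes it holds (a mismatch usually means replication lag), and flags the Infrastructure Master / Global Catalog misplacement. It assumes the ActiveDirectory RSAT module is installed and the account can read the directory; domain names are whatever the forest returns, so nothing here hard-codes pioneers.lab.

```powershell
# Added example: enumerate every FSMO role holder in the forest in one pass.
# Requires the ActiveDirectory module (RSAT) and a domain-joined account.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}" -f $forest.Name
"  Schema Master         : {0}" -f $forest.SchemaMaster
"  Domain Naming Master  : {0}" -f $forest.DomainNamingMaster

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "Domain {0}" -f $domain.DNSRoot
    "  PDC Emulator          : {0}" -f $domain.PDCEmulator
    "  RID Master            : {0}" -f $domain.RIDMaster
    "  Infrastructure Master : {0}" -f $domain.InfrastructureMaster

    # Every DC of this domain, with what each one reports about itself.
    $dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot
    $dcs | Where-Object { $_.OperationMasterRoles.Count -gt 0 } | ForEach-Object {
        "    {0} reports holding: {1}" -f $_.HostName, ($_.OperationMasterRoles -join ', ')
    }

    # Caveat check: the Infrastructure Master must not sit on a Global Catalog
    # unless every DC in the domain is a GC, otherwise cross-domain references
    # are never refreshed and ACLs start showing unresolved SIDs.
    $imDc  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($imDc -and $imDc.IsGlobalCatalog -and -not $allGc) {
        Write-Warning ("{0}: Infrastructure Master {1} is a GC but not all DCs are GCs" -f `
            $domain.DNSRoot, $imDc.HostName)
    }
}
```

Run it from any domain-joined machine with RSAT; in the article's lab the output would list DC101 for all five roles of pioneers.lab before the transfers below. The per-DC "reports holding" line is the one to compare against `netdom query fsmo` on the DC itself: the domain object and the DC can disagree for a replication interval after a transfer or seizure.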

Transfer FSMO

Sometimes you have to shut down a domain controller for some reason [maintenance, upgrade, moving the DC, or any other reason].

If this domain controller holds any of the FSMO roles, you have to transfer its role(s) to another live domain controller before the shutdown. [Please note that transferring a FSMO role requires BOTH DCs to be running, and the account doing it needs the right to do so: Domain Admins for the three domain roles, Enterprise Admins for the Domain Naming Master and Schema Admins for the Schema Master.]

We can transfer FSMO roles by any one of the methods below:

  • PowerShell command (list only the roles you actually want to move)

    Move-ADDirectoryServerOperationMasterRole -Identity <Target DC> -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

  • graphically, using the AD consoles
  • the NTDSUtil tool


Currently ALL FSMO roles run on DC101.pioneers.lab, as you can see above.

For example, we will transfer the RID role from DC101 to DC102 using the PowerShell command,

and we will also transfer the PDC Emulator role from DC101 to DC102 using the console.

moving the PDC role to DC102
command netdom query fsmo > shows that DC102 is now running the PDC role
changing the RID role using the console
RID transferred
The PDC & RID roles have been transferred successfully using the two different methods 🙂

Seizing FSMO

Transferring is used when a DC is about to be shut down deliberately, so we move its FSMO roles to another DC while both are still up.

But what if a DC [that runs some or ALL of the FSMO roles] goes down unexpectedly for any reason [power outage, hardware failure, etc.] and is not coming back?

In that case we use [FSMO seizing]: the role is written onto a surviving DC without the old holder's cooperation.

So let's take the following scenario:

Now we have the 5 FSMO roles distributed as follows:

check which servers are running FSMO roles
now we have shut down server DC102
use ntdsutil.exe to seize the role
follow the commands shown in the screenshot
confirm seizing the role
seizing process
now check the FSMO roles > the PDC role has been seized > the RID role still remains on DC102
follow the commands shown in the screenshot to seize the RID role as well
seizing process started
check the FSMO roles > ALL 5 roles are now running on DC101
DC102 is back online again > also check the FSMO roles from DC102

Please note: seizure is for a DC that is NOT coming back. Bringing the old holder of the PDC Emulator or Infrastructure Master role back online is safe, because those roles carry no state that can diverge. The old holder of the RID Master, Schema Master or Domain Naming Master must never be reconnected to the forest after its role was seized, since it may still hand out RID pools or accept schema or domain changes that conflict with the new holder; demote it or rebuild it and clean up its metadata instead.
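The transfer and seizure decision in one script, as an added example that is not the article's own code. It serves both the Transfer FSMO and Seizing FSMO sections: for each requested role it looks up the current holder, transfers if that holder answers, seizes with `-Force` only if it does not, warns about the roles whose old holder must not return, and verifies from the target DC. The function name Move-FsmoRole and the use of a ping as the liveness test are this example's own choices; DC101, DC102 and pioneers.lab are the article's lab names.

```powershell
# Added example: move FSMO roles onto $TargetDC, transferring when the current
# holder is reachable and seizing only when it is not. Requires the
# ActiveDirectory module and an account with the rights for each role.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]   $TargetDC,   # e.g. 'DC101'
        [Parameter(Mandatory)] [string[]] $Roles,      # e.g. 'PDCEmulator','RIDMaster'
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $domainInfo = Get-ADDomain -Identity $Domain
    $forestInfo = Get-ADForest

    foreach ($role in $Roles) {
        # Who holds this role right now, as the directory records it.
        $holder = switch ($role) {
            'PDCEmulator'          { $domainInfo.PDCEmulator }
            'RIDMaster'            { $domainInfo.RIDMaster }
            'InfrastructureMaster' { $domainInfo.InfrastructureMaster }
            'SchemaMaster'         { $forestInfo.SchemaMaster }
            'DomainNamingMaster'   { $forestInfo.DomainNamingMaster }
            default                { throw "Unknown role '$role'" }
        }
        if (($holder -split '\.')[0] -eq ($TargetDC -split '\.')[0]) {
            "{0}: already held by {1}, nothing to do" -f $role, $holder
            continue
        }

        # Transfer needs BOTH DCs up: the old holder hands the role over and the
        # change replicates. Seizure (-Force) writes the role onto the target
        # without the old holder, so only do it when the holder is truly gone.
        # Liveness test is a single ping; replace with a DS-level check if ICMP is blocked.
        $holderUp = Test-Connection -ComputerName $holder -Count 1 -Quiet
        if ($holderUp) {
            "{0}: transferring from {1} to {2}" -f $role, $holder, $TargetDC
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $role -Confirm:$false
        }
        else {
            Write-Warning ("{0}: holder {1} unreachable, SEIZING onto {2}" -f $role, $holder, $TargetDC)
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $role -Force -Confirm:$false
            if ($role -in 'RIDMaster', 'SchemaMaster', 'DomainNamingMaster') {
                Write-Warning ("{0}: never bring {1} back online; demote or rebuild it and clean its metadata" -f $role, $holder)
            }
        }
    }

    # Verify from the target's own point of view rather than from the DC we just left.
    (Get-ADDomainController -Identity $TargetDC).OperationMasterRoles
}

# Equivalent ntdsutil seizure, the tool the article uses, run non-interactively.
# ntdsutil tries a transfer first and seizes only if that fails, and still asks
# you to confirm each seize:
#   ntdsutil "roles" "connections" "connect to server DC101" "quit" "seize PDC" "seize RID master" "quit" "quit"

# The article's scenario: DC102 has died, bring PDC and RID back to DC101.
Move-FsmoRole -TargetDC 'DC101' -Roles 'PDCEmulator', 'RIDMaster' -Domain 'pioneers.lab'
```

After the call, run the same check from a second DC as well: the target reports the new roles immediately, but the domain object on other DCs catches up only after replication, which is the same lag the article's `netdom query fsmo` screenshots are showing.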
