Over the years working as a Seattle IT consultant I’ve spent time in many different network infrastructure environments. After more technical interviews than I can remember, there are certain questions that are almost always asked. The most common question is, “What are the five FSMO roles?” I do remember one interview in particular where I interviewed with 5 separate network administrators and the network architect. Each administrator asked me the same question: what are the 5 FSMO roles in a Windows AD network? The architect told me later that he had planned to ask me the same question.
After questioning his system admins about the questions they had asked, he realized how many times I’d been asked the same one. He started the interview by telling me that he would not be asking me what the five Active Directory FSMO roles were. In this article on modern network architecture I’d like to ask you: can you name the five FSMO roles and say what each one does?
In case you had to look them up, let’s go over them quickly.
Active Directory (AD) is a database of network objects organized into a few structural components: forests, domains, sites and organizational units. The meaning of these components has shifted between Windows NT and the Windows 2000 through Windows Server 2008 versions of AD. Under NT the domain was the security boundary, with its own account database and one-way, non-transitive trusts that had to be created by hand. Since Windows 2000 the forest is the security boundary: every domain in a forest shares one schema and one configuration partition and is linked to the others by automatic, transitive Kerberos trusts, so a user authenticated in one domain can be granted access to resources in any other domain of the forest. Trust between separate forests is a separate, explicit forest trust. The practical consequence for anyone designing or defending a network is that a domain does not isolate its administrators from the rest of the forest; if one domain is compromised, the whole forest has to be treated as compromised.
There are two forest-wide FSMO roles and three domain-wide FSMO roles. The forest-wide roles exist once per forest; the domain-wide roles exist once in every domain, so a forest with N domains has 2 + 3N role holders in total. (FSMO stands for Flexible Single Master Operation: AD replication is otherwise multi-master, but each of these five operations is only ever performed on one domain controller at a time.)
Schema Master – Remember that AD is a database of all the objects in the network. The schema defines which object classes exist and which attributes each class can carry. The schema master is the only domain controller that accepts writes to the schema partition; a change made there replicates to every domain controller in the forest. Because a schema change affects the whole forest and cannot be undone (classes and attributes can only be deactivated, never deleted), membership in the Schema Admins group should be kept empty except while a change is actually being made.
Domain Naming Master – Unique names are essential across the forest. The domain naming master is the only domain controller that can add a domain to the forest or remove one from it (and add or remove application directory partitions), and it checks that a new name does not collide with an existing one. Every object’s distinguished name ends in the distinguished name of its domain, so two objects in different domains can share the same relative name and still be unique in the forest; as long as domain names are unique, every name in the forest is unique.
Infrastructure Master – When a group in one domain contains security principals from another domain, the local domain stores only a reference (a phantom record holding the foreign object’s GUID, SID and distinguished name). The infrastructure master compares those references against a global catalog and updates them when the referenced object is renamed or moved. For this to work the infrastructure master must not itself be a global catalog server unless every domain controller in the domain is one: a global catalog already holds a copy of every object in the forest, so it never notices that its references are stale. (Once the Active Directory Recycle Bin is enabled, available from Windows Server 2008 R2 on, every domain controller performs this cleanup itself and the placement restriction no longer matters.)
RID Master – Every security principal in a domain (user, group, computer) needs a SID, which is the domain’s SID followed by a Relative ID (RID) that is unique within the domain. Because the domain SID is unique, the combined SID is unique across the forest. The RID master does not hand out individual RIDs; it hands each domain controller in its domain a block of RIDs (a RID pool, 500 by default), and each domain controller assigns RIDs from its own pool as objects are created. When a domain controller runs low it asks the RID master for a fresh pool. There is exactly one RID master per domain, and RID masters in different domains do not coordinate with one another.
PDC Emulator – The primary domain controller (PDC) emulator originally stood in for a Windows NT PDC so that NT backup domain controllers and older clients could keep working. It still does the jobs that need a single authority in the domain: password changes are replicated to it ahead of normal replication, and a domain controller that rejects a logon for a bad password checks with the PDC emulator before failing the user, so a just-changed password works everywhere at once; account lockout is processed on it; it is the authoritative time source for the domain (and the PDC emulator of the forest root domain is the time source for the entire forest); and the Group Policy editing tools connect to it by default so that two administrators do not edit the same GPO on different domain controllers. It is the role whose loss users notice first.
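To turn the list above into something you can check against a real forest, here is an added example written for this revision of the article, not code from the original post: a PowerShell function that lists all five role holders through the RSAT ActiveDirectory module and flags the two placement problems discussed above (a non-empty Schema Admins group, and an Infrastructure Master sitting on a global catalog in a domain where not every DC is one). The function name Get-FsmoReport and the output layout are this example’s own.

```powershell
# Added example: enumerate FSMO role holders and flag common placement problems.
# Requires the RSAT ActiveDirectory module and read access to the forest.
# Get-FsmoReport is this example's own function name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Get-FsmoReport {
    [CmdletBinding()]
    param(
        # Forest to report on; defaults to the forest of the current user.
        [string]$Forest = (Get-ADForest).Name
    )

    $adForest = Get-ADForest -Identity $Forest
    $root     = $adForest.RootDomain

    # Schema Admins should be empty unless a schema change is in progress.
    $schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $root)
    $schemaNote   = if ($schemaAdmins.Count -gt 0) {
        "Schema Admins has $($schemaAdmins.Count) member(s); keep it empty between schema changes"
    } else { '' }

    # The two forest-wide roles are properties of the forest object.
    [pscustomobject]@{ Scope = 'Forest'; Domain = $root; Role = 'SchemaMaster';       Holder = $adForest.SchemaMaster;       Note = $schemaNote }
    [pscustomobject]@{ Scope = 'Forest'; Domain = $root; Role = 'DomainNamingMaster'; Holder = $adForest.DomainNamingMaster; Note = '' }

    # The three domain-wide roles are repeated in every domain of the forest.
    foreach ($domainName in $adForest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $holder = $domain.$role
            $note   = ''

            # An Infrastructure Master on a GC never sees stale cross-domain
            # references, unless every DC in the domain is also a GC.
            if ($role -eq 'InfrastructureMaster') {
                $holderDc = $dcs | Where-Object { $_.HostName -eq $holder }
                if ($holderDc -and $holderDc.IsGlobalCatalog -and -not $allGc) {
                    $note = 'Infrastructure Master is a GC but not all DCs are; cross-domain references will go stale'
                }
            }

            [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = $role; Holder = $holder; Note = $note }
        }
    }
}

Get-FsmoReport | Format-Table -AutoSize -Wrap
```

If the Active Directory Recycle Bin is enabled in the forest, the Infrastructure Master note can be ignored for the reason given above. For a quick cross-check from any domain-joined machine without the module, `netdom query fsmo` prints the same five holders.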
The interesting thing is that unless a system administrator works with these roles regularly, they are seldom very familiar with them. The details have shifted across Windows Server versions since Windows 2000, so the administrator asking the question does not always know the real answer. When they contradict you, it’s important to understand that you may be right, but you need this person to save face if you want the job. Rather than either of you losing face, say something like, “I’ll have to check that again, I was pretty sure that role changed with 2008. I’ll have to go back and check that.” Often they’ll back down and go check themselves.
Understanding the roles makes a difference when the network starts failing. If suddenly you can’t create new users or computers in one domain but still can in another, a likely cause is that the domain controller you are creating them on has exhausted its RID pool and cannot reach the RID master to obtain another. Without a RID there is no SID, and without a SID no security principal can be created. If schema updates fail, the schema master is unreachable; if a new domain cannot be added, the domain naming master is; if a password change works against one server and not another, or domain clocks drift apart, look at the PDC emulator. In each case the failure is the role’s job description, which is a good way to remember what each role does; walking through these troubleshooting scenarios will teach you the roles far better than memorizing a list. Two caveats when a role holder dies: if it will come back, wait, because every role except the PDC emulator can be down for days without users noticing; if it is gone for good, seize the role onto a healthy domain controller with ntdsutil, and never let the old holder back onto the network, because two domain controllers that both believe they own the RID or schema master role can issue duplicate SIDs or apply conflicting schema changes.
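As an added example for the RID scenario above (not part of the original article), the following PowerShell reads the domain’s RID Manager object and each domain controller’s RID Set to show how much of the domain’s RID space has been issued and how much each domain controller has left in its current pool, which is the number that hits zero just before “cannot create new objects”. It assumes the RSAT ActiveDirectory module and read access to CN=System; the attribute encodings follow Microsoft’s documentation of rIDAvailablePool and rIDAllocationPool, and Get-RidPoolStatus is this example’s own function name.

```powershell
# Added example: report RID consumption for a domain and its domain controllers.
# Requires the RSAT ActiveDirectory module; Get-RidPoolStatus is this
# example's own function name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    [CmdletBinding()]
    param(
        # DNS name of the domain to inspect; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $ad = Get-ADDomain -Identity $Domain

    # rIDAvailablePool on the RID Manager object is a 64-bit value: the high
    # 32 bits hold the largest RID the domain may issue (0x3FFFFFFF by default),
    # the low 32 bits hold the start of the next pool the RID Master will hand out.
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($ad.DistinguishedName)" `
                           -Server $Domain -Properties rIDAvailablePool
    [int64]$global = $ridMgr.rIDAvailablePool
    $maxRid  = [uint32]($global -shr 32)
    $nextRid = [uint32]($global -band 0xFFFFFFFF)

    [pscustomobject]@{
        Domain        = $Domain
        RIDMaster     = $ad.RIDMaster
        MaxRid        = $maxRid
        NextPoolStart = $nextRid
        PercentIssued = [math]::Round(100 * $nextRid / $maxRid, 2)
    }

    # Each writable DC tracks its own pool in a child object named "RID Set".
    # rIDAllocationPool uses the same encoding (high 32 bits = last RID in the
    # pool, low 32 bits = first RID); rIDNextRID is the DC's position in that
    # pool and is not replicated, so it is read from the DC itself.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                               -Server $dc.HostName -Properties rIDAllocationPool, rIDNextRID `
                               -ErrorAction SilentlyContinue
        if (-not $ridSet) { continue }   # unreachable DC, or an RODC, which issues no RIDs

        [int64]$alloc = $ridSet.rIDAllocationPool
        $poolEnd   = [uint32]($alloc -shr 32)
        $poolStart = [uint32]($alloc -band 0xFFFFFFFF)
        $position  = [uint32]$ridSet.rIDNextRID

        [pscustomobject]@{
            DomainController = $dc.HostName
            PoolStart        = $poolStart
            PoolEnd          = $poolEnd
            Position         = $position
            RemainingInPool  = $poolEnd - $position
        }
    }
}

Get-RidPoolStatus | Format-List
```

A domain controller whose RemainingInPool is small and whose domain has no reachable RID master is the one about to fail object creation; the built-in `dcdiag /test:ridmanager /v` prints the same pool numbers from the command line if you would rather not script it.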
So next time you are part of the interview process, whether as the interviewer or the interviewee, consider brushing up on the FSMO roles for Active Directory.