Flexible Single Master Operations Roles (FSMO)
Start course
1h 3m

Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. At the core of Windows AD DS is the domain controller. The domain controller provides login services, group policies, domain naming services (DNS), and other identity management services for users and computers in a domain along with other enterprise management services.

In this course, we start by reviewing the Windows AD DS environment including forests and domains. Then we review considerations for deploying domain controllers in a virtualized environment, on-premises, and in Azure. Next, we look at use cases for deploying read-only domain controllers at locations where physical security cannot be guaranteed. Lastly, we examine flexible single master operations roles and how to locate and move them to support troubleshooting efforts.

Learning Objectives

  • Deploy and manage domain controllers on-premises
  • Deploy and manage domain controllers in Azure
  • Deploy read-only domain controllers (RODCs)
  • View, manage, and troubleshoot flexible single master operations (FSMO) roles

Intended Audience

  • System administrators with responsibilities for managing hybrid identities
  • Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
  • Anyone preparing for the Azure AZ-800 Administering Windows Server Hybrid Core Infrastructure exam



We've established that Windows Active Directory Domain Services uses a multi-master mode for database replication. This keeps multiple writable database copies in sync. The multi-master mode uses a last change wins approach to conflict resolution. There are times when that approach won't work. And for that, Active Directory Domain Services uses Flexible Single Master Operation Roles. In the Single Master Model, only a domain controller assigned the specific role is allowed to process certain types of updates.

The Single Master Model prevents conflicts for these types of updates in Active Directory. Although these roles are only active on one domain controller at a time, the roles are not bound to any one specific domain controller. The roles are flexible and they can be moved to other domain controllers as needed. The Flexible Single Master Operations or FSMO roles are the Schema master, Domain naming master, RID master, PDC emulator, and the Infrastructure master. Let's take a look at each of them next.

Databases, including the Active Directory Database, use a schema to define the types of objects available in the database. The schema in Active Directory is extendable, meaning it can be updated. To prevent conflicts, updates to the schema can only be performed on the schema master. There's only one schema master in a forest. Once the schema is updated, the changes are replicated to all domain controllers in the directory. The Domain Naming Master is responsible for making forest wide changes to the directory namespace.

The role owner is the only one that can add or remove domains in the forest. There's only one Domain Naming Master in the forest. We may reference objects in Azure by their name, but names may not always be unique. When a domain controller creates a security principal object, a user or computer for example, that object is giving a Domain Security Identifier or SID and a Relative ID or RID. The SID is unique to the domain. Each domain controller has a pool of RIDs. The RID is assigned to the security principal along with the SID to create an ID for the object.

Domain controllers are giving a pool of RIDs by the RID master in the domain. When the RID pool runs low on the domain controller, it requests a new pool of RIDs from the RID master. Each domain has a RID master. Prior to Windows Active Directory Domain Services, we had Windows NT domains. With the Windows NT domain, there was only one read write domain controller called the Primary Domain Controller or PDC. There were multiple read only copies of the directory on backup domain controllers. The PDC Emulator manages backwards compatibility with Windows NT by emulating all of the functionality of the Windows NT Primary Domain Controller.

Backwards compatibility is not a concern for most organizations. The PDC Emulator provides other important services relevant to the AD Domain. Time synchronization is one of them. Time synchronization is important to the Kerberos authentication protocol. The PDC at the root of the forest is authoritative for time services. That server should be configured to get time from a reliable source. Each PDC in the forest follows the hierarchy for time services, keeping time consistent across the forest.

Each domain has a PDC emulator. The Infrastructure Master is responsible for updating object SIDs and distinguish names when objects are referenced across domains. It compares data in the Global Catalog with information in the domain and updates or removes cross-domain objects as they change. Each domain has an Infrastructure Mmaster. Now that we understand what the FSMO roles are, let's look at how to view and move FSMO roles next.


About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.