Finding the FSMO Role Holders

Several Active Directory operations are sensitive, such as updating the schema, and therefore need to be done on a single domain controller. Active Directory cannot guarantee the proper execution of these functions in a situation where they may be invoked from more than one DC. The FSMO mechanism is used to limit these functions to a single DC.

There are five designated FSMO roles that correspond to these sensitive functions. A FSMO role can apply either to an entire forest or to a specific domain. Each role is stored in the fSMORoleOwner attribute on various objects in Active Directory depending on the role.

| Role | Description | fSMORoleOwner location | Domain- or forest-wide? |
| --- | --- | --- | --- |
| Schema | Processes schema updates | CN=Schema,CN=Configuration,<ForestDN> | Forest |
| Domain Naming | Processes the addition, removal, and renaming of domains | CN=Partitions,CN=Configuration,<ForestDN> | Forest |
| Infrastructure | Maintains references to objects in other domains | CN=Infrastructure,<DomainDN> | Domain |
| RID | Handles RID pool allocation for the domain controllers in a domain | CN=RID Manager$,CN=System,<DomainDN> | Domain |
| PDC Emulator | Acts as the domain master browser and as the PDC for downlevel clients and Backup Domain Controllers (BDCs) | <DomainDN> | Domain |

Using a graphical user interface

For the Schema Master:

  1. Open the Active Directory Schema snap-in.
  2. Right-click on Active Directory Schema in the left pane and select Operations Master.

For the Domain Naming Master:

  1. Open the Active Directory Domains and Trusts snap-in.
  2. Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.

For the PDC Emulator, RID Master, and Infrastructure Master:

  1. Open the Active Directory Users and Computers snap-in.
  2. Make sure you’ve targeted the correct domain.
  3. Right-click on Active Directory Users and Computers in the left pane and select Operations Master.
  4. There are individual tabs for the PDC, RID, and Infrastructure roles.

Using a command-line interface

In the following command, you can leave out the /Domain option to query the domain in which you are currently logged on:

> netdom query fsmo /Domain:<DomainDNSName>

You can also use the dsquery server command to list the FSMO role owners as shown here, where <Role> can be schema, name, infr, pdc, or rid:

> dsquery server -hasfsmo <Role>

Using VBScript

' This code prints the FSMO role owners for the specified domain.
' Each value printed is the DN of the role holder's NTDS Settings object.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., emea.rallencorp.com
' ------ END CONFIGURATION ---------
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")
' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner
' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner
' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner
' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner
' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner
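
The fSMORoleOwner values printed by the script above are DNs of NTDS Settings objects, so checking them against the DCs you expect to hold each role takes a little parsing. The following is an added example, not code from the original recipe: it parses those values, reports holders that differ from a baseline, and reports an owner whose DC object has been deleted (its RDN carries the \0ADEL: marker). The DC names, sites, the example.test domain, the GUID and the baseline are constructed for illustration.

```python
import re

def parse_owner(owner_dn):
    """Return (server, site, orphaned) for an fSMORoleOwner value (an NTDS Settings DN)."""
    rdns = re.split(r"(?<!\\),", owner_dn)  # split on commas that are not escaped
    if len(rdns) < 5 or not rdns[0].upper().startswith("CN=NTDS SETTINGS"):
        raise ValueError(f"not an NTDS Settings DN: {owner_dn!r}")
    # Deleted objects get "\0ADEL:<GUID>" appended to their RDN: the role has no live holder.
    orphaned = any(re.search(r"\\0ADEL:", r, re.I) for r in rdns[:2])
    server = re.split(r"\\0ADEL:", rdns[1].split("=", 1)[1], flags=re.I)[0]
    return server, rdns[3].split("=", 1)[1], orphaned

def audit(observed, baseline):
    """List (role, problem) pairs where the holder is missing, orphaned or not the expected DC."""
    findings = []
    for role, expected in baseline.items():
        value = observed.get(role)
        if not value:
            findings.append((role, "fSMORoleOwner missing or unreadable"))
            continue
        server, site, orphaned = parse_owner(value)
        if orphaned:
            findings.append((role, f"owner {server} is a deleted DC object"))
        elif server.lower() != expected.lower():
            findings.append((role, f"held by {server} (site {site}), expected {expected}"))
    return findings

# Constructed sample values (example.test is a placeholder, not a real directory).
SITES = "CN=Sites,CN=Configuration,DC=example,DC=test"
DEL = "\\0ADEL:11111111-2222-3333-4444-555555555555"
OBSERVED = {
    "Schema": f"CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,{SITES}",
    "Domain Naming": f"CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,{SITES}",
    "Infrastructure": f"CN=NTDS Settings{DEL},CN=DC3{DEL},CN=Servers,CN=Branch,{SITES}",
    "RID": f"CN=NTDS Settings,CN=DC2,CN=Servers,CN=HQ,{SITES}",
    "PDC Emulator": f"CN=NTDS Settings,CN=DC9,CN=Servers,CN=Branch,{SITES}",
}
# Hypothetical baseline: the DC expected to hold each role.
BASELINE = {"Schema": "DC1", "Domain Naming": "DC1", "Infrastructure": "DC2",
            "RID": "DC2", "PDC Emulator": "DC2"}

if __name__ == "__main__":
    for role, problem in audit(OBSERVED, BASELINE):
        print(f"[!] {role}: {problem}")
```

Run on a schedule against exported values, an empty result means every role is still held by the expected, live domain controller.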