Several Active Directory operations are sensitive, such as updating the schema, and therefore need to be done on a single domain controller. Active Directory cannot guarantee the proper execution of these functions in a situation where they may be invoked from more than one DC. The FSMO (Flexible Single Master Operations) mechanism is used to limit these functions to a single DC.
There are five designated FSMO roles that correspond to these sensitive functions. A FSMO role can apply either to an entire forest or to a specific domain. Each role is stored in the fSMORoleOwner attribute on various objects in Active Directory depending on the role.

Role | Description | fSMORoleOwner location | Domain- or forest-wide? |
---|---|---|---|
Schema | Processes schema updates | CN=Schema,CN=Configuration,<ForestDN> | Forest |
Domain Naming | Processes the addition, removal, and renaming of domains | CN=Partitions,CN=Configuration,<ForestDN> | Forest |
Infrastructure | Maintains references to objects in other domains | CN=Infrastructure,<DomainDN> | Domain |
RID | Handles RID pool allocation for the domain controllers in a domain | CN=RidManager$,CN=System,<DomainDN> | Domain |
PDC Emulator | Acts as the domain master browser and as the PDC for downlevel clients and Backup Domain Controllers (BDCs) | <DomainDN> | Domain |

Using a graphical user interface
For the Schema Master:
- Open the Active Directory Schema snap-in.
- Right-click on Active Directory Schema in the left pane and select Operations Master.
For the Domain Naming Master:
- Open the Active Directory Domains and Trusts snap-in.
- Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.
For the PDC Emulator, RID Master, and Infrastructure Master:
- Open the Active Directory Users and Computers snap-in.
- Make sure you’ve targeted the correct domain.
- Right-click on Active Directory Users and Computers in the left pane and select Operations Master.
- There are individual tabs for the PDC, RID, and Infrastructure roles.
Using a command-line interface
In the following command, you can leave out the /Domain option to query the domain in which you are currently logged on:
> netdom query fsmo /Domain:<DomainDNSName>
You can also use the dsquery server command to list the FSMO role owners, as shown here, where <Role> can be schema, name, infr, pdc, or rid:
> dsquery server -hasfsmo <Role>
Using VBScript
' This code prints the FSMO role owners for the specified domain.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g., emea.rallencorp.com
' ------ END CONFIGURATION ---------
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")
' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner
' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner
' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner
' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner
' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner
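
The same lookup in PowerShell, as an added example that is not part of the original page: it reads fSMORoleOwner from the five objects the VBScript binds to, resolves each value (the DN of the owner's NTDS Settings object) to that DC's dNSHostName, and can flag a role whose owner differs from a baseline you supply. The $Domain and $Expected parameters and the Drift column are assumptions made for this illustration.

```powershell
# Added example (not from the original page). Run from a domain-joined Windows host.
param(
    [string]$Domain = '',          # assumption: DNS name of the domain to query; empty = current domain
    [hashtable]$Expected = @{}     # assumption: optional baseline, role name -> expected DC host name
)

$prefix   = if ($Domain) { "LDAP://$Domain/" } else { 'LDAP://' }
$rootDse  = [ADSI]"${prefix}RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext
$schemaDN = [string]$rootDse.schemaNamingContext
$configDN = [string]$rootDse.configurationNamingContext

# Objects that carry fSMORoleOwner, using the same DNs as the VBScript above.
$roles = [ordered]@{
    'Schema Master'         = $schemaDN
    'Domain Naming Master'  = "CN=Partitions,$configDN"
    'PDC Emulator'          = $domainDN
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainDN"
    'Infrastructure Master' = "CN=Infrastructure,$domainDN"
}

foreach ($role in $roles.Keys) {
    $holder = [ADSI]"$prefix$($roles[$role])"
    $ntdsDN = [string]$holder.fSMORoleOwner

    # fSMORoleOwner is the DN of the owner's NTDS Settings object;
    # its parent is the server object, which carries dNSHostName.
    $serverDN = $ntdsDN -replace '^CN=NTDS Settings,', ''
    $server   = [ADSI]"$prefix$serverDN"
    $owner    = [string]$server.dNSHostName

    [pscustomobject]@{
        Role           = $role
        Owner          = $owner
        # True only when a baseline entry exists for this role and does not match.
        Drift          = $Expected.ContainsKey($role) -and ($Expected[$role] -ne $owner)
        NtdsSettingsDN = $ntdsDN
    }
}
```

Running it on a schedule with a populated $Expected table gives a simple record of when a role moved to a DC you did not plan for.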