
What are FSMO Roles (Flexible Single Master Operations)?

Let’s first understand:

What is Active Directory?

Microsoft’s proprietary directory service is Active Directory (AD). It runs on Windows Server and allows administrators to manage network rights and access.

Data in Active Directory is stored as objects. A single element, such as a person, group, application, or device like a printer, is referred to as an object. Usually, objects are described as either resources, such as printers or computers, or security principals, such as people or groups.


Alright! So, let’s get started with FSMO Roles


What are FSMO Roles?

FSMO stands for Flexible Single Master Operation. It is a Microsoft Active Directory capability in which a domain controller takes on a specialized task when the regular data transfer and update methods are insufficient.

Tasks that do not lend themselves to multi-master replication can only be performed as flexible single-master operations.

In a multi-master setup, several domain controllers can accept changes, which can produce conflicting updates. This issue is overcome by performing certain operations on a single domain controller.

 A single domain controller takes on the function of a particular operation and serves as the sole master for that activity. These activities are known as flexible single-master operations.


How do FSMO Roles work in Active Directory?

Active Directory was officially unveiled in February 2000 with the Windows 2000 Server edition. It is an identity management service that stores all of the information and data related to a network and its objects.

Active Directory objects include users, computers, groups, and printers. Each of these objects has a unique set of properties ascribed to it.

Active Directory has a hierarchical structure that includes domains, trees, and a forest.

The administrator in Active Directory has the authority to give rights to various objects and provide them network access.

One of the roles of an administrator is to protect the network against malicious attacks and to keep the company safe from any intrusion. The security protocols of Active Directory have evolved.

The Purpose of FSMO Roles


Despite several improvements and upgrades, Active Directory had problems. The main problem was an overlap in managing changes when there were numerous domain controllers, as DCs fought over who got to make changes. This meant that modification requests were likely to be disregarded.

Microsoft’s solution:

To address this, Microsoft introduced the “Single Master Model,” in which one domain controller had the authority to make changes while the other domain controllers handled authentication requests.

Despite being a big improvement, there were still issues. No modifications could be performed while the master domain controller was unavailable.

Microsoft developed Flexible Single Master Operation (FSMO) Roles for domain controllers in 2003 to address these difficulties. Responsibilities are divided among the domain controllers.

No role is assigned to a single domain controller. If a domain controller fails, another DC steps in to fill the void.


Types of FSMO Roles

There are five FSMO roles, listed below:

  1. Schema Master FSMO Role
  2. Domain Naming Master FSMO Role
  3. Relative ID (RID) Master FSMO Role
  4. Primary Domain Controller (PDC) Emulator FSMO Role
  5. Infrastructure Master FSMO Role

The first two roles, Schema Master and Domain Naming Master, are at the forest level, while the last three (RID Master, PDC Emulator, and Infrastructure Master) are at the domain level.

Schema Master FSMO Role

The Schema Master FSMO role is in charge of updating the Active Directory schema. The AD schema is a collection of attributes and classes for use with directory objects.

The schema includes attributes (such as employee ID, phone number, and group owner) as well as classes (like group, person, or msPKI-Key-RecoveryAgent).

Only a DC with the Schema Master FSMO role can process directory schema modifications. The Schema Master replicates the changed schema to all other DCs in the directory. There is only one Schema Master in a forest.

The Schema Master FSMO role is used when extending the Active Directory schema, for example to raise a forest’s functional level or install Exchange.


Domain Naming Master FSMO Role

The Domain Naming Master FSMO role is in charge of adding and removing domains from Active Directory. This role prevents you from creating domains with the same name in a forest.

This guarantees that each domain name is distinct. Domains cannot be created in or removed from Active Directory in the absence of this role.

This role can also create and delete domain cross-references from external directories.

Relative ID Master FSMO Role

The Relative ID Master FSMO role is in charge of assigning a pool of relative identifiers (RIDs) to each domain controller. When a DC creates an object, such as a user or a group, it assigns it a unique ID called a SID (Security Identifier). The following is the format of a SID:


A SID is similar to a person’s national identification number. It is one-of-a-kind and cannot be duplicated. The permissions and rights granted to an object are linked to the SID allocated to it.
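As an added illustration (not code from the original post), the sketch below decodes the binary SID form stored in the objectSid attribute into S-1-5-21-<domain>-<RID> text, splits off the RID, and flags objects that share a SID, the condition that per-DC RID pools exist to prevent. The domain SID, object names and function names are constructed for the example.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (objectSid form) to S-<rev>-<authority>-<sub>... text."""
    if len(raw) < 8:
        raise ValueError("binary SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit value, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Encode S-1-... text to binary; used below to build the sample data."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority, *subs = (int(p) for p in parts[1:])
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def split_rid(sid: str):
    """Return (domain SID, RID) for a domain account SID (S-1-5-21-x-y-z-RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID")
    return "-".join(parts[:-1]), int(parts[-1])

def sid_collisions(objects: dict) -> dict:
    """Map each SID held by more than one object to the sorted object names."""
    by_sid = {}
    for name, raw in objects.items():
        by_sid.setdefault(sid_to_str(raw), []).append(name)
    return {s: sorted(n) for s, n in by_sid.items() if len(n) > 1}

# Constructed sample data: a made-up domain SID and three made-up objects.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "alice": sid_to_bytes(f"{DOMAIN}-1104"),
    "bob": sid_to_bytes(f"{DOMAIN}-1105"),
    "printer01$": sid_to_bytes(f"{DOMAIN}-1104"),  # deliberate duplicate RID
}

if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        print(name, *split_rid(sid_to_str(raw)))
    print("collisions:", sid_collisions(SAMPLE))
```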

PDC Emulator FSMO Role

The PDC Emulator FSMO Role can perform the following functions:


Time synchronization:

It synchronizes the time in an organization. The domain controller with the PDC Emulator role syncs the clocks of all the DCs in the domain. DCs hosting the PDC Emulator role in a multi-domain AD forest synchronize their time with the PDC Emulator in the parent domain.

Password Changes Performed Using DCs:

Password updates made by other domain controllers are copied to the PDC Emulator. When authentication at a DC fails because of an invalid password, the failure is sent to the PDC Emulator FSMO role holder, which validates the request against the most recent password.

Account Lockout is replicated to other DCs:

In the event of locked accounts, the PDC Emulator also plays a role. Through the “replicate single object” method, account lockouts are instantaneously replicated to the other DCs. This prevents a locked-out account from logging on to another DC.

Controls Group Policy:

The Group Policy Management Console (GPMC) utility is in charge of managing group policy. To make changes in Active Directory, GPMC connects by default to the DC holding the PDC Emulator role. If the PDC Emulator is unavailable, GPMC will prompt you to select an alternative DC.

Infrastructure Master FSMO Role

An object in one domain is linked to another by its:

The Infrastructure Master is in charge of updating the SID and distinguished name of an object in a cross-domain object reference. This role also translates GUIDs, SIDs, and DNs between forest domains.



FSMO ensures that your domain will be able to carry out its core duty of authenticating users and permissions without interruption (with standard caveats, like the network staying up).

AD FSMO responsibilities are crucial for ensuring AD continues to work as intended. Although you don’t need to worry about FSMO roles most of the time, it’s still crucial to grasp how they work when the time comes!


The post What is FSMO roles (Flexible Single Master Operations)? appeared first on Intellipaat Blog.

Blog: Intellipaat - Blog
