FSMO (Flexible Single Master Operation) roles are special Active Directory responsibilities held by specific domain controllers. Only one DC at a time holds each role, preventing conflicts for operations that must happen in one place. Knowing which DC holds which role — and what to do if a role holder fails — is essential knowledge for anyone managing an AD environment.
The Five FSMO Roles
There are five FSMO roles across two scopes:
Forest-wide (one per forest):
- Schema Master: controls all updates and modifications to the Active Directory schema (adding new attributes or object classes). Only needed when extending the schema — Office 365, Exchange, and SCCM all extend the schema during installation.
- Domain Naming Master: controls adding and removing domains to/from the forest. Needed when creating new child domains or trusts.
Domain-wide (one per domain):
- PDC Emulator: the most active FSMO role in day-to-day operation. Handles password changes (receives immediate replication of changes), account lockout processing, Group Policy updates, and is the authoritative time source for the domain. If the PDC Emulator is unavailable, password changes and lockout resets may be delayed.
- RID Master: issues blocks of Relative Identifiers (RIDs) to other DCs. RIDs are used when creating new objects (users, computers, groups) in AD. If the RID Master is unavailable, eventually DCs run out of RIDs and cannot create new objects.
- Infrastructure Master: updates references to objects in other domains. Less impactful in single-domain forests — should not be on the same DC as the Global Catalog in a multi-domain forest (unless all DCs are Global Catalogs).
Check FSMO Role Holders via PowerShell
# Forest-wide roles
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
# Domain-wide roles
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMasterCheck FSMO Roles via netdom
netdom query fsmoThis returns all five role holders in a compact table — the quickest way to get the full picture at a glance.
Check FSMO Roles via GUI
Each role can be viewed from its relevant management tool:
- Schema Master: register the Schema snap-in (regsvr32 schmmgmt.dll), then open MMC → Schema → right-click → Change Domain Controller
- Domain Naming Master: Active Directory Domains and Trusts → right-click the root → Operations Master
- PDC, RID, Infrastructure: Active Directory Users and Computers → right-click the domain → Operations Masters → tabs for each role
Transfer FSMO Roles (Planned Move)
When decommissioning a DC or redistributing roles, transfer them while both DCs are online:
# Transfer PDC Emulator to DC02
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator
# Transfer multiple roles at once
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
# Transfer forest-wide roles
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole SchemaMaster, DomainNamingMasterSeize FSMO Roles (Emergency — Role Holder Has Failed)
If the DC holding a FSMO role has failed permanently and cannot be recovered, you must seize the role rather than transfer it:
# Seize roles using ntdsutil (classic method)
ntdsutil
roles
connections
connect to server DC02
quit
seize PDC
seize RID master
seize infrastructure master
quit
quitImportant: only seize a role if the original role holder will never come back online. If you seize a role and then bring the original holder back online, you will have a conflict. After seizing, the failed DC should be forcibly removed from the domain (not just turned off).
FSMO Roles and Domain Controller Failure
Not all roles are equally critical in the short term:
- PDC Emulator down: users may experience delays with password changes and account lockout resets — impact is immediate and noticeable. Transfer or seize within hours.
- RID Master down: no impact until DCs run out of their current RID block (can take days or weeks). Less urgent.
- Infrastructure Master / Schema Master / Domain Naming Master down: generally no day-to-day impact unless you need to extend the schema or add a domain. Can wait for recovery.
