FSMO stands for Flexible Single Master Operation. The Active Directory database follows a multi-master model: a change can be written on any Domain Controller (DC) and is then replicated to every other DC in the domain. If two DCs change the same attribute before replication catches up, Active Directory resolves the conflict automatically (the higher version number wins, then the later timestamp, so in practice the last writer wins). For some operations, however, a conflict cannot safely be resolved after the fact, for example two DCs handing out the same RID or two DCs extending the schema in incompatible ways. For those operations the conflict has to be prevented rather than resolved.
Windows Server prevents these conflicts by making such operations single-master: certain critical operations in a forest or domain are performed by exactly one DC. There are five such roles. They are "flexible" because a role can be transferred (or, if the holder is permanently lost, seized) to any other DC in the forest or domain; hence Flexible Single Master Operation roles. The five roles are:
- Schema master
- Domain naming master
- RID master
- PDC emulator
- Infrastructure master
The first two roles, Schema Master and Domain Naming Master, are forest-wide: exactly one DC in the entire forest holds each of them. The remaining three, RID Master, PDC Emulator and Infrastructure Master, are domain-wide: exactly one DC in each domain holds each of them. Several roles can sit on the same DC (on a freshly built forest all five sit on the first DC), but a given role is never held by two DCs at the same time.
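As an added example (not code from the original article), the following PowerShell enumerates the forest-wide and domain-wide role holders for every domain in the forest and then shows what "flexible" means in practice by transferring a role. It assumes the ActiveDirectory module (RSAT) is installed, the session is domain-joined with rights to read the directory (transferring a role needs Domain Admin, and Enterprise Admin or Schema Admin for the forest-wide roles), and the DC name DC02 is a placeholder.

```powershell
# Added example, not from the original article.  Requires the ActiveDirectory
# module (RSAT) and a domain-joined session.  'DC02' is a placeholder name.
Import-Module ActiveDirectory

# Forest-wide roles: one holder in the whole forest.
$forest = Get-ADForest
[pscustomobject]@{
    Scope              = 'Forest'
    Domain             = $forest.RootDomain
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# Domain-wide roles: one holder per domain, so loop over every domain.
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    [pscustomobject]@{
        Scope                = 'Domain'
        Domain               = $dom.DNSRoot
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    } | Format-List
}

# The same information from a plain command prompt on a DC:
#   netdom query fsmo

# "Flexible": transfer the PDC Emulator role to DC02.  The current holder
# must be online; the cmdlet updates both the old and the new holder.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator -Confirm:$false

# If the holder is permanently lost, seize the role instead by adding -Force.
# A seized role's former holder must never be brought back online.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole RIDMaster -Force
```

Transfer (no `-Force`) is the normal, safe path because both DCs agree on the change; seizing is a last resort, since a DC that comes back still believing it owns a role is exactly the conflict the single-master design exists to prevent.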
Schema Master: The Schema Master controls changes to the Active Directory schema for the whole forest. The schema defines which object classes exist (user, computer, group, and so on) and which attributes each class can carry; the tabs and fields you see in the properties of an object in Active Directory Users and Computers (ADUC) are a view onto those attributes. Extending or modifying the schema (for example during an Exchange installation) is written only on the Schema Master and replicated from there. Only one DC in the entire forest holds this role.
Domain Naming Master: The Domain Naming Master controls the addition and removal of domains (and application directory partitions) in the forest, so that two DCs cannot create conflicting domain names at the same time. Only one DC in the entire forest holds this role.
RID Master: Every security principal (user, group, computer) gets a SID made up of the domain SID plus a Relative Identifier (RID) that must be unique within the domain. Because any DC can create objects, each DC is handed a pool of RIDs (500 by default) from which it assigns RIDs locally. The RID Master is the one DC in the domain that hands out those pools; when a DC's pool runs low it asks the RID Master for a new one. If the RID Master is unavailable for long, a DC that exhausts its pool can no longer create security principals.
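As an added example (not code from the original article), the following PowerShell inspects the RID state of the current domain: the domain-wide counter kept by the RID Master, the pool each DC currently holds, and the RID inside a principal's SID. It relies on the documented encoding of rIDAvailablePool and rIDAllocationPool as 64-bit values whose low 32 bits hold the next/first RID and whose high 32 bits hold the maximum/last RID. It assumes the ActiveDirectory module and read access to the domain; DC names are read from the domain rather than assumed.

```powershell
# Added example, not from the original article.  Requires the ActiveDirectory
# module and read access to the domain.
Import-Module ActiveDirectory

# rIDAvailablePool / rIDAllocationPool are 64-bit: low 32 bits = next/first
# RID, high 32 bits = max/last RID.
function ConvertFrom-RidPool {
    param([int64]$Value)
    [pscustomobject]@{
        Low  = $Value -band 4294967295   # 0xFFFFFFFF as an unsigned mask
        High = $Value -shr 32
    }
}

$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
                       -Properties rIDAvailablePool
$global = ConvertFrom-RidPool $ridMgr.rIDAvailablePool
"RID Master: {0}; next RID to allocate: {1}; ceiling: {2}" -f `
    $domain.RIDMaster, $global.Low, $global.High

# Per-DC pools: the DC's computer object points at its "RID Set" object.
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.Name -Properties rIDSetReferences
    if (-not $comp.rIDSetReferences) { continue }   # DC has not requested a pool yet
    $set  = Get-ADObject -Identity $comp.rIDSetReferences[0] `
                         -Properties rIDAllocationPool, rIDNextRID
    $pool = ConvertFrom-RidPool $set.rIDAllocationPool
    $left = $pool.High - $set.rIDNextRID
    "{0}: pool {1}-{2}, next {3}, {4} RIDs left" -f `
        $dc.Name, $pool.Low, $pool.High, $set.rIDNextRID, $left
}

# Which RID did a principal get?  It is the last sub-authority of its SID.
# The built-in Administrator account always has RID 500.
$sid = (Get-ADUser -Identity 'Administrator').SID
"Domain SID {0}, RID {1}" -f $sid.AccountDomainSid, $sid.Value.Split('-')[-1]
```

A DC whose "RIDs left" keeps shrinking while the RID Master is unreachable is the failure mode to watch for; `dcdiag /test:RidManager` reports the same pool values.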
PDC Emulator: The PDC Emulator is the authoritative time source for its domain (and the PDC Emulator of the forest root domain is the time source for the whole forest): the other DCs sync time from it and domain members sync from their DC. Kerberos, on which AD authentication and replication depend, rejects tickets when clocks differ by more than the allowed skew (5 minutes by default), so time synchronisation matters. The PDC Emulator also receives password changes with priority: when a password is changed on any DC, the change is sent to the PDC Emulator immediately rather than waiting for normal replication. When a user enters a wrong password, the DC that received it consults the PDC Emulator before rejecting the logon, in case the password was just changed and the new value has not replicated yet. Account lockout is evaluated on the PDC Emulator for the same reason, and it is the default DC that Group Policy editing tools connect to.
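As an added example (not code from the original article), the following PowerShell performs two checks tied to the PDC Emulator: where every DC gets its time from, and how a user's bad-password counters differ from DC to DC, because badPwdCount and the last bad-password time are not replicated and only the PDC Emulator sees every failure forwarded to it. It assumes the ActiveDirectory module and w32tm are available, that the account running it can query each DC, and that the user name jdoe and the NTP server names are placeholders.

```powershell
# Added example, not from the original article.  Requires the ActiveDirectory
# module and w32tm.  'jdoe' and the NTP server names are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# (1) Ask each DC where it gets its time from.  Every non-PDC DC should chain
#     (directly or via another DC) to the PDC Emulator.
foreach ($dc in Get-ADDomainController -Filter *) {
    $source = (w32tm /query /computer:$($dc.HostName) /source) -join ''
    "{0,-30} time source: {1}" -f $dc.HostName, $source
}
# The PDC Emulator itself should take time from an external NTP source; if it
# reports "Local CMOS Clock" it is free-running.  Run this on the PDC Emulator
# to point it at external servers and mark it reliable (0x8 = client mode):
#   w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
#         /syncfromflags:manual /reliable:yes /update

# (2) Compare a user's bad-password counters on every DC.  The attributes are
#     not replicated, so each DC shows its own view; the PDC Emulator normally
#     shows the highest count because failures are forwarded to it.
$user = 'jdoe'
foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $user -Server $dc.HostName `
             -Properties badPwdCount, LastBadPasswordAttempt
    $tag = if ($dc.HostName -eq $pdc) { '(PDC Emulator)' } else { '' }
    "{0,-30} badPwdCount={1} last={2} {3}" -f `
        $dc.HostName, $u.badPwdCount, $u.LastBadPasswordAttempt, $tag
}
```

The second check is also why an investigator tracing a password-spraying attempt should query the PDC Emulator (or every DC) rather than whichever DC the management workstation happens to be talking to.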
Infrastructure Master: At any time there is exactly one Infrastructure Master per domain. It is responsible for updating references from objects in its domain to objects in other domains, for example a group in this domain that contains a user from another domain. When the referenced object is renamed or moved, the Infrastructure Master compares its data with a Global Catalog, updates the local cross-domain reference (the "phantom" record), and replicates the update to the other DCs in its domain. One caveat: a DC that is itself a Global Catalog never notices that its references are stale, so the Infrastructure Master should not be placed on a Global Catalog server unless every DC in the domain is a Global Catalog (in which case the role has nothing to do).
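As an added example (not code from the original article), the following PowerShell checks the placement rule above for every domain in the forest: it flags the case where the Infrastructure Master is a Global Catalog while some other DC in the domain is not. It assumes the ActiveDirectory module and read access to the forest; the DC name DC03 in the comment is a placeholder.

```powershell
# Added example, not from the original article.  Requires the ActiveDirectory
# module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$DomainName)
    $dom   = Get-ADDomain -Identity $DomainName
    $dcs   = Get-ADDomainController -Filter * -Server $dom.DNSRoot
    $im    = $dcs | Where-Object HostName -eq $dom.InfrastructureMaster
    $allGC = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $state = if ($allGC) {
        'OK: every DC is a GC, so the role has nothing to do'
    } elseif ($im.IsGlobalCatalog) {
        'PROBLEM: Infrastructure Master is a GC while other DCs are not; ' +
        'cross-domain references in this domain will not be updated'
    } else {
        'OK: Infrastructure Master is not a GC'
    }
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        InfrastructureMaster = $dom.InfrastructureMaster
        HolderIsGC           = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = $allGC
        Result               = $state
    }
}

(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement $_ } |
    Format-List

# Fix for the PROBLEM case: move the role to a DC that is not a GC, e.g.
#   Move-ADDirectoryServerOperationMasterRole -Identity 'DC03' `
#       -OperationMasterRole InfrastructureMaster
```

In a single-domain forest there are no cross-domain references, so the check always reports OK whatever the placement; it matters only once a second domain exists.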