Flexible Single-Master Operation (FSMO) roles,manage an
aspect of the domain or forest, to prevent conflicts

1.Domain Naming Master, If you want to add a domain to a
forest, the domain?s name must be verifiably unique. The
forest?s Domain Naming Master FSMOs authorize the domain
name operation. 

2.Infrastructure Master, When a user and group are in
different domains, a lag can exist between changes to the
user (e.g., a name change) and the user?s display in the
group. The Infrastructure Master of the group?s domain fixes
the group-to-user reference to reflect the change. The
Infrastructure Master performs its fixes locally and relies
on replication to bring all other replicas of the domain up
to date.

3.PDC Emulator,For backward compatibility, one DC in each
Win2K domain must emulate a PDC for the benefit of Windows
NT 4.0 and NT 3.5 DCs and clients.

4.RID Master,The RID Master must be available for you to use
the Microsoft Windows 2000 Resource Kit?s Movetree utility
to move objects between domains.

5.Schema Master,At the heart of Active Directory (AD) is the
schema, which is like a blueprint of all objects and
containers. Because the schema must be the same throughout
the forest, only one machine can authorize schema modifications.

FSMO ROLES MEANS FLIXIBLE SINGAL MASTER OPREATION. MEANS 
ALL THESE MASTER ROLE CAN BE SHIFTT OR CHANGE.THER ARE FIVE 
ROLES.WHEN U INSTALLED THE FIRST DOMAIN IN THE FOREST THEY 
ALL FIVE ROLES ARE INSTALLED ON THAT, BUT DUE TO EVERY 
ROLES HAS ITS OWN RESPONSIBLEITIES SO THAT THER IS A RISK 
TO SLOWE DOWN THE SERVER IN ALL THAT FIVE ROLES FIRST TWO 
ROLES ARE CALLED FOREST WIDE ROLES THAT ARE 1. SCHEMA 
MASTER ROLE. 2. IS DOMAIN NAMING MASTER ROLE. THESE ROLES 
SHOULD BE ON THE FIRST DOMAIN OF THE FOREST.

1.SCHEMA MASTER ROLE: THIS ROLES HAS ALL THE SCHEMA 
INFORMATION OF THE FOREST.

2. DOMAIN NAMING MASTER: THIS ROLES HAS THE INFORMATION OF 
ALL THE DOMAIN IN THE FOREST. SO WHEN U INSTALL THE NEW 
DOMAIN IN THE FOREST SO THAT IT FIRST CONTECT TO THE DOMAIN 
NAMING MASTER TO AVOID THE CONFILECTS.

ANOTHER THREE ROLES KNOWN AS DOMAIN WIDE ROLES. 3.PDC 
EMULATOR. 4.RID MASTER. 5. INFRASTRUTURE MASTER.
THESE ROLES ARE FIND IN EVERY DOMAIN IN THE FOREST. 

3.PDC EMULATOR ROLE : THIS IS RESPONSIBLE FOR THE 
AUTHENTICATION OF THE NT 4 CLIENTS. 

4.RID MASTER: THIS ROLES GIVE THE RID'S TO THE DOMAINS AND 
RESPOSIBLE TIME SYNCORNISATION WITH THE DOMAIN IN THE 
FOREST.

5. INFRSTRUTURE MASTER: THIS ROLE REPLICATE ALL THE 
INFORMATIONTO GLOBAL CATLOG TO MANAGE OBJECT FOR INTER 
DOMAIN INTEROPRABILITY.

For certain types of changes, Windows 2000/2003 
incorporates methods to prevent conflicting Active 
Directory updates from occurring. 

Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the 
Active Directory performs updates to certain objects in a 
single-master fashion. 

In a single-master model, only one DC in the entire 
directory is allowed to process updates. This is similar to 
the role given to a primary domain controller (PDC) in 
earlier versions of Windows (such as Microsoft Windows NT 
4.0), in which the PDC is responsible for processing all 
updates in a given domain. 

In a forest, there are five FSMO roles that are assigned to 
one or more domain controllers. The five FSMO roles are:

Schema Master: 

The schema master domain controller controls all updates 
and modifications to the schema. Once the Schema update is 
complete, it is replicated from the schema master to all 
other DCs in the directory. To update the schema of a 
forest, you must have access to the schema master. There 
can be only one schema master in the whole forest. 

Domain naming master: 

The domain naming master domain controller controls the 
addition or removal of domains in the forest. This DC is 
the only one that can add or remove a domain from the 
directory. It can also add or remove cross references to 
domains in external directories. There can be only one 
domain naming master in the whole forest. 

Infrastructure Master: 

When an object in one domain is referenced by another 
object in another domain, it represents the reference by 
the GUID, the SID (for references to security principals), 
and the DN of the object being referenced. The 
infrastructure FSMO role holder is the DC responsible for 
updating an object's SID and distinguished name in a cross-
domain object reference. At any one time, there can be only 
one domain controller acting as the infrastructure master 
in each domain. 

Note: The Infrastructure Master (IM) role should be held by 
a domain controller that is not a Global Catalog server 
(GC). If the Infrastructure Master runs on a Global Catalog 
server it will stop updating object information because it 
does not contain any references to objects that it does not 
hold. This is because a Global Catalog server holds a 
partial replica of every object in the forest. As a result, 
cross-domain object references in that domain will not be 
updated and a warning to that effect will be logged on that 
DC's event log. If all the domain controllers in a domain 
also host the global catalog, all the domain controllers 
have the current data, and it is not important which domain 
controller holds the infrastructure master role.

Relative ID (RID) Master: 

The RID master is responsible for processing RID pool 
requests from all domain controllers in a particular 
domain. When a DC creates a security principal object such 
as a user or group, it attaches a unique Security ID (SID) 
to the object. This SID consists of a domain SID (the same 
for all SIDs created in a domain), and a relative ID (RID) 
that is unique for each security principal SID created in a 
domain.  Each DC in a domain is allocated a pool of RIDs 
that it is allowed to assign to the security principals it 
creates. When a DC's allocated RID pool falls below a 
threshold, that DC issues a request for additional RIDs to 
the domain's RID master. The domain RID master responds to 
the request by retrieving RIDs from the domain's 
unallocated RID pool and assigns them to the pool of the 
requesting DC. At any one time, there can be only one 
domain controller acting as the RID master in the domain. 

PDC Emulator: 

The PDC emulator is necessary to synchronize time in an 
enterprise. Windows 2000/2003 includes the W32Time (Windows 
Time) time service that is required by the Kerberos 
authentication protocol. All Windows 2000/2003-based 
computers within an enterprise use a common time. The 
purpose of the time service is to ensure that the Windows 
Time service uses a hierarchical relationship that controls 
authority and does not permit loops to ensure appropriate 
common time usage.

The PDC emulator of a domain is authoritative for the 
domain. The PDC emulator at the root of the forest becomes 
authoritative for the enterprise, and should be configured 
to gather the time from an external source. All PDC FSMO 
role holders follow the hierarchy of domains in the 
selection of their in-bound time partner. 

In a Windows 2000/2003 domain, the PDC emulator role holder 
retains the following functions: 

Password changes performed by other DCs in the domain are 
replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a 
domain because of an incorrect password are forwarded to 
the PDC emulator before a bad password failure message is 
reported to the user. 

Account lockout is processed on the PDC emulator. 

Editing or creation of Group Policy Objects (GPO) is always 
done from the GPO copy found in the PDC Emulator's SYSVOL 
share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a 
Microsoft Windows NT 4.0 Server-based PDC or earlier PDC 
performs for Windows NT 4.0-based or earlier clients. 

This part of the PDC emulator role becomes unnecessary when 
all workstations, member servers, and domain controllers 
that are running Windows NT 4.0 or earlier are all upgraded 
to Windows 2000/2003. The PDC emulator still performs the 
other functions as described in a Windows 2000/2003 
environment. 

At any one time, there can be only one domain controller 
acting as the PDC emulator master in each domain in the 
forest.

FSMO - Stands for Flexible Single Master Operation.


The purpose of this FSMO is to avoid the conflicts through
out the forest . Conflicts will be like domain names,
Objects, Fields ..etc. 

Usually FSMO broadly divided into 5 Roles.

1. Schma Master Role
2. Domain Naming Master Role

3. RID - Relative Identifier.
4. PDC Emulator.
5. Infrastructure.

You can easily  differentiate the first one and two will be
Forest wide and the rest 3,4 and 5 will be domain wide.

Schma Master :- Operations that involve expanding user
properties e.g. Exchange 2003 / forestprep which adds
mailbox properties to users.  Rather like the Domain naming
master, changing the schema is a rare event.  However if you
have a team of Schema Administrators all experimenting with
object properties, you would not want there to be a mistake
which crippled your forest.  So its a case of Microsoft know
best, the Schema Master should be a Single Master Operation
and thus a FSMO role.

Domain Naming Master - Ensures that each child domain has a
unique name.  How often do child domains get added to the
forest?  Not very often I suggest, so the fact that this is
a FSMO does not impact on normal domain activity.  My point
is it's worth the price to confine joining and leaving the
domain operations to one machine, and save the tiny risk of
getting duplicate names or orphaned domains.

# PDC Emulator - Most famous for backwards compatibility
with NT 4.0 BDC's.  However, there are two other FSMO roles
which operate even in Windows 2003 Native Domains,
synchronizing the W32Time service and creating group
policies.  I admit that it is confusing that these two jobs
have little to do with PDCs and BDCs. 

RID Master - Each object must have a globally unique number
(GUID).  The RID master makes sure each domain controller
issues unique numbers when you create objects such as users
or computers.  For example DC one is given RIDs 1-4999 and
DC two is given RIDs 5000 - 9999.
Infrastructure Master - Responsible for checking objects in
other other domains.  Universal group membership is the most
important example.  To me, it seems as though the operating
system is paranoid that, a) You are a member of a Universal
Group in another domain and b) that group has been assigned
Deny permissions.  So if the Infrastructure master could not
check your Universal Groups there could be a security breach.

1. Schma Master Role
2. Domain Naming Master Role

3. RID - Relative Identifier.
4. PDC Emulator.
5. Infrastructure