3.4.4.6.2.3.2 Seizing a FSMO Role
The OperationMasterRole element contains a string as specified in section 2.2.5.3. To seize a role, the server writes the distinguishedName of the nTDSDSA object of the new role owner. The fsmoRoleOwner attribute to write, by role, is indicated in the following table, along with which types of DCs/instances support which roles.
Not all DCs/instances support all FSMO roles.
Role | Object | Object!attribute | (AD DS DC)/(AD DS RODC)/(AD LDS) |
---|---|---|---|
Domain Naming Master FSMO | Config NC root | crossRefContainer!fsmoRoleOwner | Yes/No/Yes |
Infrastructure Master FSMO | Infrastructure container in Domain NC | infrastructureUpdate!fsmoRoleOwner | Yes/No/No |
PDC Emulator FSMO | Domain NC root | domainDNS!fsmoRoleOwner | Yes/No/No |
RID Master FSMO | Domain NC!rIDManagerReference | rIDManager!fsmoRoleOwner | Yes/No/No |
Schema Master FSMO | Schema NC root | dMD!fsmoRoleOwner | Yes/No/Yes |
Additional constraints, such as control access rights, apply to AD DS and AD LDS. See [MS-ADTS] sections 3.1.1.5.3.1.2 and 3.1.1.5.3.2.
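The table above can also be used to review fsmoRoleOwner writes after the fact. The following is an added example, not part of the specification: it checks each write against the role and support columns and against a defender-maintained inventory. The change-record format, the inventory, the server names and the function name `review_fsmo_writes` are constructed for illustration, and the `CN=NTDS Settings` RDN for nTDSDSA objects is an assumption.

```python
import re

# From the table in this section: class of the object holding fsmoRoleOwner ->
# (role, instance types marked "Yes" in the support column).
FSMO_BY_CLASS = {
    "crossRefContainer": ("Domain Naming Master FSMO", {"AD DS DC", "AD LDS"}),
    "infrastructureUpdate": ("Infrastructure Master FSMO", {"AD DS DC"}),
    "domainDNS": ("PDC Emulator FSMO", {"AD DS DC"}),
    "rIDManager": ("RID Master FSMO", {"AD DS DC"}),
    "dMD": ("Schema Master FSMO", {"AD DS DC", "AD LDS"}),
}
# Assumption: nTDSDSA objects carry the RDN "CN=NTDS Settings" under the server object.
NTDSDSA_DN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)

# Constructed sample data (hypothetical servers and record format).
INVENTORY = {"DC01": "AD DS DC", "RODC07": "AD DS RODC", "LDS01": "AD LDS"}
_TAIL = ",CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test"
CHANGES = [
    {"object_class": "domainDNS", "attribute": "fsmoRoleOwner", "new_value": "CN=NTDS Settings,CN=DC01" + _TAIL},
    {"object_class": "rIDManager", "attribute": "fsmoRoleOwner", "new_value": "CN=NTDS Settings,CN=RODC07" + _TAIL},
    {"object_class": "dMD", "attribute": "fsmoRoleOwner", "new_value": "CN=NTDS Settings,CN=LDS01" + _TAIL},
    {"object_class": "infrastructureUpdate", "attribute": "fsmoRoleOwner", "new_value": "CN=DC01,OU=Domain Controllers,DC=example,DC=test"},
    {"object_class": "domainDNS", "attribute": "description", "new_value": "unrelated write"},
]

def review_fsmo_writes(changes, inventory):
    """Return (role, server, verdict) for every fsmoRoleOwner write in changes."""
    findings = []
    for ch in changes:
        if ch["attribute"].lower() != "fsmoroleowner":
            continue  # only role-owner writes are of interest
        entry = FSMO_BY_CLASS.get(ch["object_class"])
        if entry is None:
            findings.append((None, None, "fsmoRoleOwner on unexpected object class"))
            continue
        role, supported = entry
        m = NTDSDSA_DN.match(ch["new_value"])
        server = m.group(1) if m else None
        kind = inventory.get(server)
        if server is None:
            verdict = "value is not an nTDSDSA DN"
        elif kind is None:
            verdict = "owner not in inventory"
        elif kind not in supported:
            verdict = f"{kind} does not support this role"
        else:
            verdict = "ok"
        findings.append((role, server, verdict))
    return findings
```
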