3.1.1.5.3.1.2 FSMO Changes
If a write to the fSMORoleOwner attribute is performed, and the objectClass of the object being modified is one of the following classes, then the requester is required to have an additional control access right on the object. The following control access rights are checked, depending on the objectClass of the object being modified:
infrastructureUpdate (domain infrastructure master FSMO, in AD DS only): Change-Infrastructure-Master
dMD (schema FSMO): Change-Schema-Master
rIDManager (domain RID FSMO, in AD DS only): Change-Rid-Master
crossRefContainer (domain naming FSMO): Change-Domain-Master