In Windows 2000 and Windows Server 2003 there are five FSMO roles. All five are initially owned by the first domain controller installed in the forest; each additional domain installed in the forest gets its own set of the three domain-level roles. The roles break down into two forest-level roles and three domain-level roles. The two forest-level roles are:
- The schema master controls all updates and modifications to the Active Directory schema. To update the schema of a forest you must have access to the schema master, and therefore you need to be a member of the Schema Admins group in Active Directory. There can be only one schema master in the whole forest.
- The domain naming master controls the addition and removal of domains in the forest. There can be only one domain naming master in the whole forest. You need to be a member of the Enterprise Admins group in order to use the domain naming master.
The three domain-level roles for Active Directory domain controllers are:
- The primary domain controller (PDC) emulator processes any replication requests from Microsoft Windows NT 4.0 backup domain controllers (BDCs) and processes all password updates from clients not running the Active Directory client software. In addition, when an authentication fails, the PDC emulator is checked to see whether the password has been changed but the change has not yet had a chance to replicate to all domain controllers.
- The relative identifier (RID) master allocates RIDs to all domain controllers to ensure that all security principals are unique.
- The infrastructure master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.
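Because the two forest-level roles exist once per forest while the three domain-level roles exist once per domain, a practitioner checking an environment has to walk every domain to find all holders. The script below is an added example, not part of the original text; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session runs as a domain user inside the forest being examined.

```powershell
# Added example (not from the original article): enumerate every FSMO role
# holder in the current forest and report whether each holder still answers
# a directory query. Assumes the ActiveDirectory module is available and the
# session runs as a domain user in that forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = @()

# Two forest-level roles: held exactly once for the whole forest.
$roles += [pscustomobject]@{ Role = 'SchemaMaster';       Scope = $forest.Name; Holder = $forest.SchemaMaster }
$roles += [pscustomobject]@{ Role = 'DomainNamingMaster'; Scope = $forest.Name; Holder = $forest.DomainNamingMaster }

# Three domain-level roles: one set per domain, so iterate every domain in the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles += [pscustomobject]@{ Role = 'PDCEmulator';          Scope = $domainName; Holder = $domain.PDCEmulator }
    $roles += [pscustomobject]@{ Role = 'RIDMaster';            Scope = $domainName; Holder = $domain.RIDMaster }
    $roles += [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = $domainName; Holder = $domain.InfrastructureMaster }
}

# Ask each holder about itself. A silent RID master means DCs cannot obtain a
# new RID pool once their current one is exhausted; a silent PDC emulator breaks
# the password-change handling described above.
$report = foreach ($r in $roles) {
    $reachable = $false
    try {
        $null = Get-ADDomainController -Identity $r.Holder -Server $r.Holder -ErrorAction Stop
        $reachable = $true
    } catch { }
    [pscustomobject]@{ Role = $r.Role; Scope = $r.Scope; Holder = $r.Holder; Reachable = $reachable }
}

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "FSMO role $($_.Role) for $($_.Scope) is held by $($_.Holder), which did not respond."
}
```

Run it from any domain-joined workstation with RSAT; the output lists five rows for a single-domain forest and three additional rows for every further domain.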