How to determine the FSMO role holder (fSMORoleOwner attribute)

This article describes how to find the servers that hold the Flexible Single Master Operation (FSMO) roles in a forest.

Active Directory defines five FSMO roles:

Per-forest roles, one per forest:

  • Schema master
  • Domain naming master

Per-domain roles, one per domain:

  • RID master
  • PDC master
  • Infrastructure master

 

To determine the master for a partition, query the fSMORoleOwner attribute on the corresponding object under the naming context root in question:

Schema Master:
LDAP://cn=Schema,cn=Configuration,dc=contoso,dc=com

Domain Naming Master:
LDAP://cn=Partitions,cn=Configuration,dc=contoso,dc=com

PDC Role Owner:
LDAP://dc=concorp,dc=contoso,dc=com

Infrastructure Master:
LDAP://cn=Infrastructure,dc=concorp,dc=contoso,dc=com

RID Master:
LDAP://cn=RID Manager$,cn=System,dc=concorp,dc=contoso,dc=com

You can use tools such as ldifde to perform queries to get FSMO role holders:

ldifde -f Infrafsmo.ldf -d "CN=Infrastructure,DC=concorp,DC=contoso,DC=com" -l fSMORoleOwner

This query writes the infrastructure master role owner for the DC=concorp,DC=contoso,DC=com partition to the Infrafsmo.ldf file.

The information in the attribute is stored as a DN, representing the NTDS Settings object of the DC that is the role owner. Example:

CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE1,CN=Sites,CN=Configuration,DC=contoso,DC=com
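As an added example (not part of the original article), the Python code below reads an ldifde export such as Infrafsmo.ldf, recovers the fSMORoleOwner value, and resolves the NTDS Settings DN to its server and site, rejecting a value that does not have the shape shown above. The sample export text and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample of an ldifde export; the long value is folded onto a
# continuation line that starts with one space, as LDIF allows.
SAMPLE_LDIF = """dn: CN=Infrastructure,DC=concorp,DC=contoso,DC=com
changetype: add
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=SITE1,CN=Sites,CN=Configu
 ration,DC=contoso,DC=com
"""

def ldif_attr(ldif_text, name):
    """Return the first value of attribute `name`, undoing folding and base64 ('::')."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    for line in unfolded.splitlines():
        m = re.match(r"([^:]+)(::?)\s*(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            value = m.group(3)
            return base64.b64decode(value).decode("utf-8") if m.group(2) == "::" else value
    return None

def split_dn(dn):
    """Split a DN into (type, value) pairs, keeping backslash-escaped commas intact."""
    rdns = re.split(r"(?<!\\),", dn)
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in rdns]

def role_owner(dn):
    """Map an fSMORoleOwner DN to its server and site; raise on an unexpected shape."""
    rdns = split_dn(dn)
    types = [t.upper() for t, _ in rdns]
    values = [v for _, v in rdns]
    # Expected: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    if (len(rdns) < 5 or set(types[:5]) != {"CN"} or values[0] != "NTDS Settings"
            or values[2] != "Servers" or values[4] != "Sites"):
        raise ValueError("fSMORoleOwner is not an NTDS Settings DN under Sites: " + dn)
    return {"server": values[1], "site": values[3]}

if __name__ == "__main__":
    print(role_owner(ldif_attr(SAMPLE_LDIF, "fSMORoleOwner")))
```

A value that fails the shape check is worth investigating before trusting the reported role holder, since it no longer points at a server's NTDS Settings object.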

The following C# code returns the PDC role owner:

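using System;
using System.DirectoryServices; // requires a reference to System.DirectoryServices

class Program
{
  static void Main(string[] args)
  {
    // The domain naming context root carries the PDC role owner in fSMORoleOwner.
    DirectoryEntry DomDn = new DirectoryEntry("LDAP://dc=concorp,dc=contoso,dc=com");
    // The attribute value is the DN of the role owner's NTDS Settings object.
    DirectoryEntry PDCfsmo = new DirectoryEntry("LDAP://" + DomDn.Properties["fsmoRoleOwner"].Value.ToString());

    // The parent of NTDS Settings is the server object, which holds dnsHostName.
    Console.WriteLine(PDCfsmo.Parent.Properties["dnsHostName"].Value.ToString());

    PDCfsmo.Close();
    DomDn.Close();
  }
}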

As before, the following VBScript code returns the PDC role owner:

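' Read fSMORoleOwner from the domain naming context root.
Set objDomDn = GetObject("LDAP://dc=concorp,dc=contoso,dc=com")
strfsmoRoleOwner = objDomDn.Get("fsmoRoleOwner")

' Bind to the NTDS Settings object, then to its parent server object.
Set objPDCfsmo = GetObject("LDAP://" & strfsmoRoleOwner)
Set objPDCfsmoParent = GetObject(objPDCfsmo.Parent)

' The server object holds the DNS host name of the role owner.
Wscript.Echo objPDCfsmoParent.Get("dnsHostName")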