Setting User Rights for Designating FSMO Roles in an Enterprise

ID: Q228776

The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

SUMMARY

User rights for designating Flexible Single Master Operation (FSMO) roles can be set for groups or users in an enterprise. This functionality gives administrators the ability to limit or add to the group of default users that can change FSMO role owners in an enterprise or domain.


MORE INFORMATION

Schema Master

By default, the only group of users with privileges to change the Schema Master FSMO role is the Schema Administrators group. This right can be changed in one of the following two places:
  • Open the Schema Manager snap-in, right-click Active Directory Schema Manager, and then click Permissions. Use the Change Schema Master permission to designate rights.


  • Using the Adsiedit tool from the Windows 2000 Resource Kit, you can change the rights by right-clicking Schema Naming Context and then clicking Properties. Use the Change Schema Master permission to designate rights.


Domain Naming Master

By default, the only group of users with privileges to change the Domain Naming Master is the Enterprise Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Resource Kit. Change the rights by right-clicking CN=Partitions under Configuratin Context and then clicking Properties. Use the Change Domain Master permission to designate rights.

PDC Emulator

By default, the only group of users with privileges to change the primary domain controller (PDC) Emulator is the Domain Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Resource Kit. Change the rights by right-clicking DC=north,DC=microsoft,DC=com (for north.microsoft.com) under the Domain context and then clicking Properties. Use the Change PDC permission to designate rights.

Infrastructure Master

By default, the only group of users with privileges to change the Infrastructure Master is the Domain Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Resource Kit. Change the rights by right-clicking CN=Infrastructure for the folder under the Domain context and then clicking Properties. Use the Change Infrastructure Master permission to designate rights.

RID Master

By default, the only group of users with privileges to change the RID Master is the Domain Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Resource Kit. Change the rights by right-clicking CN=RID Manager$ in the CN=System folder under the Domain context, and then clicking Properties. Use the Change RID Master permission to designate rights.

You can also change the RID Master, PDC Emulator, and Infrastructure Master in the Active Directory Users and Computers snap-in by right-clicking the domain item, and then clicking Operations Master.

LDAP Representations

The following items are Lightweight Directory Access Protocol (LDAP) representations indicating where the permissions reside in Active Directory:
  • Primary Domain Controller (PDC) FSMO:
    LDAP://DC=MICROSOFT,DC=COM


  • RID Master FSMO:
    LDAP://CN=Rid Manager$,CN=System,DC=MICROSOFT,DC=COM


  • Schema Master FSMO:
    LDAP://CN=Schema,CN=Configuration,DC=MICROSOFT,DC=COM


  • Infrastructure Master FSMO:
    LDAP://CN=Infrastructure,DC=MICROSOFT,DC=COM


  • Domain Naming Master FSMO:
    LDAP://CN=Partitions,CN=Configuration,DC=MICROSOFT,DC=COM


Additional query words:

Keywords : kbenv ntdomain
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.