FSMO Roles Test

FSMO stands for Flexible Single Master Operations, and FSMO roles (also known as operations master roles) help you prevent conflicts in your Active Directory.

For most Active Directory objects, the task of updating can be performed by any Domain Controller except those Domain Controllers that are read-only. Updates such as computer object properties, renamed organizational units, and user account password resets can be handled by any writable domain controller.

After an object is changed on one domain controller, those changes are propagated to the other domain controllers through replication. During replication all of the Domain Controllers share their updates. So a user that has their password reset in one part of the domain may have to wait until those changes are replicated to the Domain Controller that they are signing in from.

This model works well for most objects. In the case of a conflict, such as a user's password being reset both by the central helpdesk and by an administrator working at the user's site, the last change made wins. However, some changes are too important to be left to this model.

There are five specific types of update to Active Directory for which conflicts should be avoided. To rule such conflicts out, each of these types of update is performed on a single Domain Controller. Although each type of update must be performed on a single Domain Controller, the five types do not all have to be handled by the same Domain Controller.

These types of update are handled by Domain Controllers holding Flexible Single Master Operations roles, or FSMO roles. Each of the five roles is assigned to only one domain controller.

There are five FSMO roles in every Active Directory forest. They are:

  • Schema Master
  • Domain Naming Master
  • Infrastructure Master
  • Relative ID (RID) Master
  • Primary Domain Controller (PDC) Emulator

Two of these roles, the Schema Master and the Domain Naming Master, exist only once in the whole forest. The following three FSMO roles exist once in every domain in the forest:

  • Infrastructure Master
  • Relative ID (RID) Master
  • Primary Domain Controller (PDC) Emulator

If the domain controller that holds a particular FSMO role suddenly becomes unavailable or unreachable, that role's function cannot be performed. The types of update that would otherwise be handled by that domain controller can no longer be processed, which opens the door to conflicts in the AD environment. With the help of the FSMO Roles test, however, you can rapidly detect that an FSMO domain controller is unavailable over the network, isolate potential network connectivity issues and latencies, and spot actual or probable delays in LDAP binding, so that such issues can be promptly remedied and conflicts prevented.

Target of the test: An Active Directory server or a Windows Domain Controller

Agent deploying the test: An internal agent

Outputs of the test: One set of results for each FSMO role

Configurable parameters for the test

Test period: Indicates how often the test should be executed.

Host: The host for which this test is to be configured.

Port: The port used by the Windows server.

Measurements made by the test

Measurement: LDAP bind time

Description: Indicates the time taken for the last successful LDAP bind.

Unit: Secs

Interpretation: In Active Directory Domain Services, the act of associating a programmatic object with a specific Active Directory Domain Services object is known as binding. When a programmatic object, such as an IADs (Interface Adapter Device) or DirectoryEntry object, is associated with a specific directory object, the programmatic object is considered to be bound to the directory object.

The method for programmatically binding to an Active Directory object will depend on the programming technology that is used.

All bind functions and methods require a binding string. The form of the binding string depends on the provider. Active Directory Domain Services are supported by two providers, LDAP and WinNT.

Beginning with Windows 2000, the LDAP provider is used to access Active Directory Domain Services. The LDAP binding string can take one of the following forms:

  • LDAP://<host name>/<object name>
  • GC://<host name>/<object name>

Ideally, the value of this measure should be low. A high value could indicate network-related problems, or server hardware that needs to be upgraded without delay.

This measure will not be reported if the value of the Availability measure is 0.
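As an added example, not code from eG Enterprise or from this page, the following Python script measures LDAP bind time the way a monitoring agent could, using only the standard library: it parses the two binding-string forms above (assuming LDAP:// means TCP port 389 and GC:// the Global Catalog on TCP port 3268), encodes an LDAPv3 simple BindRequest, times the connect plus bind round trip, and decodes the resultCode of the BindResponse. The host names, the stub server and the canned reply bytes are constructed; the stub stands in for a domain controller so the script runs offline, and in production you would point `timed_bind` at the DC holding the role.

```python
# Added example, not eG Enterprise code: time an LDAP simple bind with the
# standard library only. Assumes LDAP:// means TCP 389 and GC:// means the
# Global Catalog on TCP 3268; the stub server is a constructed stand-in for a DC.
import socket
import threading
import time

PROVIDER_PORTS = {"LDAP": 389, "GC": 3268}

def parse_binding_string(binding):
    """'LDAP://<host name>/<object name>' or 'GC://...' ->
    (provider, host, port, object name); an explicit host:port wins."""
    provider, sep, rest = binding.partition("://")
    provider = provider.upper()
    if not sep or provider not in PROVIDER_PORTS:
        raise ValueError(f"unsupported binding string: {binding!r}")
    hostpart, _, object_name = rest.partition("/")
    host, _, port = hostpart.partition(":")
    return provider, host, int(port) if port else PROVIDER_PORTS[provider], object_name

def _ber(tag, payload):
    """Encode one BER TLV in definite-length form."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def bind_request(message_id, dn="", password=""):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    Empty DN and password make it an anonymous bind. message_id < 128."""
    body = (_ber(0x02, b"\x03")                 # version INTEGER 3
            + _ber(0x04, dn.encode())           # name LDAPDN
            + _ber(0x80, password.encode()))    # authentication: simple [0]
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x60, body))

def _tlv(buf, pos):
    """Decode one TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_result(data):
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)                    # skip messageID
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:                             # [APPLICATION 1] BindResponse
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    tag, code, _ = _tlv(op, 0)
    if tag != 0x0A:                             # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def timed_bind(host, port, dn="", password="", timeout=5.0):
    """Connect, send one simple bind, return (result_code, seconds). The time
    spans connect plus the bind round trip; None means no well-formed reply."""
    started = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, dn, password))
            reply = sock.recv(4096)             # a single BindResponse fits
        code = parse_bind_result(reply)
    except (OSError, ValueError, IndexError):
        code = None
    return code, time.perf_counter() - started

# Constructed BindResponse with resultCode success(0), messageID 1.
SUCCESS_RESPONSE = bytes.fromhex("300c02010161070a010004000400")

def start_stub_server(response=SUCCESS_RESPONSE):
    """Answer one connection on 127.0.0.1 with `response`; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    provider, host, port, obj = parse_binding_string("LDAP://127.0.0.1/DC=example,DC=com")
    port = start_stub_server()                  # use the local stub instead of 389
    print(provider, obj, timed_bind(host, port))
```

Against a real DC, a resultCode other than 0 (for example 49, invalidCredentials) still yields a timing, but only a successful bind should feed the "LDAP bind time" measure; a None result with a long elapsed time is the connect or reply timeout and points at the network rather than at the directory service.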

Measurement: Avg network delay

Description: Indicates the average delay between the transmission of a packet to the target and the receipt of the response to that packet at the source.

Unit: Secs

Interpretation: An increase in network latency could result from misconfiguration of the router(s) along the path, network congestion, retransmissions on the network, etc. The detailed diagnosis capability, if enabled, lists the hop-by-hop connectivity and delay.

This measure will not be reported if the value of the Availability measure is 0.

Measurement: Minimum network delay

Description: Indicates the minimum time between the transmission of a packet and the receipt of the response back.

Unit: Secs

Interpretation: A significant increase in the minimum round-trip time is often a sure sign of network congestion.

This measure will not be reported if the value of the Availability measure is 0.

Measurement: Packet loss

Description: Indicates the percentage of packets lost during transmission from the source to the target and back.

Unit: Percent

Interpretation: Packet loss is often caused by buffer overflows at a network router or by packet corruption on the network. The detailed diagnosis for this measure lists the routers on the path from the agent to the target server, with the delay at each hop. This information can be used to identify the hop(s) that could be causing excessive packet loss or delays.

This measure will not be reported if the value of the Availability measure is 0.

Measurement: Availability

Description: Indicates whether or not this FSMO role is available over the network.

Unit: Percent

Interpretation: A value of 100 indicates that the FSMO role is available; the value 0 indicates that the FSMO role is not available.

Typically, the value 100 corresponds to a Packet loss (Pkt_loss_pct) of 0.

If the FSMO role is not available over the network, i.e., if this measure reports the value 0, none of the other measures of this test will be reported.

Measurement: Has owner been changed?

Description: Indicates whether or not the owner of this FSMO role has changed.

Interpretation: The table below indicates the values that this measure can report and their corresponding numeric equivalents:

  Measure value    Numeric value
  Yes              1
  No               0

Note:

By default, this measure reports the Measure Values listed above to indicate whether or not the owner of each FSMO role has changed. The graph of this measure, however, uses only the corresponding numeric equivalents, i.e., 0 or 1.

The detailed diagnosis of this measure lists the name of the current owner and the name of the previous owner of each FSMO role.
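As an added example, not eG Enterprise code, the Python script below shows where each FSMO role is recorded in the directory and how an "owner changed" check can be derived from it, covering both the forest-wide versus per-domain split described earlier and the "Has owner been changed?" measure with its detailed diagnosis. Each role is stored as the fSMORoleOwner attribute of one directory object (the Schema container, the Partitions container, the domain naming context head, the RID Manager$ object and the Infrastructure object), and its value is the distinguished name of the owning DC's NTDS Settings object. The DN templates, the example.com names and the two snapshots are constructed assumptions; reading the live values over LDAP is left to whatever directory client the agent uses.

```python
# Added example, not eG Enterprise code: where FSMO roles live in the directory
# and how to turn two snapshots of fSMORoleOwner into the "Has owner been
# changed?" measure. DN templates and snapshots below are constructed assumptions.

# The two forest-wide roles sit under the Configuration partition; the three
# domain roles sit in each domain partition. Each object's fSMORoleOwner holds
# the DN of the owning DC's "NTDS Settings" object.
FOREST_ROLE_OBJECTS = {
    "Schema Master": "CN=Schema,CN=Configuration,{forest}",
    "Domain Naming Master": "CN=Partitions,CN=Configuration,{forest}",
}
DOMAIN_ROLE_OBJECTS = {
    "PDC Emulator": "{domain}",
    "RID Master": "CN=RID Manager$,CN=System,{domain}",
    "Infrastructure Master": "CN=Infrastructure,{domain}",
}
DELETED_MARKER = "\\0ADEL:"   # RDN suffix AD gives tombstoned (deleted) objects

def role_objects(forest_root_dn, domain_dns):
    """Map each role (once per forest, then once per domain) to the DN whose
    fSMORoleOwner attribute names the owner. forest_root_dn is the forest
    root domain's DN, e.g. 'DC=example,DC=com'."""
    objects = {role: tmpl.format(forest=forest_root_dn)
               for role, tmpl in FOREST_ROLE_OBJECTS.items()}
    for domain_dn in domain_dns:
        for role, tmpl in DOMAIN_ROLE_OBJECTS.items():
            objects[f"{role} ({domain_dn})"] = tmpl.format(domain=domain_dn)
    return objects

def describe_owner(ntds_dn):
    """Turn an fSMORoleOwner value into the owning DC's name:
    'CN=NTDS Settings,CN=DC01,CN=Servers,...' -> 'DC01'. If the owner's NTDS
    Settings object was deleted (DC removed without transferring the role),
    the value is a tombstone DN; flag it, since the role must then be seized.
    Assumes RDN values contain no escaped commas."""
    rdns = ntds_dn.split(",")
    if len(rdns) < 2 or not rdns[0].upper().startswith("CN=NTDS SETTINGS"):
        raise ValueError(f"not an NTDS Settings DN: {ntds_dn!r}")
    server = rdns[1].split("=", 1)[1]
    if DELETED_MARKER in rdns[0]:
        # Tombstones are moved to the partition's Deleted Objects container,
        # so the parent server name is usually gone from the DN.
        parent = server.split(DELETED_MARKER)[0]
        if rdns[1].upper().startswith("CN=DELETED OBJECTS"):
            parent = "unknown DC"
        return f"{parent} (deleted object)"
    return server

def owner_changes(previous, current):
    """Compare two {role: fSMORoleOwner DN} snapshots and build the measure
    (Yes/No plus numeric 1/0) and its detailed diagnosis. A role with no
    previous value reports No: there is nothing to compare yet."""
    results = {}
    for role, now_dn in current.items():
        before_dn = previous.get(role)
        changed = before_dn is not None and before_dn != now_dn
        results[role] = {
            "measure": "Yes" if changed else "No",
            "numeric": 1 if changed else 0,
            "current owner": describe_owner(now_dn),
            "previous owner": describe_owner(before_dn) if before_dn else "(no baseline)",
        }
    return results

# Constructed snapshots for a single-domain forest example.com.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
DC01 = f"CN=NTDS Settings,CN=DC01,{SITE}"
DC02 = f"CN=NTDS Settings,CN=DC02,{SITE}"
DC01_TOMBSTONE = (f"CN=NTDS Settings{DELETED_MARKER}<guid>,"
                  "CN=Deleted Objects,CN=Configuration,DC=example,DC=com")
PREVIOUS = {"Schema Master": DC01, "Domain Naming Master": DC01,
            "PDC Emulator": DC01, "RID Master": DC01, "Infrastructure Master": DC01}
# Now: PDC Emulator transferred to DC02; the RID Master's owner object was deleted.
CURRENT = dict(PREVIOUS, **{"PDC Emulator": DC02, "RID Master": DC01_TOMBSTONE})

if __name__ == "__main__":
    for role, dn in role_objects("DC=example,DC=com", ["DC=example,DC=com"]).items():
        print(f"{role:40} read fSMORoleOwner from {dn}")
    for role, r in owner_changes(PREVIOUS, CURRENT).items():
        print(f"{role:22} {r['measure']:3} ({r['numeric']})  "
              f"now={r['current owner']}  before={r['previous owner']}")
```

An unexpected Yes for a role that nobody transferred deliberately, or a current owner marked as a deleted object, is worth an alert in its own right: the first means the role was moved or seized outside change control, the second means the role has no live holder and the updates it serializes will stall until it is seized.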