Microsoft KB Archive/228776

= Setting User Rights for Designating FSMO Roles in an Enterprise =

Article ID: 228776

Article Last Modified on 2/23/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q228776



SUMMARY
User rights for designating Flexible Single Master Operation (FSMO) roles can be set for groups or users in an enterprise. This functionality gives administrators the ability to limit or add to the group of default users that can change FSMO role owners in an enterprise or domain.



Schema Master
By default, the only group of users with privileges to change the Schema Master FSMO role is the Schema Administrators group. This right can be changed in one of the following two places:
 * Open the Schema Manager snap-in, right-click Active Directory Schema Manager, and then click Permissions. Use the Change Schema Master permission to designate rights.
 * Using the Adsiedit tool from the Windows 2000 Support Tools, you can change the rights by right-clicking Schema Naming Context and then clicking Properties. Use the Change Schema Master permission to designate rights.

Domain Naming Master
By default, the only group of users with privileges to change the Domain Naming Master is the Enterprise Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Support Tools. Change the rights by right-clicking CN=Partitions under Configuration Context and then clicking Properties. Use the Change Domain Master permission to designate rights.

PDC Emulator
By default, the only group of users with privileges to change the primary domain controller (PDC) Emulator is the Domain Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Support Tools. Change the rights by right-clicking DC=north,DC=microsoft,DC=com (for north.microsoft.com) under the Domain context and then clicking Properties. Use the Change PDC permission to designate rights.

Infrastructure Master
By default, the only group of users with privileges to change the Infrastructure Master is the Domain Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Support Tools. Change the rights by right-clicking the CN=Infrastructure folder under the Domain context and then clicking Properties. Use the Change Infrastructure Master permission to designate rights.

RID Master
By default, the only group of users with privileges to change the RID Master is the Domain Administrators group. This right can be changed by using the Adsiedit tool from the Windows 2000 Support Tools. Change the rights by right-clicking CN=RID Manager$ in the CN=System folder under the Domain context, and then clicking Properties. Use the Change RID Master permission to designate rights.

You can also change the RID Master, PDC Emulator, and Infrastructure Master in the Active Directory Users and Computers snap-in by right-clicking the domain item, and then clicking Operations Master.

LDAP Representations
The following items are Lightweight Directory Access Protocol (LDAP) representations indicating where the permissions reside in Active Directory:

 * Primary Domain Controller (PDC) FSMO: LDAP://DC=MICROSOFT,DC=COM
 * RID Master FSMO: LDAP://CN=Rid Manager$,CN=System,DC=MICROSOFT,DC=COM
 * Schema Master FSMO: LDAP://CN=Schema,CN=Configuration,DC=MICROSOFT,DC=COM
 * Infrastructure Master FSMO: LDAP://CN=Infrastructure,DC=MICROSOFT,DC=COM
 * Domain Naming Master FSMO: LDAP://CN=Partitions,CN=Configuration,DC=MICROSOFT,DC=COM
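The following PowerShell script is an added example, not part of the original article: it reads the access control list of each object listed above and reports every principal that holds the corresponding "Change ..." permission, so that delegations beyond the default groups can be reviewed. It assumes a domain-joined host with PowerShell 3.0 or later; the controlAccessRight object names under CN=Extended-Rights (for example Change-PDC) come from the Active Directory schema rather than from this article, and the naming contexts are read from RootDSE instead of using DC=MICROSOFT,DC=COM.

```powershell
# Added example: list every ACE that grants a FSMO "Change ..." extended right.
# Assumes a domain-joined host; naming contexts are read from RootDSE.
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [string]$rootDse.defaultNamingContext
$config  = [string]$rootDse.configurationNamingContext
$schema  = [string]$rootDse.schemaNamingContext

# Role -> object carrying the permission (per the LDAP list above) and the CN
# of the matching controlAccessRight object (schema names, not from the article).
$targets = @(
    @{ Role = 'PDC Emulator';          Right = 'Change-PDC';                   DN = $domain }
    @{ Role = 'RID Master';            Right = 'Change-Rid-Master';            DN = "CN=RID Manager`$,CN=System,$domain" }
    @{ Role = 'Schema Master';         Right = 'Change-Schema-Master';         DN = $schema }
    @{ Role = 'Infrastructure Master'; Right = 'Change-Infrastructure-Master'; DN = "CN=Infrastructure,$domain" }
    @{ Role = 'Domain Naming Master';  Right = 'Change-Domain-Master';         DN = "CN=Partitions,$config" }
)
$extRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($t in $targets) {
    # Resolve the right's GUID from the directory instead of hard-coding it.
    $car  = [ADSI]"LDAP://CN=$($t.Right),CN=Extended-Rights,$config"
    $guid = [guid][string]$car.psbase.Properties['rightsGuid'].Value
    $acl  = ([ADSI]"LDAP://$($t.DN)").psbase.ObjectSecurity

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs do not apply to the object itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # Keep ACEs for this specific right, or for all extended rights
        # (empty ObjectType, which also covers Full Control).
        $hasExt  = ([int]$ace.ActiveDirectoryRights -band $extRight) -ne 0
        $applies = $ace.ObjectType -eq $guid -or $ace.ObjectType -eq [guid]::Empty
        if (-not ($hasExt -and $applies)) { continue }

        # Orphaned SIDs cannot be translated; keep the raw SID in that case.
        try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.IdentityReference.Value }

        [pscustomobject]@{
            Role      = $t.Role
            Principal = $who
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited
            Object    = $t.DN
        }
    }
}
$report | Sort-Object Role, Principal | Format-Table -AutoSize
```

Any Allow entry for a principal other than the default group named in the sections above is a delegation worth confirming with the directory's owners.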



Keywords: kbenv kbinfo KB228776


© Microsoft Corporation. All rights reserved.