Active Directory is a multi-master database: changes can be made at any of the domain controllers. That flexibility comes with added responsibility, because conflicting updates made across multiple domain controllers must be prevented.
This is made possible by the Flexible Single Master Operations (FSMO) roles. Vital updates, such as schema updates or the addition of new domains, can be made only at a particular domain controller. There are 5 FSMO roles: 3 apply at the domain level and 2 apply at the forest level.
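Because each role lives on exactly one domain controller, it is worth recording which controller holds it and checking for unexpected changes. The following is an added example, not part of the original page: it reads the five role holders with the ActiveDirectory module's `Get-ADForest` and `Get-ADDomain` and compares them with a documented baseline. The function names, host names and baseline values are hypothetical.

```powershell
# Added example; the live query needs the ActiveDirectory module (RSAT).
function Get-FsmoRoleHolders {
    # One object per FSMO role for the current forest and domain.
    Import-Module ActiveDirectory -ErrorAction Stop
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $map = [ordered]@{
        SchemaMaster         = @('Forest', $forest.SchemaMaster)
        DomainNamingMaster   = @('Forest', $forest.DomainNamingMaster)
        PDCEmulator          = @('Domain', $domain.PDCEmulator)
        RIDMaster            = @('Domain', $domain.RIDMaster)
        InfrastructureMaster = @('Domain', $domain.InfrastructureMaster)
    }
    foreach ($role in $map.Keys) {
        [pscustomobject]@{ Role = $role; Scope = $map[$role][0]; Holder = $map[$role][1] }
    }
}

function Compare-FsmoBaseline {
    # One row per role, marking whether the current holder matches the baseline.
    param(
        [Parameter(Mandatory)] [object[]]  $Current,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($c in $Current) {
        $expected = $Baseline[$c.Role]
        [pscustomobject]@{
            Role = $c.Role; Scope = $c.Scope; Expected = $expected; Actual = $c.Holder
            Match = ($null -ne $expected -and $expected -ieq $c.Holder)
        }
    }
}

# Constructed baseline and sample (hypothetical hosts) so the comparison runs without a domain.
$baseline = @{
    SchemaMaster = 'dc01.corp.example'; DomainNamingMaster = 'dc01.corp.example'
    PDCEmulator  = 'dc02.corp.example'; RIDMaster = 'dc02.corp.example'
    InfrastructureMaster = 'dc02.corp.example'
}
$sample = @(
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = 'dc01.corp.example' }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = 'dc01.corp.example' }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = 'dc09.corp.example' }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = 'dc02.corp.example' }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = 'DC02.corp.example' }
)
# Show only the roles whose holder differs from the baseline.
Compare-FsmoBaseline -Current $sample -Baseline $baseline | Where-Object { -not $_.Match }
```

On a domain-joined host, pass `(Get-FsmoRoleHolders)` as `-Current` instead of the constructed sample.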
So how does Active Directory confirm the identity of a user requesting access to a resource? How does a client query a server for a particular resource? Active Directory answers these questions through its support for standard interfaces and protocols such as Domain Name System (DNS), Kerberos, and Lightweight Directory Access Protocol (LDAP).
For a detailed breakdown of the roles, see FSMO Roles – In detail.