Active Directory operates in a multi-master replication manner. What this means is that each domain controller in the domain holds a readable, writable replica of the Active Directory data store. In multi-master replication, any domain controller is able to change objects within Active Directory. Multi-master replication is ideal for the majority of information located in Active Directory. However, certain Active Directory functions or operations are not managed in a multi-master manner because they cannot be shared without causing some data uniformity issues. These functions are called Flexible Single Master Operations (FSMOs).
There are five Operations Master (OM) roles which are automatically installed when you install the first domain controller. These five OMs are installed on the domain controller. Two of these OM roles apply to the entire Active Directory forest. The roles that apply to the forest are the Schema Master role and the Domain Naming Master role. The other three OM roles apply to each domain. The roles that apply to a domain are the Relative identifier (RID)/relative ID Master Role, the Primary Domain Controller (PDC) Emulator role, and the Infrastructure Master role. When a domain controller is assigned a FSMO, that domain controller becomes a role master. The particular domain controller that is assigned these roles performs single-master replication within the Active Directory environment.
Because domain controllers generally contain the same Active Directory information, when one domain controller is unavailable, the remainder of the domain controllers are able to provide access to Active Directory objects. However, if the domain controller that is lost has one of these OM roles installed, you could find that no new objects can be added to the domain.
- Schema Master Role
- Domain Naming Master Role
- RID (Relative Identifier) Master Role
- PDC (Primary Domain Controller) Emulator Master Role
- Infrastructure Master Role
Forest-Wide Operations Master Roles
Schema Master Role:
Because the objects that exist in the in the schema directory partition define the Active Directory structure for a forest, great control is placed on who can add objects to this partition. Since each domain controller in an Active Directory environment have a common schema, the information in the schema has to be consistent on each domain controller. It is the domain controller that is assigned the Schema Master role that controls which objects are added, changed, or removed from the schema. The domain controller with the Schema Master role is the only domain controller in the entire Active Directory forest that can perform any changes to the schema. You can use the Active Directory Schema MMC snap-in to make changes to the schema, and only if you are a member of the Schema Admins group. Any changes made to the schema would affect each domain controller within the Active Directory forest. You can transfer the Schema Master role to a different domain controller within the forest. You can also seize the role if the existing domain controller holding the role had a failure and cannot be recovered.
Domain Naming Master Role:
As is the case with the Schema Master role, only one Domain Naming Master role is allowed in the entire forest. The domain controller that is assigned the Domain Naming Master role is responsible for tracking all the domains within the entire Active Directory forest to ensure that duplicate domain names are not created. The domain controller with the Domain Naming Master role is accessed when new domains are created for a tree or forest. This ensures that domains are not simultaneously created within the forest. The default configuration is that the first domain controller promoted in a forest, is assigned this role. You can however transfer the Domain Naming Master role to a different domain controller within the forest.
Domain-Wide Operations Master Roles
Relative identifier (RID) Master Role:
When a security object is created within Active Directory, it is allocated a security ID. The security ID is made up of the domain security ID and a relative ID. The domain security ID is exactly the same for each security ID created in the particular domain. The relative ID on the other hand is unique to each security ID created within the domain. Because each relative ID has to be unique, the domain controller that is assigned the RID Master role is responsible for tracking and for assigning unique relative IDs to domain controllers whenever new objects are created. To ensure efficiency when assigning relative IDs to domain controllers, the domain controller assigned the RID Master role actually generates a set of 500 relative IDs to allocate to domain controllers. As the number of available relative IDs decreases, the RID Master generates more relative IDs to maintain the number of relative IDs available as 500. The default configuration is that the RID Master role and PDC Emulator role is assigned to the identical domain controller. You can however transfer the RID Master role to a different domain controller within the domain.
PDC Emulator Role:
In domains that contain Windows NT Backup Domain Controllers (BDCs), the domain controller which is assigned the PDC Emulator role functions as the Windows NT Primary Domain Controller (PDC). The PDC Emulator role has importance when it comes to replication – BDCs only replicate from a Primary Domain Controller! Objects that are security principles can only be created and replicated by the PDC Emulator. Security principles are Users, Computers, and Groups. It is therefore the PDC Emulator that enables down-level operating systems to co-exist in Windows 2000 and Windows Server 2003 Active Directory environments. After the domain is operating in the Windows Server 2003 functional level, the domain controller assigned the PDC Emulator role continues to perform other operations for the domain.
These additional functions include the following:
- All password changes and account lockout requests are forwarded to the PDC Emulator. A domain controller within a domain checks first with the PDC Emulator to verify whether a bad password provided by a user was a recently changed password, and is therefore a valid password.
- Group policies consist of a Group Policy Container (GPC) in Active Directory, and a Group Policy Template (GPT) in the SYSVOL folder. Because these two items can become out of sync due to multi-master replication, the Group Policy Editor is by default set to the PDC Emulator. This prevents group policy changes from being made on all domain controllers within the domain.
Infrastructure Master Role:
The domain controller assigned the Infrastructure Master Role has the following functions within the domain:
- Updates the group-to-user references when the members of groups are changed. These updates are sent by the Infrastructure Master to the remainder of the domain controllers within the domain via multi-master replication.
- Deletes any stale or invalid group-to-user references within the domain. To do this, the Infrastructure Master Role checks with the Global Catalog for stale group-to-user references.
23.793483
90.404787