Learn AD in 15 Minutes a Week: Active Directory Single Masters of Operation Page 2

By ServerWatch Staff (Send Email)
Posted Jun 19, 2002



Some Flexible Single Master Operation (FSMO) roles are forest-wide operations master roles. No matter how many domains exist in the forest, exactly one domain controller in the entire forest holds each of the following roles.

The Schema Master domain controller handles all updates and modifications to the Windows 2000 Active Directory schema, and any tool that changes the schema must be able to reach the Schema Master. There can be only one Schema Master in the entire forest, and you must be a member of the Schema Admins group (which lives in the forest root domain) to change the schema. Because a schema change affects every domain in the forest, Schema Admins is best kept empty except while a change is actually being made.

The Domain Naming Master domain controller handles adding and removing domains in the forest, as well as adding and removing cross-references to domains in external directories (for example, external Lightweight Directory Access Protocol (LDAP) directories). There can be only one Domain Naming Master in a forest, and you must be a member of the Enterprise Admins group to perform operations that involve it, such as transferring the FSMO role or adding domains to or removing them from the forest.

The image below shows a single forest structure with two domain trees. Each tree has a root domain and two child domains. There is ONE Schema Master Domain Controller and ONE Domain Naming Master Domain Controller in this forest.



Other Flexible Single Master Operation (FSMO) roles are domain-wide operations master roles. No matter how many domains exist in the forest, each and every domain has exactly one domain controller holding each of the following roles.

The Relative ID (RID) Master domain controller hands out blocks, or pools, of relative identifiers to each domain controller in its domain. There is only one RID Master in each domain in the forest; every domain, including each child domain, has its own.

Whenever an administrator creates a user, group, or computer object in a domain, the domain controller on which the object is created assigns it a security ID (SID) by taking the next RID from the pool that the RID Master allocated to that domain controller. Remember, every domain controller in the domain draws its RIDs from pools handed out by the RID Master, and every security principal created on any domain controller in the domain is numbered this way. When a domain controller's pool runs low it asks the RID Master for a new one, so if the RID Master is unavailable for long enough, domain controllers that exhaust their pools can no longer create security principals. The object's SID consists of a domain SID (which is the same for all SIDs issued in the domain) and a RID that is unique for each SID issued in the domain.

[NOTES FROM THE FIELD] - Think of it like this: the RID Master hands out a block of IDs to each domain controller so that no two domain controllers in the same domain can ever mint the "same" RID. DC ONE knows this domain's SID of a1b and is handed a block of relative IDs from 001 to 100. DC TWO knows the same domain SID a1b and is handed a block of relative IDs from 101 to 200. (These are not actual values; they are only examples.) When an administrator creates a GROUP object at DC ONE it is given the SID a1b-001. One second later another administrator creates a user at DC ONE, and it is given the SID a1b-002. One second later another administrator creates a user at DC TWO, and it is given the SID a1b-101.

All of these objects are unique because they end in different relative IDs, yet they are all "marked" as belonging to the same domain by their shared domain SID of a1b.

An object created in another domain may also have the relative ID -001, but it carries that domain's SID, which is different from the a1b of our example, so the full SIDs never collide.
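As an added example (not part of the original article), the following PowerShell splits SIDs into the domain SID and the RID exactly as the notes above describe, using the .NET SecurityIdentifier class. The SIDs in it are constructed sample values, not taken from any real domain, and the function name is my own. It also flags the well-known RIDs that the article's group names correspond to, which is the check a practitioner usually wants: a renamed "Administrator" account still has RID 500, and Schema Admins and Enterprise Admins are always RIDs 518 and 519 in the forest root domain.

```powershell
# Added example, not from the original article: split a SID into its domain SID
# and its RID, and flag well-known RIDs. Sample SIDs below are constructed.

# Well-known RIDs (relative to the domain SID). RIDs below 1000 are reserved;
# new users, groups and computers receive RIDs from the pools the RID Master
# hands out, which start above that range.
$wellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest';         502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'
    518 = 'Schema Admins'; 519 = 'Enterprise Admins'   # forest root domain only
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # AccountDomainSid is $null for SIDs that are not domain account SIDs
    # (for example S-1-5-18, LocalSystem), so guard against it.
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
    # The RID is the last sub-authority of the SID.
    $rid = [int]($SidString.Split('-')[-1])

    [pscustomobject]@{
        Sid       = $SidString
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = $wellKnownRids[$rid]   # $null for ordinary principals
    }
}

# Constructed sample SIDs: two domains, one of which holds RID 1105 and the
# built-in Administrator (RID 500); the other also holds a RID 1105.
$samples = @(
    'S-1-5-21-1000000001-2000000002-3000000003-1105'   # domain A, ordinary user
    'S-1-5-21-1000000001-2000000002-3000000003-500'    # domain A, Administrator
    'S-1-5-21-1000000004-2000000005-3000000006-1105'   # domain B, same RID as first
)

$parsed = $samples | ForEach-Object { Split-Sid -SidString $_ }
$parsed | Format-Table -AutoSize

# Same RID in two domains, but different domain SIDs: the principals differ.
$sameRid   = $parsed[0].Rid -eq $parsed[2].Rid
$sameSid   = $parsed[0].Sid -eq $parsed[2].Sid
"Same RID: $sameRid; same SID: $sameSid"

# Within one domain, every RID is unique: group by domain SID and look for duplicates.
$parsed | Group-Object DomainSid | ForEach-Object {
    $dupes = $_.Group | Group-Object Rid | Where-Object Count -gt 1
    "{0}: {1} principals, {2} duplicate RIDs" -f $_.Name, $_.Count, @($dupes).Count
}
```

The domain SID comes from the SecurityIdentifier object rather than from string slicing so that non-domain SIDs (well-known SIDs such as S-1-5-18) are handled rather than mis-parsed. The well-known RID table is the reason RID 500 and RID 512 are worth matching on in detection rules regardless of what the account or group has been renamed to.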

When an administrator moves objects from one domain to another (using the MOVETREE.EXE utility, also known as the Active Directory Object Manager; you cannot use Active Directory Users and Computers for this), the move must be made through the RID Master of the domain that currently "houses" the object, not the RID Master of the domain the object is going to. For all intents and purposes, the destination RID Master knows nothing of the object at that point. The moved object receives a new SID issued from the destination domain's RID pool; when the destination domain is in native mode its old SID is retained in the sIDHistory attribute so existing access control entries continue to match it.

The PDC Emulator domain controller acts as a Windows NT primary domain controller in a domain that still contains both Windows NT 4.0 backup domain controllers (BDCs) and Windows 2000 domain controllers. It processes password changes from down-level clients and replicates domain updates to the down-level BDCs. Once all domain controllers have been upgraded and the last BDC is either upgraded or removed from the environment, the Windows 2000 domain can be switched to native mode. Even in native mode the PDC Emulator still performs certain duties that no other domain controller in the domain handles.

The PDC Emulator receives preferential replication of password changes performed on other domain controllers in the domain. A password change takes time to replicate to every domain controller, and that delay could cause an authentication failure at a domain controller that has not yet received the change. Before such a domain controller denies access, it forwards the authentication request to the PDC Emulator, which may have newer information (for example, the new password), and only rejects the logon attempt if the PDC Emulator rejects it too. Think of it as a domain controller double check: making sure it is proper to deny access before actually doing so.

There is only one PDC Emulator Domain Controller in each single domain in the forest. For every domain, including child domains, there is a PDC Emulator Domain Controller.

The Infrastructure Master domain controller keeps cross-domain (between domains) references for users and groups current. When a user or group from another domain is a member of a group in this domain, and that object is renamed or moved in its home domain, it is the single Infrastructure Master that updates the local reference so the group membership still resolves to the right object. There is only one Infrastructure Master in each domain in the forest; every domain, including each child domain, has its own. One caveat a practitioner should check: the Infrastructure Master must not be placed on a global catalog server unless every domain controller in the domain is a global catalog, because a global catalog already holds a copy of every object and therefore never creates the stale local references the role exists to fix; an Infrastructure Master running on a global catalog finds nothing to update, and cross-domain references on the other domain controllers silently go stale.
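As an added example (not part of the original article), the five role holders described on this page can be listed with the ActiveDirectory PowerShell module, tooling from later Windows versions that the 2002 article could not have used; netdom query fsmo gives the same list at a command prompt. The block also runs the two checks that follow from the text above: whether Schema Admins has been left populated, and whether an Infrastructure Master sits on a global catalog in a domain where not every domain controller is one. Cmdlet and property names are those of the RSAT ActiveDirectory module; the function names are my own, and running it assumes read access to the forest.

```powershell
# Added example, not from the original article: enumerate FSMO role holders
# across the forest and check two common misconfigurations.
# Assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    # Forest-wide roles: exactly one holder of each in the whole forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    # Domain-wide roles: one holder of each per domain, child domains included.
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = $role; Holder = $domain.$role }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # The Infrastructure Master must not be a global catalog unless every DC
    # in the domain is one; otherwise stale cross-domain references are never fixed.
    foreach ($name in (Get-ADForest).Domains) {
        $holder = (Get-ADDomain -Identity $name).InfrastructureMaster
        $dcs    = Get-ADDomainController -Filter * -Server $name
        $imIsGc = [bool]($dcs | Where-Object HostName -eq $holder).IsGlobalCatalog
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        [pscustomobject]@{
            Domain               = $name
            InfrastructureMaster = $holder
            HolderIsGC           = $imIsGc
            AllDCsAreGC          = $allGc
            Misconfigured        = ($imIsGc -and -not $allGc)
        }
    }
}

function Get-SchemaAdminsMember {
    # Schema Admins lives in the forest root domain and should normally be
    # empty; anyone listed here can change the schema for the entire forest.
    $root = (Get-ADForest).RootDomain
    Get-ADGroupMember -Identity 'Schema Admins' -Server $root |
        Select-Object Name, objectClass, SID
}

Get-FsmoRoleHolder                 | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
$schemaAdmins = @(Get-SchemaAdminsMember)
if ($schemaAdmins.Count -eq 0) { 'Schema Admins is empty (expected).' }
else { 'Schema Admins has members:'; $schemaAdmins | Format-Table -AutoSize }
```

The role query is read-only; transferring or seizing a role is a separate, deliberate operation and is not part of this check. The Infrastructure Master test evaluates each domain independently, since the role, like the other two domain-wide roles, exists once per domain.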


Page 2 of 3

