Learn AD in 15 Minutes a Week: Active Directory Schema Master Page 2
Schema Master Domain Controller
Some of the Flexible Single Master Operations (FSMO) roles are forest-wide operations master roles. This means that no matter how many domains exist in the forest, there is exactly one domain controller holding each of those particular roles in the entire forest. The Schema Master domain controller handles all of the updates and modifications to the Windows 2000 Active Directory schema, and you must be able to reach the Schema Master to make those changes. There can be only one Schema Master in the entire forest, and you must be a member of the Schema Admins group (which exists only in the forest root domain) to change the schema. Because a schema change replicates to every domain controller in the forest and cannot be rolled back (schema objects can be deactivated but never deleted), membership in Schema Admins should be granted only for the duration of a planned change. The image below shows a single forest with two domain trees. Each tree has a root domain and two child domains. There is ONE Schema Master domain controller in this forest.
By default, the Schema Master is installed on the first domain controller in the forest, and if that domain has only one domain controller, that domain controller holds all the per-forest and per-domain FSMO roles. In most environments there is more than one domain controller installed, and it is a best practice to install at least two even in the smallest environments.
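The following PowerShell is an added example, not code from the original article. It locates the forest-wide and domain-wide role holders, reads the role ownership the directory itself records on the schema partition, and audits the Schema Admins group. It assumes the ActiveDirectory PowerShell module (RSAT, which needs a Windows Server 2008 R2 or later domain controller to talk to) and a domain-joined session; on a Windows 2000 forest the equivalent manual checks are "netdom query fsmo" and the Active Directory Users and Computers snap-in.

```powershell
# Added example (not from the original article). Locates the FSMO role holders
# and audits who can change the schema. Assumes the ActiveDirectory PowerShell
# module (RSAT, Windows Server 2008 R2 or later) and a domain-joined session;
# on a Windows 2000 forest use "netdom query fsmo" instead.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest

    # Forest-wide roles hang off the forest object: one holder each, however
    # many domains the forest contains.
    $report = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        Domains            = @()
    }

    # Domain-wide roles: one holder of each in every domain.
    foreach ($name in $forest.Domains) {
        $dom = Get-ADDomain -Identity $name
        $report.Domains += [pscustomobject]@{
            Domain               = $name
            PDCEmulator          = $dom.PDCEmulator
            RIDMaster            = $dom.RIDMaster
            InfrastructureMaster = $dom.InfrastructureMaster
        }
    }

    # The directory itself records the role holder: fSMORoleOwner on the head
    # of the schema partition points at the NTDS Settings object of the DC that
    # owns the only writable copy of the schema. objectVersion is the schema
    # version (13 on a Windows 2000 forest).
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $schemaHead = Get-ADObject -Identity $schemaNC -Properties fSMORoleOwner, objectVersion
    $report.SchemaPartition     = $schemaNC
    $report.SchemaFsmoRoleOwner = $schemaHead.fSMORoleOwner
    $report.SchemaVersion       = $schemaHead.objectVersion

    # Schema Admins exists only in the forest root domain. A schema change
    # replicates to every DC in the forest and cannot be undone (schema objects
    # can be deactivated, never deleted), so the group should be empty except
    # during a planned change window.
    $members = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive
    $report.SchemaAdmins = @($members | ForEach-Object { $_.SamAccountName })

    [pscustomobject]$report
}

$r = Get-FsmoReport
$r | Format-List
if ($r.SchemaAdmins.Count -gt 0) {
    Write-Warning ("Schema Admins is not empty: " + ($r.SchemaAdmins -join ', '))
}
```

Run it from any domain-joined workstation with RSAT installed; the SchemaMaster value reported by Get-ADForest and the DC named in SchemaFsmoRoleOwner should agree. On Windows 2000 specifically, even a Schema Admin on the Schema Master cannot write to the schema until the "Schema Update Allowed" registry value (under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) is set, a safeguard that later versions of Windows removed.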
The Windows 2000 Active Directory schema contains the master list of object classes and attributes used to create every Active Directory object in the forest, such as computers, users, and printers. The domain controller that holds the Schema Master role is the only domain controller that can perform write operations on the schema. Schema updates are replicated from the Schema Master to every other domain controller in the forest, each of which holds a read-only replica of the schema partition. Unlike the domain partition, the schema is not updated in multimaster fashion across the forest, because it is too sensitive a structure to allow that. If two or more domain controllers were allowed to modify the schema at the same time, conflicting definitions of the same class or attribute would most likely result, so the schema is kept a single-master operation: there is only one read/write copy, and it is held by the Schema Master domain controller.
All of the objects across all the domains in a single forest are built from the same common set of object classes and attributes.
Object classes describe the directory objects that can be created; users and printers are just two examples. Each object class is a collection of attributes that can be assigned to objects of that class. A user object might carry a hire date attribute that can be defined, which a printer object would not, and a printer object might carry an installation date attribute that a user object would not. Attributes like these that are not part of the default schema are added as schema extensions, and that extension must be performed on the Schema Master.
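The PowerShell below is an added example, not code from the original article. It reads the schema partition described above to show where the class-to-attribute mapping actually lives: each class is a classSchema object listing the attributes it may carry, and each attribute is an attributeSchema object with its own definition. It assumes the ActiveDirectory PowerShell module and a domain-joined session; 'user' and 'printQueue' are the real lDAPDisplayNames of the user and printer classes, and driverName is a real printQueue attribute chosen as the lookup target.

```powershell
# Added example (not from the original article). Reads the schema partition to
# show how a class's attribute list is defined. Assumes the ActiveDirectory
# PowerShell module (PowerShell 3.0 or later for -notin) and a domain-joined
# session.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClassAttributes {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    # Each class is a classSchema object. Its own attributes are listed in
    # mustContain/mayContain (added by administrators) and systemMustContain/
    # systemMayContain (defined by Microsoft). Attributes inherited through
    # subClassOf and auxiliaryClass are not repeated on the class itself.
    $filter = "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
        -Properties mustContain, mayContain, systemMustContain, systemMayContain, subClassOf
    if (-not $cls) { throw "No classSchema object with lDAPDisplayName '$LdapDisplayName'" }

    [pscustomobject]@{
        Class     = $LdapDisplayName
        Parent    = $cls.subClassOf
        Mandatory = @(@($cls.mustContain) + @($cls.systemMustContain) | Where-Object { $_ } | Sort-Object -Unique)
        Optional  = @(@($cls.mayContain)  + @($cls.systemMayContain)  | Where-Object { $_ } | Sort-Object -Unique)
    }
}

$user    = Get-SchemaClassAttributes -LdapDisplayName 'user'
$printer = Get-SchemaClassAttributes -LdapDisplayName 'printQueue'

# The schema, not the application, decides which attributes each class can
# carry: the two optional-attribute lists differ apart from anything both
# classes inherit from a common parent.
"Attributes only on user       : " + (@($user.Optional    | Where-Object { $_ -notin $printer.Optional }) -join ', ')
"Attributes only on printQueue : " + (@($printer.Optional | Where-Object { $_ -notin $user.Optional })    -join ', ')

# Every attribute is itself an attributeSchema object carrying its syntax,
# whether it is single-valued, and whether it replicates to the Global Catalog.
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=driverName))' `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet |
    Select-Object lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet
```

The read side works against any domain controller because every DC holds a full read-only replica of the schema partition; adding a new classSchema or attributeSchema object (the "hire date" extension in the text) is the only operation that must be directed at the Schema Master.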
