ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Schema Master Domain Controller
There are certain Flexible Single
Masters of Operation (FSMO) roles that are Forest Wide
Operations Master Roles. This means that no matter how many
domains exist in the forest, you will only have one of the
those particular FSMO servers in the forest.
The Schema Master Domain Controller
handles all of the updates and modifications to the Windows
2000 Active Directory Schema, and you must have access to the
Schema Master to make the changes. There can be only one
Schema Master in the entire forest, and you must be a member
of the Schema Administrators group to make changes to the
Schema.
The image below shows a single forest
structure with two domain trees. Each tree has a root domain
and two child domains. There is ONE Schema Master
Domain Controller in this forest.
By default, the Schema Master is
installed on the first domain controller in the
forest, and if that domain has only one domain controller, that domain
controller holds all the per-forest and per-domain FSMO roles. In
most environments there is more than one domain controller
installed, and it is a best practice to install at least two even in
the smallest environments.
The Windows 2000 Active Directory
Schema contains the master list of object classes and
attributes that are used to create all Active Directory
objects, such as computers, users, and printers for that
forest. The domain controller that holds the Schema Master
role is the only domain controller that can perform write
operations to the Active Directory Schema. These Schema updates are
replicated from the Schema Operations Master to all other
Domain Controllers in the forest as read-only replicas. The Windows 2000 Active
Directory Schema is not accessible across the domains in
multimaster fashion, as it is too sensitive of a structure to
allow these type of changes. Multimaster updates to the
Schema, in the case where two or more domain controllers
were allowed to attempt to update the schema at the same
time, would most like result in continuity issues and therefore is
kept to a single-master operation, where there is only one
read/write copy of the Schema, which is held by the Schema
Master Domain Controller.
All of the
objects across all the domains in a single forest have a
specific and common set of object classes and attributes
assinged to them.
Object
classes describe the directory objects that can be created.
Users and printers are just a couple examples of this. Each
object class is a collection of attributes than can be
assigned to it. User objects might have a hire date
attribute attached to their object that can be defined and a
printer object would not. Just the same, a printer object
might have an installation date attribute attached to their
object and a user object would not.
