
Learn AD in 15 Minutes a Week: Active Directory Single Masters of Operation Page 2

Certain Flexible Single Masters of Operation (FSMO) roles are forest-wide operations master roles. This means that no matter how many domains exist in the forest, there is exactly one holder of each of the following FSMO roles in the entire forest.

The Schema Master Domain Controller handles all of the updates and modifications to the Windows 2000 Active Directory Schema, and you must have access to the Schema Master to make the changes. There can be only one Schema Master in the entire forest, and you must be a member of the Schema Administrators group to make changes to the Schema.

The Domain Naming Master Domain Controller handles the adding and removing of domains in the forest, as well as adding and removing any cross-references to domains in external directories (e.g. external Lightweight Directory Access Protocol (LDAP) directories). There can be only one Domain Naming Master in a single forest, and you must be a member of the Enterprise Administrators group to make changes to the Domain Naming Master, such as transferring the FSMO role or adding domains to the forest or removing them from it.

The image below shows a single forest structure with two domain trees. Each tree has a root domain and two child domains. There is ONE Schema Master Domain Controller and ONE Domain Naming Master Domain Controller in this forest.

Other Flexible Single Masters of Operation (FSMO) roles are domain-wide operations master roles. This means that no matter how many domains exist in the forest, each and every domain in the forest has its own holder of each of the following FSMO roles.

The Relative ID Master Domain Controller performs the work of “handing out” relative identifiers (RIDs) to each of the domain controllers in the local domain. There is only one Relative ID Master Domain Controller in each single domain in the forest. For every domain, including child domains, there is a Relative ID Master Domain Controller.

Whenever an administrator from a specific domain creates a user, group, or computer object in that domain, the Relative ID Master Domain Controller from that domain assigns the newly created object a security ID that is unique within that domain, by way of the RIDs the creating Domain Controller owns. Remember, all of the Domain Controllers in the domain are assigned relative identifiers from the Relative ID Master Domain Controller, and all of the objects created on the different Domain Controllers throughout the domain are identified in this fashion. The object’s security ID (SID) consists of a domain security ID (which is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain.

[NOTES FROM THE FIELD] –
Think of it like this: the Relative ID Master Domain Controller hands out a block of IDs to the domain controllers so that no two domain controllers in the same domain can create the “same” RID. DC ONE is handed this domain’s security ID of a1b and a block of relative IDs from 001 to 100. DC TWO is handed this domain’s security ID a1b and a block of relative IDs from 101 to 200. (These are not actual values that are used; they are only examples.) When an Administrator creates a GROUP object at DC ONE it is given the ID a1b-001. One second later another Administrator creates a user at DC ONE and it is given the ID a1b-002. One second later another Administrator creates a user at DC TWO, and it is given the ID a1b-101.

All of these objects are unique because they all end in different identifiers, yet they are also all “marked” as relative to their domain via their domain security ID of a1b.

An object created in another domain may have the same unique number of -001, but it will carry the domain security ID of that domain, something different from the a1b of the domain in our example.
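The block-of-RIDs picture above can be checked against a live domain. The PowerShell below is an added example (not from the original article) that reads the RID Master’s remaining pool and each DC’s currently issued block from the directory; it assumes the RSAT ActiveDirectory module, a domain-joined session, and read access to the System container.

```powershell
# Added example (not from the original article): show the RID block each DC owns
# and the range the RID Master has not yet issued.
Import-Module ActiveDirectory

# AD stores a RID range packed into one 64-bit integer:
# low 32 bits = first RID in the range, high 32 bits = last RID in the range.
function ConvertFrom-RidPool {
    param([Int64]$Packed)
    [pscustomobject]@{
        Start = [UInt32]($Packed -band 0xFFFFFFFF)
        End   = [UInt32]($Packed -shr 32)
    }
}

$domain = Get-ADDomain
Write-Host "Domain SID: $($domain.DomainSID)  (every object's SID is this value plus a RID)"

# CN=RID Manager$ holds rIDAvailablePool: the pool the RID Master still has to hand out.
$ridMgrDn = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
$ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool
$avail    = ConvertFrom-RidPool $ridMgr.rIDAvailablePool
Write-Host "RID Master $($domain.RIDMaster): next block starts at $($avail.Start), ceiling $($avail.End)"

# Each DC's computer object points (rIDSetReferences) at its own RID Set object,
# which records the block in use and the standby block already requested.
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.Name -Properties rIDSetReferences
    $set  = Get-ADObject -Identity $comp.rIDSetReferences[0] `
                -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $inUse   = ConvertFrom-RidPool $set.rIDPreviousAllocationPool  # block being consumed now
    $standby = ConvertFrom-RidPool $set.rIDAllocationPool          # block queued for afterwards
    [pscustomobject]@{
        DC           = $dc.HostName
        InUseBlock   = "$($inUse.Start)-$($inUse.End)"
        RidCounter   = $set.rIDNextRID          # allocation counter within the in-use block
        StandbyBlock = "$($standby.Start)-$($standby.End)"
    }
}
```

A DC whose in-use block is nearly exhausted and whose standby block is empty cannot reach the RID Master, which is the condition that turns object creation failures into the first symptom of a lost FSMO holder.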

When an administrator moves objects from one domain to another (using the MOVETREE.EXE utility or the Active Directory Object Manager; you cannot use Active Directory Users and Computers for this), the move must be made via the Relative ID Master domain controller that “houses” that object, not the Relative ID Master Domain Controller where the object is going. For all intents and purposes, that Relative ID Master Domain Controller knows nothing of this object at this point,

The PDC Emulator Domain Controller acts as a Windows NT Primary Domain Controller when there is a domain environment that contains both NT4 BDCs and Windows 2000 DCs. It processes all of the NT4 password changes from clients and replicates domain updates to the down-level BDCs. Once any and all upgrades to the domain controllers have been performed and the last of the BDCs are either upgraded or otherwise removed from the environment, the Windows 2000 domain can be switched to Native Mode. Once the domain is in Native Mode, the PDC Emulator still performs certain singular duties that no other DCs in the domain handle.

The PDC Emulator receives preferential replication of password changes performed by other domain controllers in the domain. When a password is changed, that change takes time to replicate to every domain controller in the domain, and that synchronization delay might cause an authentication failure at a domain controller that had not yet received the change. Before that domain controller denies access to whatever is trying to authenticate, it forwards the authentication request to the PDC Emulator, as the PDC Emulator may have newer information (e.g. the new password). Think of it as a domain controller double-check: making sure it is proper to deny access before actually doing it.

There is only one PDC Emulator Domain Controller in each single domain in the forest. For every domain, including child domains, there is a PDC Emulator Domain Controller.

The Infrastructure Master Domain Controller handles all of the cross-domain (between domains) data updates for users and groups and their memberships. Whenever groups or user names are renamed or changed, and whenever group memberships change, it is the single Infrastructure Master Domain Controller that handles the single-master operation. There is only one Infrastructure Master Domain Controller in each single domain in the forest. For every domain, including child domains, there is an Infrastructure Master Domain Controller.
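To see the two forest-wide and three domain-wide roles described above laid out per domain, and to confirm each holder is still a reachable domain controller, the following PowerShell is an added example (not from the original article). It assumes the RSAT ActiveDirectory module and a session in a domain of the forest.

```powershell
# Added example (not from the original article): enumerate FSMO role holders
# forest-wide and per domain, then verify each holder still answers as a DC.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles: exactly one holder for the whole forest.
    [pscustomobject]@{ Scope = 'Forest';      Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest';      Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: one holder in each domain, so these rows differ per domain.
    [pscustomobject]@{ Scope = $dom.DNSRoot;  Role = 'RIDMaster';            Holder = $dom.RIDMaster }
    [pscustomobject]@{ Scope = $dom.DNSRoot;  Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
    [pscustomobject]@{ Scope = $dom.DNSRoot;  Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
}

# Walk every domain in the forest; the forest-wide rows repeat, so de-duplicate them.
$roles = foreach ($d in (Get-ADForest).Domains) { Get-FsmoRoleHolders -Domain $d }
$roles | Sort-Object Scope, Role -Unique | ForEach-Object {
    # A holder that no longer resolves as a DC is the classic stale-FSMO finding,
    # typically left behind when a DC was removed without transferring its roles.
    $dc = Get-ADDomainController -Identity $_.Holder -ErrorAction SilentlyContinue
    $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue ([bool]$dc) -PassThru
} | Format-Table Scope, Role, Holder, Reachable -AutoSize
```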
