Other types of changes are impractical
to perform in multimaster fashion, such as those to the
Schema and Configuration partitions. Because these changes
are too sensitive to be done in a multimaster fashion,
specific domain controllers are assigned to handle them.
These domain controllers perform what are sometimes
referred to as single-master operations, and they are
the only places within the domain or forest where the copies
of these databases are read/write. Everywhere else a copy
of these databases resides, it is a read-only copy.
[NOTES FROM THE FIELD] – The
read-only database copies of the Schema and Configuration
partitions operate just like the old domain (SAM) data did.
Any changes to the SAM database in
NT4 had to go to the PDC. Any changes that need to be made
to the Schema, for example, go to the Schema Master.
Domain Naming Master
There are certain Flexible Single
Master Operations (FSMO) roles that are forest-wide
operations master roles. This means that no matter how many
domains exist in the forest, you will only have one of
those particular FSMO servers in the forest.
The Domain Naming Master Domain
Controller handles adding and removing domains in
the forest as well as adding and removing
any cross-references to domains in external directories
(e.g. external Lightweight Directory Access Protocol (LDAP)
directories). There can be only one Domain Naming
Master in a single forest, and you must be a member of the
Enterprise Administrators group to make changes to the
Domain Naming Master, such as transferring the FSMO role or
adding domains or removing them from the forest.
The image below shows a single forest
structure with two domain trees. Each tree has a root domain
and two child domains. There is ONE Domain Naming
Master Domain Controller in this forest.
By default, the Domain Naming Master is
installed on the first domain controller in the
forest, and if that domain has only one domain controller, that domain
controller holds all the per-forest and per-domain FSMO roles. In
most environments there is more than one domain controller
installed, and it is a best practice to install at least two even in
the smallest environments. The Schema Master and the Domain
Naming Master FSMO roles should always remain assigned to
the same domain controller.
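The placement guidance above can be checked with a short audit. The following PowerShell is an added example, not part of the original article; the function name Test-ForestFsmoPlacement and the sample host names are hypothetical, and the input objects only need the properties that Get-ADForest and Get-ADDomain return.

```powershell
# Added example: audit forest-wide FSMO placement against the guidance above.
# Input objects need only the properties returned by Get-ADForest and
# Get-ADDomain, so constructed data can be used for a dry run.
function Test-ForestFsmoPlacement {
    param(
        [Parameter(Mandatory)] $Forest,             # SchemaMaster, DomainNamingMaster
        [Parameter(Mandatory)] [object[]] $Domains  # DNSRoot, ReplicaDirectoryServers
    )
    $findings = @()
    # Schema Master and Domain Naming Master should be held by the same DC.
    if ($Forest.SchemaMaster -ne $Forest.DomainNamingMaster) {
        $findings += "Schema Master ($($Forest.SchemaMaster)) and Domain Naming " +
                     "Master ($($Forest.DomainNamingMaster)) are on different DCs"
    }
    # Every domain should have at least two domain controllers.
    foreach ($d in $Domains) {
        $dcCount = @($d.ReplicaDirectoryServers | Where-Object { $_ }).Count
        if ($dcCount -lt 2) {
            $findings += "Domain $($d.DNSRoot) has $dcCount writable DC(s); " +
                         "at least two are recommended"
        }
    }
    [pscustomobject]@{
        SchemaMaster       = $Forest.SchemaMaster
        DomainNamingMaster = $Forest.DomainNamingMaster
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

# Constructed sample data (hypothetical names), shaped like the cmdlet output.
$forest = [pscustomobject]@{
    SchemaMaster       = 'dc1.corp.example'
    DomainNamingMaster = 'dc2.corp.example'
}
$domains = @(
    [pscustomobject]@{ DNSRoot = 'corp.example'
        ReplicaDirectoryServers = @('dc1.corp.example', 'dc2.corp.example') },
    [pscustomobject]@{ DNSRoot = 'child.corp.example'
        ReplicaDirectoryServers = @('dc3.child.corp.example') }
)
Test-ForestFsmoPlacement -Forest $forest -Domains $domains | Format-List

# Against a live forest (requires the ActiveDirectory module):
# $forest  = Get-ADForest
# $domains = $forest.Domains | ForEach-Object { Get-ADDomain -Server $_ }
# Test-ForestFsmoPlacement -Forest $forest -Domains $domains
# Review who can change the Domain Naming Master:
# Get-ADGroupMember 'Enterprise Admins' -Server $forest.RootDomain -Recursive
```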