Other types of changes, such as those to the Schema and Configuration partitions, are impractical to perform in multimaster fashion. Because these changes are too sensitive to be made in a multimaster fashion, specific domain controllers are assigned to handle them. These functions are sometimes referred to as single-master operations, and the domain controllers that perform them hold the only read/write copies of these databases within the domain or forest. Everywhere else a copy of these databases resides, it is a read-only copy.

[NOTES FROM THE FIELD] - The read-only database copies of the Schema and Configuration partitions operate just like the old domain (SAM) data did under NT4.

Any changes to the SAM database in NT4 had to go to the PDC. Any changes that need to be made to the Schema, for example, go to the Schema Master.


Domain Naming Master Domain Controller

There are certain Flexible Single Masters of Operation (FSMO) roles that are forest-wide operations master roles. This means that no matter how many domains exist in the forest, you will have only one of each of those particular FSMO servers in the forest.

The Domain Naming Master Domain Controller handles adding and removing domains in the forest as well as adding and removing any cross-references to domains in external directories (e.g. external Lightweight Directory Access Protocol (LDAP) directories). There can be only one Domain Naming Master in a single forest, and you must be a member of the Enterprise Administrators group to make changes to the Domain Naming Master, such as transferring the FSMO role or adding domains or removing them from the forest.

The image below shows a single forest structure with two domain trees. Each tree has a root domain and two child domains. There is ONE Domain Naming Master Domain Controller in this forest.

By default, the Domain Naming Master is installed on the first domain controller in the forest, and if that domain has only one domain controller, that domain controller holds all the per-forest and per-domain FSMO roles. In most environments there is more than one domain controller installed, and it is a best practice to install at least two even in the smallest environments. The Schema Master and the Domain Naming Master FSMO roles should always remain assigned to the same domain controller.
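The placement guidance above can be checked on a live forest. The following PowerShell is an added example, not part of the original text; it assumes the RSAT ActiveDirectory module is installed and that the caller can read every domain in the forest, and the function name Get-ForestFsmoAudit is hypothetical.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (assumed installed)

function Get-ForestFsmoAudit {  # hypothetical helper name, not a built-in cmdlet
    [CmdletBinding()]
    param()

    $forest = Get-ADForest

    # Per-domain view: the per-domain role holders and the number of DCs.
    $domains = foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Server $name
        $dcs    = @(Get-ADDomainController -Filter * -Server $name)
        [pscustomobject]@{
            Domain               = $name
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
            DomainControllers    = $dcs.Count
            # Fewer than two DCs means one server holds every role with no standby.
            SingleDC             = ($dcs.Count -lt 2)
        }
    }

    # Enterprise Admins is well-known RID 519 in the forest root domain.
    # Resolving it by SID avoids relying on a localized or renamed group name.
    $rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value
    $members = Get-ADGroupMember -Identity "${rootSid}-519" `
                                 -Server $forest.RootDomain -Recursive

    [pscustomobject]@{
        Forest              = $forest.Name
        SchemaMaster        = $forest.SchemaMaster
        DomainNamingMaster  = $forest.DomainNamingMaster
        # The two forest-wide roles should sit on the same domain controller.
        ForestRolesTogether = ($forest.SchemaMaster -eq $forest.DomainNamingMaster)
        # Accounts able to transfer the Domain Naming Master or add/remove domains.
        EnterpriseAdmins    = @($members | Select-Object -ExpandProperty SamAccountName)
        Domains             = $domains
    }
}

$audit = Get-ForestFsmoAudit
$audit | Format-List Forest, SchemaMaster, DomainNamingMaster, ForestRolesTogether, EnterpriseAdmins
$audit.Domains | Format-Table -AutoSize
```

A `ForestRolesTogether` value of `False`, a `SingleDC` value of `True`, or an unexpected account in `EnterpriseAdmins` is worth following up.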

