Active Directory Operations Masters

When a change is made to a domain, it is replicated to every domain controller in that domain. Some changes, such as those made to the schema, are replicated to every domain controller in the forest. Because any domain controller can accept the write, this is called multimaster replication. A few kinds of change cannot safely be made on more than one domain controller at a time (two domain controllers could, for example, hand out the same security identifier), so each of them is performed only by a single designated domain controller, known as an operations master. There are five operations master roles, held by one or more domain controllers in each forest.

Operations Master Roles

The operations master roles are also called flexible single master operations (FSMO) roles.

Forest-Wide Roles: Unique to a forest

  • Schema Master: Controls all modifications and updates to the schema. The schema is the master list of object classes and attributes from which every Active Directory object, such as a user, computer or printer, is created. To change the schema you must be a member of the Schema Admins group and be connected to the schema master. There is only one schema master in the entire forest.
  • Domain Naming Master: Controls the addition and removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add it, which is what guarantees that no two domains in the forest receive the same name. There can be only one domain naming master in the entire forest.
    The domain naming master role can be held by any Windows 2000 Server or Windows Server 2003 domain controller. In a Windows 2000 forest the domain naming master must also be a global catalog server; from the Windows Server 2003 forest functional level onward this is no longer required.

There is only one schema master and one domain-naming master in the entire forest.

Domain-Wide Roles: Unique to each domain in a forest

  • Primary Domain Controller (PDC) Emulator: In a mixed-mode domain, that is one that still contains Windows NT backup domain controllers (BDCs), the PDC emulator acts as the Windows NT PDC for those BDCs and for pre-Windows 2000 clients. By default the role is held by the first domain controller you create in the domain. The PDC emulator is also the authoritative time source for all domain controllers in its domain, and the PDC emulator of the forest root domain is the authoritative time source for the whole forest; it is the one computer whose clock you synchronize with an external time server. With the net time command the syntax is:
    net time \\ServerName /setsntp:TimeSource
    (net time /setsntp is deprecated on Windows Server 2003, where w32tm.exe is the supported tool.)

    Once the forest root PDC emulator is synchronized, the other domain controllers follow the domain hierarchy and member computers follow their domain controllers, so all computers in the forest end up within seconds of each other. This matters for security as well as logging: by default Kerberos rejects tickets whose timestamps differ from the receiving server's clock by more than five minutes. Every domain controller authenticates clients with both the Kerberos V5 protocol and the NTLM protocol; what is specific to the PDC emulator is that password changes are replicated to it ahead of normal replication, and a domain controller that rejects a password retries the logon against the PDC emulator before failing it.

  • Relative Identifier (RID) Master: When you create a new user, computer or group, the domain controller creates a security principal for it and assigns it a unique security identifier (SID). The SID consists of the domain SID, which is the same for every principal in the domain, followed by a relative identifier (RID). The RID master allocates blocks of RIDs (500 at a time by default) to each domain controller in the domain, and a domain controller assigns one RID from its block to each principal it creates. Because the blocks never overlap, two principals in the domain can never receive the same SID. A domain controller that has used up its block and cannot reach the RID master can no longer create security principals.
    Movetree.exe can move an object between domains, but the move must be initiated on the RID master of the domain that currently contains the object.
  • Infrastructure Master: The infrastructure master maintains references from objects in its domain to objects in other domains, for example a group in this domain whose members belong to another domain. Such a reference stores the target's GUID (globally unique identifier), security identifier (SID) and distinguished name; when the target is moved or renamed, the stored SID and distinguished name go stale. The infrastructure master periodically compares the references it holds against a global catalog, which receives every domain's changes through replication and is therefore up to date, corrects the stale entries, and replicates the corrected references to all domain controllers in its domain.
    The infrastructure master and the global catalog should not be on the same domain controller: a global catalog already holds a copy of the referenced objects, so an infrastructure master that is also a global catalog never sees a stale reference and never updates one. The exception is a domain in which every domain controller is a global catalog (or a forest with a single domain), where there are no cross-domain references to fix and the placement does not matter.
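The time hierarchy described under the PDC emulator, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module, a Domain Admin session with PowerShell remoting enabled on the domain controllers, and uses pool.ntp.org only as a stand-in for your real external time source; it uses w32tm.exe, the supported replacement for net time /setsntp.

```powershell
# Added example, not from the original article.
# Assumptions: ActiveDirectory module present, Domain Admin session, PowerShell remoting
# enabled on every DC. 'pool.ntp.org' is a placeholder for your real external NTP source.
Import-Module ActiveDirectory
$ntpPeers = 'pool.ntp.org'

# The forest root PDC emulator is the one clock that follows an external source.
$forest  = Get-ADForest
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

Invoke-Command -ComputerName $rootPdc -ScriptBlock {
    param($peers)
    # manual peer list + reliable:yes = advertise as an authoritative time source
    w32tm.exe /config /manualpeerlist:$peers /syncfromflags:manual /reliable:yes /update
    w32tm.exe /resync /nowait
} -ArgumentList $ntpPeers

# Every other DC in the forest follows the domain hierarchy (domhier): each DC chases
# its own domain's PDC emulator, and child-domain PDC emulators chase the root one.
$otherDcs = $forest.Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Where-Object { $_.HostName -ne $rootPdc }

if ($otherDcs) {
    Invoke-Command -ComputerName $otherDcs.HostName -ScriptBlock {
        w32tm.exe /config /syncfromflags:domhier /reliable:no /update
        w32tm.exe /resync /nowait
    }
}

# Verify: the root PDC should report the NTP peer, every other DC should report a DC
# name. 'Local CMOS Clock' anywhere means that machine is free-running.
foreach ($dc in @($rootPdc) + @($otherDcs.HostName)) {
    $source = (w32tm.exe /query /computer:$dc /source) -join ''
    '{0,-35} {1}' -f $dc, $source
}
```

Run the verification loop again after a few minutes; a DC that has just been reconfigured may still report its old source until its first resync completes.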
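An added PowerShell check (not from the original article) for the placement rules above: it lists the holders of all five roles, warns when the infrastructure master is a global catalog while some domain controller in the same domain is not, warns when the domain naming master is not a global catalog, decodes the domain's rIDAvailablePool attribute to show how much of the RID space the RID master has issued, and splits a constructed sample SID into its domain SID and RID. It assumes the ActiveDirectory module and an account that can read the directory; the sample SID is made up.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and
# an account that can read the directory. The SID at the bottom is a constructed sample.
Import-Module ActiveDirectory

function Split-Sid([string]$SidString) {
    # A SID is the domain SID followed by exactly one relative identifier (RID).
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    [PSCustomObject]@{
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = [int]($SidString.Split('-')[-1])
    }
}

$forest = Get-ADForest
$report = @()
$report += [PSCustomObject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
$report += [PSCustomObject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

# A Windows 2000 forest requires the domain naming master to be a global catalog.
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if (-not $dnm.IsGlobalCatalog) {
    Write-Warning "Domain naming master $($dnm.HostName) is not a global catalog (required in a Windows 2000 forest)."
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $report += [PSCustomObject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
    }

    # Infrastructure master vs. global catalog: only a problem when some DC in the
    # domain is NOT a GC, because only then are there stale cross-domain references.
    $dcs   = Get-ADDomainController -Filter * -Server $domainName
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        Write-Warning ("{0}: infrastructure master {1} is a global catalog while {2} DC(s) are not; stale cross-domain references will not be updated." -f $domainName, $im.HostName, $nonGc.Count)
    }

    # RID pool usage. rIDAvailablePool is one 64-bit number: the high 32 bits are the
    # size of the domain's RID space, the low 32 bits are the RIDs issued so far.
    $ridManagerDn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    $ridManager   = Get-ADObject -Identity $ridManagerDn -Server $domainName -Properties rIDAvailablePool
    $pool   = [int64]$ridManager.rIDAvailablePool
    $total  = $pool -shr 32
    $issued = $pool -band 0xFFFFFFFF
    $report += [PSCustomObject]@{ Scope = $domainName; Role = 'RIDPool'; Holder = ('{0:N0} of {1:N0} RIDs issued' -f $issued, $total) }
}

$report | Format-Table -AutoSize

# Constructed sample SID: domain SID S-1-5-21-1004336348-1177238915-682003330, RID 1104.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1104'
```

A RID pool that is close to its 32-bit ceiling, or a RID master that no domain controller can reach, shows up here long before account creation starts failing; the infrastructure master warning is the one to act on immediately, because stale cross-domain group memberships are what break access decisions.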
Follow Will.Spencer on
