Physical Structure  «Prev  Next»
Lesson 7 Operations masters
Objective Define operations masters.

Operations Masters Active Directory

An Operations master is a domain controller that has been assigned one or more special roles in an Active Directory domain.
Because there is no primary domain controller (PDC) in Windows 2000, operations masters fill the various roles performed by the PDC in NT 4.0 networks. Because changes to the directory database can be made simultaneously at multiple domain controllers, operations masters are needed for operations that have consequences for the whole domain (like deleting a domain or changing the schema).
The operations master provides a lockout mechanism to ensure that changes get propagated properly. So if you want to make a change to the schema, for instance, you must do so from the schema master (or the domain controller you're using must request permission from the schema master). The domain controllers that are assigned these roles, perform single-master operations. These operations are not permitted to occur simultaneously on different controllers on the network. This is to avoid changes being made out of order, which would result in incorrect updates on some of the domain controllers.

Rules for Operations Master Roles

There are three rules governing the operations master roles:
Role Description
Roles are Proprietary The domain controller that controls the particular operation owns the operations master role for that operation.
Transferable Ownership of these operations master roles can be transferred to other domain controllers.
Exclusive However, only one domain controller can own an operations master role at one time.

Five Operations Master Roles

Every Active Directory forest must have domain controllers that fulfill each of the five operations master roles. This does not mean every forest must have five separate domain controllers. The same domain controller can fill more than one role at a time. The roles are:
  1. Schema master
  2. Domain naming master
  3. Relative identifier (RID) master
  4. PDC emulator
  5. Infrastructure master
View the table below to see a table that discusses each of these master roles in more detail.
Master role   Description
chema master
One per entire forest 		The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. The schema is an extensible description of object classes and attributes stored in Active Directory.
Domain naming master
One per entire forest 		The domain naming master controls the addition or removal of domains in the forest.  
RID master
One per forest domain 		The RID master allocates sequences of RIDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security identifier (SID).
The SID consists of a domain SID (that is the same for all SIDs that are created in the domain) and a RID that is unique for each SID that is created in the domain.
PDC emulator
One required per forest domain 		The PDC emulator processes password changes and replicates updates to the backup domain controllers running Windows NT. In a Windows 2000 domain in nonnative mode, if the domain contains computers that are not running Windows 2000 client software, or if it contains domain controllers running Windows NT, the PDC emulator processes password changes and replicates updates to the backup domain controllers running Windows NT.
In a Windows 2000 domain in native mode, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain.If a logon authentication fails at another domain controller because of a bad password, that domain controller will forward the authentication request to the PDC emulator before it rejects the logon request.
Infrastructure master
One per domain 		The infrastructure master is responsible for updating the group-to-user references whenever group memberships are changed. If modifications to user accounts and group memberships are made in different domains, there is a delay between the time that the user account is renamed and the time that a group that contains that user will display the new name of the user account. The infrastructure master of the group's domain distributes the update through multimaster replication.

Transferring and seizing Single Master Operations Roles

When you add additional domain controllers to a domain, you can transfer the single master operations roles from the original domain controller to other domain controllers. In addition, when you need to take a domain controller that holds a single master operations role offline, you should transfer its single master operations role to another domain controller so that the single master services continue uninterrupted. You may also seize single master operation roles. If a domain controller that holds a single master operations role becomes unavailable and cannot be brought back online within an acceptable amount of time, you must seize that single master operations role with another domain controller.
Seizing the role of the RID master, domain naming master, or schema master is a drastic step that should be considered only if the current operations master will never be available again. The Slide Show below will show you how to implement both of these processes. 

Open 
Domain naming master
Active Directory Domains and Trusts
Schema master
Active Directory Schema
RID master
Active Directory Users and Computers
PDC emulator
Active Directory Users and Computers
Infrastructure master
Active Directory Users and Computers

1) To transfer a single master operations role, first open the appropriate tool according to the table above.
1) To transfer a single master operations role, first open the appropriate tool according to the table above.

2) In the console tree, right click the domain controller that will be the new operations master, then click Connect to domain.
2) In the console tree, right click the domain controller that will be the new operations master, then click Connect to domain.

3) Type the domain name or click Browse and select the domain from the list.
3)Type the domain name or click Browse and select the domain from the list

4) In the console tree, right click Users and Computers, Domains and Trusts, or Schema, as appropriate, then click Operations Master
4) In the console tree, right click Users and Computers, Domains and Trusts, or Schema, as appropriate, then click Operations Master

5) If you are using Users and Computers, select the tab for the single master operations role you want to transfer, then click Change.
5) If you are using Users and Computers, select the tab for the single master operations role you want to transfer, then click Change

6) If you are using Domains and Trusts or Schema, click Change
6) If you are using Domains and Trusts or Schema, click Change

7) Now, to seize a single master operations role, begin by opening a comman prompt and type ntdsutil.
7) Now, to seize a single master operations role, begin by opening a command prompt and type ntdsutil

8) Transfer Seizing Roles 80
8) At the ntdsutil prompt, type roles

9) Transfer Seizing Roles 90
9) At the fsmo maintenance prompt, type connections.

10) Transfer Seizing Roles 100
10) At the server connections prompt, type connect to server, followed by the fully qualified domain name of the server that will seize the single master operations role

11) AAt the server connections prompt, type quit.
11) At the server connections prompt, type quit.

12) At the fsmo maintenance prompt, type one of the following commands:
12) At the fsmo maintenance prompt, type one of the following commands:

13)Seize domain naming master.
13) Seize domain naming master.

14) Seize schema master
14) Seize schema master

15) Seize RID master
15) Seize RID master

16) Seize PDC
16) Seize PDC

17) Seize infrastructure master
17) Seize infrastructure master

18) Transfer Seizing Roles
18) At the fsmo maintenance prompt, type quit.

19) At the ntdsutil prompt, type quit. This completes the process.
19) At the ntdsutil prompt, type quit. This completes the process

Seize the Operations Master Role

You can use the Ntdsutil.exe command-line tool to transfer and seize any operations master (also known as flexible single master operations or FSMO) role. You must use Ntdsutil.exe to seize the schema operations master, domain naming operations master, and relative ID (RID) operations master roles. When you use Ntdsutil.exe to seize an operations master role, the tool first attempts a transfer from the current role owner. If the current role owner is not available, the tool seizes the role. When you use Ntdsutil.exe to seize an operations master role, the procedure is nearly identical for all roles. There is a minor change in the command syntax for versions of Ntdsutil.exe that run on Windows Server 2008 and Windows Server 2008 R2, as noted in the following table. For more information about using Ntdsutil.exe, type ? at the ntdsutil: command prompt.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To seize an operations master role

  1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type ntdsutil, and then press ENTER.
  3. At the ntdsutil: prompt, type roles, and then press ENTER.
  4. At the fsmo maintenance: prompt, type connections, and then press ENTER.
  5. At the server connections: prompt, type connect to server <servername> (where <servername> is the name of the domain controller that will assume the operations master role), and then press ENTER.
  6. After you receive confirmation of the connection, type quit, and then press ENTER.
  7. Depending on the role that you want to seize, at the fsmo maintenance: prompt, type the appropriate command, and then press ENTER.


  1. To transfer a single master operations role, first open the appropriate tool according to the table above.
  2. In the console tree, right click the domain controller that will be the new operations master, then click Connect to domain.
  3. Type the domain name or click Browse and select the domain from the list
  4. In the console tree, right click Users and Computers, Domains and Trusts, or Schema, as appropriate, then click Operations Master
  5. If you are using Users and Computers, select the tab for the single master operations role you want to transfer, then click Change
  6. If you are using Domains and Trusts or Schema, click Change
  7. Now, to seize a single master operations role, begin by opening a command prompt and type ntdsutil
  8. At the ntdsutil prompt, type roles
  9. At the fsmo maintenance prompt, type connections.
  10. At the server connections prompt, type connect to server, followed by the fully qualified domain name of the server
  11. At the server connections prompt, type quit.
  12. At the fsmo maintenance prompt, type one of the following commands:
  13. Seize domain naming master.
  14. Seize schema master
  15. Seize RID master
  16. Seize PDC
  17. Seize infrastructure master
  18. At the fsmo maintenance prompt, type quit.
  19. At the ntdsutil prompt, type quit. This completes the process

The next lesson wraps up this module.
The following link describes in greater detail link the concept of Active Directory Operations

Ad Deploying Active Directory