Lesson 7 Operations masters
Objective Define operations masters.

Operations Masters Active Directory

An operations master is a domain controller that has been assigned one or more special roles in an Active Directory domain.
Because there is no primary domain controller (PDC) in Windows 2000, operations masters fill the various roles performed by the PDC in NT 4.0 networks. Because changes to the directory database can be made simultaneously at multiple domain controllers, operations masters are needed for operations that have consequences for the whole domain (like deleting a domain or changing the schema).
The operations master provides a lockout mechanism to ensure that changes get propagated properly. So if you want to make a change to the schema, for instance, you must do so from the schema master (or the domain controller you're using must request permission from the schema master). The domain controllers that are assigned these roles perform single-master operations. These operations are not permitted to occur simultaneously on different controllers on the network. This avoids changes being made out of order, which would result in incorrect updates on some of the domain controllers.

Rules for Operations Master Roles

There are three rules governing the operations master roles:
  1. Proprietary: The domain controller that controls a particular operation owns the operations master role for that operation.
  2. Transferable: Ownership of these operations master roles can be transferred to other domain controllers.
  3. Exclusive: Only one domain controller can own an operations master role at one time.

Five Operations Master Roles

Every Active Directory forest must have domain controllers that fulfill each of the five operations master roles. This does not mean every forest must have five separate domain controllers. The same domain controller can fill more than one role at a time. The roles are:
  1. Schema master
  2. Domain naming master
  3. Relative identifier (RID) master
  4. PDC emulator
  5. Infrastructure master
The table below describes each of these master roles in more detail.
Master role (number required): Description
Schema master (one per entire forest): The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. The schema is an extensible description of object classes and attributes stored in Active Directory.
Domain naming master (one per entire forest): The domain naming master controls the addition or removal of domains in the forest.
RID master (one per forest domain): The RID master allocates sequences of RIDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security identifier (SID). The SID consists of a domain SID (which is the same for all SIDs that are created in the domain) and a RID that is unique for each SID that is created in the domain.
PDC emulator (one required per forest domain): In a Windows 2000 domain in nonnative mode, if the domain contains computers that are not running Windows 2000 client software, or if it contains domain controllers running Windows NT, the PDC emulator processes password changes and replicates updates to the backup domain controllers running Windows NT. In a Windows 2000 domain in native mode, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller will forward the authentication request to the PDC emulator before it rejects the logon request.
Infrastructure master (one per domain): The infrastructure master is responsible for updating the group-to-user references whenever group memberships are changed. If modifications to user accounts and group memberships are made in different domains, there is a delay between the time that the user account is renamed and the time that a group that contains that user will display the new name of the user account. The infrastructure master of the group's domain distributes the update through multimaster replication.
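An added example, not part of the original lesson: because each role has exactly one owner, an unplanned change of owner is worth detecting, and this script lists the two forest-wide and three per-domain role owners and compares them with a recorded baseline. It assumes the ActiveDirectory PowerShell module (which postdates the Windows 2000 tools the lesson uses); the function names, the corp.example forest and the dc01/dc02 host names are hypothetical.

```powershell
# Added example: requires the ActiveDirectory module (RSAT), which postdates Windows 2000.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Emits one record per role: two forest-wide roles, then three for every domain.
    $forest = Get-ADForest
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = $forest.Name; Role = $role; Holder = $forest.$role }
    }
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Server $name
        foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $domain.DNSRoot; Role = $role; Holder = $domain.$role }
        }
    }
}

function Compare-FsmoBaseline {
    # Baseline maps "scope|role" to the FQDN of the domain controller expected to own it.
    param(
        [Parameter(Mandatory)] [object[]]  $Current,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($entry in $Current) {
        $key = '{0}|{1}' -f $entry.Scope, $entry.Role
        if (-not $Baseline.ContainsKey($key))       { $status = 'NotInBaseline' }
        elseif ($Baseline[$key] -ieq $entry.Holder) { $status = 'OK' }
        else                                        { $status = 'Changed' }
        [pscustomobject]@{
            Scope    = $entry.Scope; Role = $entry.Role; Holder = $entry.Holder
            Expected = $Baseline[$key]; Status = $status
        }
    }
}

# Constructed baseline for a hypothetical single-domain forest named corp.example.
$baseline = @{
    'corp.example|SchemaMaster'         = 'dc01.corp.example'
    'corp.example|DomainNamingMaster'   = 'dc01.corp.example'
    'corp.example|RIDMaster'            = 'dc02.corp.example'
    'corp.example|PDCEmulator'          = 'dc02.corp.example'
    'corp.example|InfrastructureMaster' = 'dc02.corp.example'
}
$report = Compare-FsmoBaseline -Current (Get-FsmoRoleHolder) -Baseline $baseline
$report | Format-Table -AutoSize
$drift = $report | Where-Object Status -ne 'OK'
if ($drift) { Write-Warning "$(@($drift).Count) operations master role(s) differ from the baseline." }
```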

Transferring and seizing Single Master Operations Roles

When you add additional domain controllers to a domain, you can transfer the single master operations roles from the original domain controller to other domain controllers. In addition, when you need to take a domain controller that holds a single master operations role offline, you should transfer its single master operations role to another domain controller so that the single master services continue uninterrupted. You may also seize single master operation roles. If a domain controller that holds a single master operations role becomes unavailable and cannot be brought back online within an acceptable amount of time, you must seize that single master operations role with another domain controller.
Seizing the role of the RID master, domain naming master, or schema master is a drastic step that should be considered only if the current operations master will never be available again. The steps below show how to carry out both of these processes.

Role: Tool to open
Domain naming master: Active Directory Domains and Trusts
Schema master: Active Directory Schema
RID master: Active Directory Users and Computers
PDC emulator: Active Directory Users and Computers
Infrastructure master: Active Directory Users and Computers

  1. To transfer a single master operations role, first open the appropriate tool according to the table above.
  2. In the console tree, right-click the domain controller that will be the new operations master, then click Connect to domain.
  3. Type the domain name or click Browse and select the domain from the list.
  4. In the console tree, right-click Users and Computers, Domains and Trusts, or Schema, as appropriate, then click Operations Master.
  5. If you are using Users and Computers, select the tab for the single master operations role you want to transfer, then click Change.
  6. If you are using Domains and Trusts or Schema, click Change.
  7. Now, to seize a single master operations role, begin by opening a command prompt and type ntdsutil.
  8. At the ntdsutil prompt, type roles.
  9. At the fsmo maintenance prompt, type connections.
  10. At the server connections prompt, type connect to server, followed by the fully qualified domain name of the server.
  11. At the server connections prompt, type quit.
  12. At the fsmo maintenance prompt, type one of the following commands:
        seize domain naming master
        seize schema master
        seize RID master
        seize PDC
        seize infrastructure master
  13. At the fsmo maintenance prompt, type quit.
  14. At the ntdsutil prompt, type quit. This completes the process.
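The transfer-or-seize decision described above, as an added example that is not part of the original lesson: it transfers when the current owner still responds and refuses to seize the schema, domain naming or RID master role unless the operator states the old owner will never return. It uses the ActiveDirectory PowerShell module rather than the snap-ins and ntdsutil the lesson describes (an assumption about the environment); the function name, the -OldHolderGoneForGood switch and the server name are hypothetical.

```powershell
# Added example: uses the ActiveDirectory module instead of the snap-ins and ntdsutil.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $NewHolder,   # FQDN of the DC that should own the role
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster',
                     'PDCEmulator', 'InfrastructureMaster')]
        [string] $Role,
        [switch] $OldHolderGoneForGood                # operator asserts it will never return
    )
    # Forest-wide roles are read from the forest object, per-domain roles from the
    # domain object (the logged-on user's domain is assumed here).
    if ($Role -in 'SchemaMaster', 'DomainNamingMaster') { $current = (Get-ADForest).$Role }
    else                                                { $current = (Get-ADDomain).$Role }
    if ($current -ieq $NewHolder) { return "$NewHolder already owns $Role" }

    # Prefer a transfer: if the current owner still answers, it hands the role over itself.
    $online = $true
    try   { $null = Get-ADDomainController -Identity $current -Server $current -ErrorAction Stop }
    catch { $online = $false }
    if ($online) {
        if ($PSCmdlet.ShouldProcess($NewHolder, "Transfer $Role from $current")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
                -OperationMasterRole $Role -Confirm:$false
        }
        return
    }

    # Owner unreachable. Seizing these three roles is only for an owner that is gone for good.
    $drastic = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster'
    if (($Role -in $drastic) -and (-not $OldHolderGoneForGood)) {
        throw "$current is unreachable. Seize $Role only with -OldHolderGoneForGood."
    }
    if ($PSCmdlet.ShouldProcess($NewHolder, "SEIZE $Role (owner $current is unreachable)")) {
        # -Force allows the role to be seized when the current owner cannot be contacted.
        Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
            -OperationMasterRole $Role -Force -Confirm:$false
    }
}

# Dry run against a placeholder server name: reports the planned action, changes nothing.
Move-FsmoRoleSafely -NewHolder 'dc02.corp.example' -Role PDCEmulator -WhatIf
```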

The next lesson wraps up this module.

Active Directory Operations

Click the Exercise link below to complete the matching exercise.
Active Directory Operations
