Thursday, 8 May 2014

Operation Master Role

Active Directory has five operations master roles otherwise known as FSMO roles. These roles are assigned to one Domain Controller to ensure changes happen in only one location at a time. This ensures that the Active Directory database is kept consistent.


 the five operations master roles. At the forest level, there is the Schema Master and Domain Naming Master. At the domain level, the 3 other operational roles are Infrastructure Master, PDC Emulator and RID Master.
Schema Master (Forest Wide)
The Schema Master determines the structure and thus what can be stored in Active Directory. It contains details of every object that can be created and the attributes for that object. For example, if you want to add an attribute to every user in the forest (such as a field with the user’s pay grade in it), you would add an attribute to the schema to accommodate this change. It is important to think carefully before making changes to the schema as changes to the schema can’t be reversed but they can be disabled. If you want to test changes to the schema, create a new forest and make your changes there so the production environment is not affected.
Domain Naming Master (Forest Wide)
The Domain Naming Master is responsible for ensuring that two domains in the forest do not have the same name.
Relative ID Master (RID Master)
This master role allocates RID pools. A RID is a sequential number that is added to the end of a SID. A SID, or security identifier, is required for every Active Directory object. An example of a SID is shown here:
S-1-5-21-1345645567-543223678-2053447642-1340.
The RID is the last part of the SID, in this case 1340. The RID Master allocates a pool or block of RIDs to a Domain Controller. The Domain Controller uses the RID pool when Active Directory objects are created. The Domain Controller will request a new RID pool before it runs out. However, keep in mind that if you create a lot of Active Directory objects at once, the RID Master will need to be online to allocate new RID pools. If the Domain Controller runs out of RIDs and can’t contact the RID Master, no objects in Active Directory can be created on that Domain Controller.
PDC (Primary Domain Controller) Emulator
Originally the PDC Emulator provided a bridge between Windows NT4 Domain Controllers and Windows Server 2000 Domain Controllers. Even if you do not have any NT4 Domain Controllers on your network, it still provides some services.
The PDC Emulator forms the root of the time sync hierarchy in your domain. All other Domain Controllers will sync their time from this Domain Controller. Your clients and servers will in turn sync their time from their local Domain Controller. You should configure the PDC to sync its time from an external time source to ensure that it is accurate.
When a user enters in a wrong password, the PDC Emulator may be contacted to find out if this password is in fact an updated password. Password changes are replicated to the PDC Emulator first and thus it is considered the final authority on correct and incorrect passwords.
The PDC Emulator is contacted when changes to DFS (Distributed File System) are made. This can be switched off if the load on the PDC Emulator becomes too great.
Infrastructure Master
The Infrastructure Master is responsible for ensuring that objects that use multiple domain references are kept up to date and consistent. When you are in a single domain you don’t need to worry about this. In a multiple domain environment with Windows Server 2000/2003 Domain Controllers, you must ensure that the Domain Controller that is holding the Infrastructure Master role is not a Global Catalog Server or all of the Domain Controllers will be Global Catalog Servers. If the Domain Controller is a Global Catalog Server this can cause objects in the domain not to update correctly. If you only have Windows Server 2008 Domain Controllers, you don’t need to worry about whether the Infrastructure Master is on a Global Catalog Server or not.

No comments:

Post a Comment