Design Considerations for Active Directory Operations Masters

Active Directory's multimaster replication model creates a distributed environment that allows any domain controller to be used for authentication and allows changes to be made to standard directory information without regard to which domain controller is used. The approach works well for most Active Directory operations—but not all. Some Active Directory operations can only be performed by a single authoritative domain controller called an operations master.

Operations Master Roles

A designated operations master has a flexible single-master operations (FSMO) role. The five designated roles are

  • Schema master

  • Domain naming master

  • Relative ID (RID) master

  • PDC emulator

  • Infrastructure master

As depicted in Figure 33-15, two of the roles, schema master and domain naming master, are assigned on a per-forest basis. This means that there is only one schema master and only one domain naming master in a forest. The other three roles, RID master, infrastructure master, and PDC emulator, are assigned on a per-domain basis. For each domain in the forest, there is only one of these operations master roles.


Figure 33-15. Operations masters in forests and domains.

When you install Active Directory and create the first domain controller in a new forest, all five roles are assigned to that domain controller. As you add domains, the first domain controller installed in a domain is automatically designated the RID master, infrastructure master, and PDC emulator for that domain.

As part of domain design, you should consider how many domain controllers you need per domain, and whether you need to transfer operations master roles after you install new domain controllers. In all cases, you'll want to have at least two domain controllers in each domain in the forest. The reasons for transferring the operations master roles depend on several factors. First, you might want to transfer an operations master role to improve performance, as you might do when a server has too heavy a workload and you need to distribute some of the load. Second, you might need to transfer an operations master role if you plan to take the server with that role offline for maintenance or if the server fails.

Using, Locating, and Transferring the Schema Master Role

The schema master is the only domain controller in the forest with a writeable copy of the schema container. This means that it is the only domain controller in the forest on which you can make changes to the schema. You make changes to the schema using the Active Directory Schema snap-in. When you start the Active Directory Schema snap-in, it makes a direct connection to the schema master, allowing you to view the schema for the directory.

To make changes to the schema, however, you must use an account that is a member of the Schema Admins group.

By default, the schema master is the first domain controller installed in the forest root domain. This role can be transferred using the Active Directory Schema snap-in or the NTDSUTIL command-line utility.

To locate the schema master, open the Active Directory Schema snap-in in a custom console. Right-click the Active Directory Schema node, and then select Operations Master. The Change Schema Master dialog box shows the current schema master.


To transfer the schema master role to another server, follow these steps:

  1. Open the Active Directory Schema snap-in in a custom console. Right-click the Active Directory Schema node, and then select Change Domain Controller.

  2. In the Change Domain Controller dialog box, type the fully qualified domain name of the domain controller to which you want to transfer the schema master role, and then click OK.

  3. Right-click the Active Directory Schema node, and then select Operations Master. In the Change Schema Master dialog box, click Change, and then click Close.

Using, Locating, and Transferring the Domain Naming Master Role

The domain naming master is responsible for adding or removing domains from the forest. Any time you create a domain, a Remote Procedure Call (RPC) connection is made to the domain naming master, which assigns the domain a globally unique identifier (GUID). Any time you remove a domain, an RPC connection is made to the domain naming master and the previously assigned GUID reference is removed. If you cannot connect to the domain naming master when you are trying to add or remove a domain, you will not be able to create or remove the domain.

To locate the domain naming master, start Active Directory Domains And Trusts. Right-click the Active Directory Domains And Trusts node, and then select Operations Master. The Change Operations Master dialog box shows the current domain naming master.


To transfer the domain naming master role to another server, follow these steps:

  1. Start Active Directory Domains And Trusts. Right-click the Active Directory Domains And Trusts node, and then select Connect To Domain Controller.

  2. In the Connect To Domain Controller dialog box, type the forest root domain name in the Domain Name field, and then press Tab. Select an available domain controller to which you want to transfer the role, and then click OK.

  3. Right-click the Active Directory Domains And Trusts node, and then select Operations Master. In the Change Operations Master dialog box, click Change, and then click Close.

Using, Locating, and Transferring the Relative ID Master Role

The relative ID (RID) master controls the creation of new security principals such as users, groups, and computers throughout its related domain. Every domain controller in a domain is issued a block of relative IDs by the RID master. These relative IDs are used to build the security IDs that uniquely identify security principals in the domain. The actual security ID generated by a domain controller consists of a domain identifier, which is the same for every object in a domain, and a unique relative ID that differentiates the object from any other objects in the domain.

The block of relative IDs issued to a domain controller is called a RID pool. Typically, blocks of relative IDs are issued in lots of 10,000. When the RID pool on a domain controller is nearly exhausted, the domain controller requests a new block of 10,000 RIDs. It is the job of the RID master to issue blocks of RIDs, and it does so as long as it is up and running. If a domain controller cannot connect to the RID master and for any reason runs out of RIDs, no new objects can be created on that domain controller and object creation will fail. To resolve this problem, the RID master must be made available or the RID master role must be transferred to another server.

To locate the RID master, start Active Directory Users And Computers. Right-click the domain you want to work with, and then select Operations Masters. The Operations Masters dialog box shows the current RID master on the RID tab.


To transfer the RID master role to another server, follow these steps:

  1. Start Active Directory Users And Computers. Right-click the Active Directory Users And Computers node, and then select Connect To Domain. In the Connect To Domain dialog box, type the DNS name of the domain, and then click OK.

  2. Right-click the domain node, and then select Connect To Domain Controller. In the Connect To Domain Controller dialog box, select an available domain controller to which you want to transfer the role, and then click OK.

  3. Right-click the domain node again, and then select Operations Masters. In the Operations Masters dialog box, the RID tab is selected by default. Click Change, and then click Close.

Using, Locating, and Transferring the PDC Emulator Role

The PDC emulator role is required for Windows Server 2003 to coexist with Windows NT 4 domain controllers. In a domain using the Windows 2000 mixed or Windows Server 2003 interim functional level, the Windows Server 2003 domain controller with this role acts as the primary domain controller (PDC) for all Windows NT 4 backup domain controllers (BDCs). In these environments, the job of the PDC emulator is to authenticate Windows NT logons, process password changes, and replicate domain changes to BDCs. It also runs the domain master browser service.

In a domain using the Windows 2000 native or Windows Server 2003 functional level, the Windows Server 2003 domain controller with this role is still responsible for processing password changes. When a user changes a password, the change is first sent to the PDC emulator, which in turn replicates the change to all the other domain controllers in the domain.

All domain controllers in a domain know which server has the PDC emulator role. If a user tries to log on to the network but provides an incorrect password, the domain controller checks with the PDC emulator to see whether it has a recent password change for this account. If so, the domain controller retries the logon authentication on the PDC emulator. This approach is designed to ensure that a user who has recently changed a password is not denied logon with the new password before the change has replicated.

To locate the PDC emulator, start Active Directory Users And Computers. Right-click the domain you want to work with, and then select Operations Masters. The Operations Masters dialog box shows the current PDC emulator on the PDC tab.

To transfer the PDC emulator role to another server, follow these steps:

  1. Start Active Directory Users And Computers. Right-click the Active Directory Users And Computers node, and then select Connect To Domain. In the Connect To Domain dialog box, type the DNS name of the domain, and then click OK.

  2. Right-click the domain node, and then select Connect To Domain Controller. In the Connect To Domain Controller dialog box, select an available domain controller to which you want to transfer the role, and then click OK.

  3. Right-click the domain node again, and then select Operations Masters. In the Operations Masters dialog box, select the PDC tab. Click Change, and then click Close.

Using, Locating, and Transferring the Infrastructure Master Role

The infrastructure master is responsible for updating cross-domain group-to-user references. This means that the infrastructure master is responsible for ensuring that changes to the common name of a user account are correctly reflected in the group membership information for groups in other domains in the forest. The infrastructure master does this by comparing its directory data to that of a global catalog. If the data is outdated, it updates the data and replicates the changes to other domain controllers in the domain. If for some reason the infrastructure master is unavailable, group-to-user name references will not be updated, and cross-domain group membership may not accurately reflect the actual names of user objects.

To locate the infrastructure master, start Active Directory Users And Computers. Right-click the domain you want to work with, and then select Operations Masters. The Operations Masters dialog box shows the current infrastructure master on the Infrastructure tab.

To transfer the infrastructure master role to another server, follow these steps:

  1. Start Active Directory Users And Computers. Right-click the Active Directory Users And Computers node, and then select Connect To Domain. In the Connect To Domain dialog box, type the DNS name of the domain, and then click OK.

  2. Right-click the domain node, and then select Connect To Domain Controller. In the Connect To Domain Controller dialog box, select an available domain controller to which you want to transfer the role, and then click OK.

  3. Right-click the domain node again, and then select Operations Masters. In the Operations Masters dialog box, select the Infrastructure tab. Click Change, and then click Close.
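The sections above locate each role through a different snap-in and, for the RID master, describe what happens when a domain controller exhausts its RID pool. As an added example that is not part of the original text, the following PowerShell (assuming the ActiveDirectory module, which postdates the Windows Server 2003 tooling described here, and read access to each domain controller's RID Set object) lists all five role holders across the forest, checks that each holder answers, and decodes each domain controller's RID pool so that one nearing exhaustion is flagged before object creation fails.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module (RSAT)
# and read access to the RID Set objects under OU=Domain Controllers.
Import-Module ActiveDirectory

function New-RoleRow([string]$Scope, [string]$Role, [string]$Holder) {
    [pscustomobject]@{
        Scope = $Scope; Role = $Role; Holder = $Holder
        # A holder that does not answer is the case where a transfer is overdue.
        Reachable = Test-Connection -ComputerName $Holder -Count 1 -Quiet
    }
}

function Get-FsmoRoleHolders {
    # Schema and domain naming masters are forest-wide; the other three exist once per domain.
    $forest = Get-ADForest
    $rows = @(New-RoleRow 'Forest' 'SchemaMaster' $forest.SchemaMaster
              New-RoleRow 'Forest' 'DomainNamingMaster' $forest.DomainNamingMaster)
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $rows += New-RoleRow $name 'RIDMaster' $d.RIDMaster
        $rows += New-RoleRow $name 'PDCEmulator' $d.PDCEmulator
        $rows += New-RoleRow $name 'InfrastructureMaster' $d.InfrastructureMaster
    }
    $rows
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$WarnBelow = 100)
    # rIDAllocationPool on a DC's RID Set object packs the block: high 32 bits = last
    # RID, low 32 bits = first RID. rIDNextRID is the next RID the DC will assign.
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $Domain `
                               -Properties rIDAllocationPool, rIDNextRID
        $pool = [int64]$ridSet.rIDAllocationPool
        $high = $pool -shr 32
        # A DC with no pool or few RIDs left stops creating objects once the RID master is down.
        $remaining = if ($pool -eq 0) { 0 } else { $high - [int64]$ridSet.rIDNextRID }
        [pscustomobject]@{
            DomainController = $dc.HostName
            PoolStart        = $pool -band 0xFFFFFFFF
            PoolEnd          = $high
            NextRID          = $ridSet.rIDNextRID
            Remaining        = $remaining
            Warning          = ($remaining -lt $WarnBelow)
        }
    }
}

Get-FsmoRoleHolders | Format-Table -AutoSize
Get-RidPoolStatus   | Format-Table -AutoSize
```

Run it from a domain-joined management host with the RSAT tools; a role whose holder is not reachable, or a domain controller with Warning set, is the condition under which the transfer procedures above should be carried out.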
