Introduction
• In every forest, there are five operations master roles that are assigned to one or more domain controllers.
• Forest-wide operations master roles must appear only once in every forest.
• Domain-wide operations master roles must appear once in every domain in the forest.
• The operations master roles are sometimes called flexible single master operations (FSMO) roles.
• By default, all roles are assigned to the first domain controller.
Forest-wide Operations Master Roles
Every forest must have the following roles:
• Schema Master
• Domain Naming Master
Note: These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Domain-wide Operations Master Roles
Every domain in the forest must have the following roles:
• Relative Identifier (RID) Master
• PDC Emulator Master
• Infrastructure Master
Note: These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
Schema Master (Forest Wide)
• The schema master domain controller controls all updates and modifications to the schema.
• Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory.
• To update the schema of a forest, you must have access to the schema master.
• There can be only one schema master in the entire forest.
• In order to change or move the Schema Master role to another server, you must be a member of the Schema Administrators group.
• By default, the first server in the forest has the Schema Master role.
Domain Naming Master (Forest Wide)
• The domain controller holding the domain naming master role controls the addition or removal of domains in the forest.
• There can be only one domain naming master in the entire forest.
• By default, the first server in the forest has the domain naming master role.
• In order to change or move the Domain Naming Master role to another server, you must be a member of the Enterprise Administrators group.
PDC Emulator (Domain Wide)
• The PDC emulator role provides backwards compatibility for Windows NT backup domain controllers (BDCs).
• The PDC emulator advertises itself as the primary domain controller for the domain.
• It also acts as the domain master browser and maintains the latest password for all users within the domain.
• The PDC emulator is necessary to synchronize time in an enterprise.
• It processes password changes from clients and replicates updates to the BDCs.
• At any time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
• By default, the first server in the domain has the PDC Emulator Master role.
• In order to change or move the PDC Emulator role to another server, you must be a member of the Domain Administrators group.
PDC Emulator Continued
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share.
Infrastructure Master (Domain Wide)
The Infrastructure Master role is responsible for updating references from objects within its domain to objects in other domains.
• The infrastructure master compares its data with that of a global catalog.
• Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date.
• If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
• There is one infrastructure operations master in every domain in a forest.
• By default, it is placed on the first domain controller in the domain.
• In order to change or move the Infrastructure Master role to another server, you must be a member of the Domain Administrators group.
RID Master (Domain Wide)
• The RID Master manages the Security Identifier (SID) for every object within the domain.
• The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain.
• Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID).
• The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.
• By default, the first server in the domain is the RID Operations Master.
• In order to change or move the RID Master role to another server, you must be a member of the Domain Administrators group.
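The domain SID + RID structure and the per-DC RID pool described above, as an added PowerShell example that is not part of the original slides. It assumes the ActiveDirectory module is available; the DC name DC01 and the sample SID are constructed values.

```powershell
# Added example: show how a SID splits into a domain SID and a RID, and read the
# RID pool the RID master has allocated to one domain controller.

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    # AccountDomainSid is the S-1-5-21-... prefix shared by every SID in the domain;
    # the final sub-authority is the RID the issuing DC took from its RID pool.
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = [uint32]($sid.Value.Split('-')[-1])
    }
}

# Constructed sample: RID 1105 under a made-up domain SID.
Split-Sid -SidString 'S-1-5-21-1004336348-1177238915-682003330-1105'

function Get-RidPool {
    param([Parameter(Mandatory)][string]$DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    # The RID Set object sits under the DC's computer object. rIDAllocationPool packs
    # the first RID of the current pool in the low 32 bits and the last RID in the high 32 bits.
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Properties rIDAllocationPool, rIDNextRID
    $pool = [int64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = [uint32]($pool -band 0xFFFFFFFF)
        PoolEnd   = [uint32]($pool -shr 32)
        NextRid   = $ridSet.rIDNextRID   # next RID this DC will hand out
    }
}

# Assumed DC name; run on a domain-joined host with the AD module installed.
Get-RidPool -DomainController 'DC01'
```

A DC whose NextRid is close to PoolEnd will soon request a new block from the RID master, which is why that role holder must stay reachable.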
Role Transfer
• Used to move a FSMO role gracefully from one live domain controller to another live domain controller.
• Transfer a FSMO role to other domain controllers in the domain or forest to balance the load among domain controllers or to accommodate domain controller maintenance and hardware upgrades.
• The NTDSUTIL utility is used to perform this task.
Role Seizure
• Used only when you have experienced a failure of a domain controller that holds a FSMO role and you must force an ungraceful transfer.
• Seize a FSMO role assignment when a server holding the role fails and you do not intend to restore it.
• Seizing a FSMO role is a drastic step that should be considered only if the current FSMO role holder will never be available again.
• The NTDSUTIL utility is used to perform this task.
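The transfer and seizure procedures from the two slides above, as an added PowerShell example that is not part of the original slides. It uses the ActiveDirectory module cmdlets rather than NTDSUTIL; the DC name DC02 is an assumed value.

```powershell
# Added example: list current FSMO role holders, then transfer a role gracefully or,
# only when explicitly requested and the old holder is unreachable, seize it.

function Get-FsmoHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $domain.PDCEmulator         # domain-wide
        RIDMaster            = $domain.RIDMaster           # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize   # ungraceful path; the old holder must never come back
    )
    $holder = (Get-FsmoHolder).$Role
    $holderOnline = Test-Connection -ComputerName $holder -Count 1 -Quiet
    if (-not $Seize) {
        # Graceful transfer: both DCs are live and the old holder is told of the change.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $TargetDC"
    }
    if ($holderOnline) {
        throw "$holder still answers; use a transfer instead of seizing $Role"
    }
    # -Force seizes the role without contacting the failed holder.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $TargetDC; do not bring $holder back online"
}

Get-FsmoHolder
Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator          # graceful transfer
Get-FsmoHolder                                             # verify the new holder
```

The same view of role holders is available from the command line with netdom query fsmo, which is a quick check after either operation.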