Understanding Operations Master Roles
In this topic:
- What are Operations Masters?
- Operations Master Roles
- Forestwide Operations Master Roles: Schema Master, Domain Naming Master
- Domainwide Operations Master Roles: RID Master, PDC Emulator, Infrastructure Master
- Operations Master Dependencies: operations master placement, Active Directory replication, Domain Name System (DNS), security
What are Operations Masters?
Active Directory Domain Services (AD DS) defines five operations master roles: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the AD DS database.
In Windows Server® 2003 and Microsoft Windows® 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services. The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.
AD DS is a multimaster-enabled database, which provides the flexibility of allowing changes to occur at any domain controller in the forest. However, because it is multimaster enabled, it can also allow conflicting updates that can potentially lead to problems when data is replicated throughout the domain or forest.
The general approach to resolving AD DS replication conflicts is to order all update operations (Add, Modify, Move, and Delete) by assigning a globally unique stamp to the originating update. Each replicated attribute value (or multivalue) is stamped during the originating update and this stamp is replicated with the value. The stamp that is applied during an originating write consists of a version number, a time stamp of when the originating write occurred, and the originating domain controller. Conflicts are resolved by comparing the version number. If two stamps have the same version number, the originating time almost always breaks the tie. In the extremely rare event that the same attribute is updated on two different domain controllers during the same second, the originating domain controller breaks the tie in an arbitrary fashion.
Although this resolution method is acceptable, some changes are too difficult to resolve by using the stamp of the originating update. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after it has occurred.
When changes such as the addition or removal of domains to a forest or password changes are made, AD DS performs them in a single-master fashion to prevent conflicting updates from occurring. In a single-master update model, only one domain controller in the entire directory is allowed to process the update. This is similar to the role of a Windows NT PDC, in which the PDC is responsible for processing all updates in a given domain.
AD DS extends the single-master model to include multiple roles that are responsible for different types of updates. AD DS also provides the ability to transfer an operations master role to another domain controller.
By designating a single domain controller to manage specific tasks, AD DS enhances your ability to avoid conflicts in the directory, ensure consistency of the schema, and to add a domain to, or remove a domain from, a forest. Operations masters also maintain interaction between earlier versions of Windows operating systems that do not include AD DS or Active Directory, and they maintain consistent group-to-user references across domains.
Operations Master Roles
The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest and three domain-level roles are assigned to the first domain controller created in a domain.
Forestwide Operations Master Roles
The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.
Schema Master
The schema master is responsible for performing updates to the AD DS schema. The schema master is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest. Having only one schema master for each forest prevents any conflicts that would result if two or more domain controllers attempt to concurrently update the schema.
Domain Naming Master
The domain naming master manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller that has the domain naming master role must be available in order to perform the following actions:
- Add new domains or application directory partitions to the forest.
- Remove existing domains or application directory partitions from the forest.
- Add replicas of existing application directory partitions to additional domain controllers.
- Add or remove cross-reference objects to or from external directories.
- Prepare the forest for a domain rename operation.
Domainwide Operations Master Roles
The other operations master roles are domainwide roles, meaning that each domain in a forest has its own RID master, PDC emulator, and infrastructure master.
RID Master
The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
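The following PowerShell is an added example for this page, not code from the original article. The first function splits a SID into the domain SID and the RID that a domain controller took from its allocated block; the sample SIDs are constructed (the domain SID is made up). The second function reads the pool state the RID master maintains (the domain-wide rIDAvailablePool on CN=RID Manager$ and each writable DC's block on its RID Set object) and needs the ActiveDirectory RSAT module and a reachable domain; the -Server parameter is optional.

```powershell
# Added example: SID = domain SID + RID, and where the RIDs come from.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    if ($null -eq $s.AccountDomainSid) {
        # Well-known SIDs (S-1-5-18 LocalSystem, S-1-1-0 Everyone) carry no domain SID and no RID.
        return [pscustomobject]@{ Sid = $s.Value; DomainSid = $null; Rid = $null; Origin = 'well-known' }
    }
    $rid = [uint32]($s.Value.Split('-')[-1])
    # RIDs below 1000 are reserved (500 = Administrator, 512 = Domain Admins);
    # only RIDs from 1000 upward are handed out from blocks the RID master allocated.
    $origin = 'allocated from a RID block'
    if ($rid -lt 1000) { $origin = 'reserved/built-in' }
    [pscustomobject]@{ Sid = $s.Value; DomainSid = $s.AccountDomainSid.Value; Rid = $rid; Origin = $origin }
}

function Get-RidPoolStatus {
    param([string]$Server)   # optional DC (or domain name) to query
    Import-Module ActiveDirectory
    $srv = @{}
    if ($Server) { $srv.Server = $Server }
    $dom = Get-ADDomain @srv
    # rIDAvailablePool is one 64-bit value: low 32 bits = next RID the RID master will
    # hand out, high 32 bits = the ceiling of the domain's RID space.
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                        -Properties rIDAvailablePool @srv
    $raw = [int64]$mgr.rIDAvailablePool
    [pscustomobject]@{
        Object  = 'RID Manager$'
        Holder  = $dom.RIDMaster
        From    = [uint32]($raw -band 0xFFFFFFFF)   # next RID to allocate domain-wide
        To      = [uint32]($raw -shr 32)            # highest RID ever available
        NextRid = $null
    }
    # Each writable DC stores its current block on CN=RID Set under its computer object
    # (low 32 bits = first RID of the block, high 32 bits = last); rIDNextRID is the next it will use.
    Get-ADDomainController -Filter * @srv | Where-Object { -not $_.IsReadOnly } | ForEach-Object {
        $set  = Get-ADObject -Identity "CN=RID Set,$($_.ComputerObjectDN)" `
                             -Properties rIDAllocationPool, rIDNextRID @srv
        $pool = [int64]$set.rIDAllocationPool
        [pscustomobject]@{
            Object  = 'RID Set'
            Holder  = $_.HostName
            From    = [uint32]($pool -band 0xFFFFFFFF)
            To      = [uint32]($pool -shr 32)
            NextRid = $set.rIDNextRID
        }
    }
}

# Constructed sample SIDs (not from any real domain):
'S-1-5-21-1004336348-1177238915-682003330-500',
'S-1-5-21-1004336348-1177238915-682003330-1104',
'S-1-5-18' | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize

# Against a live domain (needs RSAT and domain connectivity):
# Get-RidPoolStatus | Format-Table -AutoSize
```

A RID Set whose rIDNextRID is close to the block ceiling on a DC that cannot reach the RID master is the condition under which that DC stops creating users, groups and computers; comparing the RID Manager$ "From" value across runs also shows how fast the domain is consuming its RID space.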
PDC Emulator
The primary domain controller (PDC) emulator operations master receives preferential replication of password changes that are performed by other domain controllers in the domain, and it is the source for the latest password information whenever a logon attempt fails as a result of a bad password. It is a preferred point of administration for services (examples are Group Policy and Distributed File System, DFS). For this reason, of all operations master roles, the PDC emulator operations master role has the highest impact on the performance of the domain controller that hosts that role. The PDC emulator in the forest root domain is also the default Windows Time service (W32time) time source for the forest. Because Kerberos authentication fails when a client's clock differs from the domain controller's by more than the configured maximum tolerance (five minutes by default), the forest root PDC emulator should itself be synchronized to a reliable external time source.
The PDC emulator operations master also processes all replication requests from Windows NT Server 4.0 backup domain controllers (BDCs). It processes all password updates for clients not running Active Directory-enabled client software, plus any other directory write operations.
Infrastructure Master
The infrastructure operations master is responsible for updating object references in its domain that point to an object in another domain. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. The object reference contains the object's globally unique identifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within and between domains as well as the deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online.
Operations Master Dependencies
Domain controllers designated as operations masters have the following dependencies:
Operations master placement
Because operations masters are critical to the long-term performance of the directory, they must be available to all domain controllers and desktop clients that require their services. Careful placement of your operations masters becomes more important as you add more domains and sites to build your forest.
By improperly placing operations master role holders, you might prevent clients running Windows NT Workstation 4.0, Windows 95, or Windows 98 without the Active Directory client installed from changing their passwords, or be unable to add domains and new objects, such as users and groups. You might also be unable to make changes to the schema. In addition, name changes might not properly appear within group memberships that are displayed in the user interface.
As your environment changes, you must avoid the problems associated with improperly placed operations master role holders. Eventually, you might need to reassign the roles to other domain controllers.
Although you can assign the operations master roles to any domain controller, follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory:
- Leave the two forestwide roles on a domain controller in the forest root domain.
- Place the two forestwide roles on a global catalog server.
- Place the three domainwide roles on the same domain controller.
- In a forest that contains multiple domains, do not place the domainwide roles on a global catalog server unless all domain controllers in the domain are also global catalog servers.
- Place the domainwide roles on a higher performance domain controller.
- Adjust the workload of the operations master role holder, if necessary.
Active Directory replication
Operations masters replicate changes made on them throughout the domain or forest, depending on whether they hold a domain or forest role. AD DS replication must be working properly in order for the other domain controllers to receive these changes.
Domain Name System (DNS)
AD DS requires that DNS is properly designed and deployed so that domain controllers can correctly resolve DNS names of replication partners. If DNS is not working properly, operations masters cannot be contacted to perform their specific domain or forest functions.
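The following PowerShell is an added example for this page, not code from the original article. It serves both the placement guidelines and the replication/DNS dependencies above: it enumerates every operations master in the forest, flags holders that break the placement guidelines (a forestwide role outside the root domain; an infrastructure master that is a global catalog while other domain controllers in its domain are not), and confirms that each holder resolves in DNS and answers on LDAP port 389. For the forest root PDC emulator it also reports the W32time source. It assumes the ActiveDirectory RSAT module and the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Windows Server 2012 and later) on the machine running it.

```powershell
# Added example: enumerate operations masters and check placement, DNS and LDAP reachability.
function Get-OperationsMasterHealth {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory

    $forest = Get-ADForest
    $roles  = @()
    $roles += [pscustomobject]@{ Scope = 'forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $roles += [pscustomobject]@{ Scope = 'forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($name in $forest.Domains) {
        $dom = Get-ADDomain -Identity $name
        foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Scope = $name; Role = $r; Holder = $dom.$r }
        }
    }

    foreach ($entry in $roles) {
        $warnings = @()
        # Ask the holder about itself; a failure here already means the role is unreachable over ADWS.
        try   { $dc = Get-ADDomainController -Identity $entry.Holder -Server $entry.Holder -ErrorAction Stop }
        catch { $dc = $null; $warnings += "cannot query holder: $($_.Exception.Message)" }

        $isGc = $null
        if ($dc) {
            $isGc = $dc.IsGlobalCatalog
            # Guideline: keep both forestwide roles on a DC in the forest root domain.
            if ($entry.Scope -eq 'forest' -and $dc.Domain -ne $forest.RootDomain) {
                $warnings += "forestwide role held outside the root domain ($($dc.Domain))"
            }
            # Guideline: in a multi-domain forest the infrastructure master must not be a GC
            # unless every DC in its domain is one; otherwise cross-domain references go stale.
            if ($entry.Role -eq 'InfrastructureMaster' -and $forest.Domains.Count -gt 1 -and $dc.IsGlobalCatalog) {
                $nonGc = Get-ADDomainController -Filter * -Server $entry.Scope | Where-Object { -not $_.IsGlobalCatalog }
                if (@($nonGc).Count -gt 0) { $warnings += 'infrastructure master is a GC while other DCs in the domain are not' }
            }
        }

        # Dependencies: replication partners must resolve the holder's name and reach its LDAP port.
        $dns  = Resolve-DnsName -Name $entry.Holder -Type A -ErrorAction SilentlyContinue
        $ldap = Test-NetConnection -ComputerName $entry.Holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $dns)  { $warnings += 'no A record for holder' }
        if (-not $ldap) { $warnings += 'LDAP (389) not reachable' }

        # The root-domain PDC emulator is the forest's default time source; it should sync
        # from an external source rather than its own CMOS clock, or Kerberos skew errors follow.
        $timeSource = $null
        if ($entry.Role -eq 'PDCEmulator' -and $entry.Scope -eq $forest.RootDomain) {
            $timeSource = (& w32tm.exe /query "/computer:$($entry.Holder)" /source 2>$null) -join ' '
            if ($timeSource -match 'Local CMOS Clock|Free-running') { $warnings += "root PDC time source is '$timeSource'" }
        }

        [pscustomobject]@{
            Scope         = $entry.Scope
            Role          = $entry.Role
            Holder        = $entry.Holder
            GlobalCatalog = $isGc
            DnsResolves   = [bool]$dns
            LdapReachable = $ldap
            TimeSource    = $timeSource
            Warnings      = $warnings -join '; '
        }
    }
}

Get-OperationsMasterHealth | Format-Table -AutoSize
```

Run it from a workstation in the site where the role holders live, since a DNS or LDAP failure seen from an arbitrary host may be a network-path problem rather than a directory one; dcdiag /test:KnowsOfRoleHolders and dcdiag /test:FsmoCheck give the same reachability view from the perspective of an individual domain controller.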
Security
User rights for designating operations master roles can be set for groups or users in a forest. This allows you to limit or add to the group of default users that can change operations master role holders in a forest or domain. These rights are control access rights (extended rights) in the directory's own ACLs rather than local security policy user rights: Change Schema Master is evaluated on the schema naming context, Change Domain Master on the Partitions container in the configuration naming context, and the three domainwide rights on the domain head object, so anyone who can edit those ACLs can grant them. The following user rights are required to change operations master role holders:
- The Change Schema Master right is required to transfer or seize the schema master role. By default, only members of the Schema Admins group are assigned this right.
- The Change Domain Master right is required to transfer or seize the domain naming master role. By default, only members of the Enterprise Admins group are assigned this right.
- The Change PDC right is required to transfer or seize the PDC emulator role. By default, only members of the Domain Admins group are assigned this right.
- The Change Infrastructure Master right is required to transfer or seize the infrastructure master role. By default, only members of the Domain Admins group are assigned this right.
- The Change RID Master right is required to transfer or seize the RID master role. By default, only members of the Domain Admins group are assigned this right.
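The following PowerShell is an added example for this page, not code from the original article. It audits who actually holds each of the five rights listed above by looking up the right's GUID under CN=Extended-Rights and reading the ACL of the object the right is evaluated on, so delegations beyond the default Schema Admins, Enterprise Admins and Domain Admins groups become visible. It then shows the transfer and seize operations with Move-ADDirectoryServerOperationMasterRole. It assumes the ActiveDirectory RSAT module (which also provides the AD: drive used by Get-Acl); DC02 is a hypothetical domain controller name.

```powershell
# Added example: who can transfer or seize each operations master role, and how to move one.
function Get-OperationsMasterRightHolders {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory
    $root   = Get-ADRootDSE
    $domain = Get-ADDomain
    # Display name of each controlAccessRight -> the object on which the right is evaluated.
    $targets = @{
        'Change Schema Master'         = $root.schemaNamingContext
        'Change Domain Master'         = "CN=Partitions,$($root.configurationNamingContext)"
        'Change PDC'                   = $domain.DistinguishedName
        'Change Rid Master'            = $domain.DistinguishedName
        'Change Infrastructure Master' = $domain.DistinguishedName
    }
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($name in $targets.Keys) {
        $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                              -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" `
                              -Properties rightsGuid | Select-Object -First 1
        if (-not $right) { continue }
        $guid = [guid]$right.rightsGuid
        $acl  = Get-Acl -Path "AD:\$($targets[$name])"
        # An ACE grants the right if it is an ExtendedRight ACE naming this GUID, or a blanket
        # ExtendedRight/GenericAll ACE (empty ObjectType covers every extended right).
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights.HasFlag($extended) -or $_.ActiveDirectoryRights.HasFlag($all)) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
        } | ForEach-Object {
            [pscustomobject]@{
                Right     = $name
                AppliesTo = $targets[$name]
                Trustee   = $_.IdentityReference.Value
                Blanket   = ($_.ObjectType -eq [guid]::Empty)   # $true = granted via GenericAll/all extended rights
                Inherited = $_.IsInherited
            }
        }
    }
}

Get-OperationsMasterRightHolders | Sort-Object Right, Trustee | Format-Table -AutoSize

# Transfer (current holder online and cooperating) the three domainwide roles to DC02,
# a hypothetical domain controller name; the cmdlet prompts for confirmation:
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

# Seize (-Force) only when the current holder is permanently gone; the cmdlet tries a
# transfer first and seizes if that fails. A DC whose role was seized must not be
# brought back online, or the forest ends up with two holders of the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force
```

Because the account running the transfer needs the matching right on the target object and not merely membership of a built-in group, a trustee that appears in this output with Blanket set to $true (typically via GenericAll on the domain head) can move the domainwide roles even though it is in none of the default groups; treat such entries as privileged as Domain Admins.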