Lesson 3: Operations Master Roles
Operations master roles are special roles assigned to one or more domain controllers in an Active Directory domain. The domain controllers assigned these roles perform single-master replication. This lesson introduces you to operations master roles and the tasks involved with master role assignments.
After this lesson, you will be able to
- Describe the forest-wide operations master roles
- Describe the domain-wide operations master roles
- Plan operations master locations
- View operations master role assignments
- Transfer operations master role assignments
Estimated lesson time: 15 minutes
Operations Master Roles
As discussed in Chapter 2, Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.

In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You can change the assignment of operations master roles after setup, but in most cases this will not be necessary. You must be aware of the operations master roles assigned to a domain controller if problems develop on the domain controller or if you plan to take it out of service.
Forest-Wide Operations Master Roles
Every Active Directory forest must have the following roles:
- Schema master
- Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be
only one schema master and one domain naming master.
Schema Master Role
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.
Domain Naming Master Role
The domain controller holding the domain naming master role controls the addition or
removal of domains in the forest. There can be only one domain naming master in the entire forest
at any time.
Domain-Wide Operations Master Roles
Every domain in the forest must have the following roles:
- Relative ID master
- Primary domain controller (PDC) emulator
- Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only
one relative ID master, PDC emulator, and infrastructure master.
Relative ID Master Role
The relative ID master allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the relative ID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (which is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain.

To move an object between domains (using MOVETREE.EXE: Active Directory Object Manager), you must initiate the move on the domain controller acting as the relative ID master of the domain that currently contains the object.
PDC Emulator Role
If the domain contains computers operating without Windows 2000 client software, or if it contains Windows NT backup domain controllers (BDCs), the PDC emulator acts as a Windows NT primary domain controller. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Even after all systems are upgraded to Windows 2000, and the Windows 2000 domain is operating in native mode, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller will forward the authentication request to the PDC emulator before rejecting the logon attempt.
Infrastructure Master Role
The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.

When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
Planning Operations Master Locations
In a small Active Directory forest with only one domain and one domain controller, that domain controller is assigned all the operations master roles. When you create the first domain in a new forest, all of the operations master roles are automatically assigned to the first domain controller in that domain.

When you create a new child domain or the root domain of a new domain tree in an existing forest, the first domain controller in the new domain is automatically assigned the following roles:
- Relative identifier master
- Primary domain controller (PDC) emulator
- Infrastructure master

Because there can be only one schema master and one domain naming master in the forest, these roles remain in the first domain created in the forest. Figure 4.9 shows how the operations master roles are distributed throughout a forest by default.

Figure 4.9 Operations master role default distribution in a forest

In Figure 4.9, Domain A was the first domain created in the forest (also called the forest root domain). It holds both of the forest-wide operations master roles. The first domain controller in each of the other domains is assigned the three domain-specific roles.

The default operations master locations work well for a forest deployed on a few domain controllers in a single site. In a forest with more domain controllers, or in a forest that spans multiple sites, you might want to transfer the default operations master role assignments to other domain controllers in the domain or forest.
Planning the Operations Master Role Assignments by Domain
If a domain has only one domain controller, that domain controller will hold all of the domain roles. Otherwise, choose two well-connected domain controllers that are direct replication partners. Make one of the domain controllers the operations master domain controller. Make the other the standby operations master domain controller. The standby operations master domain controller is used in case of failure of the operations master domain controller.

In typical domains, you assign both the relative identifier master and PDC emulator roles to the operations master domain controller. In a very large domain, you can reduce the peak load on the PDC emulator by placing these roles on separate domain controllers, both of which are direct replication partners of the standby operations master domain controller. Keep the two roles together unless the load on the operations master domain controller justifies separating the roles.

Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. However, you should assign the infrastructure master role to any domain controller that is well connected to a global catalog (from any domain) in the same site. If the operations master domain controller meets these requirements, use it unless the load justifies the extra management burden of separating the roles.

If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
Planning the Operations Master Roles for the Forest
Once you have planned all of the domain roles for each domain, consider the forest roles.
The schema master and the domain naming master roles should always be assigned to the same domain
controller. For best performance, assign them to a domain controller that is well connected to the
computers used by the administrator or group responsible for schema updates and the creation of new domains.
The load of these operations master roles is very light, so, to simplify management, place these roles on
the operations master domain controller of one of the domains in the forest.
Planning for Growth
Normally, as your forest grows, you will not need to change the locations of the various operations
master roles. But when you are planning to decommission a domain controller, change the global catalog
status of a domain controller, or
reduce the connectivity of parts of your network, you should review your plan and revise the operations
master role assignments, as necessary.
Identifying Operations Master Role Assignments
Before you can revise operations master role assignments, you need to view the current operations master role assignments for your domain.

To identify the relative ID master, the PDC emulator, or the infrastructure master role assignments
1. Open the Active Directory Users and Computers console.
2. In the console tree, right-click the Active Directory Users And Computers node, then click Operations Masters.
3. In the Operations Master dialog box, select one of the following:
   - Click the RID tab, and the name of the relative ID master appears in the Operations Master box.
   - Click the PDC tab, and the name of the PDC emulator appears in the Operations Master box.
   - Click the Infrastructure tab, and the name of the infrastructure master appears in the Operations Master box.
4. Click Cancel to close the Operations Master dialog box.
To identify the domain naming master role assignment
1. Open the Active Directory Domains and Trusts console.
2. In the console tree, right-click the Active Directory Domains And Trusts node, then click Operations Master.
3. In the Change Operations Master dialog box, the name of the current domain naming master appears in the Domain Naming Operations Master box.
4. Click Close to close the Change Operations Master dialog box.
To identify the schema master role assignment
1. Open the Active Directory Schema snap-in.

NOTE
The Active Directory Schema snap-in must be installed with the Windows 2000 Administration Tools using Add/Remove Programs in the Control Panel. See Chapter 3 for details on installing the Active Directory Schema console.

2. In the console tree, right-click Active Directory Schema, then click Operations Master.
3. In the Change Schema Master dialog box, the name of the current schema master appears in the Current Operations Master box.
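The three console procedures above, together with the infrastructure master placement rule from the planning section, can be checked from one script. This is an added example, not from the lesson; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later administration tools), which did not exist for Windows 2000, and the two function names are hypothetical.

```powershell
# Added example: report operations master role holders for the forest and one
# domain, then check the lesson's rule that the infrastructure master must not
# be a global catalog unless every DC in the domain is one.
# Assumes the ActiveDirectory module (Windows Server 2008 R2+ RSAT), not a
# Windows 2000 tool.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles: exactly one holder per forest
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: exactly one holder per domain
    [pscustomobject]@{ Scope = $Domain;  Role = 'RIDMaster';            Holder = $dom.RIDMaster }
    [pscustomobject]@{ Scope = $Domain;  Role = 'PDCEmulator';          Holder = $dom.PDCEmulator }
    [pscustomobject]@{ Scope = $Domain;  Role = 'InfrastructureMaster'; Holder = $dom.InfrastructureMaster }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $im  = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    if (-not $im) { return "Could not match $($dom.InfrastructureMaster) to a DC in $Domain." }

    # If every DC is a GC, all of them already hold current data and the
    # placement does not matter (last paragraph of the planning section).
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if ($dcs.Count -eq 1) {
        "OK: single domain controller in $Domain; it necessarily holds all domain roles."
    } elseif ($im.IsGlobalCatalog -and -not $allGc) {
        "WARNING: $($im.HostName) is a global catalog but not all DCs in $Domain are; " +
        "the infrastructure master will never see out-of-date data and will not update cross-domain references."
    } else {
        "OK: infrastructure master placement in $Domain follows the rule."
    }
}

Get-OperationsMasterReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```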
Transferring Operations Master Role Assignments
Transferring an operations master role assignment means moving it from one domain controller to another, with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles.

To transfer the relative ID master, the PDC emulator, or the infrastructure master role assignments
1. Open the Active Directory Users and Computers console.
2. In the console tree, right-click the domain node that will become the new relative ID master, PDC emulator, or infrastructure master, then click Connect To Domain.
3. In the Connect To Domain dialog box, type the domain name or click Browse to select the domain from the list, then click OK.
4. In the console tree, right-click the Active Directory Users And Computers node, then click Operations Masters.
5. In the Operations Master dialog box, select one of the following:
   - Click the RID tab, then click Change.
   - Click the PDC tab, then click Change.
   - Click the Infrastructure tab, then click Change.
6. Click OK to close the Operations Master dialog box.
To transfer the domain naming master role assignment
1. Open the Active Directory Domains and Trusts console.
2. In the console tree, right-click the domain controller node that will become the new domain naming master, then click Connect To Domain.
3. In the Connect To Domain dialog box, type the domain name or click Browse to select the domain from the list, then click OK.
4. In the console tree, right-click the Active Directory Domains And Trusts node, then click Operations Master.
5. In the Change Operations Master dialog box, click Change.
6. Click OK to close the Change Operations Master dialog box.
To transfer the schema master role assignment
1. Open the Active Directory Schema snap-in.

NOTE
The Active Directory Schema snap-in must be installed with the Windows 2000 Administration Tools using Add/Remove Programs in the Control Panel. See Chapter 3 for details on installing the Active Directory Schema console.

2. In the console tree, right-click Active Directory Schema, then click Change Domain Controller.
3. In the Change Domain Controller dialog box, click one of the following:
   - Any DC to let Active Directory select the new schema operations master.
   - Specify Name, and type the name of the new schema master to specify the new schema operations master.
4. Click OK.
5. In the console tree, right-click Active Directory Schema, then click Operations Master.
6. In the Change Schema Master dialog box, click Change.
7. Click OK to close the Change Schema Master dialog box.
Responding to Operations Master Failures
Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. Generally, you will notice that a single-master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.

If an operations master is not available due to computer failure or network problems, you can seize the operations master role. This is also referred to as forcing the transfer of the operations master role.

Before forcing the transfer, first determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online.

In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.

IMPORTANT
A domain controller whose schema, domain naming, or relative identifier master role has been seized must never be brought back online without first reformatting the drives and reloading Windows 2000.
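The transfer procedures above and the seizure described in this section differ in one respect: a transfer needs the current holder to cooperate, a seizure does not. The following added example (not from the lesson) wraps both behind one function and applies the lesson's checks before touching anything. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), which is not part of the Windows 2000 toolset; the function name, the -Seize switch, and the DC names in the usage line are hypothetical.

```powershell
# Added example: transfer an operations master role to $TargetDC, or seize it
# when -Seize is given. Assumes the ActiveDirectory module (Server 2008 R2+).
Import-Module ActiveDirectory

function Move-OperationsMasterRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster',
                     'PDCEmulator','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize     # hypothetical switch: maps to -Force (seizure) below
    )

    $target = Get-ADDomainController -Identity $TargetDC
    $domain = Get-ADDomain -Identity $target.Domain

    # Placement rule from the planning section: the infrastructure master must
    # not be a GC unless every DC in the domain is one.
    if ($Role -contains 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
        $nonGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $target.Domain
        if ($nonGc) { throw "$TargetDC is a global catalog; the infrastructure master would never find stale data there." }
    }

    # A graceful transfer needs the current holder. If it does not answer
    # (ICMP must be allowed for this check) and -Seize was not given, stop.
    foreach ($r in $Role) {
        $holder = if ($r -in 'SchemaMaster','DomainNamingMaster') { (Get-ADForest).$r } else { $domain.$r }
        if (-not $Seize -and -not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            throw "Current $r holder $holder is unreachable. Seize only if it will never return; " +
                  "a seized schema, domain naming or RID holder must be rebuilt before coming back online."
        }
    }

    # -Force turns the transfer into a seizure (the lesson's 'forcing the transfer').
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false

    # Read the assignments back so the caller can confirm the move took effect.
    Get-ADDomain -Identity $target.Domain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
}

# Usage (hypothetical names): move the two roles the lesson keeps together.
# Move-OperationsMasterRole -TargetDC 'DC2.example.com' -Role RIDMaster,PDCEmulator
# Seizure from a permanently lost holder:
# Move-OperationsMasterRole -TargetDC 'DC2.example.com' -Role PDCEmulator -Seize
```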
Schema Master Failure
Temporary loss of the schema operations master is not visible to network users. It will not be visible to network administrators either, unless they are trying to modify the schema or install an application that modifies the schema during installation.

If the schema master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a step that you should take only when the failure of the schema master is permanent.
Domain Naming Master Failure
Temporary loss of the domain naming master is not visible to network users. It will not be visible to network administrators either, unless they are trying to add a domain to the forest or remove a domain from the forest.

If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a step that you should take only when the failure of the domain naming master is permanent.
Relative ID Master Failure
Temporary loss of the relative identifier operations master is not visible to network users. It will not be visible to network administrators either, unless they are creating objects and the domain in which they are creating the objects runs out of relative identifiers.

If the relative identifier master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a step that you should take only when the failure of the relative identifier master is permanent.
PDC Emulator Failure
The loss of the primary domain controller (PDC) emulator affects network users. Therefore, when the PDC emulator is not available, you may need to immediately seize the role.

If the current PDC emulator master will be unavailable for an unacceptable length of time and its domain has clients without Windows 2000 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator master role to the standby operations master. When the original PDC emulator master is returned to service, you can return the role to the original domain controller.
Infrastructure Master Failure
Temporary loss of the infrastructure master is not visible to network users. It will not be visible to network administrators either, unless they have recently moved or renamed a large number of accounts.

If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any domain), ideally in the same site as the current global catalog. When the original infrastructure master is returned to service, you can transfer the role back to the original domain controller.
Lesson Summary
In this lesson you learned about the two forest-wide operations master roles, the schema master and the domain naming master. You also learned about the three domain-wide operations master roles: the relative ID master, the PDC emulator, and the infrastructure master.

You learned the default operations master locations and some strategies for planning locations. You also learned how to view operations master role assignments and how to transfer operations master role assignments if necessary.