Transferring and seizing operations master
Windows Server domains have five operations master roles (also known as flexible single
master operations or FSMO) that support the operations of the domain. Each role resides on
only a single domain controller. You can transfer one or more roles to a different server in
the domain to balance the operations across available domain controllers. Transferring a role
requires both the original domain controller and the target domain controller to be online
and able to communicate.
If a domain controller is permanently unavailable, you can seize any operations master
roles that it held to another domain controller. You should seize roles only when the original
holder of the role is not available and can't be restored. After a role has been seized from a
domain controller, that domain controller should never be reintroduced into the domain.
Two of the operations master roles are forest-wide roles, and the remaining three are
domain-wide roles, as follows:
Schema master: Responsible for performing updates to the AD DS schema. The
schema master role is a forest-wide role. The domain controller that holds the schema
master role is the only domain controller that can perform write operations to the
directory schema. Transferring or seizing the schema master role requires the Change
Schema Master right. By default, only members of the Schema Administrators group
have this right.
Domain naming master: Responsible for the addition and removal of all domains and
directory partitions in the forest. The domain naming master role is a forest-wide role.
Transferring or seizing the domain naming master role requires the Change Domain
Master right. By default, only members of the Enterprise Admins group have this right.
RID master: Allocates blocks of relative identifiers (RIDs) to each domain controller
in the domain. The RID master role is a domain-wide role. When a domain controller
creates a new security principal, such as a user, group, or computer object, the object is
assigned a globally unique security identifier (SID). The SID is a combination of the
domain SID plus an RID for the object. Transferring or seizing the RID master role requires
the Change RID Master right. By default, only members of the Domain Admins group
have this right.
PDC emulator master: Receives preferential replication of password changes in the
domain and is the definitive source for password information. The primary domain
controller (PDC) emulator in the forest root domain is the Windows Time Service time
source for the forest. The PDC emulator master role is a domain-wide role.
Transferring or seizing the PDC emulator role requires the Change PDC right. By default, only
members of the Domain Admins group have this right.
Infrastructure master: Responsible for updating object references in its domain
to objects in another domain and replicating changed references to other domain
controllers in the domain. The infrastructure master role is a domain-wide role.
Transferring or seizing the infrastructure master role requires the Change Infrastructure
Master right. By default, only members of the Domain Admins group have this right.
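The following PowerShell is an added example, not part of the original text: it reports the current holder of each of the five roles together with the accounts that can move it by default, and transfers a role only when the current holder is reachable. It assumes the ActiveDirectory module (RSAT) is installed; the function names and the target name DC02 are hypothetical, and a ping is used as a rough stand-in for "online and able to communicate".

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Role -> scope and the group that holds the transfer/seize right by default, as listed
# above. The group the text calls Schema Administrators is named 'Schema Admins' in AD.
$RoleInfo = [ordered]@{
    SchemaMaster         = @{ Scope = 'Forest'; Group = 'Schema Admins' }
    DomainNamingMaster   = @{ Scope = 'Forest'; Group = 'Enterprise Admins' }
    RIDMaster            = @{ Scope = 'Domain'; Group = 'Domain Admins' }
    PDCEmulator          = @{ Scope = 'Domain'; Group = 'Domain Admins' }
    InfrastructureMaster = @{ Scope = 'Domain'; Group = 'Domain Admins' }
}

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    foreach ($role in $RoleInfo.Keys) {
        $info = $RoleInfo[$role]
        # Forest-wide roles and their groups live in the forest root domain.
        if ($info.Scope -eq 'Forest') { $holder = $forest.$role; $server = $forest.RootDomain }
        else                          { $holder = $domain.$role; $server = $domain.DNSRoot }
        $members = Get-ADGroupMember -Identity $info.Group -Server $server -Recursive
        [pscustomobject]@{
            Role       = $role
            Scope      = $info.Scope
            Holder     = $holder
            # ICMP reachability is only a rough proxy for "online and able to communicate".
            Reachable  = Test-Connection -ComputerName $holder -Count 1 -Quiet
            RightGroup = $info.Group
            WhoCanMove = ($members.SamAccountName | Sort-Object) -join ', '
        }
    }
}

function Move-OperationsMasterRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string] $Role,
        [Parameter(Mandatory)] [string] $TargetDC   # hypothetical target name, e.g. 'DC02'
    )
    $current = Get-OperationsMasterReport | Where-Object Role -eq $Role
    if (-not $current.Reachable) {
        # A transfer needs both holders online. Seizing (-Force) is a separate, deliberate
        # decision: the old holder must never be reintroduced into the domain afterwards.
        throw "$($current.Holder) is unreachable; restore it or decide explicitly to seize $Role."
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm
}

Get-OperationsMasterReport | Format-Table -AutoSize
```

Reviewing the WhoCanMove column periodically shows which accounts are able to relocate each role, which is worth keeping as small as the defaults described above.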