Introduction to Flexible Single-Master Operations

In Active Directory, any domain controller to which you can connect can be updated, even if that domain controller becomes disconnected from the network. This is known as multimaster update. When network connectivity is restored, updates are replicated throughout the forest. So if two people simultaneously make conflicting updates, each set of updates is replicated. However, even in the presence of conflicting updates, all domain controllers eventually converge to the same value through a process called conflict resolution.

Even with this conflict resolution process, it is sometimes better to prevent conflicts than to resolve them after the fact. For example, if different domain controllers have conflicting versions of the directory schema, the situation could be resolved using the normal conflict resolution methods used by Active Directory. In common cases, the last domain controller to write an update wins. But, because the schema is updated infrequently, and the consistency of the schema is very important, conflict prevention is better than relying on normal conflict resolution methods.

Active Directory performs schema updates in a single master fashion to prevent conflicts. Only one domain controller in the entire forest, the domain controller holding the schema master role, accepts updates to schema objects. An administrator can shift the schema master role from one domain controller to another as the need arises, but at any moment only one domain controller holds the schema master role.

The schema master role is one example of a flexible single-master operation role, also called an operations master role or an FSMO role. Other operations master roles are a part of Microsoft® Windows® 2000 Server; each role controls another specific set of directory changes. For each role, only the domain controller holding that role can make the associated directory changes.

In small Active Directory deployments with a single domain controller, operations master roles are not a consideration. But if you are responsible for the operational health of an Active Directory deployment with more than one domain controller, you need to understand the following:

  • Which domain controllers need to hold operations master roles?

  • What functionality is lost when a domain controller holding an operations master role is unavailable?

  • When a domain controller holding an operations master role is unavailable for an extended period, how do you respond to restore service?

This section discusses each operations master role, answers the questions listed above, and explains how to control access to role placements.
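
As a starting point for the first two questions above, the following added example (not part of the original documentation) lists the current role holders, checks whether each one answers on LDAP, and shows how many roles depend on each domain controller. It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the Windows 2000 Server tools this page describes, and it names four operations master roles besides the schema master as the module exposes them.

```powershell
# Added example: requires the ActiveDirectory module (RSAT). Run as a domain
# user on a machine joined to the domain being inspected.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    # A role holder that cannot be reached over LDAP (TCP 389) cannot accept
    # the single-master updates that its role controls.
    $reachable = Test-NetConnection -ComputerName $role.Value -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Role      = $role.Key
        Holder    = $role.Value
        LdapReach = $reachable
    }
}

# One row per role: who holds it and whether the holder is reachable.
$report | Format-Table -AutoSize

# Group by holder to see how many roles become unavailable if one DC is lost.
$report | Group-Object Holder |
    Select-Object @{n = 'Holder'; e = { $_.Name }}, Count,
                  @{n = 'Roles';  e = { $_.Group.Role -join ', ' }} |
    Format-Table -AutoSize
```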