What are Operations Masters?
In this section
- Operations Master Roles
- Operations Master Dependencies
- Related Information
Active Directory defines five operations master roles: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master. The domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database.
Active Directory is a multimaster enabled database, which provides the flexibility of allowing changes to occur at any domain controller in the forest. However, because it is multimaster enabled, it can also allow conflicting updates that can potentially lead to problems when data is replicated throughout the domain or forest.
The general approach to resolving Active Directory replication conflicts is to order all update operations (Add, Modify, Move, and Delete) by assigning a globally unique stamp to the originating update. Each replicated attribute value (or multivalue) is stamped during the originating update and this stamp is replicated with the value. The stamp that is applied during an originating write consists of a version number, a time stamp of when the originating write occurred, and the originating domain controller. Conflicts are resolved by comparing the version number. If two stamps have the same version number, the originating time almost always breaks the tie. In the extremely rare event that the same attribute is updated on two different domain controllers during the same second, the originating domain controller breaks the tie in an arbitrary fashion.
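The stamp comparison described above, written out as an added PowerShell example (not code from the original article). It models a stamp with the three fields the text names and applies them in the stated order: version number, then originating time at one-second granularity, then the originating domain controller as the final tie breaker. The field names and the GUIDs, times and version numbers in the sample are constructed.

```powershell
# Added example (not from the original article): a model of the
# per-attribute replication stamp and the order in which its fields decide
# a conflict. Field names and the sample values are constructed.

function New-AttributeStamp {
    param(
        [int]$Version,              # incremented on every originating write
        [datetime]$OriginatingTime, # when the originating write happened
        [guid]$OriginatingDsa       # identity of the writing DC (assumed field name)
    )
    [pscustomobject]@{
        Version         = $Version
        OriginatingTime = $OriginatingTime
        OriginatingDsa  = $OriginatingDsa
    }
}

function Compare-AttributeStamp {
    # Returns a positive number if $A wins, negative if $B wins, 0 if identical.
    # Version number first; originating time (to the second) next; the
    # originating DC last, as an arbitrary but deterministic tie breaker.
    param($A, $B)

    if ($A.Version -ne $B.Version) {
        return [Math]::Sign($A.Version - $B.Version)
    }

    # Truncate both times to whole seconds so "same second" ties are visible.
    $secA = [Math]::Floor($A.OriginatingTime.ToUniversalTime().Ticks / [timespan]::TicksPerSecond)
    $secB = [Math]::Floor($B.OriginatingTime.ToUniversalTime().Ticks / [timespan]::TicksPerSecond)
    if ($secA -ne $secB) {
        return [Math]::Sign($secA - $secB)
    }

    # Same version, same second: every replica must still agree on a winner,
    # so the originating DC's GUID breaks the tie.
    return $A.OriginatingDsa.CompareTo($B.OriginatingDsa)
}

# Constructed sample: two DCs each accepted a write to the same attribute and
# both writes carry version 3. The later originating time wins.
$dc1 = [guid]'11111111-1111-1111-1111-111111111111'
$dc2 = [guid]'22222222-2222-2222-2222-222222222222'
$fromDc1 = New-AttributeStamp -Version 3 -OriginatingTime ([datetime]'2024-01-15T10:00:00Z') -OriginatingDsa $dc1
$fromDc2 = New-AttributeStamp -Version 3 -OriginatingTime ([datetime]'2024-01-15T10:00:07Z') -OriginatingDsa $dc2

$result = Compare-AttributeStamp $fromDc1 $fromDc2
if ($result -gt 0)     { 'Value written on DC1 survives' }
elseif ($result -lt 0) { 'Value written on DC2 survives' }   # this case: later time
else                   { 'Stamps are identical' }

# Same version and same second: only the originating DC differs, so the
# GUID comparison decides, and it decides the same way on every replica.
$tieA = New-AttributeStamp -Version 4 -OriginatingTime ([datetime]'2024-01-15T10:01:00Z') -OriginatingDsa $dc1
$tieB = New-AttributeStamp -Version 4 -OriginatingTime ([datetime]'2024-01-15T10:01:00.900Z') -OriginatingDsa $dc2
Compare-AttributeStamp $tieA $tieB   # negative: DC2's GUID sorts higher, so its value wins
```

The point worth keeping in mind when reading replication metadata: the winner of a conflict is the value with the "best" stamp, not the value an administrator would consider correct. A stale or unexpected value on one domain controller can therefore be overwritten silently once replication catches up, which is exactly why the changes discussed next are kept single-master instead of being left to this resolution.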
Although this resolution method is acceptable, some changes are too difficult to resolve by using the stamp of the originating update. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after it has occurred.
When changes such as the addition or removal of domains to a forest or password changes are made, Active Directory performs them in a single-master fashion to prevent conflicting updates from occurring. In a single-master update model, only one domain controller in the entire directory is allowed to process the update. This is similar to the role of a Windows NT PDC, in which the PDC is responsible for processing all updates in a given domain.
Active Directory extends the single-master model to include multiple roles that are responsible for different types of updates. Active Directory also provides the ability to transfer an operations master role to another domain controller.
By designating a single domain controller to manage specific tasks, Active Directory enhances your ability to avoid conflicts in the directory, ensure consistency of the schema, and add a domain to, or remove a domain from, a forest. Operations masters also maintain interaction between Windows Server 2003, Windows 2000 Server, and earlier versions of Windows operating systems, and maintain consistent group-to-user references across domains.
Operations Master Roles
The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest and three domain-level roles are assigned to the first domain controller created in a domain.
Forestwide Operations Master Roles
The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.
Schema Master
The schema master is responsible for performing updates to the Active Directory schema. The schema master is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest. Having only one schema master for each forest prevents the conflicts that would result if two or more domain controllers attempted to update the schema concurrently.
Domain Naming Master
The domain naming master manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller that has the domain naming master role must be available in order to perform the following actions:
- Add new domains or application directory partitions to the forest.
- Remove existing domains or application directory partitions from the forest.
- Add replicas of existing application directory partitions to additional domain controllers.
- Add or remove cross-reference objects to or from external directories.
- Prepare the forest for a domain rename operation.
Domainwide Operations Master Roles
The other operations master roles are domainwide roles, meaning that each domain in a forest has its own RID master, PDC emulator, and infrastructure master.
RID Master
The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
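The SID structure and the block allocation just described, as an added PowerShell example (not code from the original article). Split-Sid uses the .NET SecurityIdentifier class to separate a SID into its domain SID and RID; the RID master and DC blocks are a toy model whose domain SID, DC names and block sizes are constructed. The default block size of 500 used by a real RID master is a known value, but everything else here is illustration.

```powershell
# Added example (not from the original article): how a SID decomposes into
# the domain SID plus a RID, and a toy model of the RID master handing each DC
# its own non-overlapping block. Domain SID, DC names and block sizes here are
# constructed (500 is the default block size on a real RID master).

function Split-Sid {
    # Breaks a SID string into its domain SID and RID using the .NET SID class.
    param([string]$Sid)
    $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
    $domainSid = $null
    if ($null -ne $sidObj.AccountDomainSid) { $domainSid = $sidObj.AccountDomainSid.Value }
    $parts = $Sid -split '-'
    [pscustomobject]@{
        Sid       = $sidObj.Value
        DomainSid = $domainSid
        Rid       = [uint32]$parts[-1]
    }
}

# Toy RID master: a single counter from which every DC's block is carved.
$script:RidMasterNext = 1000   # RIDs below 1000 are reserved for well-known principals

function Request-RidBlock {
    # Models a DC asking the RID master for a fresh block. Because only one
    # domain controller hands out blocks, two DCs can never be given
    # overlapping ranges, and so can never mint the same SID.
    param([string]$DcName, [int]$BlockSize = 500)
    $block = [pscustomobject]@{
        Dc   = $DcName
        Next = $script:RidMasterNext
        Last = $script:RidMasterNext + $BlockSize - 1
    }
    $script:RidMasterNext += $BlockSize
    return $block
}

function New-PrincipalSid {
    # A DC builds a SID for a new user, group or computer from its own block.
    param([string]$DomainSid, $Block)
    if ($Block.Next -gt $Block.Last) {
        throw "DC $($Block.Dc) has exhausted its RID block; object creation stalls until the RID master issues another"
    }
    $rid = $Block.Next
    $Block.Next = $Block.Next + 1
    return "$DomainSid-$rid"
}

# Constructed domain SID (not a real domain).
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'

# Small blocks so the exhaustion case is easy to reach.
$blockDc1 = Request-RidBlock -DcName 'DC1' -BlockSize 3   # RIDs 1000..1002
$blockDc2 = Request-RidBlock -DcName 'DC2' -BlockSize 3   # RIDs 1003..1005

$sidFromDc1 = New-PrincipalSid -DomainSid $domainSid -Block $blockDc1   # ends in -1000
$sidFromDc2 = New-PrincipalSid -DomainSid $domainSid -Block $blockDc2   # ends in -1003
Split-Sid $sidFromDc1   # DomainSid = S-1-5-21-..., Rid = 1000
Split-Sid $sidFromDc2   # same DomainSid, Rid = 1003

# A well-known RID inside the same domain: the built-in Administrator is RID 500.
Split-Sid "$domainSid-500"

# Exhaust DC1's block to see what happens when no new block can be obtained,
# which is the situation a DC is in while the RID master is unreachable.
try {
    1..3 | ForEach-Object { New-PrincipalSid -DomainSid $domainSid -Block $blockDc1 | Out-Null }
} catch { "Creation failed: $_" }
```

Two things the toy makes visible: the domain SID prefix is identical for every principal a domain creates, so the RID is the only part that distinguishes them, and because blocks come from one authority they never overlap. The flip side is an availability dependency: a domain controller that has used up its block cannot create security principals until the RID master is reachable again.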
PDC Emulator
The PDC emulator operations master acts as a Windows NT PDC in domains that contain client computers operating without Active Directory client software or Windows NT backup domain controllers (BDCs). In addition, the PDC emulator processes password changes from clients and replicates the updates to the Windows NT BDCs. Even after all domain controllers are upgraded to Windows 2000 Server or Windows Server 2003, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain.
If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
Infrastructure Master
The infrastructure operations master is responsible for updating object references in its domain that point to objects in other domains. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. The object reference contains the object’s globally unique identifier (GUID), distinguished name, and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within and between domains as well as the deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online.
Operations Master Dependencies
Domain controllers designated as operations masters have the following dependencies:
Operations master placement
Because operations masters are critical to the long-term performance of the directory, they must be available to all domain controllers and desktop clients that require their services. Careful placement of your operations masters becomes more important as you add more domains and sites to build your forest.
If operations master role holders are improperly placed, clients running Windows NT Workstation 4.0, Windows 95, or Windows 98 without the Active Directory client installed might be unable to change their passwords, and you might be unable to add domains or new objects, such as users and groups. You might also be unable to make changes to the schema. In addition, name changes might not properly appear within group memberships that are displayed in the user interface.
As your environment changes, you must avoid the problems associated with improperly placed operations master role holders. Eventually, you might need to reassign the roles to other domain controllers.
Although you can assign the operations master roles to any domain controller, follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory:
- Leave the two forestwide roles on a domain controller in the forest root domain.
- Place the two forestwide roles on a global catalog server.
- Place the three domainwide roles on the same domain controller.
- In a forest that contains multiple domains, do not place the domainwide roles on a global catalog server unless all domain controllers in the domain are also global catalog servers.
- Place the domainwide roles on a higher performance domain controller.
- Adjust the workload of the operations master role holder, if necessary.
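The placement guidelines above can be checked mechanically. The following is an added PowerShell example, not code from the original article or from Microsoft: Get-FsmoInventory shows how the role holders and domain controller list would be collected with the ActiveDirectory module's Get-ADForest, Get-ADDomain and Get-ADDomainController cmdlets, and Test-FsmoPlacement evaluates an inventory against the forest-root, global catalog, co-location and multi-domain guidelines. The sample inventory it runs on is constructed so the check works offline; its host and domain names are made up, and the "not a known DC" finding is an assumption about what a role left on a decommissioned server looks like in such an inventory.

```powershell
# Added example (not from the original article): an audit of operations
# master placement against the guidelines above. Get-FsmoInventory shows the
# live collection with the ActiveDirectory module's real cmdlets; the sample
# inventory below is constructed so the check can be run offline.

function Get-FsmoInventory {
    # Live collection: needs the ActiveDirectory module and read access to the forest.
    $forest = Get-ADForest
    [pscustomobject]@{
        RootDomain         = $forest.RootDomain
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        Domains            = @(foreach ($name in $forest.Domains) {
            $d = Get-ADDomain -Identity $name
            [pscustomobject]@{ Name = $d.DNSRoot; PDCEmulator = $d.PDCEmulator
                               RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster }
        })
        DomainControllers  = @(foreach ($name in $forest.Domains) {
            Get-ADDomainController -Filter * -Server $name |
                ForEach-Object { [pscustomobject]@{ HostName = $_.HostName; Domain = $_.Domain; IsGlobalCatalog = $_.IsGlobalCatalog } }
        })
    }
}

function Test-FsmoPlacement {
    # Returns one string per guideline violation; an empty list means the
    # placement matches the guidance above.
    param($Inventory)
    $findings = New-Object System.Collections.Generic.List[string]
    $dcByName = @{}
    foreach ($dc in $Inventory.DomainControllers) { $dcByName[$dc.HostName.ToLower()] = $dc }

    # Forestwide roles: in the forest root domain, and on a global catalog.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder = $dcByName[$Inventory.$role.ToLower()]
        if (-not $holder) {
            $findings.Add("$role holder '$($Inventory.$role)' is not a known DC (role left on a decommissioned server?)")
            continue
        }
        if ($holder.Domain -ne $Inventory.RootDomain) { $findings.Add("$role is held outside the forest root domain, on $($holder.HostName)") }
        if (-not $holder.IsGlobalCatalog)              { $findings.Add("$role holder $($holder.HostName) is not a global catalog") }
    }

    # Domainwide roles: together on one DC, and (in a multi-domain forest) not on
    # a global catalog unless every DC in that domain is one.
    $multiDomain = @($Inventory.Domains).Count -gt 1
    foreach ($d in $Inventory.Domains) {
        $domainRoles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
        $holders = @($domainRoles | ForEach-Object { $d.$_.ToLower() } | Select-Object -Unique)
        if ($holders.Count -gt 1) { $findings.Add("Domain $($d.Name): domainwide roles are split across $($holders -join ', ')") }

        $domainDcs = @($Inventory.DomainControllers | Where-Object { $_.Domain -eq $d.Name })
        $allGc = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        foreach ($role in $domainRoles) {
            $holder = $dcByName[$d.$role.ToLower()]
            if (-not $holder) { $findings.Add("Domain $($d.Name): $role holder '$($d.$role)' is not a known DC"); continue }
            if ($multiDomain -and $holder.IsGlobalCatalog -and -not $allGc) {
                $findings.Add("Domain $($d.Name): $role holder $($holder.HostName) is a global catalog, but not every DC in the domain is one")
            }
        }
    }
    return $findings
}

# Constructed two-domain forest with deliberate placement problems in the child domain.
$sample = [pscustomobject]@{
    RootDomain         = 'corp.example'
    SchemaMaster       = 'dc1.corp.example'
    DomainNamingMaster = 'cdc1.child.corp.example'   # outside the root domain, and not a GC
    Domains = @(
        [pscustomobject]@{ Name = 'corp.example';       PDCEmulator = 'dc1.corp.example';        RIDMaster = 'dc1.corp.example';        InfrastructureMaster = 'dc1.corp.example' }
        [pscustomobject]@{ Name = 'child.corp.example'; PDCEmulator = 'cdc1.child.corp.example'; RIDMaster = 'cdc1.child.corp.example'; InfrastructureMaster = 'cdc2.child.corp.example' }
    )
    DomainControllers = @(
        [pscustomobject]@{ HostName = 'dc1.corp.example';        Domain = 'corp.example';       IsGlobalCatalog = $true }
        [pscustomobject]@{ HostName = 'dc2.corp.example';        Domain = 'corp.example';       IsGlobalCatalog = $true }
        [pscustomobject]@{ HostName = 'cdc1.child.corp.example'; Domain = 'child.corp.example'; IsGlobalCatalog = $false }
        [pscustomobject]@{ HostName = 'cdc2.child.corp.example'; Domain = 'child.corp.example'; IsGlobalCatalog = $true }   # infrastructure master on a GC
    )
}
Test-FsmoPlacement -Inventory $sample
# Expected findings: domain naming master outside the root domain and not a GC,
# child domain roles split across cdc1/cdc2, child infrastructure master on a GC.
```

Against a live forest, replace the sample with `Test-FsmoPlacement -Inventory (Get-FsmoInventory)`. The "not a known DC" case is the one worth watching in practice: a role that still points at a server that no longer exists means the corresponding single-master operations silently stop working until the role is transferred or seized.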
Active Directory replication
Operations masters replicate changes made on them throughout the domain or forest, depending on whether they hold a domain or forest role. Active Directory replication must be working properly in order for the other domain controllers to receive these changes.
Domain Name System (DNS)
Active Directory requires that DNS is properly designed and deployed so that domain controllers can correctly resolve DNS names of replication partners. If DNS is not working properly, operations masters cannot be contacted to perform their specific domain or forest functions.
User rights
User rights for designating operations master roles can be set for groups or users in a forest. This allows you to limit or add to the group of default users that can change operations master role holders in a forest or domain. The following user rights are required to change operations master role holders:
- The Change Schema Master right is required to transfer or seize the schema master. By default, only members of the Schema Administrators group are assigned this right.
- The Change Domain Master right is required to transfer or seize the domain naming master role. By default, only members of the Enterprise Admins group are assigned this right.
- The Change PDC right is required to transfer or seize the PDC emulator role. By default, only members of the Domain Admins group are assigned this right.
- The Change Infrastructure Master right is required to transfer or seize the infrastructure master. By default, only members of the Domain Admins group are assigned this right.
- The Change RID Master right is required to transfer or seize the RID master role. By default, only members of the Domain Admins group are assigned this right.
The following resources contain additional information that is relevant to this section.