Home > Articles > Certification > Microsoft Certification

  • Print
  • + Share This
This chapter is from the book

Flexible Single-Master Operation (FSMO) Roles

The Active Directory global catalog is a multimaster database in which all global catalog servers participate equally. However, for some specific roles, Windows 2000 maintains the single-master model seen in NT domains. These roles involve changes that could potentially result in conflict affecting identification of users or computers, and also provide legacy support for pre-Windows systems maintained within a Windows 2000 Active Directory deployment. Only a single domain controller within a domain or forest may assume these operations master roles.

Table 3.1 details the Flexible Single-Master Operation (FSMO) roles.

Table 3.1 Windows 2000 FSMO roles.

Role

Purpose

Domain Naming Master

This forest-level operations master role is assigned to the domain controller responsible for making changes to domain naming within the catalog. It is the only domain controller that may add or remove child domains.

Infrastructure Master

This forest-level operations master role is assigned to the domain controller responsible for updating the name and security ID (SID) for objects referenced between domains.

PDC Emulator

This domain-level operations master role is assigned to the domain controller responsible for time synchronization, which is required by the Kerberos authentication protocol. The PDC Emulator in the root domain of each forest should be directed to an external time service, and all subdomain PDC Emulators will synchronize with their parent-domain. Additionally, the PDC Emulator role is used in support of legacy operating systems maintained within a Windows 2000 domain. The PDC Emulator for a given domain is preferentially given the duty of handling password changes, account lockout, and password failure notification.

RID Master

When a new security principle is created, it is assigned a unique SID that is a combination of the domain SID and a unique Relative ID (RID). The domain-level RID Master role is assigned to the domain controller responsible for ensuring that each domain controller is provided with a unique pool of Relative IDs.

Schema Master

This directory-level master role is assigned to the one domain controller responsible for changes to the schema of the directory, such as the addition of new attributes available for security principles. Once schema changes are made to the global catalog on this domain controller, they are propagated to all other global catalog servers throughout the enterprise.


TIP

The Infrastructure Master role should not be assigned to a server also designated as a global catalog server, or it will fail when attempting to update name and SID information and generate errors in the event log.

  • + Share This
  • 🔖 Save To Your Account