Operation Master Role.

Operations master roles (also known as flexible single master operations, or FSMO) are special roles assigned to one or more domain controllers in an Active Directory domain. The domain controllers assigned these roles perform single-master replication.

Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform single-master operations.

In any Active Directory forest, five operations master roles must be assigned to one or
more domain controllers. Some roles must appear in every forest. Other roles must
appear in every domain in the forest. You must be aware of operations master roles
assigned to a domain controller if problems develop on the domain controller or if you
plan to take it out of service.

Forest-Wide Operations Master Roles

Every Active Directory forest must have the following roles:

* Schema master
* Domain naming master

These roles must be unique in the forest. This means that throughout the entire forest
there can be only one schema master and one domain naming master.

* Schema Master Role

The domain controller assigned the schema master role controls all updates and modifications to the
schema. To update the schema of a forest, you must have access to the schema master. At any time,
there can be only one schema master in the entire forest.

* Domain Naming Master Role

The domain controller holding the domain naming master role controls the addition or
removal of domains in the forest. There can be only one domain naming master in the
entire forest at any time.

Operation Master Role. (Part - II)

Domain-Wide Operations Master Roles

Every domain in the forest must have the following roles:

* Relative identifier (RID), or relative ID, master
* Primary domain controller (PDC) emulator
* Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest
can have only one RID master, PDC emulator master, and infrastructure master.
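Before taking a domain controller out of service, an administrator wants to know which of the five roles it holds and whether every holder is still reachable. The following script is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account running it can read the forest.

```powershell
# Added example (not from the original article): enumerate the five operations
# master role holders across a forest and confirm each holder still answers.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    # Forest-wide roles: exactly one holder of each in the whole forest.
    [PSCustomObject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

    # Domain-wide roles: one holder of each in every domain of the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [PSCustomObject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        [PSCustomObject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        [PSCustomObject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    }
}

function Test-FsmoRoleHolder {
    [CmdletBinding()]
    param()

    foreach ($entry in Get-FsmoRoleHolder) {
        # A holder that cannot be contacted needs attention before any schema
        # change, domain add/remove, RID pool request or password forwarding
        # that depends on it. ICMP may be filtered; treat "False" as a prompt
        # to check the DC, not as proof that the role is lost.
        $online = Test-Connection -ComputerName $entry.Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Scope  = $entry.Scope
            Role   = $entry.Role
            Holder = $entry.Holder
            Online = [bool]$online
        }
    }
}

Test-FsmoRoleHolder | Format-Table -AutoSize
```

The same holders can be cross-checked from the other direction with `Get-ADDomainController -Filter * | Select-Object Name, OperationMasterRoles`, which lists the roles each DC believes it holds.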

* RID Master Role

The domain controller assigned the RID master role allocates sequences of relative IDs
to each of the various domain controllers in its domain. At any time, there can be only
one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the
object a unique security ID. The security ID consists of a domain security ID (that is the
same for all security IDs created in the domain) and a relative ID that is unique for each security ID
created in the domain.
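The SID structure described above (domain SID plus a per-domain unique RID) can be checked directly. This added example is not from the original article: it splits SIDs into their domain SID and RID using the .NET SecurityIdentifier class and flags any RID that appears twice within one domain, which single-master RID allocation is meant to rule out. The SIDs are constructed sample values.

```powershell
# Added example (not from the original article): split security IDs into the
# domain SID and the relative ID (RID) that the RID master hands out in pools,
# then verify that no RID is reused inside a domain.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    # AccountDomainSid is $null for SIDs that are not domain account SIDs
    # (for example the built-in S-1-5-32-* groups), so those are skipped.
    $domainSid = $sidObject.AccountDomainSid
    if (-not $domainSid) { return $null }
    # The RID is the last sub-authority of the SID.
    $rid = [int]$Sid.Split('-')[-1]
    [PSCustomObject]@{ Sid = $Sid; DomainSid = $domainSid.Value; Rid = $rid }
}

function Find-DuplicateRid {
    param([Parameter(Mandatory)][string[]]$Sids)

    # Same RID in different domains is normal; same RID twice in one domain
    # violates the uniqueness the RID master is supposed to guarantee.
    $Sids | ForEach-Object { Split-Sid $_ } | Where-Object { $_ } |
        Group-Object -Property DomainSid, Rid | Where-Object Count -gt 1 |
        ForEach-Object { $_.Group[0] }
}

# Constructed sample values (not real directory data): two domains; RID 1105
# appears twice in the first domain and once, legitimately, in the second.
$sampleSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500',   # Administrator, well-known RID
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-21-1111111111-2222222222-3333333333-1106',
    'S-1-5-21-1111111111-2222222222-3333333333-1105',  # duplicate in the same domain
    'S-1-5-21-4040404040-1515151515-2626262626-1105',  # same RID, different domain: fine
    'S-1-5-32-544'                                      # BUILTIN\Administrators: no domain SID
)

$sampleSids | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
Find-DuplicateRid -Sids $sampleSids
```

On a live domain, feed `Find-DuplicateRid` the `objectSid` values from `Get-ADObject -Filter * -Properties objectSid` instead of the sample list.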

To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

* PDC Emulator Role

If the domain contains computers that are not running Windows Server 2003 client software, or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Even after all systems are upgraded to Windows Server 2003, and the Windows Server 2003 domain
is operating at the Windows Server 2003 functional level, the PDC emulator receives preferential
replication of password changes performed by other domain controllers in the domain. If a password
was recently changed, that change takes time to replicate to every domain controller in the domain.

Operation Master Role. (Part - III)

If a logon authentication fails at another domain controller due to a bad password, that domain
controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

* Infrastructure Master Role

The domain controller assigned the infrastructure master role is responsible for updating the group-to-
user references whenever the members of groups are renamed or changed. At any time, there can be
only one domain controller acting as the infrastructure master in each domain. When you rename or
move a member of a group (and the member resides in a different domain from the group), the group
might temporarily appear not to contain that member. The infrastructure master of the group’s
domain is responsible for updating the group so it knows the new name or location of the member.
The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and
the group update. Only an administrator looking at that particular group membership
would notice the temporary inconsistency.