Active Directory supports multimaster replication of the Active Directory database between all domain
controllers in the domain. However, some changes are impractical to perform in multimaster fashion,
so one or more domain controllers can be assigned to perform operations that are single-master (not
permitted to occur at different places in a network at the same time). Operations master roles are
assigned to domain controllers to perform single-master operations.
In any Active Directory forest, five operations master roles must be assigned to one or
more domain controllers. Some roles must appear in every forest. Other roles must
appear in every domain in the forest. You must be aware of operations master roles
assigned to a domain controller if problems develop on the domain controller or if you
plan to take it out of service.
* Schema master
* Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest
there can be only one schema master and one domain naming master.
These roles must be unique in each domain. This means that each domain in the forest
can have only one RID master, PDC emulator master, and infrastructure master.
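
To see which of these roles a given domain controller holds before it is taken out of service, the following added example (not part of the original document) queries the forest-wide and per-domain role holders with the ActiveDirectory PowerShell module. The function name and the domain controller name `dc01.example.com` are placeholders chosen for illustration.

```powershell
# Added example, not from the original document. Requires the ActiveDirectory
# module (RSAT) and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-OperationsMasterRolesHeld {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainController    # FQDN of the domain controller to check
    )

    $forest = Get-ADForest

    # Forest-wide roles: exactly one holder each in the entire forest.
    $roles = @(
        [pscustomobject]@{ Scope = $forest.Name; Role = 'Schema master';        Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.Name; Role = 'Domain naming master'; Holder = $forest.DomainNamingMaster }
    )

    # Domain-wide roles: exactly one holder of each in every domain.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        $roles += [pscustomobject]@{ Scope = $domainName; Role = 'RID master';            Holder = $domain.RIDMaster }
        $roles += [pscustomobject]@{ Scope = $domainName; Role = 'PDC emulator master';   Holder = $domain.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = $domainName; Role = 'Infrastructure master'; Holder = $domain.InfrastructureMaster }
    }

    # Keep only the roles assigned to the named domain controller.
    # String comparison with -eq is case-insensitive in PowerShell.
    $roles | Where-Object { $_.Holder -eq $DomainController }
}

# 'dc01.example.com' is a placeholder, not a value from the document.
$held = Get-OperationsMasterRolesHeld -DomainController 'dc01.example.com'
if ($held) {
    $held | Format-Table Scope, Role, Holder -AutoSize
    Write-Warning 'This domain controller holds operations master roles; account for them before taking it out of service.'
} else {
    Write-Output 'No operations master roles are assigned to this domain controller.'
}
```
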
Even after all systems are upgraded to Windows Server 2003, and the Windows Server 2003 domain
is operating at the Windows Server 2003 functional level, the PDC emulator receives preferential
replication of password changes performed by other domain controllers in the domain. If a password
was recently changed, that change takes time to replicate to every domain controller in the domain.
There is no compromise to security during the time between the member rename and
the group update. Only an administrator looking at that particular group membership
would notice the temporary inconsistency.