Active Directory uses multi-master replication: every Domain Controller in the domain holds a writable copy of the database. A few operations cannot be multi-master, because two DCs changing the same thing independently would conflict, so for each of these there is exactly one DC that holds the writable copy. In AD these are the Flexible Single Master Operation (FSMO) roles, also called operations master roles. There are five of them: two are forest-level roles (one holder in the entire forest) and three are domain-level roles (one holder per domain).
1. Schema Master: There is only one schema master in the entire forest. The schema defines the classes (like user) and attributes (like city) available to the entire forest. The schema partition is writable only on the schema master and is replicated from there to every DC in the forest. Each new Windows Server release extends the schema, so before you add a Server 2012 DC to a 2003 or 2008 environment you must update the schema by running adprep /forestprep (once per forest) and adprep /domainprep (once per domain). Modifying the schema requires membership in the Schema Admins group, and that membership should be granted only for the duration of the change, because a corrupted schema corrupts the whole directory. Once a class or attribute has been added to the schema it cannot be deleted; it can only be deactivated (made defunct). AD-aware applications such as Exchange also require their own schema extensions before they can be installed.
2. Domain Naming Master: There is only one domain naming master in the entire forest. It must be available whenever a domain or domain tree is added to or removed from the forest; application directory partitions are also added and removed through it. Schema master and domain naming master are the two forest-level roles.
3. RID Master: The Relative ID master is a domain-level role, so there is one RID master per domain. When you create a security principal such as a user, group or computer, a Security Identifier (SID) is generated to represent it. The SID consists of two parts: the domain SID, which is the same for every object in the domain, and the Relative ID (RID), which must be unique within the domain. Because any DC can create objects, the RID master hands out a pool of RIDs to each DC in the domain (500 RIDs by default); a DC draws from its own pool and asks the RID master for a new one when the pool runs low. If the RID master stays unavailable long enough, DCs exhaust their pools and can no longer create security principals.
4. Infrastructure Master: This is a domain-level role and only matters in a multi-domain forest. It updates the references a domain keeps to objects that live in other domains, for example the members of a group who reside in another domain, so that those references stay correct when the referenced object is renamed or moved. In a single-domain forest the infrastructure master has nothing to do. In a multi-domain forest the role should be held by a DC that is not a Global Catalog server, unless every DC in the domain is a Global Catalog: a GC already holds a partial replica of every object in the forest, so an infrastructure master that is also a GC never notices stale cross-domain references and never updates them.
5. PDC Emulator: The PDC emulator is a domain-level role and the busiest of the five. Its most visible job is time synchronization. Every client machine and member server syncs time with the DC that authenticates it, and every DC syncs with the PDC emulator of its domain; the PDC emulator of the forest root domain sits at the top of this hierarchy and should itself sync with a reliable external source. This matters because Kerberos rejects authentication when the clock skew between client and DC exceeds the configured maximum, which is 5 minutes by default. The PDC emulator also provides backward compatibility with NT 4.0 BDCs, receives password changes from the other DCs ahead of normal replication and is consulted when a logon fails with a bad password (so a freshly changed password works before replication completes), and processes account lockouts for the entire domain immediately. By default Group Policy edits are made on the PDC emulator and then replicated to the other DCs.
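The following PowerShell is an added example and is not part of the original post. It shows three of the points above in working code: the SID/RID split described under the RID master, the Infrastructure Master placement rule (not a GC unless every DC is a GC), and which time source the PDC emulator is actually using. It assumes the ActiveDirectory module from RSAT on a domain-joined machine; the SID literal and the domain name xyz.com are constructed for illustration.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module; run as a domain user on a domain-joined machine.
Import-Module ActiveDirectory

# --- RID master: a SID is <domain SID>-<RID> --------------------------------
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # Everything before the last hyphen is the domain SID, which is identical
    # for every object in the domain; the last component is the RID that the
    # creating DC took from the pool the RID master handed it.
    $idx = $Sid.LastIndexOf('-')
    [pscustomobject]@{
        DomainSid = $Sid.Substring(0, $idx)
        Rid       = [int]$Sid.Substring($idx + 1)
    }
}

# --- Infrastructure master: must not be a GC unless every DC is a GC --------
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d     = Get-ADDomain -Identity $Domain
    $im    = Get-ADDomainController -Identity $d.InfrastructureMaster
    $dcs   = Get-ADDomainController -Filter * -Server $d.DNSRoot
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $im.HostName
        HolderIsGC           = $im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        # Only a problem when the holder is a GC and some other DC is not:
        # the holder then never sees stale cross-domain references.
        Misplaced            = [bool]($im.IsGlobalCatalog -and -not $allGc)
    }
}

# --- PDC emulator: the top of the domain's time hierarchy -------------------
function Get-PdcTimeSource {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    # w32tm /query /source prints the peer the clock is disciplined by.
    # "Local CMOS Clock" on the forest-root PDC emulator means it is
    # free-running, which is how a whole forest drifts past the 5 minute
    # Kerberos tolerance.
    $source = (& w32tm /query "/computer:$pdc" /source) -join ' '
    [pscustomobject]@{
        PDCEmulator = $pdc
        TimeSource  = $source.Trim()
        FreeRunning = [bool]($source -match 'Local CMOS Clock')
    }
}

# Constructed sample SID (not from a real domain). RIDs below 1000 are
# well-known: 500 is the built-in Administrator, 512 is Domain Admins.
Split-Sid -Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
Test-InfrastructureMasterPlacement -Domain 'xyz.com'   # domain name is an assumption
Get-PdcTimeSource -Domain 'xyz.com'
```

Split-Sid works offline; the other two functions need a reachable domain. A Misplaced value of True means the infrastructure master should be moved to a non-GC DC or all remaining DCs should be made GCs; a FreeRunning value of True on the forest-root PDC emulator means no external time source has been configured.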
Locating FSMO Roles
You can use the command line or the GUI to locate the FSMO role holders. Open the command prompt and type:
netdom query fsmo
As I have only one DC, all the roles are assigned to DC1.xyz.com.
To check it in the GUI, open Active Directory Users and Computers, right-click the domain (xyz.com) and choose Operations Masters. This shows the three domain-level operations masters (RID, PDC and Infrastructure).
To locate the Domain Naming Master, open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master.
To locate the Schema Master, the Active Directory Schema snap-in has to be registered first, because it is not available by default. Open Run, type regsvr32 schmmgmt.dll and click OK; you will get a message that DllRegisterServer in schmmgmt.dll succeeded.
After that open Run, type mmc and click OK to open the Microsoft Management Console.
On the File menu of MMC choose Add/Remove Snap-in, select Active Directory Schema, click Add and then OK.
Right-click Active Directory Schema and click Operations Master to see or change the Schema Master.
To transfer any of the FSMO roles to another DC, log on to the DC that should receive the role (or connect the snap-in to it with Change Active Directory Domain Controller), open the Operations Master dialog as described above and click Change. The dialog transfers the role to the DC the snap-in is currently connected to, so confirm that the intended target DC is the one named in the dialog before you click Change. This is a transfer and requires the current role holder to be online. Seizing a role (forcing it onto a new DC without the old holder's cooperation) is a different operation reserved for a role holder that is permanently lost, and a DC whose role was seized must not be brought back online without being rebuilt.
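The same locate-and-transfer procedure from PowerShell, as an added example that is not part of the original post. Get-ADForest and Get-ADDomain return the same role holders that netdom query fsmo prints, and Move-ADDirectoryServerOperationMasterRole is the equivalent of the Change button. It assumes the RSAT ActiveDirectory module; the target DC name DC2 and the domain xyz.com are assumptions.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module and, for the transfer, membership in Domain Admins (domain roles),
# Enterprise Admins (Domain Naming Master) or Schema Admins (Schema Master).
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        # Forest-level roles: one holder in the entire forest
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-level roles: one holder per domain
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DC that should receive the role(s), i.e. the DC you would log on to
        # before clicking Change in the GUI
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
                     'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role
    )
    # Without -Force this is a transfer: the current holder must be online and
    # hands the role over cleanly, exactly like the Change button. Adding
    # -Force would seize the role and is only appropriate when the old holder
    # is permanently lost. -WhatIf passed to this function flows through to
    # the cmdlet below because of SupportsShouldProcess.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $Role -Confirm:$false
}

# Where are the roles now? (domain name is an assumption)
Get-FsmoRoleHolder -Domain 'xyz.com'

# Dry run first, then the real transfer of the two domain roles whose outage
# hurts soonest (time hierarchy and RID pool allocation) to DC2.
Move-FsmoRole -TargetDc 'DC2' -Role PDCEmulator, RIDMaster -WhatIf
Move-FsmoRole -TargetDc 'DC2' -Role PDCEmulator, RIDMaster

# Verify the same way the post does, and from the AD module
netdom query fsmo
Get-FsmoRoleHolder -Domain 'xyz.com'
```

The -WhatIf run shows what would be moved without touching the directory; the second call performs the transfer. After a transfer, run netdom query fsmo on more than one DC, since the new holder is written on the target and only becomes visible elsewhere once replication has completed.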

