Managing Operations Masters

In an Active Directory domain, all domain controllers are equivalent. They are all capable of writing to the database and replicating changes to other domain controllers. However, in any multimaster replication topology, certain operations must be performed by one and only one system. In an Active Directory domain, operations masters are domain controllers that play a specific role. Other domain controllers are capable of playing the role but do not. This tutorial introduces you to the five operations masters found in Active Directory forests and domains. You learn their purposes, how to identify the operations masters in your enterprise, and the nuances of administering and transferring roles.

Understanding Single Master Operations

In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion. Active Directory is no exception. A limited number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:

  • Operations masters
  • Operations master roles
  • Single master roles
  • Operations tokens
  • Flexible Single Master Operations (FSMOs)

Regardless of the term used, the idea is the same. One domain controller performs a function, and while it does, no other domain controller performs that function.

If you were an administrator in the days of Microsoft Windows NT 4.0, the concept of operations masters might sound similar to Windows NT primary domain controllers (PDCs). However, single master operations are characteristic of any replicated database, and Active Directory single master operations are strikingly different from Windows NT 4.0 PDCs in several ways:

  • All Active Directory domain controllers are capable of performing single master operations. The domain controller that actually performs an operation is the domain controller that currently holds the operation's token.
  • An operation token, and thus the role, can be transferred easily to another domain controller without a reboot.
  • To reduce the risk of single points of failure, the operations tokens can be distributed among multiple DCs.

AD DS contains five operations master roles. Two roles are performed for the entire forest:

  • Domain naming
  • Schema

Three roles are performed in each domain:

  • Relative identifier (RID)
  • Infrastructure
  • PDC Emulator

Each of these roles is detailed in the following sections. In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain roles are implemented separately in each of the two domains.
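The following PowerShell script is an added example, not code from the tutorial. It uses the ActiveDirectory module (available with RSAT or on a domain controller) to list every operations master in the forest, checks that the count matches the 2 + 3 per domain rule described above, and shows how many roles each DC holds so that a single point of failure is easy to spot. Property names such as SchemaMaster, DomainNamingMaster, RIDMaster, InfrastructureMaster and PDCEmulator are the real properties returned by Get-ADForest and Get-ADDomain; the function name Get-OperationsMasterInventory is my own.

```powershell
# Added example: inventory all FSMO role holders in the current forest.
Import-Module ActiveDirectory

function Get-OperationsMasterInventory {
    $forest = Get-ADForest

    # The two forest-wide roles are exposed on the forest object.
    $roles = @(
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )

    # The three domain roles are repeated once in every domain of the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    }
    return $roles
}

$inventory = Get-OperationsMasterInventory
$inventory | Format-Table Scope, Domain, Role, Holder -AutoSize

# Sanity check: two forest roles plus three per domain
# (five in a single-domain forest, eight with two domains).
$domainCount = (Get-ADForest).Domains.Count
$expected    = 2 + 3 * $domainCount
if ($inventory.Count -ne $expected) {
    Write-Warning "Expected $expected operations masters for $domainCount domain(s), found $($inventory.Count)"
}

# Concentration check: a DC holding most or all of the roles is a single point of failure.
$inventory | Group-Object Holder | Sort-Object Count -Descending |
    Select-Object @{ Name = 'Holder'; Expression = { $_.Name } }, Count
```

Run it from an account that can read the forest and domain objects (any authenticated domain user can read these attributes). The built-in command netdom query fsmo gives the same list for the current domain in one line; the script adds the per-domain loop and the concentration check.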

Tip:
Commit to memory the list of forest-wide and domain single master operations. You are likely to encounter questions that test your knowledge of which roles apply to the entire forest and which are domain specific.

Forest-Wide Operations Master Roles

The schema master and the domain naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.

Domain Naming Master Role

The domain naming master role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible or the operation will fail.

Schema Master Role

The domain controller holding the schema master role is responsible for making any changes to the forest's schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended that you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.
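Because both forest-wide operations fail when their master is unreachable, a practical pre-flight check before adding a domain or extending the schema is to locate the two forest-wide masters directly in the directory and confirm that each one answers an LDAP bind. The script below is an added example, not code from the tutorial. It reads the fSMORoleOwner attribute on the schema naming context and on the Partitions container (these are the real attributes AD uses to record the schema master and domain naming master; they contain the distinguished name of the holder's NTDS Settings object), resolves that to a host name, and then targets the schema master explicitly with -Server, which is how you direct a schema query or change at the role holder rather than at whichever DC you happen to be bound to. The function names Resolve-RoleOwnerHost and Test-ForestMasterReachable are my own.

```powershell
# Added example: locate the forest-wide masters from the directory itself and verify they respond.
Import-Module ActiveDirectory

function Resolve-RoleOwnerHost {
    param([Parameter(Mandatory)][string]$NtdsSettingsDn)
    # fSMORoleOwner points at "CN=NTDS Settings,CN=<server>,CN=Servers,..."; the parent
    # object is the server object, whose dNSHostName is the DC's FQDN.
    $serverDn = $NtdsSettingsDn -replace '^CN=NTDS Settings,', ''
    return (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
}

function Test-ForestMasterReachable {
    param([Parameter(Mandatory)][string]$RoleName,
          [Parameter(Mandatory)][string]$HostName)
    try {
        # Get-ADRootDSE against a specific server performs an LDAP bind to that server.
        $null = Get-ADRootDSE -Server $HostName -ErrorAction Stop
        Write-Host "$RoleName $HostName is reachable"
        return $true
    } catch {
        Write-Warning "$RoleName $HostName did not answer: $($_.Exception.Message)"
        return $false
    }
}

$rootDse = Get-ADRootDSE

# Schema master: fSMORoleOwner on the schema naming context head.
$schemaOwnerDn = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties fSMORoleOwner).fSMORoleOwner
$schemaMaster  = Resolve-RoleOwnerHost -NtdsSettingsDn $schemaOwnerDn

# Domain naming master: fSMORoleOwner on CN=Partitions in the configuration partition.
$partitionsDn  = "CN=Partitions,$($rootDse.configurationNamingContext)"
$namingOwnerDn = (Get-ADObject -Identity $partitionsDn -Properties fSMORoleOwner).fSMORoleOwner
$namingMaster  = Resolve-RoleOwnerHost -NtdsSettingsDn $namingOwnerDn

$schemaOk = Test-ForestMasterReachable -RoleName 'Schema master'        -HostName $schemaMaster
$namingOk = Test-ForestMasterReachable -RoleName 'Domain naming master' -HostName $namingMaster

# Cross-check against what the forest object reports; a mismatch usually means stale replication.
$forest = Get-ADForest
if ($forest.SchemaMaster -ne $schemaMaster)       { Write-Warning "Get-ADForest reports schema master $($forest.SchemaMaster), directory says $schemaMaster" }
if ($forest.DomainNamingMaster -ne $namingMaster) { Write-Warning "Get-ADForest reports domain naming master $($forest.DomainNamingMaster), directory says $namingMaster" }

# Direct schema work at the schema master explicitly rather than at the nearest DC.
# This read-only query shows the pattern; a schema change would use the same -Server argument.
if ($schemaOk) {
    Get-ADObject -Server $schemaMaster -SearchBase $rootDse.schemaNamingContext `
        -Filter { lDAPDisplayName -eq 'sAMAccountName' } -Properties attributeID |
        Select-Object Name, attributeID
}
```

If either check fails, resolve the connectivity or replication problem, or transfer the role to a reachable DC, before attempting the forest-wide operation; a role transfer does not require a reboot.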