Configuring Operations Masters

In an Active Directory domain all the domain controllers are equivalent and can perform all the functions. However, in a multidomain environment, where multimaster replication needs to be performed, certain changes cannot be performed on all the domain controllers. For example the schema master changes should not be performed as multimaster replication. Rather these changes must be performed as single master operation.

In Active Directory environment where domain controllers play a single master role are called operations masters. The single master operation roles can be transferred on any domain controller in a domain and are therefore called flexible single master operations (FSMO). At any given time only one role can be assigned/ performed to/by a domain controller.

There are total five types of FSMO roles, out of which three are domain level roles and two are forest wide roles. All the five operations master roles are automatically configured on the first domain controller that is configured in a forest. The domain level operations master roles are configured in each domain and are also assumed by the first domain controller in each of the additional domains created in the forest. These roles are:

• PDC (Primary Domain Controller) emulator: It services logon requests and processes all password updates.
• Relative ID (RID): It is responsible for assigning unique RIDs to all the domain controllers and maintaining the global RID pool for the domain.
• Infrastructure: It is responsible for maintaining a list of the security principals. It keeps the group-to-user references updated as group membership changes and then replicate them to other domain controllers.

The forest wide roles can be implemented on one domain controller per forest. These roles are:

• Schema operations: It is responsible to commit all the changes to the schema.
• Domain naming: It is responsible to control the addition and removal of domains to and from the forest.

The automatic assignment of roles on the first domain controller in a forest overburdens the first domain controller. To avoid this overburden, you can transfer the operation master roles to other domain controllers in the domain\forest. The placement of each operation master role is important and requires a careful planning.

Placing Operations Masters

• PDC Emulator: A PDC emulator processes all the logon requests in a domain and it must always be available. There can be only one PDC emulator in a domain. It should be placed at a location where password forwarding operations are most needed to avoid logon failures that may occur due to delays in password replication process. To achieve best performance, it should be placed on a dedicated domain controller that is well connected to other locations and that does not have other FSMO responsibilities.
• Relative ID (RID) Master: The RID master ensures that there is no overlapping in the assignment of RID of a domain because each domain has a unique RID. There can be only one RID master in a domain. The RID master can be placed with any other FSMO role on a domain controller because additional load on an RID master is quite insignificant. It can be placed with PDS Emulator role on a domain controller.
• Infrastructure Master: The Infrastructure master keeps the group-to-user references updated as group membership changes and then replicate them to other domain controllers. The Infrastructure master can be placed with any other FSMO role on a domain controller because additional load on an Infrastructure master is quite insignificant. However, the Infrastructure master role should not be placed on global catalog servers because GC servers can replicate information on any domain.
• Schema Operations Master: Only one schema operations master can exist in a forest. Schema master changes are not performed frequently and therefore the additional load placement on a server containing this role is insignificant. So, schema operations master role can be placed with other FSMO roles on a domain controller. However, this role must be placed in such a way so that it is available to all the administrators who need to make schema changes.
• Domain Naming Master: The Domain Naming Master controls the addition and removal of domains to and from the forest. Only one domain naming master can exist per forest. It should be placed on a global catalog server because the domain naming master needs to contact the global catalog server each time a new domain is created. While placing this role, you also need to ensure that it is accessible from any subnet in your network.

Identify Operation Masters

To identify the operation masters that are running on a server, you need to:

1. Open Active Directory Users and Computers snap-in by clicking Start- >Administrative Tools-> Active Directory Users and Computers.
2. Right-click the domain name (inscription.com) node and select Operations Masters option from the menu that appears, as shown in Figure 3-26.

The Operations Masters dialog box appears displaying the operations masters’ role in each tab of the dialog box, as shown in Figure 3-27.

Beside this, you can use the Netdom tool to see the server on which all the five FSMO server roles are installed in just one go.

You need to type netdom query fsmo on the command prompt to see the results, as shown in Figure 3-28.

Transfer an Operation Master Role

To transfer an operation master role, you need to take the operations master offline, transfer the role to another domain controller and then bring it online. To transfer the operations master role, you need to:

1. Open Active Directory Users and Computers snap-in by clicking Start- >Administrative Tools-> Active Directory Users and Computers.
2. Right-click the domain name (inscription.com) node and select Change Domain Controller option from the menu that appears.The Change Directory Server window appears, as shown in Figure 3-29. The window allows you to select the domain controller on which you want to transfer the role.
3. Select the domain controller from the list and click OK.
   

   

4. Right-click the domain name (inscription.com) node and select Operations Masters option from the menu that appears.
5. Click the tab of the role that you want to transfer. For example click on PDC tab.
6. Click Change. Confirm the transfer by clicking Yes on the confirmation dialog box that appears.The role is successfully transferred.
7. Click OK and then click Close.
8. Shut down and Restart the server.