In this post I will tell you about the Operations Master roles in Active Directory Domain Services (AD DS). If you are a system administrator working with AD DS, it is important that you understand the five Operations Master roles (also called FSMO roles). When you work with multiple domain controllers, or even a multi-domain Active Directory installation, you need to know how these five roles work. The five roles fall into two categories: forest-wide and domain-wide. A forest-wide role exists only once in the entire AD forest, while a domain-wide role, as the name says, exists once in each domain of the forest.
The five operations master roles are assigned automatically: the two forest-level roles go to the first domain controller created in a forest, and the three domain-level roles go to the first domain controller created in each domain. A role can later be transferred to another domain controller, or seized if the current holder is permanently lost.
Forestwide Roles
Schema Master
The schema master performs updates to the AD DS schema. It is the only domain controller that can write to the directory schema; all other domain controllers hold read-only replicas of it. Because schema changes replicate forest-wide and cannot be rolled back (an attribute can be deactivated but never deleted), the Schema Admins group should be kept empty except while a planned schema change is being made.
Domain Naming Master
The domain naming master manages the addition and removal of domains and application directory partitions anywhere in the forest. It has to be available in order to:
- Add new domains or application directory partitions to the forest.
- Remove existing domains or application directory partitions from the forest.
- Add replicas of existing application directory partitions to additional domain controllers.
- Add or remove cross-reference objects to or from external directories.
- Prepare the forest for a domain rename operation.
Domainwide Roles
The domain-wide operations master roles exist once per domain. Each domain in a forest has its own RID master, PDC emulator and infrastructure master.
RID Master
The relative identifier (RID) operations master allocates blocks of RIDs (500 per block by default) to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain. A domain controller that has used up its RID block and cannot reach the RID master can no longer create security principals, and the RID master is also the domain controller that performs moves of objects between domains.
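The following PowerShell is an added example, not code from the original post. It splits a SID into its domain SID and RID, then reads the domain's RID pool from the RID master and reports how many RIDs are left (the check a practitioner runs when worried about RID exhaustion). It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined with read access to the RID Manager$ object; the sample SID passed to Split-Sid is constructed for illustration.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT)
# and a domain-joined session with read access to CN=RID Manager$,CN=System,<domain>.
Import-Module ActiveDirectory

# 1. Split a security principal's SID into the domain SID and the RID.
#    S-1-5-21-<domain part>-<RID>: everything up to the last hyphen is the domain SID.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid.Split('-')
    [pscustomobject]@{
        DomainSid = ($parts[0..($parts.Length - 2)] -join '-')
        Rid       = [int]$parts[-1]
    }
}

# Constructed sample SID for illustration; any real SID works the same way.
Split-Sid -Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
# DomainSid : S-1-5-21-1004336348-1177238915-682003330
# Rid       : 1105

# 2. Read the domain RID pool directly from the RID master and compute the remaining RIDs.
#    rIDAvailablePool is a 64-bit value: the high 32 bits hold the highest RID that can
#    ever be issued (1,073,741,823 by default), the low 32 bits the next RID to hand out.
$domain  = Get-ADDomain
$ridDn   = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
$ridMgr  = Get-ADObject -Identity $ridDn -Properties rIDAvailablePool -Server $domain.RIDMaster
$pool    = [uint64]$ridMgr.rIDAvailablePool
$maxRid  = [uint32][math]::Floor($pool / 4294967296)   # high 32 bits
$nextRid = [uint32]($pool % 4294967296)                 # low 32 bits

[pscustomobject]@{
    RidMaster     = $domain.RIDMaster
    MaximumRid    = $maxRid
    NextRid       = $nextRid
    RidsRemaining = $maxRid - $nextRid
    PercentUsed   = [math]::Round(100 * $nextRid / $maxRid, 2)
}
```

The pool is read with `-Server $domain.RIDMaster` on purpose: the RID master is the authoritative writer of that attribute, so its value is current rather than whatever a lagging replica last received. A NextRid that climbs quickly without a matching growth in principals is a sign of scripts creating and deleting accounts in a loop, which burns through blocks of 500 each time a domain controller requests a new pool.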
PDC Emulator
The PDC emulator operations master acts as a Windows NT PDC in domains that contain client computers operating without AD DS client software or Windows NT backup domain controllers (BDC). In addition, the PDC emulator processes password changes from clients and replicates the updates to the Windows NT BDCs. Even after all Windows NT domain controllers are upgraded to AD DS, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain.
If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
Infrastructure Master
The infrastructure operations master is responsible for updating object references in its domain that point to objects in another domain. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. The object reference contains the object's globally unique identifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within and between domains as well as the deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online. If every domain controller in the domain is also a global catalog, the role has nothing to do, because the global catalog already holds current references for all domains; if only some domain controllers are global catalogs, the infrastructure master must not itself be one, or it will never notice that its references are stale.
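The following PowerShell is an added example, not code from the original post; it covers both the forest-wide and the domain-wide roles described above. It lists every role holder in the forest, checks that each holder still answers on LDAP, and flags the infrastructure master placement problem where that role sits on a global catalog while other domain controllers are not. It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined with read access to every domain in the forest.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT)
# and a domain-joined session that can read every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Forest-wide roles: exactly one holder each in the whole forest.
$roles = @(
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
)

# Domain-wide roles: one holder per domain, so walk every domain in the forest.
foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = 'RIDMaster';            Holder = $d.RIDMaster }
    $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
    $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
}

# Confirm each holder answers on LDAP (TCP 389). An unreachable holder means the
# operations tied to that role fail or queue until it returns or the role is seized.
$roles | ForEach-Object {
    $reachable = Test-NetConnection -ComputerName $_.Holder -Port 389 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    $_ | Add-Member -NotePropertyName LdapReachable -NotePropertyValue $reachable -PassThru
} | Format-Table Scope, Role, Holder, LdapReachable -AutoSize

# Infrastructure master placement check per domain: if every DC is a global catalog the
# role is idle and placement does not matter; if only some DCs are GCs, the holder must
# not be a GC or it will never detect stale cross-domain references.
foreach ($domainName in $forest.Domains) {
    $d      = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $d.DNSRoot
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGc = @($dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster -and $_.IsGlobalCatalog }).Count -gt 0
    if ($nonGc.Count -gt 0 -and $imIsGc) {
        Write-Warning ("{0}: infrastructure master {1} is a global catalog while {2} DC(s) are not; " +
                       "move the role to a non-GC domain controller.") -f $d.DNSRoot, $d.InfrastructureMaster, $nonGc.Count
    }
}
```

Run this from a jump host before and after any domain controller decommissioning. A role whose holder is gone for good is not recovered by the list above; it has to be moved with `Move-ADDirectoryServerOperationMasterRole` (with `-Force` to seize when the old holder cannot be contacted), and the old holder must then never be brought back online with that role still set.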
If you want to learn more about Operation Master Roles I can recommend the MCTS Exam 70-640 – Configuring Windows Server 2008 Active Directory.
One thing that I think you miss in the PDC emulator role is that it also works as the NTP clock sync server for all clients in a domain.
Hi Jay
You are absolutely right. That is actually a pretty important part of the PDC emulator role. Thank you for reminding me about that one. Hope to see you back on my blog soon 🙂