Five operations master roles in Windows Server 2003

I) Forest-Wide Operations Master Roles
Every Active Directory forest must have the following roles:

• Schema master
• Domain naming master

These roles must be unique in the forest. This means that throughout the entire forest, there can be only one schema master and one domain naming master.

1) Schema Master Role

The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.

2) Domain Naming Master Role

The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.

II) Domain-Wide Operations Master Roles

Every domain in the forest must have the following roles:

• Relative identifier (RID), or relative ID, master
• Primary domain controller (PDC) emulator
• Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, one PDC emulator, and one infrastructure master.

1) RID Master Role

The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain.

To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

2) PDC Emulator Role

If the domain contains computers operating without Windows Server 2003 client software, or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Even after all systems are upgraded to Windows Server 2003, and the Windows Server 2003 domain is operating at the Windows Server 2003 functional level, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

3) Infrastructure Master Role

The domain controller assigned the infrastructure master role is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain. When you rename or move a member of a group (and the member resides in a different domain from the group), the group might temporarily appear not to contain that member.

The infrastructure master of the group’s domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
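The five roles above are recorded in the directory itself: each role holder is the fSMORoleOwner attribute of one well-known object (forest roles under the Configuration partition, domain roles in each domain partition), and its value is the DN of the holder's NTDS Settings object. The following Python is an added example, not part of the original article: it resolves the holders from such a set of attribute values and flags a role whose recording object is missing or whose holder DC no longer exists (the DN then carries the deleted-object marker). The forest, domain names, DC names and attribute values are constructed sample data.

```python
import re
# Object (prefixed to the partition head DN) whose fSMORoleOwner attribute records
# each role: forest roles in the Configuration partition, domain roles per domain.
FOREST_ROLES = {"Schema master": "CN=Schema,CN=Configuration,",
                "Domain naming master": "CN=Partitions,CN=Configuration,"}
DOMAIN_ROLES = {"RID master": "CN=RID Manager$,CN=System,",
                "PDC emulator": "",  # the domain head object itself
                "Infrastructure master": "CN=Infrastructure,"}
# fSMORoleOwner holds the DN of the holder's NTDS Settings object.
NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.I)

def holder(owner_dn):
    """'server (site)' for an fSMORoleOwner value, or None when the value
    points at a deleted NTDS Settings object, i.e. the role is orphaned."""
    if "\nDEL:" in owner_dn or "\\0ADEL:" in owner_dn:  # deleted-object marker
        return None
    m = NTDS_RE.match(owner_dn)
    return f"{m.group(1)} ({m.group(2)})" if m else None

def fsmo_report(forest_root_dn, domain_dns, entries):
    """Resolve every role once per scope (forest, then each domain) and list
    roles whose recording object is missing or whose holder is gone."""
    scopes = [("forest", forest_root_dn, FOREST_ROLES)] + [(dn, dn, DOMAIN_ROLES) for dn in domain_dns]
    report, problems = {}, []
    for label, head_dn, roles in scopes:
        report[label] = {}
        for role, prefix in roles.items():
            owner = entries.get(prefix + head_dn)  # one object per scope => one holder
            who = holder(owner) if owner else None
            report[label][role] = who
            if who is None:
                problems.append(f"{role} of {label}: " + ("not found" if owner is None else "orphaned holder"))
    return report, problems

def _ntds(server, site="Default-First-Site-Name"):
    return (f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},CN=Sites,"
            "CN=Configuration,DC=corp,DC=example")

SAMPLE = {  # constructed two-domain forest: corp.example with child domain emea
    "CN=Schema,CN=Configuration,DC=corp,DC=example": _ntds("DC1"),
    "CN=Partitions,CN=Configuration,DC=corp,DC=example": _ntds("DC1"),
    "CN=RID Manager$,CN=System,DC=corp,DC=example": _ntds("DC1"),
    "DC=corp,DC=example": _ntds("DC2"),
    "CN=Infrastructure,DC=corp,DC=example": _ntds("DC2"),
    "CN=RID Manager$,CN=System,DC=emea,DC=corp,DC=example": _ntds("EMEADC1", "Paris"),
    "DC=emea,DC=corp,DC=example": _ntds("EMEADC1", "Paris"),
    # holder was removed without transferring the role: DN now carries the deleted marker
    "CN=Infrastructure,DC=emea,DC=corp,DC=example": "CN=NTDS Settings\nDEL:0f1e2d3c-0000-0000-0000-0000deadbeef,CN=Deleted Objects,CN=Configuration,DC=corp,DC=example",
}
```

Against a live forest the same dict is obtained by reading the fSMORoleOwner attribute of those eight objects with any LDAP client; an orphaned entry is the case where a role must be seized rather than transferred.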
