Master of Your Domain

Domain controller roles are not defined during the installation of Windows Server 2003 but rather by running the Active Directory Installation Wizard. (For a little more information about the Active Directory Installation Wizard, see Chapter 11.) Windows Server 2003 does borrow the concept of a primary domain controller (PDC) from Windows NT through the use of the PDC emulator domain controller for certain domain functions, but it has jettisoned Windows NT's concept of a backup domain controller (BDC). In Windows Server 2003, all domain controllers are equal and share peer-to-peer relationships, rather than acting either as a master (PDC) or a slave (BDC) in a master/slave relationship.

REMEMBER To support older Windows NT Server 4.0 and 3.51 BDCs in a mixed-mode environment, one of the Windows Server 2003 domain controllers must emulate the actions of a Windows NT Server 4.0 PDC. It then has to replicate changes to those old-fashioned BDCs so that they can pick up the necessary changes, such as password modifications.

Having all these peers around can cause problems if you don't watch out. (Ever hear the expression, "Too many cooks spoil the broth"?) Windows Server 2003 utilizes five special roles to keep all these peers in line. One role was specifically designed to support any Windows NT vintage clients and domain controllers. The other four roles work to eliminate the risk of multiple domain controllers making changes to the same object and losing attribute modifications. These roles are called Flexible Single Master of Operations (FSMO) roles, and each of the five roles manages a particular aspect of a domain or forest. Some of the Flexible Single Master of Operation domain controllers, sometimes referred to as Operations Masters, have a role that is domain wide, so their effect is limited to the given domain. When a forest has multiple domains, each domain has its own set of domain-wide FSMO domain controllers. Other FSMO domain controllers have a forest-wide role. Each forest-wide FSMO domain controller is the only one of its type in the entire forest, regardless of how many domains are within the forest.

The flexibility of the Flexible Single Master of Operation domain controllers comes from the fact that these roles can be moved between domain controllers within a domain if the role of the original FSMO DC was domain wide, or between other domain controllers in the forest if the role of the original FSMO DC was forest wide. However, it does take a bit of effort on your part to move them.

You assign the FSMO roles using the NTDSUTIL utility. For more information on the NTDSUTIL utility, see the Windows Server 2003 Server help files or the Resource Kit.

The following list gives you an idea how these five roles work with domains in Active Directory:

Schema master: At the heart of Active Directory, the schema is a blueprint for all objects and containers. Because the schema has to be the same throughout an entire forest, only one domain controller can be used to make modifications to the schema. If the domain controller that holds the role of Schema Master can't be reached, no updates to the Active Directory schema are performed. You must be a member of the Schema Administrators group to make changes to the schema. (See

Domain naming master: To add a domain to a forest, its name has to be verifiably unique. The domain naming master of the forest oversees the domain name operation and ensures that only verifiably unique names are assigned. It also functions to add and remove any cross-references to domains in external directories, such as external Lightweight Directory Access Protocol (LDAP) directories. Only one domain naming master exists per forest, and you must be a member of the Enterprise Administrators group to make changes to the domain naming master, such as transferring the FSMO role or adding domains to or removing domains from the forest.

Relative ID (RID) master: Any domain controller can create new objects (such as user, group, and computer accounts), and the RID master ensures that each object gets a unique RID. A domain controller contacts the RID master only when it has fewer than 100 RIDs left, which means that the RID master can be unavailable for short periods of time without causing object creation problems. There can be only one RID master per domain.

PDC emulator: The PDC emulator domain controller acts as a Windows NT primary domain controller when there is a domain environment that contains both NT4 BDCs and Windows 2000 DCs or Windows 2003 DCs (or both). It processes all NT4 password changes from clients and replicates domain updates to the down-level BDCs. After upgrades to the domain controllers have been performed and the last of the BDCs are upgraded or removed from the environment, the Windows 2000 domain or Windows Server 2003 domain (or both) can be switched to native mode. After the domain is in native mode, the PDC emulator still performs certain duties that no other DCs in the domain handle. Each domain in the forest, including child domains, has only one PDC emulator domain controller.

Infrastructure master: When a user and a group are in different domains, there can be a lag between changes to the user object (a username, for example) and its display in the group. The infrastructure master of the group's domain is responsible for fixing the group-to-user reference to reflect the rename. The infrastructure master performs its fix-ups locally and relies on replication to bring all other replicas of the domain up to date. (For more information on replication, see the "When replication happens" section, later in this chapter.)
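Because each of the five roles has exactly one holder, an administrator's first check is usually "which DC holds what, and is it reachable?" The following PowerShell script is an added example, not from the book, and assumes the ActiveDirectory module from RSAT (which postdates Windows Server 2003; on a 2003-era DC the equivalent read-only query is `netdom query fsmo`). The target DC name in the final line is a placeholder.

```powershell
# Added example (not from the book): list the five FSMO role holders for the
# current forest and domain, then confirm each holder answers on the network.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles have one holder in the whole forest; domain-wide roles
    # have one holder per domain (this reports only the current domain).
    [ordered]@{
        'Schema master (forest)'         = $forest.SchemaMaster
        'Domain naming master (forest)'  = $forest.DomainNamingMaster
        'RID master (domain)'            = $domain.RIDMaster
        'PDC emulator (domain)'          = $domain.PDCEmulator
        'Infrastructure master (domain)' = $domain.InfrastructureMaster
    }
}

function Test-FsmoRoleHolders {
    $holders = Get-FsmoRoleHolders
    foreach ($role in $holders.Keys) {
        $dc = $holders[$role]
        # An unreachable schema master blocks all schema updates; an unreachable
        # RID master only hurts once a DC's RID pool drops below 100 and it needs more.
        $reachable = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role
            Holder    = $dc
            Reachable = $reachable
        }
    }
}

Test-FsmoRoleHolders | Format-Table -AutoSize

# The "flexible" part: a role can be transferred to another DC. The NTDSUTIL
# "roles" menu mentioned in the text does this interactively ("connections",
# "connect to server <TARGET-DC>", "quit", "transfer pdc"); with RSAT the same
# transfer is a single cmdlet. Uncomment and replace the placeholder to run it.
# Move-ADDirectoryServerOperationMasterRole -Identity '<TARGET-DC>' -OperationMasterRole PDCEmulator
```

Run it from a domain-joined admin workstation; a holder that shows `Reachable = False` is the DC to investigate before any operation that depends on that role.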