Operation Master Roles

Operation Master Roles or Flexible Single Master Operations (FSMO) are special roles assigned to one or more domain controllers. There are five of them. Two are forest wide and three are domain wide.

The forest wide are Schema Master and Domain Naming Master,the domain wide are Relative ID Master or RID Master,Primary Domain Controller Emulator(PDC)and Infrastructure Master.

So what are these roles doing? The Schema Master controls all updates and modifications to the schema.Domain Master controls additions or removal of domains in the forest.The RID Master allocates sequences or relative id's to each domain controller.

The PDC emulator role operates as a primary domain controller (PDC) for pre-Windows 2000 operating systems. The PDC emulator has an important role in replicating passwords.So even if no pre-Windows 2000 member servers or client computers exist in the domain, the PDC emulator is responsible in maintaining password updates. All password changes made on other domain controllers in the domain are sent to the PDC emulator

The Infrastructure Master is responsible for updating the group-to-group references when members of groups are renamed or changed.

Throughout the entire forest there can be only one schema master and one domain naming master,and each domain in a forest can only have one RID Master,PDC Emulator,and Infrastructure Master.

Managing Operation Masters

You have two ways of manage the Operation Masters: Transfer or Seizing. Transfers are used when you want to move the role from one server to another.There is only one restriction to this,and that is you should not install the Infrastructure Master on a dc that is also a global catalog server if the forest have muliple domains, unless that every dc is also a global catalog.

Seizing is used when a server holding the role has a failure and you intend not to restore it back.To seize the role you use the Ntdsutil tool.You can also use Active Directory Users And Computers to seize the PDC Emulator and Infrastructure Master roles.

How to seize the role

Open a command prompt type ntdsutil press enter.Then type roles and enter.At the prompt type connections and enter. Type connect to server,(where ServerName is the name of the server that you want to place the operations master role on) and press Enter.Type quit and Enter.Then type seize role (where role is the operations master role you want to seize)and Enter. Accept the warning message. The server will now first try to perform a normal transfer,when that fails the role will be seized. Type quit to exit Ntdsutil.

Operation Master Disaster Recovery

PDC Emulator

Failure of the PDC emulator can affect users immediately, you should seize the PDC emulator role as soon as possible.When a PDC emulator is unavailable, Windows NT 4.0 backup domain controllers,are unable to synchronize directory changes, and pre-Windows 2000 clients are unable change passwords. When the original PDC emulator is restored and connected to the network again, it will detect the presence of the new PDC emulator and give up the PDC emulator role. If desired, the PDC emulator role can be moved back to the original server after it is restored.

Schema Master

The schema master has an essential role in a Windows Server domain,but that is not used very often. The schema master is the only domain controller in which the schema can be changed. If the server fails, you will not be able to make changes to the schema,until it is restored,or until the role has been seized.Failure of a schema master does not affect users. You should wait and restore the schema master rather than seizing it. If you do seize the schema master role to another domain controller, the original schema master should never be restored on the network.

Domain Naming Master

The operations master is required only when adding or removing domains. The failure of this role does not affect users. Administrators are only affected if a new domain is being added to the forest or an old domain is being removed from the forest.You should wait for the original domain naming master to be restored.If you must add or remove a domain and you do not have time to restore the domain naming master, you can seize the role. If you do seize the domain naming master role to another domain controller, the original domain naming master should never be restored on the network

Infrastructure Master

The infrastructure master role is maybe least important in a disaster recovery perspective. The infrastructure master monitors display-name changes for user and group accounts across multiple domains. This becomes an issue only when administrators are viewing group memberships.You should wait and restore the infrastructure master role rather than seizing. If you seize an infrastructure role to another domain controller in a multiple-domain environment, you should ensure that the destination domain controller is not a GC server. An infrastructure master placed on a global catalog server does not function properly. If you seize the role,you can restore the original infrastructure master.

RID Master

The RID master assigns RID pools to other domain controllers as new security principals are created. If the RID master is not available for a long period, the domain controllers might run out of RIDs to assign to new security principals. This role only needs to be seized if you are planning to create a large number of security principals before the original RID masteris restored, or if you are not planning to restore the original RID master. If you seize the RID master role to another domain controller, the original RID master should never be restored on the network.