Active Directory basic 3

Operations master roles

==================================

When a change is made on the domain, the change will be copied to all domain controllers in the domain. some modifications, such as schema modifications, will be copied to the entire forest. this type of replication is calledMulti-body replication (Multimaster replication ).

 

During the multimaster replication process, if the update source occurs on both domain controllers and the same attribute of the same object is modified, a replication conflict occurs. to avoid replication conflicts, Active Directory usesSingle-master replication (Single master replication) mechanism, which indicates that the modification can only be performed on a specified domain controller. in this way, it is impossible to modify an object at the same time in different places on the network. active Directory uses single-master replication for important modifications, such as adding a new domain or modifying a schema in the forest range.

 

The operations for using single-master replication in the domain or forest will be arranged together and placed in a specific role. these roles are called operations master roles. for each operations master role, only when the domain controller assumes this role can it make relevant directory modifications. the domain controller responsible for playing a specific role is called the operation master of that role. active Directory stores information about the role played by the domain controller.

 

Active Directory defines five Operation Master roles, each of which has a default location. The Operation Master roles can be forest-level or domain-level.

 

Forest Range-level role

====================

Forest Range-level role is unique for a forest, including:

• Schema master
• Controls All Schema updates. schema contains the main object class tables and main attribute tables. These object classes and attributes are used to create all active directory objects, such as users, computers, and printers.
• Domain naming master
• Control the addition and deletion of domain in the forest. When you add a new domain to the forest, only the domain controller playing the domain naming master role can be used to add a new domain.

Within the entire forest, there can be only one schema master and only one domain naming master.

 

Domain-level role

====================

Domain-level role is unique in each domain, including:

• Primary Domain Controller emulator (PDC)
• It plays a role similar to Windows nt pdc and supports any standby domain controller running in Microsoft Windows NT hybrid mode domain. these domains contain Domain Controllers Running Windows NT 4.0. PDC emulator is the first domain you created in the new domain.
• Relative identifier master (RID)
• When a new object is created, the domain controller creates a new security subject, which represents the new object, the domain controller will assign this new object a unique security identifier (SID )). this Sid contains the SID of the domain. the SID of this domain is the same as the Security Identifier created in this domain. another part of the SID of this object is the RID, which is unique among all security principal created in the domain. the RID master allocates the RID block for the domain controller in the domain. the Domain Controller then assigns the RID to the newly created object.
• Infrastucture master
• When an object is transferred from one domain to another, the Infrastructure Master updates the object references in the domain. the object reference contains the Globally Unique Identifier (guid) of the object, which is used for distinguishing names and Sid. active Directory regularly updates the names used for distinguishing objects in object references, as well as Sid. In this way, it reflects changes to objects, such as moving objects within or between domains, or delete the object.

Each domain in forest has its own PDC emulator, RID master, and infrastructure master.