AD Operations Master (FSMO) Roles: Description (Windows Server)

Source: Internet
Author: User

Active Directory defines five operations master roles (FSMO roles):

Schema master: works at the forest level (only one schema master per forest)

Domain naming master: works at the forest level

Relative identifier (RID) master: works at the domain level (only one RID master per domain)

Primary domain controller (PDC) emulator: works at the domain level

Infrastructure master: works at the domain level

Schema master: works at the forest level

Function: controls the definition of every object class and attribute in Active Directory

Tip: run regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in; managing the schema master requires membership in the Schema Admins group

Failure impact: schema updates are blocked; in the short term there is usually no visible impact

Typical symptom: Exchange cannot be installed

Fault handling: the role can only be seized; a seizure cannot be reversed, so make sure the original role holder stays permanently offline

Any change to the AD schema can be made only through the schema master. Many advanced server products, such as Exchange, need to modify the AD schema at deployment time. If the schema master cannot be contacted when Exchange is deployed in a domain, the deployment cannot continue. MCSE exams have tested this point.

Domain naming master: works at the forest level

Function: controls the addition and removal of domains in the forest, and the addition and removal of cross-reference objects that describe external directories

Tip: it is recommended to place this role on a global catalog (GC) server; managing it requires membership in the Enterprise Admins group

Failure impact: changes to the domain structure are blocked; in the short term there is usually no visible impact

Typical symptom: domains cannot be added or removed

Fault handling: the role can only be seized; a seizure cannot be reversed, so make sure the original role holder stays permanently offline

Its main responsibility is to control the addition and removal of domains in the forest: when a new domain is added, the domain naming master must confirm that the domain name is valid before the operation can proceed. If the domain naming master is offline, a new domain cannot be created in the forest. It also validates domain names.

It is also responsible for adding and removing the cross-reference objects that describe external directories.

RID master: works at the domain level

Function: manages the pool of relative identifiers (RIDs) for objects in the domain

Object security identifier (SID) = domain SID + relative identifier (RID)

Example: S-1-5-21-1343024091-879983540-3 ...

In S-1-5-21-d1-d2-d3-rid, S stands for SID, 1 is the SID revision, 5 is the identifier authority (NT Authority), 21 is a sub-authority, d1-d2-d3 are three numbers that identify the domain or computer the object belongs to, and rid is the object's relative number within that domain or computer. The Administrator account's SID is S-1-5-21-3855104193-3464347045-3256418734-500, where the RID is 500.

Failure impact: new RID pools cannot be allocated

Typical symptom: new user accounts (especially in large numbers) cannot be created

Fault handling: the role can only be seized; a seizure cannot be reversed, so make sure the original role holder stays permanently offline

The RID is the part of a SID that the RID master allocates: it hands out a pool of available RIDs (500 by default) and issues a fresh pool when the current one is nearly used up. If the RID master fails, creating a large number of user accounts soon becomes a problem.
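The S-1-5-21-d1-d2-d3-rid layout above is easiest to understand by decoding a SID from the binary form that LDAP stores in objectSid. The following PowerShell is an added example, not code from the original article: ConvertFrom-BinarySid is a hand-written decoder that splits the revision, identifier authority and sub-authorities, separates the domain SID from the RID, and cross-checks itself against the .NET System.Security.Principal.SecurityIdentifier class. The sample input is constructed from the Administrator SID quoted above; the well-known RID table covers only the built-in accounts and groups listed in it.

```powershell
# Added example, not part of the original article: decode a binary objectSid
# (the form LDAP stores it in) into the S-1-5-21-d1-d2-d3-rid parts described
# above, and cross-check the result against the .NET SecurityIdentifier class.
function ConvertFrom-BinarySid {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 8) { throw 'SID too short: the header alone is 8 bytes' }
    $revision = [int]$Bytes[0]                 # always 1
    $subCount = [int]$Bytes[1]                 # number of 32-bit sub-authorities
    if ($subCount -gt 15) { throw "Too many sub-authorities: $subCount" }
    if ($Bytes.Length -ne 8 + 4 * $subCount) {
        throw "Length $($Bytes.Length) does not match $subCount sub-authorities"
    }

    # Identifier authority: 6 bytes, big-endian (5 = NT Authority).
    $authority = [long]0
    for ($i = 2; $i -lt 8; $i++) { $authority = $authority * 256 + $Bytes[$i] }

    # Sub-authorities: unsigned 32-bit, little-endian.
    $subs = [uint32[]]::new($subCount)
    for ($i = 0; $i -lt $subCount; $i++) {
        $subs[$i] = [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }

    $text = (@('S', $revision, $authority) + @($subs)) -join '-'

    # Domain SIDs have the shape S-1-5-21-d1-d2-d3; the trailing value is the RID.
    $domainSid = $null; $rid = $null; $wellKnown = $null
    if ($authority -eq 5 -and $subCount -eq 5 -and $subs[0] -eq 21) {
        $domainSid = (@('S', $revision, $authority) + @($subs[0..3])) -join '-'
        $rid = $subs[4]
        # RIDs below 1000 are reserved for built-in accounts and groups.
        $known = @{ '500' = 'Administrator'; '501' = 'Guest'; '502' = 'krbtgt'
                    '512' = 'Domain Admins'; '513' = 'Domain Users'
                    '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }
        $wellKnown = $known["$rid"]
    }

    # Cross-check the hand decoding against the platform's own parser.
    $reference = [System.Security.Principal.SecurityIdentifier]::new($Bytes, 0).Value
    if ($reference -ne $text) { throw "Decoder mismatch: $text vs $reference" }

    [pscustomobject]@{
        Sid            = $text
        Revision       = $revision
        Authority      = $authority
        SubAuthorities = $subs
        DomainSid      = $domainSid
        Rid            = $rid
        WellKnownName  = $wellKnown
    }
}

# Constructed sample input: the Administrator SID quoted above, in its binary form.
$sample = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-21-3855104193-3464347045-3256418734-500')
$bytes  = [byte[]]::new($sample.BinaryLength)
$sample.GetBinaryForm($bytes, 0)
ConvertFrom-BinarySid -Bytes $bytes | Format-List
```

For the sample, DomainSid comes out as S-1-5-21-3855104193-3464347045-3256418734, Rid as 500 and WellKnownName as Administrator. The length and sub-authority-count checks matter in practice because a truncated or padded objectSid read from a directory or a log should be rejected rather than silently decoded into a wrong domain SID.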

PDC emulator: works at the domain level

Function: emulates a Windows NT PDC, acts as the default domain master browser and the default authoritative time source for the domain, and centralizes domain account password updates, validation and lockouts

Tip: the PDC emulator does much more than emulate an NT PDC, so its load is usually the heaviest

Failure impact: down-level clients cannot access AD, domain account passwords cannot be changed, browser service problems, time synchronization problems

Fault handling: recover promptly; a transfer operation can be used to move the PDC emulator role to another host while the current holder is online

Provides compatibility with NT4 servers; has priority to become the master browser (the computer role that maintains the list of computers in Network Neighborhood); receives AD changes with priority (changes to AD content are replicated to the PDC emulator first); acts as the authoritative time source within the domain; and is the preferred storage location for Group Policy.

Infrastructure master: works at the domain level

Function: responsible for updating cross-domain object references

Tip: in a single-domain forest the infrastructure master has nothing to do; it must not be placed on the same DC as a GC (unless the domain has only one DC)

Failure impact: accounts from other domains are not recognized and are shown as raw SIDs

Fault handling: recover promptly; a transfer operation can be used to move the role to another host while the current holder is online

The infrastructure master updates references to objects in other domains. If a user from domain A is added to a group in domain B, the infrastructure master of domain B is responsible for tracking whether that user in domain A has changed (for example, been deleted); its work keeps cross-domain object references usable.

In a single domain there is essentially nothing for the infrastructure master to do.

In a multi-domain forest, if the infrastructure master is placed on the same DC as a GC (global catalog), it will not function properly.

Placement recommendations for operations masters

Default: the schema master and the domain naming master are on the first DC in the forest root domain; the other three roles (RID master, PDC emulator, infrastructure master) are on the first DC in each respective domain

Issues to consider: conflict with the GC, performance

Manual optimization: do not place the infrastructure master with a GC; place the domain naming master with a GC; place the schema master with the domain naming master; place the PDC emulator on its own.
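The placement rules above and the transfer-versus-seize distinction in the fault-handling notes can be checked and applied with the ActiveDirectory PowerShell module. The following is an added example, not code from the original article: Get-FsmoPlacementReport lists the five role holders and flags placements that break the rules listed here (infrastructure master on a GC in a multi-domain forest, domain naming master not on a GC, schema master separated from the domain naming master, PDC emulator sharing a DC with another role); Move-FsmoRole wraps Move-ADDirectoryServerOperationMasterRole so that a seizure is an explicit choice. It assumes a domain-joined session with RSAT installed; the DC name DC02 is a placeholder.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory
# module (RSAT) and a domain-joined session with rights to read FSMO role owners.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    # Lists the five role holders and flags placements that break the rules above.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    $multiDomain = @($forest.Domains).Count -gt 1
    $dcCount     = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot).Count

    foreach ($role in @($roles.Keys)) {
        $holder = $roles[$role]
        $isGC   = (Get-ADDomainController -Identity $holder -Server $holder).IsGlobalCatalog
        $warn   = @()

        switch ($role) {
            'InfrastructureMaster' {
                # Only a problem in a multi-domain forest with more than one DC in the domain.
                if ($multiDomain -and $isGC -and $dcCount -gt 1) {
                    $warn += 'infrastructure master is on a GC in a multi-domain forest'
                }
            }
            'DomainNamingMaster' {
                if (-not $isGC) { $warn += 'domain naming master is not on a GC' }
            }
            'SchemaMaster' {
                if ($holder -ne $roles['DomainNamingMaster']) {
                    $warn += 'schema master is not on the same DC as the domain naming master'
                }
            }
            'PDCEmulator' {
                $shared = @($roles.Keys) | Where-Object { $_ -ne 'PDCEmulator' -and $roles[$_] -eq $holder }
                if ($shared) { $warn += "PDC emulator shares its DC with: $($shared -join ', ')" }
            }
        }

        [pscustomobject]@{
            Role          = $role
            Holder        = $holder
            GlobalCatalog = $isGC
            Warning       = ($warn -join '; ')
        }
    }
}

function Move-FsmoRole {
    # Transfer while the current holder is online; seize (-Seize) only when it is
    # permanently gone, because a seizure cannot be undone.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string[]]$Role,
        [switch]$Seize
    )
    $params = @{ Identity = $TargetDC; OperationMasterRole = $Role }
    if ($Seize) { $params['Force'] = $true }   # -Force turns the transfer into a seizure
    Move-ADDirectoryServerOperationMasterRole @params -Confirm:$false
}

Get-FsmoPlacementReport | Format-Table -AutoSize

# Planned online transfer of the two domain-level roles the article says should be
# recovered promptly. 'DC02' is a placeholder; -WhatIf previews without changing anything.
Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator, InfrastructureMaster -WhatIf
```

Run the report before and after any role move; an empty Warning column means the placement matches the recommendations above. Keep -Seize out of routine scripts: because the old holder must never come back online after a seizure, the decision belongs to a person who has confirmed that the DC is gone for good.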
