Active Directory Physical Structure

Besides the Global Catalog server role, there are five special roles that a domain controller might hold, referred to as Operations Masters. These are outlined below:

Schema Master – In a forest, one domain controller holds the role of the Schema Master. The Schema Master maintains the Active Directory schema, and holds the only writable copy of the schema. There is only one Schema Master per forest, and by default it will be the first domain controller created in the root domain of the forest.

Domain Naming Master – This domain controller keeps track of domains that are added or removed from the forest, ensuring integrity of the forest structure as these changes take place. There is only one Domain Naming Master per forest, and by default it will be the first domain controller created in the root domain of the forest.

PDC Emulator – The PDC Emulator exists for a couple of reasons, one of which is backwards compatibility with NT 4 domain controllers. When upgrading a domain to Windows 2000, the first system upgraded should be the PDC, and this new Windows 2000 DC emulates the old PDC for the remaining NT 4 BDCs. Password changes are also replicated to the PDC Emulator preferentially, and it is consulted before a client logon request is failed. By default, downlevel clients such as those running NT 4 and Windows 9x will continue to make password changes at the PDC Emulator (unless they have the Active Directory client installed). There is one PDC Emulator per domain, by default the first domain controller created in the domain.

Relative Identifier (RID) Master – In Windows NT 4, the PDC was responsible for creating all SIDs, since it was responsible for creating all security principals. In Windows 2000, any domain controller can create a security principal. A security principal's SID is actually made up of two parts: the domain SID (which identifies the domain) and a RID (which uniquely identifies the object within that domain). In order to ensure that all SIDs are unique, one domain controller per domain is assigned the role of RID Master, which is responsible for creating the domain's pool of RIDs and allocating blocks of these RIDs to the other domain controllers in the domain. This ensures that no duplicate object SIDs are issued. Each Active Directory domain has one RID Master, by default the first domain controller created in that domain.

Infrastructure Master – The Infrastructure Master is responsible for keeping track of which users from other domains are members of groups in its domain, and for keeping track of any changes to those memberships that take place. This ensures consistency of user-to-group references in Active Directory. Each Active Directory domain has one Infrastructure Master, by default the first domain controller created in that domain.
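As an added example (not part of the original article), the following PowerShell script reports which domain controller holds each of the five Operations Master roles described above, and flags one Infrastructure Master placement problem from Microsoft's own guidance that the article does not cover. It assumes the ActiveDirectory module from RSAT, which postdates the Windows 2000 era the article describes, and a domain-joined, authenticated session.

```powershell
# Added example: enumerate the forest- and domain-level Operations Master (FSMO) holders.
# Assumes the ActiveDirectory module (RSAT) is installed and the session can reach a DC.
Import-Module ActiveDirectory

$forest = Get-ADForest

# The two forest-wide roles live on exactly one DC each in the whole forest.
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    [PSCustomObject]@{
        Scope  = $forest.Name
        Role   = $role
        Holder = $forest.$role
    }
}

# The three domain-wide roles repeat once per domain in the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        [PSCustomObject]@{
            Scope  = $domainName
            Role   = $role
            Holder = $domain.$role
        }
    }

    # Placement check (Microsoft guidance, not stated in the article): a Global Catalog
    # holds no phantom records for objects in other domains, so an Infrastructure Master
    # that is also a GC finds nothing to update. Unless every DC in the domain is a GC,
    # the cross-domain group references on the non-GC DCs will quietly go stale.
    $dcs   = Get-ADDomainController -Filter * -Server $domainName
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    if ($im -and $im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning ("{0}: Infrastructure Master {1} is a Global Catalog but not every DC is; " +
                       "cross-domain group membership references may not be updated.") -f $domainName, $im.HostName
    }
}
```

Pipe the script's output through Format-Table to get one row per role and a quick visual check that each forest-wide role appears once and each domain has all three domain-wide roles.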

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.