This action might not be possible to undo. Are you sure you want to continue?
A domain is a concept used in NT server operating systems whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
NT4: actual PDCs
Such domains have at least a Primary Domain Controller, and will often have one or more Backup Domain Controllers (BDCs). The PDC has the master copy of the user accounts database which it can access and modify. The BDC computers have a copy of this database, but these copies are read-only. The PDC will replicate its account database to the BDCs on a regular basis. The BDCs exist in order to provide a backup to the PDC, and can also be used to authenticate users logging on to the network. If a PDC should fail, one of the BDCs can then be promoted to take its place. The PDC will usually be the first domain controller that was created unless it was replaced by a promoted BDC.
Windows 2000: PDC emulation
In later releases of Windows, such as Windows 2000, NT 4 type domains have been superseded by Active Directory. In Active Directory domains, the concept of Primary and Backup Domain Controllers doesn't exist. Instead, the domain controllers in these domains are all considered to be equal in that all controllers have full access to the accounts databases stored on their machines. However, in these later releases of Windows, an Active Directory FSMO role named PDC emulator master does exist in each domain. This PDC emulator master does not have the same special role in replication as the Primary Domain Controller in pre-Windows 2000 systems, but does have certain additional responsibilities:
• • The PDC emulator master acts in place of the Primary Domain Controller if there are Windows NT 4.0 domain controllers (BDCs) remaining within the domain, acting as a source for them to replicate from. The PDC emulator master receives preferential replication of password changes within the domain. As password changes take time to replicate across all the domain controllers in an Active Directory domain, the PDC emulator master receives notification of password changes immediately, and if a logon attempt fails at another domain controller, that domain controller will forward the logon request to the PDC emulator master before rejecting it. The PDC emulator master also serves as the machine to which all domain controllers in the domain will synchronise their clocks. It, in turn, should be configured to synchronise to an external NTP time source.
PDC has been faithfully recreated on the Samba emulation of Microsoft's SMB client/server system. Samba has the capability to emulate an NT 4.0 domain, running on a Linux machine.
In Windows NT 4 server domains, the Backup Domain Controller (BDC) is a computer that has a copy of the user accounts database. Unlike the accounts database on the Primary Domain Controller (PDC), the BDC database is a read only copy. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDCs. Most domains will have at least one BDC, often there are several BDCs in a domain. These domains exist to provide fault tolerance. If the PDC fails, then it can be replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new PDC. BDCs can also authenticate user logon requests - and take some of the authentication load from the PDC. When Windows 2000 was released, the NT domain as found in NT 4 and prior versions was replaced by Active Directory. In Active Directory domains running in native mode the concept of the primary and backup domain controllers do not exist. In these domains, all domain controllers are considered to be equal. A side-effect of this change is the loss of ability to create a "read-only" domain controller. Windows Server 2008 reintroduces this capability.
Flexible Single Master of Operation (FSMO, F is sometimes floating ; pronounced Fiz-mo), or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD). As of 2005, the term FSMO has been deprecated in favor of operations masters. FSMOs are specialized domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication, and are viable only with a single-master database, are the FSMOs
Description of FSMO Roles
 Once per domain • • The Relative ID Master allocates security RIDs to DCs to assign to new AD security principals (users, groups or computer objects). It also manages objects moving between domains. The Infrastructure Master maintains security identifiers, GUIDs, and DN for objects referenced across domains. Most commonly it updates user and group links.This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed. Because of this, the hardware requirements for machines holding this role are relatively small. The PDC Emulator operations master role processes all password changes in the domain. Failed authentication attempts due to a bad password at other domain controllers are forwarded to the PDC Emulator before rejection. This ensures that a user can immediately login following a password change from any domain controller, without having to wait several minutes for the change to be replicated. The PDC Emulator Operations Master role must be carefully sited in a location to best handle all password
reset and failed-authentication forwarding traffic for the domain. The PDC emulator role holder retains the following functions: 1. Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. 2. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. 3. Account lockout is processed on the PDC emulator. 4. backward compatibility,The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.  Once per forest • • The Schema Master maintains all modifications to the schema of the forest. The schema determines the types of objects permitted in the forest and the attributes of those objects. The Domain Naming Master tracks the names of all domains in the forest and is required to add new domains to the forest or delete existing domains from the forest. It is also responsible for group membership.
Moving FSMO Roles Between Domain Controllers
By default AD assigns all operations master roles to the first DC created in a forest. If new domains are created in the forest, the first DC in a new domain holds all of the domain-wide FSMO roles. This is not a satisfactory position. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. When a FSMO role is transferred to a different DC, the original FSMO holder and the new FSMO holder communicate to ensure no data is lost during the transfer. If the original FSMO holder experienced an unrecoverable failure, you can force another DC to seize the lost roles; however, there is a risk of data loss because of the lack of communications. If you seize an FSMO role instead of transferring the role, that domain controller can never be allowed to host that FSMO role again,except for the PDC emulator Master operation and the Infrastructure Master Operation. Corruption can occur within Active Directory. FSMO roles can be easily moved between DCs using the AD snap-ins to the MMC or using ntdsutil which is a command line based tool. Certain FSMO roles depend on the DC being a Global Catalog (GC) server as well. For example, the Infrastructure Master role must not be housed on a domain controller which also houses a copy of the global catalog in a multi-domain forest (unless all domain controllers in the domain are also global catalog servers), while the Domain Name Master role should be housed on a DC which is also a GC. When a Forest is initially created, the first Domain Controller is a Global Catalog server by default. The Global Catalog provides several functions. The GC stores object data information, manages queries of these data objects and their attributes as well as provides data to allow network logon. The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Name Master should also be on the same DC. To provide fault tolerance, there should be at least 2 domain controllers available within each domain of the Forest. Furthermore, the Infrastructure Master role holder should not also be a Global Catalog Server, as the combination of these two roles on the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain environment. 
Active Directory support tools
Note: These tools are not restricted to FSMO administration.
Several additional tools that can be used to configure, manage, and debug Active Directory are available as command-line tools. These tools are known as the Support Tools and are available on the installation CD in the \Support\Tools folder.
List and description of tools
In addition, the Active Directory Migration Tool (ADMT) is available to help you migrate user accounts, groups, and computer accounts from Windows NT 4.0 domains to Active Directory domains. The Active Directory Migration Tool is a Microsoft Management Console (MMC) snap-in and is available on the installation compact disk in the \i386\ADMT folder. Tool Description
• • • • • • • • • • • • • • • • • Movetree: Move objects from one domain to another. SIDWalk: Set the access control lists on objects previously owned by accounts that were moved, orphaned, or deleted. LDP: Allows LDAP operations to be performed against Active Directory. This tool has a graphical user interface (GUI). Dnscmd: Enables administrator to check presence of domain controller locator records in DNS, add or delete such records and perform configuration of DNS servers, zones and records. DSACLS: View or modify the access control lists of directory objects. Netdom: Batch management of trusts, joining computers to domains, verifying trusts and secure channels. NETDiag: Check end to end network and distributed services functions. NLTest: Check that the locator and secure channel are functioning. Repadmin: Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker recalculation. Replmon: Display replication topology, monitor replication status (including group policies), force replication events and knowledge consistency checker recalculation. This tool has a graphical user interface (GUI). DSAStat: Compare directory information on domain controllers and detect differences. ADSI Edit: A Microsoft Management Console (MMC) snap-in used to view all objects in the directory (including schema and configuration information), modify objects and set access control lists on objects. SDCheck: Check access control list propagation and replication for specified objects in the directory. This tool enables an administrator to determine if access control lists are being inherited correctly and if access control list changes are being replicated from one domain controller to another. ACLDiag: Determine whether a user has been assigned or denied access to a directory object. It can also be used to reset access control lists to their default state. DFSUtil: Command-line utility for managing all aspects of Distributed File System (DFS), checking the configuration concurrency of DFS servers, and displaying the DFS topology. Dcdiag: Analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. Active Directory Migration Tool (ADMT): A Microsoft Management Console (MMC) snap-in used to migrate user accounts, groups, and computer accounts from Windows NT 4.0 domains to Active Directory domains (available on the installation compact disk in the \i386\ADMT folder).
Note: The Global Catalog task is not restricted to a single host within a domain or forest. It is not a FSMO task.
The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprise wide forest search only on the properties in the GC, whereas you can search for any property in a user’s domain tree. Only Directory Services (DS) or Domain Controller (DC) can hold a copy of the GC. Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows NT sets servers as GCs as necessary, so you don’t need to configure additional GCs unless you notice slow query response times. Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC. By default, the first DC in the First Domain in the First Tree in the AD Forest (the root domain) will be configured as the GC. You can configure another DC to become the GC, or even add it as another GC while keeping the first default one. Reasons for such an action might be the need to place a GC in each AD Site. To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following steps: Start the Microsoft Management Console (MMC) Active Directory Sites and Services Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager). Select the Sites branch. Select the site that owns the server, and expand the Servers branch. Select the server you want to configure. Right-click NTDS Settings, and select Properties. Select or clear the Global Catalog Server checkbox, which the Screen shows. Click Apply, OK. You must allow for the GC to replicate itself throughout the forest. This process might take anywhere between 10-15 minutes to even several days, all depending on your AD infrastructure.
Windows 2000 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000 incorporates methods to prevent conflicting Active Directory updates from occurring.
Back to the top
Windows 2000 Single-Master Model
To prevent conflicting updates in Windows 2000, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 3.51 and 4.0), in which the PDC is responsible for processing all updates in a given domain.
The Windows 2000 Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role. Currently in Windows 2000 there are five FSMO roles:
• • • • •
Schema master Domain naming master RID master PDC emulator Infrastructure daemon
Back to the top
Schema Master FSMO Role
The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory. Back to the top
Domain Naming Master FSMO Role
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. Back to the top
RID Master FSMO Role
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory. Back to the top
PDC Emulator FSMO Role
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000 domain, the PDC emulator role holder retains the following functions:
• • • •
Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment.
The following information describes the changes that occur during the upgrade process:
Windows 2000 clients (workstations and member servers) and down-level clients that have installed
the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the
PDC emulator receives no down-level replica requests. Windows 2000 clients (workstations and member servers) and down-level clients that have installed
the distributed services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.
Back to the top
Infrastructure FSMO Role
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.