Planning Operations Master Role Placement
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Active Directory supports multimaster replication of directory data, which means any domain controller can accept directory changes and replicate the changes to all other domain controllers. However, certain changes, such as schema modifications, are impractical to perform in a multimaster fashion. For this reason, certain domain controllers, known as operations masters, hold roles responsible for accepting requests for specific kinds of changes.
Three operations master roles exist in each domain:
The primary domain controller (PDC) emulator processes all replication requests from Microsoft® Windows NT® 4.0 backup domain controllers (BDCs) and processes all password updates for clients that are not running Active Directory client software.
The relative identifier (RID) master allocates RIDs to all domain controllers to ensure that all security principals have a unique identifier.
The infrastructure master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
The schema master governs changes to the schema.
The domain naming master adds and removes domains to and from the forest.
Place the domain controllers hosting these operations master roles in areas where network reliability is high, and ensure that the PDC emulator and the RID master are consistently available.
Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. Additionally, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain.
Place the first domain controller for a domain in a location that has the largest number of users for that domain. Designate a standby operations master for a domain controller that hosts the operations master roles. The standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original role holder fails. Ensure that the standby operations master is a direct replication partner of the actual operations master.
Place the domain controllers that host these operations master roles in areas where the network is reliable and where the operations masters can be accessed by all other domain controllers in the forest. For more information about how certain operations might be affected if an operations master role holder is not reachable, see "Operations Master Placement for Networks with Limited Connectivity" later in this section.
Operations Master Placement for Single Domain Forest
In addition to hosting the operations master roles, the first domain controller created in a forest also hosts the global catalog. In a single domain forest, the database of a global catalog server is identical to that of a domain controller. Therefore, configure all domain controllers as global catalog servers, because doing so causes no additional workload for the domain controllers. In a single domain forest where all domain controllers are configured as global catalog servers, leave all operations master roles on the first domain controller that is created in the forest and use the second domain controller as a standby operations master.
Operations Master Placement for Forest Root Domain
In a forest hosting multiple domains, if all domain controllers in the forest root domain are also global catalog servers, leave all the operations master roles on the first domain controller. Use the second domain controller deployed in the forest as the standby operations master.
However, if not all domain controllers in the forest root domain are also global catalog servers, move all the operations master roles to the second domain controller deployed in the forest root domain and ensure that this domain controller is never configured as a global catalog server. This is because the first domain controller is always a global catalog server, and the infrastructure master should not be placed on a domain controller that is also a global catalog server unless all domain controllers are global catalog servers. To simplify the environment, keep all the operations master roles on the second domain controller. Configure the third domain controller deployed in the forest root domain as the standby operations master and ensure that this domain controller is also never configured as a global catalog server.
Operations Master Placement for Regional Child Domain
The three domain-level roles are assigned to the first domain controller in the domain by default. If any domain controllers in the regional domain will not host the global catalog, leave the three domain-level operations master roles on the first domain controller and ensure that the first domain controller is never configured as a global catalog server. Configure the second domain controller deployed in this domain to be the standby operations master.
Planning the PDC Emulator Placement
The PDC emulator acts as a Windows NT 4.0 PDC if the domain contains pre–Active Directory clients or if it contains Windows NT 4.0 BDCs. It processes password changes from clients and replicates updates to the BDCs. Only one domain controller acts as the PDC emulator in each domain in the forest.
Even if all the domain controllers are upgraded to Windows 2000 or Windows Server 2003 and the domain is operating at the Windows 2000 native functional level, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
Place the PDC emulator in a location that contains a large number of users from that domain for password forwarding operations if needed. In addition, ensure that the location is well connected to other locations to minimize replication latency.
Use the Domain Controller Placement worksheet to document the information about where you plan to place PDC emulators and the number of users for each domain that is represented in each location. For an example of a completed Domain Controller Placement worksheet, see "Example: Determining Domain Controller Placement" later in this chapter.
You need to refer to the information about locations in which you need to place PDC emulators when you deploy regional domains. For information about deploying regional domains, see "Deploying Windows Server 2003 Regional Domains" in this book.
Requirements for Infrastructure Master Placement
The infrastructure master updates the names of security principals from other domains that are added to groups in its own domain. For example, if a user from one domain is a member of a group in a second domain and the user’s name is changed in the first domain, then the second domain is not notified that the user’s name must be updated in the group’s membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change in the absence of the infrastructure master.
The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal’s domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.
Two exceptions apply to the placement requirement for the infrastructure master. First, if all domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is insignificant because security principals from other domains do not exist.
Do not place the infrastructure master on a domain controller that is also a global catalog server. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
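The following PowerShell script is an added example, not part of the original Microsoft text: it enumerates the five role holders described in this section and flags the condition the preceding paragraphs warn about (an infrastructure master on a global catalog server while not every domain controller in the domain is a global catalog server), honouring both exceptions. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, so it runs from any domain-joined machine without additional modules; the exact warning wording is the author's own.

```powershell
# Added example: locate the operations master role holders for the current
# forest and domain and check the infrastructure master / global catalog rule.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Forest-level roles (one holder each in the whole forest)
"Schema master        : {0} (site {1})" -f $forest.SchemaRoleOwner.Name, $forest.SchemaRoleOwner.SiteName
"Domain naming master : {0} (site {1})" -f $forest.NamingRoleOwner.Name, $forest.NamingRoleOwner.SiteName

# Domain-level roles (one holder each per domain)
"PDC emulator         : {0} (site {1})" -f $domain.PdcRoleOwner.Name, $domain.PdcRoleOwner.SiteName
"RID master           : {0} (site {1})" -f $domain.RidRoleOwner.Name, $domain.RidRoleOwner.SiteName
"Infrastructure master: {0} (site {1})" -f $domain.InfrastructureRoleOwner.Name, $domain.InfrastructureRoleOwner.SiteName

# Exception 2: a single-domain forest has no cross-domain group members,
# so infrastructure master placement does not matter.
if ($forest.Domains.Count -eq 1) {
    "Single domain forest: infrastructure master placement is insignificant."
    return
}

# Exception 1: if every DC in the domain is a global catalog server, the
# global catalog already carries the updated cross-domain data.
$dcs      = @($domain.DomainControllers)
$nonGcDcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog() })
if ($nonGcDcs.Count -eq 0) {
    "All {0} domain controllers are global catalog servers: placement is insignificant." -f $dcs.Count
    return
}

# Otherwise the infrastructure master must not be a global catalog server,
# or it will never detect stale cross-domain group members.
$im = $domain.InfrastructureRoleOwner
if ($im.IsGlobalCatalog()) {
    $msg = "Infrastructure master {0} is a global catalog server while {1} of {2} DCs are not; " +
           "cross-domain group membership updates will not be replicated. Move the role to one of: {3}"
    Write-Warning ($msg -f $im.Name, $nonGcDcs.Count, $dcs.Count, (($nonGcDcs | ForEach-Object { $_.Name }) -join ", "))
} else {
    "Infrastructure master {0} is not a global catalog server: placement is correct." -f $im.Name
}
```

Run it once per domain (for example, from a member of each regional domain) and record the output on the Domain Controller Placement worksheet alongside the planned placement.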
Operations Master Placement for Networks with Limited Connectivity
Be aware that if your environment does not have a central location or hub site in which you can place operations master role holders, certain domain controller operations that depend on the availability of those operations master role holders might be affected.
For example, suppose that an organization creates sites A, B, C, and D. Site links exist between A and B, between B and C, and between C and D. Network connectivity exactly mirrors the site links. In this example, all operations master roles are placed in site A and the option to Bridge all site links is not selected.
Although this configuration results in successful replication between all of the sites, the operations master role functions have the following limitations:
Domain controllers in sites C and D cannot access the PDC emulator in site A to update a password or to verify a password that has recently been changed.
Domain controllers in sites C and D cannot access the RID master in site A to obtain an initial RID pool after Active Directory installation and to refresh RID pools thereafter as they become depleted.
Domain controllers in sites C and D cannot add or remove directory, Domain Name System (DNS), or custom application partitions.
Domain controllers in sites C and D cannot make schema changes.
Document the information about operations master roles placement. You need to refer to this information when you create the forest root domain and regional domains. For more information about deploying the forest root domain, see "Deploying the Windows Server 2003 Forest Root Domain" in this book. For more information about deploying regional domains, see "Deploying Windows Server 2003 Regional Domains" in this book.
Use the Domain Controller Placement worksheet to document information about where you plan to place operations master role holders. For an example of a completed Domain Controller Placement worksheet, see "Example: Determining Domain Controller Placement" later in this chapter.
For a worksheet to assist you in planning operations master role placement, see "Domain Controller Placement" (DSSTOPO_4.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Domain Controller Placement" on the Web at http://www.microsoft.com/reskit).