Structure : Physical structure and replication (3)
Although most operations, such as creating a user, are multi-mastered and can be performed by connecting to any available domain controller, some operations are still handled only by designated domain controllers. Microsoft calls these the Flexible Single Master Operation (FSMO) roles. There are five FSMO roles. Two of them are per forest:

Schema Master: only one DC in the forest holds this role. It holds the master copy of the Schema.

Domain Naming Master: only one DC in the forest holds this role. It authorizes the creation and deletion of domains in the forest.

Within each domain there are three further roles.

PDC Emulator: as its name suggests, it provides compatibility with legacy (NT4) DCs and clients. It also functions as the domain master browser, the time synchronization source for the domain, and the single master for Group Policy changes.

RID Master: the RID Master generates a pool of Relative IDentifiers and allocates them to the other DCs in its domain. Each DC takes a RID from its pool whenever it needs to generate a SID (Security IDentifier) for a newly created security principal object (user, group or computer). A SID is a globally unique identifier for a security principal. The RID Master is also the single master for moving security principals from one domain to another.

Infrastructure Master (IM): the IM periodically looks up references to external objects by consulting the global catalog. An example of an 'external object' would be a user from DomainA that has been added to a group in DomainB. As far as DomainB is concerned the user is an external object. The IM checks whether any details of that foreign object (such as its distinguished name or SID) have changed.
All these roles can be held by a single DC if necessary. The GC and IM roles are incompatible and should not be on the same machine. There are two exceptions to this rule: if the forest contains only one domain, or if all DCs in the domain are configured as GCs. The Domain Naming Master should be on the same machine as a GC. These roles can also be transferred. If the current role holder has failed beyond repair, the roles can be seized at another DC. However, there is no automatic failover: administrators must manually transfer or seize roles.
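The placement rules above can be audited with the ActiveDirectory PowerShell module. The following script is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed on a domain-joined machine and the account running it can read forest and domain objects.

```powershell
# Added example (not from the original post): list the FSMO role holders and
# check the GC/IM and Domain Naming Master placement rules described above.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Forest-wide roles. The Domain Naming Master should be on a Global Catalog.
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if (-not $dnm.IsGlobalCatalog) {
    $findings += "Domain Naming Master $($dnm.HostName) is not a Global Catalog"
}

[pscustomobject]@{
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName
    $allGc  = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster

    # IM on a GC is only acceptable in a single-domain forest or when every DC
    # in the domain is a GC; otherwise the IM never sees stale cross-domain refs.
    if ($im.IsGlobalCatalog -and $forest.Domains.Count -gt 1 -and -not $allGc) {
        $findings += "${domainName}: Infrastructure Master $($im.HostName) is a GC while other DCs are not"
    }

    # Per-domain role holders, so an operator can see where each role lives.
    [pscustomobject]@{
        Domain               = $domainName
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

if ($findings.Count -eq 0) { 'FSMO placement checks passed' } else { $findings }
```

Because there is no automatic failover, running this after a DC failure or role seizure confirms that every role still has a reachable holder and that the placement rules still hold.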