
An operations master is a domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers that are assigned these roles perform single-master operations, or operations that are not permitted to occur at different places in the network simultaneously.
The domain controller that controls the particular operation owns the operations master role for that operation. Ownership of an operations master role can be transferred to another domain controller, but only one domain controller can own a given role at one time. A transfer requires both the current holder and the new holder to be online and replicating; if the holder is permanently lost, the role can instead be seized on another domain controller, and in that case the old holder must never be reconnected to the network, because two domain controllers would then each believe they own the role.
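As an added example (not part of the original article), the following PowerShell lists the current role holders and moves one role to another domain controller. It assumes the RSAT ActiveDirectory module in a domain-joined session; the target name DC02 is a placeholder.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module; 'DC02' is a placeholder domain controller name.
Import-Module ActiveDirectory

function Get-OperationsMasterHolders {
    # Forest-wide roles are attributes of the forest object, the three
    # per-domain roles are attributes of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        Forest               = $forest.Name
        Domain               = $domain.DNSRoot
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Get-OperationsMasterHolders | Format-List

# Graceful transfer: the current holder hands the role to DC02 through
# replication, so both machines must be online and able to replicate.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator -Confirm:$false

# Seizure is the same cmdlet with -Force. It skips the handshake with the old
# owner and is only appropriate when that owner is gone for good; if it ever
# comes back online there will be two holders of the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole SchemaMaster -Force

Get-OperationsMasterHolders | Format-List
```

The same inventory is available without PowerShell from `netdom query fsmo`. Run the inventory again after a transfer and confirm every domain controller reports the same holder before doing anything else with the role.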
Every Active Directory forest must have domain controllers that fulfill each of the five operations master roles. Two roles exist once per forest (the schema master and the domain naming master) and three exist once per domain (the RID master, the PDC emulator, and the infrastructure master). The roles are:
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must be a member of the Schema Admins group and the change must be applied on the schema master itself; other domain controllers hold a read-only copy until the change replicates. At any time, there can be only one schema master in the entire forest.
The domain naming master controls the addition or removal of domains in the forest (and of application directory partitions). Adding or removing a domain requires Enterprise Admins membership and a reachable domain naming master. There can be only one domain naming master in the entire forest at any time.
There is one domain controller that acts as the RID master in each domain in the forest. The RID master allocates blocks (pools) of relative identifiers (RIDs) to each of the domain controllers in its domain. A domain controller requests a new block when its current pool runs low, so if the RID master is unavailable, domain controllers can keep creating security principals only until their local pools are exhausted.
Whenever a domain controller creates a user, group, or computer object (any security principal), it assigns the object a unique security identifier (SID). The SID consists of a domain SID (the same for all SIDs created in the domain) and a RID that is unique for each SID created in the domain. RIDs below 1000 are reserved for well-known accounts and groups (for example 500 for Administrator and 512 for Domain Admins); the RID master hands out everything from 1000 upward.
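The two halves of a SID, and the RID master's bookkeeping, can be examined directly. The following is an added example (not code from the original article): it splits a SID into domain SID and RID, and reads the RID master's rIDAvailablePool attribute to show how much of the domain's RID space has been handed out. It assumes the RSAT ActiveDirectory module; the account name jdoe and the literal sample SID are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module; 'jdoe' and the literal SID below are constructed
# placeholders.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    # AccountDomainSid is the S-1-5-21-... prefix shared by every principal in
    # the domain (null for non-domain SIDs such as S-1-5-18). The last
    # hyphen-separated component is the RID.
    [PSCustomObject]@{
        Sid       = $SidString
        DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        Rid       = [uint32]$SidString.Substring($SidString.LastIndexOf('-') + 1)
        WellKnown = ([uint32]$SidString.Substring($SidString.LastIndexOf('-') + 1)) -lt 1000
    }
}

function Get-RidPoolUsage {
    # rIDAvailablePool on the RID Manager$ object is a 64-bit value: the high
    # 32 bits are the top of the domain's RID space, the low 32 bits are the
    # RIDs allocated so far. Read it from the RID master, which is the only
    # authoritative copy.
    $dom  = Get-ADDomain
    $obj  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                -Server $dom.RIDMaster -Properties rIDAvailablePool
    $pool = [int64]$obj.rIDAvailablePool
    $ceiling = $pool -shr 32
    $issued  = $pool -band 0xFFFFFFFF
    [PSCustomObject]@{
        RidMaster = $dom.RIDMaster
        DomainSid = $dom.DomainSID.Value
        Issued    = $issued
        Remaining = $ceiling - $issued
    }
}

# A constructed sample SID (domain part is made up) and a real object's SID.
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1013'
Split-Sid (Get-ADUser -Identity 'jdoe').SID.Value
Get-RidPoolUsage
```

A RID that is unexpectedly low for a recently created account, or a domain SID that does not match `(Get-ADDomain).DomainSID`, is worth a second look; RIDs are never reused, so a jump in the Issued figure that does not match object creation is also a sign that something has been burning through pools.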
Each domain in the forest must have one domain controller that acts as the PDC emulator. If the domain contains computers that are not running Windows 2000 client software, or if it contains domain controllers running Windows NT, the PDC emulator processes password changes and replicates updates to the backup domain controllers running Windows NT.
In a Windows 2000 domain in native mode, the PDC emulator receives preferential (urgent) replication of password changes that are performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller forwards the authentication request to the PDC emulator before it rejects the logon request. Because of this forwarding, the PDC emulator also keeps the authoritative bad-password count and lockout state for each account, while every other domain controller only sees the failures it handled itself; the PDC emulator's security log is therefore the first place to look when investigating lockouts or password guessing.
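The forwarding behaviour described above is visible in the directory itself: badPwdCount is not replicated, so each domain controller holds its own count and the PDC emulator holds the sum. The following is an added example (not part of the original article) that queries every domain controller for one account and marks the PDC emulator's row. It assumes the RSAT ActiveDirectory module; jdoe is a placeholder.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-BadPasswordByDC {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            # Query each DC directly: badPwdCount and badPasswordTime are
            # non-replicated, so the answer depends on which DC you ask.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, LastBadPasswordAttempt, LockedOut -ErrorAction Stop
            [PSCustomObject]@{
                DC            = $dc.HostName
                IsPDCEmulator = ($dc.HostName -eq $pdc)
                BadPwdCount   = $u.badPwdCount
                LastAttempt   = $u.LastBadPasswordAttempt
                LockedOut     = $u.LockedOut
            }
        }
        catch {
            # An unreachable DC still gets a row so its absence is not silent.
            [PSCustomObject]@{
                DC            = $dc.HostName
                IsPDCEmulator = ($dc.HostName -eq $pdc)
                BadPwdCount   = $null
                LastAttempt   = $null
                LockedOut     = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

Get-BadPasswordByDC -SamAccountName 'jdoe' |
    Sort-Object IsPDCEmulator -Descending |
    Format-Table -AutoSize
```

Expect the PDC emulator's BadPwdCount to be at least as large as any other domain controller's; a spread of failures across many DCs against one account, all rolling up to the PDC emulator, is the characteristic shape of a spray against that account.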
There must be one infrastructure master in each domain. The infrastructure master is responsible for updating references to objects in other domains (for example, a group whose members include user accounts from another domain) whenever those referenced objects are renamed, moved, or deleted.
If modifications to user accounts and group memberships are made in different domains, there is a delay between the time that you rename a user account and the time that a group in another domain that contains that user displays the new name. The infrastructure master of the group's domain is responsible for this update; it compares its local references against a global catalog and distributes the corrections through normal multi-master replication. For this comparison to work, the infrastructure master must not itself be a global catalog server, unless every domain controller in the domain is a global catalog (or the forest contains only one domain, in which case there are no cross-domain references to fix). If the rule is violated, the infrastructure master never finds any stale references and the updates silently stop.
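The placement rule above is easy to check. The following is an added example (not from the original article) that reports whether the infrastructure master is a global catalog and whether that is acceptable for the domain. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module and a session that can reach the domain.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $im  = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    if (-not $im) { throw "Infrastructure master $($dom.InfrastructureMaster) not found among the DCs of $Domain" }

    $gcCount      = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
    $allDcsAreGc  = ($gcCount -eq $dcs.Count)
    $singleDomain = ((Get-ADForest).Domains.Count -eq 1)

    # The holder may be a GC only if every DC is a GC (then no DC has stale
    # cross-domain references) or if there are no other domains to refer to.
    $ok = (-not $im.IsGlobalCatalog) -or $allDcsAreGc -or $singleDomain

    [PSCustomObject]@{
        Domain               = $Domain
        InfrastructureMaster = $im.HostName
        HolderIsGC           = $im.IsGlobalCatalog
        GlobalCatalogs       = "$gcCount of $($dcs.Count) DCs"
        SingleDomainForest   = $singleDomain
        PlacementOK          = $ok
    }
}

# Check every domain in the forest, not just the one you are logged on to.
(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } |
    Format-Table -AutoSize
```

When PlacementOK is false, either move the role to a domain controller that is not a global catalog (using Move-ADDirectoryServerOperationMasterRole with -OperationMasterRole InfrastructureMaster) or make every domain controller in the domain a global catalog.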