Active Directory Logical Structure |
A domain controller is a computer that is running Windows 2000 Server and hosts Active Directory. Domain controllers run the KDC service, which is responsible for authenticating domain user logons. A domain controller stores directory partitions. Directory partitions (also known as "naming contexts") correspond to the logically distributed segments of Active Directory that are replicated as discrete units. These segments correspond to the following directory partitions:
In addition to the domain directory partition that it stores, every domain controller stores a replica of the schema directory partition and the configuration directory partition. (For more information about directory partitions, see "Active Directory Data Storage" in this book.)
A domain can deploy many domain controllers, and all domain controllers can accept Active Directory changes. Earlier versions of Windows NT used multiple domain controllers, only one of which was allowed to update the directory database. This single-master scheme required all changes to be replicated from the primary domain controller to the backup domain controllers.
In Windows 2000, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations — that is, changes to these objects can be made on any domain controller. There are some operations, however, that are not performed as multimaster operations because they must occur at only one place and time. For these operations, there are specially designated domain controllers that manage the operations singly.
Most operations can be made at any domain controller and the effects of these operations (for example, deleting a user object) are replicated to all other domain controllers that store a replica of the same directory partition in which the change occurred. However, there are certain operations that must occur at only one domain controller.
The domain controllers that are assigned to manage single-master operations are called role owners for the operations. (For more information about managing single-master operations, see "Managing Flexible Single-Master Operations" in this book.) The single-master operations include the following:
Relative ID Pool Allocation One domain controller per domain is responsible for assigning "pools" of relative identifiers to other domain controllers in that domain. Relative identifiers (also known as "RIDs") are identifiers that are used in association with a domain identifier to make up the security identifier (also known as a "SID") for each security principal created in Active Directory. To ensure uniqueness in a domain, a single domain controller has the relative ID master role. The relative ID master assigns relative identifiers from a single pool of these identifiers for the domain.
Schema Modification Changes to the same schema objects on different domain controllers can result in an inconsistent directory schema and corrupt data. For this reason, a single domain controller in a forest has the schema master role. The schema master is responsible for all changes to the schema directory partition.
Primary Domain Controller Emulation For compatibility with Windows NT 3.51–based and Windows NT 4.0–based servers, which can operate as backup domain controllers in a mixed-mode Windows 2000 domain but still require a primary domain controller (also known as the "PDC"), a specific Windows 2000–based domain controller, the PDC emulator, is assigned to emulate the role of the primary domain controller. This domain controller is perceived by the Windows NT 3.51–based and Windows NT 4.0–based servers as a primary domain controller. In a Windows 2000 domain, one domain controller is assigned to be the PDC emulator and performs the role of the primary domain controller.
For information about upgrading Windows NT 3.51 and Windows NT 4.0 domains to Windows 2000 domains, see "Determining Domain Migration Strategies" in the Deployment Planning Guide.
Certain Infrastructure Changes When objects are moved or deleted, a single domain controller per domain, the infrastructure master, is responsible for updating the security identifiers and distinguished names in cross-domain object references in that domain.
Domain Naming A single domain controller per forest, the domain naming master, is assigned the responsibility of ensuring that domain names are unique in the forest and that cross-reference objects to external directories are maintained.
For more information about managing single-master roles, see "Managing Flexible Single-Master Operations" in this book.