Domain Controller Roles
- Global Catalog Server
- Single Master Operations
Global Catalog Server – A global catalog server is a DC that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
The global catalog performs three key functions:
- It enables users to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
- It enables finding directory information regardless of which domain in the forest actually contains the data.
- It resolves user principal names (UPNs) when the authenticating domain controller has no knowledge of the account.
Single Master Operations
Every Active Directory forest must have domain controllers that fulfill two of the five single master operations roles. The forest-wide roles are:
- Schema master
- Domain naming master
Every Active Directory domain must have domain controllers that fulfill three of the five single master operations roles. The domain-wide roles are:
- Relative identifier (RID) master
- Primary domain controller (PDC) emulator
- Infrastructure master
Ports:
- Global Catalog Server: 3268 (TCP), 3269 (TCP)
- LDAP: 389 (TCP and UDP)
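The two forest-wide and three domain-wide role holders above, plus the global catalog servers and their ports, are the first thing to inventory when reviewing a forest. The following PowerShell is an added example and not part of the original notes; it assumes the ActiveDirectory RSAT module, a domain-joined session with rights to read the directory, and that the GC ports listed above are the only ones to probe. It also flags one placement caveat the notes do not state: an infrastructure master that is itself a GC (while other DCs are not) never sees stale cross-domain references and so never updates them.

```powershell
# Added example, not part of the original notes: inventory the five single master
# operations role holders and the global catalog servers of the current forest,
# confirm each GC answers on the GC ports, and flag a risky infrastructure master
# placement. Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest   # forest-wide roles live on the forest object
    $domain = Get-ADDomain   # domain-wide roles live on the domain object
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
        GlobalCatalogs       = @($forest.GlobalCatalogs)
    }
}

function Test-GlobalCatalogPorts {
    # 3268 and 3269 are the GC ports; only DCs that hold the GC role should answer.
    param([string[]]$Servers, [int[]]$Ports = @(3268, 3269))
    foreach ($server in $Servers) {
        foreach ($port in $Ports) {
            $probe = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
            [PSCustomObject]@{ Server = $server; Port = $port; Listening = $probe.TcpTestSucceeded }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master only notices stale cross-domain references when it
    # is NOT a GC, unless every DC in the domain is a GC (then nothing can be stale).
    param([string]$InfrastructureMaster)
    $dcs = @(Get-ADDomainController -Filter *)
    $nonGcCount = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count
    $im = $dcs | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if ($im.IsGlobalCatalog -and $nonGcCount -gt 0) {
        Write-Warning "Infrastructure master $InfrastructureMaster is a GC while $nonGcCount DC(s) are not; cross-domain group references will go stale."
    }
}

$inventory = Get-FsmoInventory
$inventory | Format-List
Test-GlobalCatalogPorts -Servers $inventory.GlobalCatalogs | Format-Table -AutoSize
Test-InfrastructureMasterPlacement -InfrastructureMaster $inventory.InfrastructureMaster
```

A GC port that answers on a DC not listed in GlobalCatalogs, or a listed GC that does not answer, is a configuration drift worth a ticket; the inventory object is also a convenient baseline to diff after any role transfer or seizure.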
Schema Master – controls all updates and modifications to the schema. To update the schema of a forest, you must be a member of the Schema Admins group, and you must enable the schema to be modified in the schema console.
Domain Naming Master – controls the addition or removal of domains in the forest.
RID Master – allocates sequences of RIDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security identifier (SID). The SID consists of a domain SID that is the same for all SIDs that are created in the domain and a RID that is unique for each SID that is created in the domain.
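The split described above (domain SID plus RID) is easy to see on real values. The PowerShell below is an added example, not part of the original notes: it breaks a SID into the two parts using the .NET SecurityIdentifier type, labels the well-known RIDs that every domain carries (RIDs below 1000 are reserved for built-in principals; the Schema Admins and Enterprise Admins RIDs exist only in the forest root domain), and checks whether two SIDs share a domain SID. The sample SIDs are constructed, not taken from any real domain.

```powershell
# Added example, not part of the original notes: decompose a SID into the domain
# SID shared by every principal of the domain and the RID assigned by the creating
# DC from the pool it received from the RID master. Sample SIDs below are constructed.
$WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 516 = 'Domain Controllers'
    518 = 'Schema Admins'; 519 = 'Enterprise Admins'   # these two exist in the forest root domain only
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    # AccountDomainSid is $null for SIDs that are not domain account SIDs (e.g. S-1-5-18, LocalSystem)
    $domainSid = if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null }
    $rid = [int]($Sid.Split('-')[-1])
    $label = $null
    if ($domainSid -and $rid -lt 1000) {
        # RIDs below 1000 are reserved; name the ones defenders most often need to recognise
        $label = if ($WellKnownRids.ContainsKey($rid)) { $WellKnownRids[$rid] } else { 'reserved RID range' }
    }
    [PSCustomObject]@{
        Sid       = $Sid
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = $label
    }
}

function Test-SameDomain {
    # Two principals belong to the same domain exactly when their domain SIDs match
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)
    $a = (Split-Sid $SidA).DomainSid
    $b = (Split-Sid $SidB).DomainSid
    return ($null -ne $a) -and ($a -eq $b)
}

# Constructed sample SIDs: two principals of one domain, one principal of another
# domain, and the non-domain LocalSystem SID.
$samples = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500',
    'S-1-5-21-1111111111-2222222222-3333333333-1105',
    'S-1-5-21-1444444444-2555555555-3666666666-512',
    'S-1-5-18'
)
$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
Test-SameDomain $samples[0] $samples[1]   # same domain SID
Test-SameDomain $samples[0] $samples[2]   # different domain SIDs
```

Because the domain SID is the same for every object the domain creates, a SID seen in a log can be attributed to a domain without a directory lookup, and the RID alone tells you whether it is a built-in principal such as RID 500 or a pool-allocated object.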
PDC Emulator – In a Windows Server 2003 domain in native mode, the PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller will forward the authentication request to the PDC emulator before it rejects the logon request.
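A consequence of that forwarding is that the PDC emulator sees every bad-password retry in the domain, so it is where account lockouts (Security event ID 4740) are recorded. The PowerShell below is an added example, not part of the original notes: it locates the PDC emulator through the ActiveDirectory module and pulls the recent lockout events from its Security log. It assumes the RSAT module, rights to read the remote Security log, and the usual 4740 property order (locked account name first, calling computer name second), which is an assumption about the event layout rather than something the notes state.

```powershell
# Added example, not part of the original notes: because failed logons are retried
# against the PDC emulator before being rejected, lockouts (event 4740) are logged
# there. Pull recent lockouts from the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-RecentLockouts {
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator   # the DC that decides lockouts for this domain
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent errors when no event matches; treat that as an empty result
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed 4740 layout: Properties[0] = locked account, Properties[1] = calling computer
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[0].Value
                Source  = $_.Properties[1].Value
                LoggedOn = $pdc
            }
        }
}

# Group by calling computer so a single host locking out many accounts stands out
Get-RecentLockouts -Hours 24 |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Querying the PDC emulator directly avoids chasing 4740 events across every DC; if the role is transferred, the function follows it because it reads the role holder from the domain object each time.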
Infrastructure Master – is responsible for updating the group-to-user references whenever group memberships are changed.
If modifications to user accounts and group memberships are made in different domains, there is a delay between the time that you rename a user account and the time when a group that contains that user will display the new name of the user account. The infrastructure master of the group’s domain is responsible for this update; it distributes the update through multimaster replication.