The following table describes the servers used to deploy centralized management and the associated DNS service.

Table: Centralized Management Servers

Role: Domain controller for the fabrikam.com domain (first domain controller, AD01)
Installed software:

  • Microsoft Windows Server 2003 R2, Standard Edition or Windows Server 2003 R2, Enterprise Edition
  • DNS (internal name resolution for the fabrikam.com domain)
  • Latest updates from Microsoft Windows Update

Role: Domain controller for the fabrikam.com domain (second domain controller, AD02)
Installed software:

  • Windows Server 2003 R2, Standard Edition or Windows Server 2003 R2, Enterprise Edition
  • DNS (internal name resolution for the fabrikam.com domain)
  • Latest updates from Windows Update

Role: External DNS servers
Installed software:

  • Windows Server 2003 R2, Standard Edition (not a member of the fabrikam.com domain)
  • DNS (external name resolution)
  • Latest updates from Windows Update

Active Directory Global Catalogs

Every Active Directory forest has at least one Global Catalog (GC) server. A GC holds a partial, read-only replica of every object in every domain in the forest (the partial attribute set), so UPN logons, which must first resolve the UPN to a domain, and forest-wide directory searches can be answered by a single server instead of querying each domain in turn.

The first domain controller that you build (AD01) is automatically a GC. The second domain controller (AD02) is not a GC by default. To ensure that UPN logons continue to work if AD01 fails, you will also make AD02 a GC during the deployment. Enabling the GC option only sets a flag; AD02 does not advertise itself as a GC until the partial attribute set has replicated, at which point it logs Directory Service event 1119 and reports isGlobalCatalogReady=TRUE on its rootDSE. Check for that before relying on AD02 as a GC.

Active Directory Operations Masters

Active Directory uses a style of replication called multiple master, or multi-master, replication. Any domain controller is authoritative for its domain: additions, deletions, and changes can be made on any domain controller and replicate to the others.

There are, however, a few special Active Directory roles that by design cannot operate in multi-master mode. Each of these roles, called operations masters or flexible single-master operation (FSMO) roles, is held by exactly one domain controller at a time. The roles do not all have to be held by the same domain controller.

All roles will initially live on the first domain controller you build. After the second domain controller is built, you should move some of the roles there to spread out the workload. See Microsoft Windows Server 2003 R2 online help for instructions on how to move roles using Microsoft Management Console (MMC).

You will leave these roles on the first domain controller:

  • Relative ID (RID) master - Allocates pools of relative IDs to each domain controller so that every new security principal receives a unique SID (one per domain).
  • Primary Domain Controller (PDC) emulator - Performs Microsoft Windows NT 4.0 Server-type PDC functions for earlier-version servers and clients; it is also the authoritative time source for the domain and receives preferential replication of password changes (one per domain).

Move these roles to the second domain controller:

  • Infrastructure master - Keeps references to objects in other domains (for example, cross-domain group members) correct after those objects are moved or renamed (one per domain). Normally this role must not be held by a GC, but because both AD01 and AD02 are GCs in this deployment, the rule does not apply.
  • Schema master - The only domain controller that accepts schema changes (one per forest).
  • Domain naming master - Controls the addition and removal of domains in the forest (one per forest).
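The following batch script is an added example and is not part of the deployment guide; it carries out the AD02 steps from the Global Catalog and Operations Masters sections from a cmd prompt rather than the MMC. It assumes the names AD01 and AD02 and the domain fabrikam.com from the text, that the Windows Server 2003 Support Tools (repadmin, netdom) are installed on the machine where it runs, and that the account running it is a member of Domain Admins, Schema Admins and Enterprise Admins, which the schema and domain naming transfers require. The forty-try limit, the 15-second delay and the temporary file name are arbitrary choices for the example.

```batch
@echo off
rem Added example, not part of the deployment guide. Makes the second DC a
rem Global Catalog, waits until it actually advertises as one, then moves the
rem three FSMO roles to it and verifies the result.
rem Assumptions: DC names AD01/AD02 and domain fabrikam.com from the text;
rem Windows Server 2003 Support Tools (repadmin, netdom) installed; run as a
rem member of Domain Admins, Schema Admins and Enterprise Admins.
setlocal
set DC2=AD02
set DOMAIN=fabrikam.com
set ROOTDSE=%TEMP%\%DC2%-rootdse.ldf

rem 1. Set the GC flag on AD02's NTDS Settings object. This is the command-line
rem    equivalent of ticking "Global Catalog" in Active Directory Sites and Services.
repadmin /options %DC2% +IS_GC
if errorlevel 1 goto :fail

rem 2. Setting the flag is not the same as being a usable GC. AD02 must first
rem    replicate the partial attribute set; only then does it set
rem    isGlobalCatalogReady=TRUE on its rootDSE and log Directory Service event
rem    1119. Poll rootDSE and do not move FSMO roles until that is true
rem    (up to 40 tries, 15 s apart).
set /a tries=0
:waitgc
ldifde -f "%ROOTDSE%" -s %DC2% -d "" -p base -l isGlobalCatalogReady >nul
find /i "isGlobalCatalogReady: TRUE" "%ROOTDSE%" >nul && goto :gcready
set /a tries+=1
if %tries% geq 40 (
    echo %DC2% has not advertised as a Global Catalog; not moving FSMO roles.
    goto :fail
)
ping -n 16 127.0.0.1 >nul
goto :waitgc
:gcready
echo %DC2% is advertising as a Global Catalog.

rem 3. Transfer (not seize) the infrastructure, schema and domain naming roles
rem    to AD02 with ntdsutil. A transfer contacts the current holder, so AD01
rem    must be online; ntdsutil shows a confirmation dialog for each transfer.
rem    RID master and PDC emulator stay on AD01 as the guide specifies.
rem    Holding the infrastructure master on a GC is safe here only because
rem    every DC in the domain is a GC.
ntdsutil roles connections "connect to server %DC2%" quit "transfer infrastructure master" "transfer schema master" "transfer domain naming master" quit quit
if errorlevel 1 goto :fail

rem 4. Verify: list all five role holders, then fail if any of the three moved
rem    roles is still not on AD02 (dsquery prints the holder's server DN).
netdom query fsmo
for %%r in (schema name infr) do (
    dsquery server -forest -hasfsmo %%r | find /i "CN=%DC2%," >nul || (
        echo FSMO role %%r is not held by %DC2%.
        goto :fail
    )
)
echo Global Catalog and FSMO placement for %DC2% verified.
endlocal
exit /b 0

:fail
echo Post-deployment steps for %DC2% failed; check the Directory Service event log on %DC2%.
endlocal
exit /b 1
```

Use ntdsutil's transfer commands, as here, whenever the current role holder is reachable; the seize commands are for a holder that is permanently gone, and a DC whose roles were seized must never be brought back onto the network, because two DCs would then claim the same role. The verification step matters because ntdsutil can report success at the prompt while a transfer was declined in the confirmation dialog; dsquery reads the actual role-holder attributes from the directory.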