On each Windows domain forest there are 5 roles (the FSMO roles) that control your domain's functionality. Today I will talk about these roles and what each role does, as follows:
Domain Naming Master:
Active Directory stores pointers to other domains in CrossRef objects located in the Partitions container of the Configuration naming context. Each object contains attributes that describe the distinguished name, DNS name, flat (NetBIOS) name and naming-context name of the domain, along with the kind of trust relationship that binds the domain to the forest.
When you create a new domain in an existing forest, the new domain represents a separate naming context, and a new CrossRef object must be created in the Partitions container. Only one domain controller in the forest, the Domain Naming Master, is allowed to make changes to the Partitions container. This prevents two administrators from creating new domains with identical names during the same replication interval.
By default, the Domain Naming Master is the first domain controller in a forest, but the role can be transferred to any domain controller through the Active Directory Domains and Trusts snap-in. The Domain Naming Master should always reside in the root domain.
Q: What happens in case the Domain Naming Master role fails?
A: This failure is not visible to users, nor even to administrators, unless you try to modify the forest (for example adding or removing a domain). To fix it you have to repair the server.
You can seize the role using NTDSUTIL, but use this only as a last resort.
Infrastructure Master:
When you have a user object from domain A placed in a group in domain B, it is the Infrastructure Master role that translates the SID to a name.
Each domain has its own Infrastructure Master role. This role should not be placed on the same server that hosts a Global Catalog (GC); why? Read this: http://support.microsoft.com/kb/248047
If it is a single-domain forest, there is no problem having the IM and the GC on the same server.
Q: What happens in case the Infrastructure Master role fails?
A: This FSMO role is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to groups in another.
Repairing the role can also be done by seizing it to a non-GC server (in a single-domain forest there is no problem with it being on the same server as the GC).
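The placement rules above (Domain Naming Master in the forest root, Infrastructure Master not on a GC unless every DC in the domain is a GC or the forest has a single domain) are easy to verify from PowerShell. The following script is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module and an account that can read the forest and domain objects.

```powershell
# Added example: list FSMO role holders and flag the placement problems
# discussed above. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Forest-wide roles live on the forest object.
"Schema Master        : {0}" -f $forest.SchemaMaster
"Domain Naming Master : {0}" -f $forest.DomainNamingMaster

# Rule 1: the Domain Naming Master should reside in the forest root domain.
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if ($dnm.Domain -ne $forest.RootDomain) {
    $findings += "Domain Naming Master $($dnm.HostName) is in $($dnm.Domain), not the forest root $($forest.RootDomain)"
}

# Per-domain roles live on each domain object.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "`n[$domainName]"
    "PDC Emulator          : {0}" -f $domain.PDCEmulator
    "RID Master            : {0}" -f $domain.RIDMaster
    "Infrastructure Master : {0}" -f $domain.InfrastructureMaster

    # Rule 2 (KB 248047): in a multi-domain forest the Infrastructure Master
    # must not be a GC, unless every DC in that domain is also a GC.
    $im      = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $nonGcDc = Get-ADDomainController -Filter * -Server $domainName |
               Where-Object { -not $_.IsGlobalCatalog }
    if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and $nonGcDc) {
        $findings += "Infrastructure Master $($im.HostName) in $domainName is a GC while $($nonGcDc.Count) DC(s) are not (see KB 248047)"
    }
}

"`nFindings:"
if ($findings) { $findings | ForEach-Object { " - $_" } } else { " - none" }
```

Run it from any domain-joined machine with RSAT; the findings list is empty when placement follows the recommendations in this post. The same role holders can be listed quickly with `netdom query fsmo`, but that command does not evaluate the GC or root-domain conditions.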
PDC Emulator:
Several tasks are assigned to this role:
1- Group Policy uses this server as the default server; this prevents two administrators from making conflicting modifications to the same GPO.
2- Time sync for all DCs.
3- It is the DC responsible for keeping user and computer passwords current: when a password is changed on a DC, it is immediately replicated to the DC holding the PDC Emulator role, and then, according to the normal replication schedule, to the other DCs. When a user fails to authenticate on a DC, that DC immediately checks with the PDC Emulator to find out whether the failure is due to a password change that has not yet replicated; if that is the case and the credentials match the new password, the authentication succeeds. This reduces the latency for a password change to take effect.
4- Several custom applications use the PDC Emulator by default as the primary server for any AD modification.
RID Master:
Each domain has its own domain ID, so domain ID + RID = SID. This means that a SID cannot be duplicated across the forest.
In each domain there is only one RID Master; it is also recommended to place the RID Master role on the PDC Emulator server.
When adding a new domain to the forest, the RID Master must be reachable so that the new RID server can take its RID pool.
When domain controllers need more relative IDs in reserve, they request them from, and are assigned them by, the domain controller holding the RID Master FSMO role.
Q: What happens in case of RID Master failure?
A: The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups.
Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.
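The "domain ID + RID = SID" rule and the per-DC RID pools above can both be inspected directly. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module, read access to the domain's System container, and the documented dword layout of the RID pool attributes (high 32 bits / low 32 bits), and it uses a constructed sample SID.

```powershell
# Added example: split a SID into domain ID + RID, then report how many RIDs
# the domain and each DC still have before they would need the RID Master.
Import-Module ActiveDirectory

# 1. Domain ID + RID = SID. The .NET SecurityIdentifier type exposes the
#    domain part; the RID is the last sub-authority.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $s.AccountDomainSid.Value
        Rid       = [uint32]($s.Value.Split('-')[-1])
    }
}
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed sample SID

# 2. Domain-wide pool: rIDAvailablePool on the "RID Manager$" object packs two
#    32-bit values into one 64-bit integer: high dword = highest RID that may
#    ever be issued, low dword = next RID the RID Master will hand out.
$domain  = Get-ADDomain
$mgrDn   = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
$pool    = [int64](Get-ADObject $mgrDn -Properties rIDAvailablePool).rIDAvailablePool
$maxRid  = $pool -shr 32
$nextRid = $pool -band 0xFFFFFFFF
"Domain {0}: {1} of {2} RIDs issued, {3} remaining" -f $domain.DNSRoot, $nextRid, $maxRid, ($maxRid - $nextRid)

# 3. Per-DC pool: each writable DC's "RID Set" object records the block it was
#    given (rIDAllocationPool: low dword = first RID, high dword = last RID) and
#    the last RID it allocated (rIDNextRID). A DC that exhausts its block while
#    the RID Master is unreachable can no longer create users or groups.
foreach ($dc in Get-ADDomainController -Filter *) {
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    if (-not $computer.rIDSetReferences) { continue }   # RODCs hold no RID Set
    $set   = Get-ADObject $computer.rIDSetReferences[0] -Properties rIDAllocationPool, rIDNextRID
    $first = [int64]$set.rIDAllocationPool -band 0xFFFFFFFF
    $last  = [int64]$set.rIDAllocationPool -shr 32
    $used  = [int64]$set.rIDNextRID
    [pscustomobject]@{
        DC            = $dc.HostName
        PoolStart     = $first
        PoolEnd       = $last
        LastUsedRid   = $used
        RidsRemaining = $last - [math]::Max($used, $first - 1)   # whole block if unused
    }
}
```

A DC whose RidsRemaining is close to zero while the RID Master is down is exactly the failure case described in the answer above; the domain-wide figure shows how much of the 2^30 default RID space the domain has consumed so far.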
Q: How do I seize a FSMO role?
A: Open CMD and run NTDSUTIL.
You will need to connect to the server you want to work with; usually it will be the same server you want to seize the role to. To connect to the server we use the Connections command.
Use this command:
Connect to server <server name>
Now use the command Seize.
You can get a list of roles that you can seize using the HELP command.
You will get a message stating that you will seize the role; press YES.
When seizing, NTDSUTIL will attempt a safe transfer first; if that fails it will seize the role.
Again: once you seize the role, the old server should never be brought up again.
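The same transfer-first, seize-only-on-failure behaviour can be scripted with the ActiveDirectory module instead of the interactive NTDSUTIL session. This is an added example, not part of the original post; the target DC name and the role list are placeholders, and it assumes the account running it holds the rights needed to transfer or seize the roles.

```powershell
# Added example: move FSMO roles with PowerShell. A graceful transfer needs the
# current holder online; -Force seizes the role when it is not.
Import-Module ActiveDirectory

$target = 'DC02'                                                  # placeholder target DC
$roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'      # placeholder role list

try {
    # Graceful transfer: the current holder is told it no longer owns the roles.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles `
        -Confirm:$false -ErrorAction Stop
    "Transferred $($roles -join ', ') to $target"
}
catch {
    # Seize: the directory is updated without the old holder's cooperation, so
    # the old holder must never be brought back online afterwards.
    Write-Warning "Transfer failed ($($_.Exception.Message)); seizing instead."
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles `
        -Force -Confirm:$false
    "Seized $($roles -join ', ') on $target"
}

# Verify from the target's point of view; other DCs show the change after replication.
Get-ADDomain -Server $target | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

For the forest-wide roles use `SchemaMaster` and `DomainNamingMaster` in the role list and verify with `Get-ADForest -Server $target`. As with NTDSUTIL, treat the seize branch as a last resort.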
I would also recommend reading these:
FSMO placement : http://support.microsoft.com/kb/223346/en-us?p=1
How SID Work: http://technet.microsoft.com/en-us/library/cc778824(v=ws.10).aspx