Operations master roles are assigned to domain controllers to perform single-master operations.
Every Active Directory forest must have the schema master and domain naming master roles. Every domain in the forest must have the RID master, the PDC emulator, and the infrastructure master roles.
There are two ways to manage operations master roles: transfer and seizure.
To transfer an operations master role is to move it with the cooperation of its current owner. You transfer an operations master role to other domain controllers in the domain or forest to balance the load among domain controllers or to accommodate domain controller maintenance and hardware upgrades.
To seize an operations master role is to move it without the cooperation of its current owner. You seize an operations master role assignment when a server holding the role fails and you do not intend to restore it. If the cause of the failure is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. Do not seize an operations master role if you can transfer it instead. Seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable.
Lesson 4: Managing Trust Relationships
This lesson introduces you to trust relationships and the tasks involved in the management of trusts. In Chapter 1, you learned that a trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. Trust relationships can be created automatically (implicitly) or manually (explicitly). Trust relationships created implicitly do not need management. In this lesson you learn how to plan, create, and administer explicit trust relationships.
After this lesson, you will be able to
• Name the trust protocols used in Windows Server 2003
• Describe the trust types used in Windows Server 2003
• Explain when it is necessary to create a shortcut, realm, external, or forest trust
• Create shortcut, realm, external, and forest trusts
• Administer shortcut, realm, external, and forest trusts
Estimated lesson time: 30 minutes
Trust Relationships
A trust relationship is a logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. There are two domains in a trust relationship—the trusting and the trusted domain.
In Windows NT, trusts were one-way and nontransitive, limited to the two domains involved in the trust, and could require a great deal of administrator maintenance. In Windows Server 2003, trusts have three characteristics.
• Trusts can be created manually (explicitly) or automatically (implicitly).
• Trusts can be either transitive (not bound by the domains in the trust relationship) or nontransitive (bound by the domains in the trust relationship).
• Trusts can be one-way or two-way.
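The following is an added example, not part of the original lesson, showing how the direction and transitivity characteristics listed above can be read back from exported trust records when auditing a domain. It assumes the records come from Active Directory trustedDomain objects with their trustDirection, trustType, and trustAttributes values (names and constants from Microsoft's schema documentation, not from this lesson); the sample records and domain names are constructed.

```python
# Added example: decode direction and transitivity from trustedDomain records.
# Constants are the documented trustedDomain values; sample data is constructed.
NON_TRANSITIVE = 0x01     # TRUST_ATTRIBUTE_NON_TRANSITIVE
FOREST_TRANSITIVE = 0x08  # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
WITHIN_FOREST = 0x20      # TRUST_ATTRIBUTE_WITHIN_FOREST
TYPE_MIT = 3              # trustType 3: non-Windows Kerberos realm

# trustDirection is relative to the domain that holds the record.
DIRECTIONS = {0: "disabled", 1: "one-way inbound",
              2: "one-way outbound", 3: "two-way"}

def classify(trust):
    """Return (kind, direction, transitive) for one trust record."""
    attrs = trust["trustAttributes"]
    direction = DIRECTIONS.get(trust["trustDirection"], "unknown")
    if attrs & WITHIN_FOREST:
        # Parent-child, tree-root and shortcut trusts all carry this flag.
        kind, transitive = "intra-forest", True
    elif attrs & FOREST_TRANSITIVE:
        kind, transitive = "forest", True
    elif trust["trustType"] == TYPE_MIT:
        # Realm trusts are transitive unless marked otherwise.
        kind, transitive = "realm", not attrs & NON_TRANSITIVE
    else:
        # External trusts stay bound to the two domains involved.
        kind, transitive = "external", False
    return kind, direction, transitive

def transitive_trusts(trusts):
    """Names of trusts not bound by the two domains in the relationship."""
    return [t["name"] for t in trusts if classify(t)[2]]

# Constructed sample records (hypothetical domain names).
SAMPLE = [
    {"name": "child.corp.example", "trustDirection": 3,
     "trustType": 2, "trustAttributes": 0x20},
    {"name": "partner.example", "trustDirection": 2,
     "trustType": 2, "trustAttributes": 0x04},
    {"name": "otherforest.example", "trustDirection": 3,
     "trustType": 2, "trustAttributes": 0x08},
    {"name": "UNIX.EXAMPLE", "trustDirection": 1,
     "trustType": 3, "trustAttributes": 0x01},
]

if __name__ == "__main__":
    for t in SAMPLE:
        kind, direction, transitive = classify(t)
        label = "transitive" if transitive else "nontransitive"
        print(f"{t['name']}: {kind}, {direction}, {label}")
```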