Designing Basic Security

Operations Masters

Schema master

Acts as the authority for changes to the Active Directory schema (the specification of the object types and properties stored in the Directory). One server per forest acts as the schema master.

Domain naming master

Manages additions, deletions, and changes to the domains contained within the Active Directory forest. One server per forest acts as domain naming master.

Relative ID master

Manages the identifiers used to associate objects with containers and allows objects to be moved between containers. One server per domain acts as relative ID master.

PDC emulator

Emulates a Windows NT 4.0 PDC for compatibility with older systems. One server per domain acts as PDC emulator.

Infrastructure master

Manages associations between users and groups. One server per domain acts as infrastructure master.
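The one-holder-per-scope rule above is something a practitioner should verify rather than assume. The following PowerShell, an added example and not part of the original text, reports every operations master holder in the forest (forest-wide roles from Get-ADForest, per-domain roles from Get-ADDomain), checks reachability, and warns about the well-known infrastructure-master/global-catalog caveat. It assumes the RSAT ActiveDirectory module and a domain-joined account with read access.

```powershell
# Added example, not from the original text.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-capable account.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $report = @()

    # Forest-wide roles: exactly one holder each across the whole forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $report += [PSCustomObject]@{ Scope = $forest.Name; Role = $role; Holder = $forest.$role }
    }

    # Domain-wide roles: one holder per domain, so walk every domain in the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
            $report += [PSCustomObject]@{ Scope = $domainName; Role = $role; Holder = $domain.$role }
        }

        # Caveat: in a multi-domain forest the infrastructure master should not be a
        # global catalog unless every DC in that domain is one, otherwise it never
        # detects stale cross-domain group membership references.
        if ($forest.Domains.Count -gt 1) {
            $dcs = Get-ADDomainController -Filter * -Server $domainName
            $im  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
            if ($im.IsGlobalCatalog -and ($dcs | Where-Object { -not $_.IsGlobalCatalog })) {
                Write-Warning "$domainName: infrastructure master $($im.HostName) is a GC while other DCs are not"
            }
        }
    }

    # Each role holder is a single point of failure for its scope: an unreachable one
    # blocks the changes it arbitrates until the role is transferred or seized.
    foreach ($entry in $report) {
        $entry | Add-Member -NotePropertyName Reachable `
            -NotePropertyValue (Test-Connection -ComputerName $entry.Holder -Count 1 -Quiet)
    }
    $report
}

Get-OperationsMasterReport | Format-Table Scope, Role, Holder, Reachable -AutoSize
```

Run it from a management workstation and keep the output with your change records; a role holder that moves unexpectedly is worth investigating.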

Authentication Methods

Clear text
LM and NTLM
Kerberos
Digest authentication
Smart cards
RADIUS
Certificates
SSL

Certificate Authority Roles

Enterprise root CA

If you are using Active Directory, this is the master CA. It issues the certificates for the enterprise subordinate CA servers, so its security must not be compromised. Otherwise, your whole certificate system can be compromised by hijacked or impersonated CA servers. The enterprise CA requires both Active Directory and Windows 2000 DNS.

Standalone root CA

If you’re not using Active Directory, this is the master CA. It issues the certificates for the standalone subordinate CA servers, so its security must not be compromised. Otherwise, your whole certificate system can be compromised by hijacked or impersonated CA servers.

Enterprise subordinate CA

Receives its authorization certificate from the enterprise CA and can issue certificates to users. An enterprise root CA can be responsible for many enterprise subordinate CA servers.

Standalone subordinate CA

Receives its authorization from the standalone root CA or another standalone subordinate CA. It can issue certificates to users or issue a certificate to authorize other standalone subordinate CA servers.
