Section 11.3. Planning Flexible Operations Master Role Placement

Unlike Windows NT domains, Active Directory domains use a multimaster replication model. In this model, there are no primary or backup domain controllers. Every domain controller in a domain has its own copy of the directory. Every domain controller is equally accountable, and any domain controller can be used to make changes to the standard directory data.

However, some Active Directory operations can only be performed by a single authoritative domain controller, called an operations master. A designated operations master holds a flexible single-master operations (FSMO) role. Operations performed by an operations master are not permitted to occur at different places on the network at the same time.

11.3.1. Understanding Operations Master Roles

Five operations master roles are designated. These roles are:

  • Schema master

  • Domain-naming master

  • Relative ID (RID) master

  • PDC emulator

  • Infrastructure master

The schema master and domain-naming master roles are assigned on a per-forest basis. There is only one schema master and only one domain-naming master in a forest.

The RID master, infrastructure master, and PDC emulator are assigned on a per-domain basis. Each domain in a forest has an RID master, an infrastructure master, and a PDC emulator.

The schema master and domain-naming master are critical to forest operations. The schema master maintains the only writeable copy of the schema container and is the only domain controller in the forest on which you can make changes to the schema. There can be just one schema master in the entire forest.

The domain-naming master is responsible for adding or removing domains from the forest. If the domain-naming master cannot be contacted when you are trying to add or remove a domain, you will not be able to add or remove the domain. There can be only one domain-naming master in the entire forest.

The RID master, PDC emulator, and infrastructure master are critical for domain operations. The relative ID (RID) master allocates blocks of relative IDs. Every domain controller in a domain is issued a block of relative IDs by the RID master; these IDs are used to build the security IDs, which uniquely identify security principals in a domain. If a domain controller cannot contact the RID master and runs out of RIDs, no new objects can be created on that domain controller and object creation fails. There can be only one RID master in a domain.

In a domain using the Windows 2000 mixed or Windows Server 2003 interim functional level, the PDC emulator master acts as the primary domain controller (PDC) for all Windows NT 4.0 backup domain controllers (BDCs) and is required to authenticate Windows NT logons, process password changes, and replicate domain changes to BDCs. It also runs the domain master browser service.

In a domain using the Windows 2000 native or Windows Server 2003 functional level, the PDC emulator master is responsible for processing password changes. When a user changes his password, the change is first sent to the PDC emulator, which in turn replicates the change to all of the other domain controllers in the domain. There can be only one PDC emulator master in a domain.


Tip: When a user tries to log on to the network but provides an incorrect password, the logon domain controller checks the PDC emulator to see whether there is a recent password change for the user's account. If so, the domain controller retries the logon authentication on the PDC emulator. This ensures that if a user has recently changed his password, he is not denied logon with the new password.

The infrastructure master is responsible for updating group-to-user references across domains. When you rename or move a member of a group, the infrastructure master is responsible for ensuring that changes to the common name are correctly reflected in the group membership information for groups in other domains in the forest.

The infrastructure master maintains group-to-user references by comparing its directory data with that of a global catalog. As necessary, it updates references and replicates the changes to other domain controllers in the domain. There can be only one infrastructure master in a domain.

11.3.2. Planning Operations Master Role Placement

When you install Active Directory and create the first domain controller in a new forest, all five roles are assigned to that domain controller. When you add domains, the first domain controller installed in a new domain is automatically designated as the RID master, infrastructure master, and PDC emulator for that domain.

As part of domain design, you should consider:

  • How many domain controllers you need for each domain

  • Whether you need to transfer operations master roles to other domain controllers

You should have at least two domain controllers in each domain in the forest. As you add sites and domains to the network, consider whether to transfer the operations master roles. You might want to transfer an operations master role to balance the workload or to improve performance. You might need to transfer an operations master role to accommodate maintenance or failure recovery.

Some recommendations for planning operations master roles follow:

  • In most cases, you want the forest-wide roles (schema master and domain-naming master) to be on the same domain controller. These roles use few resources and have little overhead. The server acting as the domain-naming master should also be a global catalog server.

  • In most cases, the RID master and PDC emulator master roles should be on the same domain controller. The key reason for this is that the PDC emulator uses more relative IDs than most other domain controllers. If the RID master and PDC emulator master roles aren't on the same domain controller, the domain controllers on which these roles are placed should be in the same Active Directory site with a reliable connection between them.

  • Except for a single domain forest or a multidomain forest where all domain controllers are global catalog servers, the infrastructure master should not be placed on a domain controller that is also a global catalog. If the infrastructure master and the global catalog are on the same server, the infrastructure master doesn't see that group membership changes have been made and thus doesn't replicate them.

11.3.3. Locating and Transferring the Operations Master Roles

You can determine the current operations masters for your logon domain by typing the following at a command prompt:

 netdom query fsmo 

As shown here, the output lists each role owner by its fully qualified domain name:

 Schema owner                corpsvr64.domain.local
 Domain role owner           corpsvr64.domain.local
 PDC role                    corpsvr21.tech.domain.local
 RID pool manager            corpsvr21.tech.domain.local
 Infrastructure owner        corpsvr15.tech.domain.local

From the output in this example, you can also determine that the forest root domain is domain.local and the current logon domain is tech.domain.local. If you want to determine the operations masters for a specific domain, use the following command:

 netdom query fsmo /d:DomainName 

where DomainName is the name of the domain, such as eng.domain.local.
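The following PowerShell script is an added example, not code from the book: it reads the same five role owners that the netdom output above lists and checks them against the placement recommendations in 11.3.2. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later), which postdates the tools the book covers; the function name Test-FsmoPlacement is invented.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module; the text itself
# uses netdom query fsmo. Checks the live role owners against the recommendations in 11.3.2.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)   # defaults to the logon domain

    $forest    = Get-ADForest
    $domain    = Get-ADDomain -Identity $DomainName
    $dcs       = @(Get-ADDomainController -Filter * -Server $DomainName)
    $domainGcs = @($dcs | Where-Object { $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName)

    # Same labels as netdom query fsmo, so the two outputs can be compared side by side.
    $roles = [ordered]@{
        'Schema owner'         = $forest.SchemaMaster
        'Domain role owner'    = $forest.DomainNamingMaster
        'PDC role'             = $domain.PDCEmulator
        'RID pool manager'     = $domain.RIDMaster
        'Infrastructure owner' = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) { '{0,-22} {1}' -f $r.Key, $r.Value }

    $findings = @()
    # Forest-wide roles: keep them together, with the domain-naming master on a global catalog.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += 'Schema master and domain-naming master are on different domain controllers.'
    }
    if ($forest.GlobalCatalogs -notcontains $forest.DomainNamingMaster) {
        $findings += 'Domain-naming master is not a global catalog server.'
    }
    # RID master and PDC emulator: same domain controller, or at least the same site.
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        $ridSite = ($dcs | Where-Object { $_.HostName -eq $domain.RIDMaster }).Site
        $pdcSite = ($dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }).Site
        $msg = 'RID master and PDC emulator are on different domain controllers'
        if ($ridSite -ne $pdcSite) { $msg += ' and in different sites' }
        $findings += $msg + '.'
    }
    # Infrastructure master must not be a GC unless the forest has one domain or every DC is a GC.
    $exempt = ($forest.Domains.Count -eq 1) -or ($domainGcs.Count -eq $dcs.Count)
    if (-not $exempt -and ($domainGcs -contains $domain.InfrastructureMaster)) {
        $findings += 'Infrastructure master is on a global catalog; cross-domain group references will not be updated.'
    }
    if ($findings.Count -eq 0) { 'Placement matches the recommendations.' } else { $findings }
}

Test-FsmoPlacement
```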

Operations master roles can be changed in two ways:

  • If the current operations master is online, you can perform a role transfer, gracefully shifting the role from one domain controller to another.

  • If the current operations master has failed and will not be coming back online, you can seize the role and forcibly transfer it to another domain controller.

You can view and transfer the location of domain-wide operations master roles by completing the following steps:

  1. Start Active Directory Users And Computers from the Administrative Tools menu.

  2. In the console tree, right-click Active Directory Users And Computers, and then select Connect To Domain. In the Connect To Domain dialog box, type the fully qualified domain name of the domain for which you want to view or transfer roles, and then click OK.

  3. In the console tree, right-click Active Directory Users And Computers, and then select Connect To Domain Controller. In the Connect To Domain Controller dialog box, select the domain controller to which you want to transfer a domain-wide operations master role, and then click OK.

  4. In the console tree, right-click Active Directory Users And Computers, point to All Tasks, and then click Operations Masters. This opens the Operations Masters dialog box as shown in Figure 11-10.

  5. On the PDC tab, the current PDC Emulator master is listed. To change the role to the previously selected domain controller, click Change.

  6. On the Infrastructure tab, the current Infrastructure master is listed. To change the role to the previously selected domain controller, click Change.

  7. Click Close.

    Figure 11-10. Transferring domain-wide operations master roles.

You can view or transfer the location of the domain-naming master by completing the following steps:

  1. Start Active Directory Domains And Trusts from the Administrative Tools menu.

  2. In the console tree, right-click Active Directory Domains And Trusts, and then select Connect To Domain. In the Connect To Domain dialog box, type the fully qualified domain name of the domain for which you want to view or transfer roles, and then click OK.

  3. In the console tree, right-click Active Directory Domains And Trusts, and then select Connect To Domain Controller. In the Connect To Domain Controller dialog box, select the domain controller to which you want to transfer a domain-wide operations master role, and then click OK.

  4. In the console tree, right-click Active Directory Domains And Trusts, and then click Operations Master. This opens the Change Operations Masters dialog box as shown in Figure 11-11.

  5. The current domain-naming master is listed. To change the role to the previously selected domain controller, click Change.

  6. Click Close.

    Figure 11-11. Transferring the domain-naming master role.

You can view or transfer the location of the schema master by completing the following steps:

  1. Type mmc at a command prompt.

  2. Click File, and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add, select Active Directory Schema, and click Add. Click Close, and then click OK.

  4. In Active Directory Schema, right-click the Active Directory Schema node, and then click Change Domain Controller. In the Change Domain Controller dialog box, click Specify Name, type the fully qualified domain name of the domain controller to which you want to transfer the role, and then click OK.

  5. In Active Directory Schema, right-click the Active Directory Schema node and then click Operations Master. This opens the Change Schema Master dialog box as shown in Figure 11-12.

    Figure 11-12. Transferring the schema master role.

  6. The current schema master is listed. To change the role to the previously selected domain controller, click Change.

  7. Click Close.

11.3.4. Seizing Operations Master Roles

When an operations master fails and is not coming back online, you need to seize the role to forcibly transfer it to another domain controller. Seizing a role is a drastic step that should only be performed when the previous role owner will never be available again.


Tip: Do not seize an operations master role when you can transfer it gracefully using the normal transfer procedure. Seize a role only as a last resort.

Before you seize a role and forcibly transfer it, you should determine how up to date the domain controller that will take over the role is with respect to the previous role owner. Active Directory tracks replication changes using Update Sequence Numbers (USNs). Because of replication latency, domain controllers might not all be up to date. If you compare a domain controller's USN to that of other servers in the domain, you can determine whether the domain controller is the most up to date with respect to changes from the previous role owner. If the domain controller is up to date, you can transfer the role safely. If the domain controller isn't up to date, you can wait for replication to occur, and then transfer the role to the domain controller.

The Windows Support Tools include Repadmin for working with Active Directory replication. To display the highest USN for a specified naming context on each replication partner of a designated domain controller, type the following at a command prompt:

 repadmin /showutdvec DomainControllerName NamingContext 

where DomainControllerName is the fully qualified domain name of the domain controller and NamingContext is the distinguished name of the domain in which the server is located, such as:

 repadmin /showutdvec engsvr18.domain.local dc=domain,dc=local 

The output shows the highest USN on replication partners for the domain partition:

 Main-Site\engsvr21    @ USN    321348 @ Time 2006-06-12 21:32:32
 Main-Site\engsvr32    @ USN    324113 @ Time 2006-06-12 21:34:17

In this example, if Engsvr21 is the previous role owner and the domain controller you are examining has an equal or larger USN for Engsvr21, the domain controller is up to date. However, if the domain controller you are examining has a lower USN for Engsvr21, it is not up to date and you should wait for replication to occur before seizing the role. You could also use repadmin /syncall to force the domain controller that is the most up to date with respect to the previous role owner to replicate with all of its replication partners.

To seize an operations master role, follow these steps:

  1. Open a command prompt.


    Tip: Microsoft recommends that you log on to the console of the server you want to assign as the new operations master locally or via Remote Desktop.

  2. List the current operations masters by typing netdom query fsmo.

  3. Type ntdsutil.

  4. At the ntdsutil prompt, type roles.

  5. At the fsmo maintenance prompt, type connections.

  6. At the server connections prompt, type connect to server, followed by the fully qualified domain name of the domain controller to which you want to assign the operations master role.

  7. Once you've established a connection to the domain controller, type quit to exit the server connections prompt.

  8. At the fsmo maintenance prompt, type one of the following:

     seize pdc
     seize rid master
     seize infrastructure master
     seize schema master
     seize domain naming master

  9. At the fsmo maintenance prompt, type quit.

  10. At the ntdsutil prompt, type quit.


Tip: After seizing an operations master role, you may need to remove the related data for the failed domain controller from Active Directory.
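As an added example (not from the book), the following PowerShell script performs the USN comparison described above across all surviving domain controllers, parsing repadmin /showutdvec output in the format shown earlier, and hands the most current one to the seize step. It assumes repadmin and the ActiveDirectory module (Windows Server 2008 R2 and later) are available; the function names and the sample output are constructed.

```powershell
# Added example (not from the book): rank surviving DCs by the USN they hold for the failed role
# owner, as 11.3.4 describes, then seize on the most current one. Needs repadmin and the
# ActiveDirectory module; function names and the sample text below are constructed.
Import-Module ActiveDirectory

function Get-UtdVector {
    param([string]$DomainController, [string]$NamingContext, [string[]]$RawOutput)
    # Live run uses the command from the text; $RawOutput substitutes captured output (used offline below).
    if (-not $RawOutput) { $RawOutput = repadmin /showutdvec $DomainController $NamingContext }
    foreach ($line in $RawOutput) {
        # One partner per line: Site\DC  @ USN  <n> @ Time <stamp>; header lines do not match.
        if ($line -match '^\s*(?<site>[^\\]+)\\(?<dc>\S+)\s+@\s*USN\s+(?<usn>\d+)\s+@\s*Time\s+(?<time>.+?)\s*$') {
            [pscustomobject]@{ Site = $Matches.site; DC = $Matches.dc; USN = [long]$Matches.usn; Time = $Matches.time }
        }
    }
}

function Find-SeizeCandidate {
    param([string[]]$Candidates, [string]$NamingContext, [string]$PreviousOwner,
          [hashtable]$CapturedOutput = @{})     # candidate FQDN -> captured repadmin lines (offline use)
    $seen = foreach ($dc in $Candidates) {
        $vec   = Get-UtdVector -DomainController $dc -NamingContext $NamingContext -RawOutput $CapturedOutput[$dc]
        $entry = $vec | Where-Object { $_.DC -eq $PreviousOwner }
        $usn   = if ($entry) { $entry.USN } else { -1 }   # -1: never replicated from the previous owner
        [pscustomobject]@{ Candidate = $dc; UsnFromPreviousOwner = $usn }
    }
    # Highest USN = most up to date with respect to the previous owner. If the leader is not the DC
    # you intended, wait for replication (or run repadmin /syncall on it) before seizing.
    $seen | Sort-Object UsnFromPreviousOwner -Descending
}

# Constructed sample: engsvr21 is the failed PDC emulator; engsvr18 and engsvr32 survive.
$captured = @{
    'engsvr18.domain.local' = @('Main-Site\engsvr21    @ USN    321348 @ Time 2006-06-12 21:32:32',
                                'Main-Site\engsvr32    @ USN    324113 @ Time 2006-06-12 21:34:17')
    'engsvr32.domain.local' = @('Main-Site\engsvr21    @ USN    321360 @ Time 2006-06-12 21:35:02',
                                'Main-Site\engsvr18    @ USN    318004 @ Time 2006-06-12 21:34:50')
}
$ranked = Find-SeizeCandidate -Candidates @($captured.Keys) -NamingContext 'dc=domain,dc=local' `
                              -PreviousOwner 'engsvr21' -CapturedOutput $captured
$ranked | Format-Table -AutoSize     # engsvr32 ranks first: 321360 > 321348

# Seize on the leader; this is the module equivalent of ntdsutil's "seize pdc" (-Force seizes;
# omit it for a graceful transfer while the current owner is still online):
# Move-ADDirectoryServerOperationMasterRole -Identity $ranked[0].Candidate -OperationMasterRole PDCEmulator -Force
```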



MCSE Core Required Exams in a Nutshell
MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (OReilly))
ISBN: 0596102283
Year: 2006
Pages: 95
