Designating Operations Masters




In Active Directory, five distinct operations master roles are defined, each of which has a critical part in ensuring network operations. Two of the roles exist only once in a forest; the other three exist once in each domain.

The forestwide roles are schema master and domain naming master. The schema master controls updates and modifications to the directory schema. The domain naming master controls the addition or removal of domains in the forest. Because these roles must be unique in the forest, a forest has exactly one schema master and exactly one domain naming master.

The domainwide roles are relative ID master, PDC emulator master, and infrastructure master. As the name implies, the relative ID (RID) master allocates pools of relative IDs to the domain controllers in its domain. Whenever you create a user, group, or computer object, the domain controller assigns the new object a unique security ID (SID). The SID consists of the domain's SID prefix and a unique relative ID taken from the pool the RID master allocated to that domain controller; a domain controller that exhausts its pool while the RID master is unavailable can no longer create security principals.

The PDC emulator master acts as a Windows NT PDC when the network is using mixed or interim mode operations. Its job is to authenticate Windows NT logons, process password changes, and replicate updates to the BDCs. It keeps important duties in a native-mode domain as well: password changes are replicated to it preferentially, a domain controller that rejects a password consults it before failing the logon, and it is the authoritative time source for the domain.

The infrastructure master updates object references by comparing its directory data with that of a global catalog. If the data is outdated, the infrastructure master requests the updated data from a global catalog and then replicates the changes to the other domain controllers in the domain. Because the comparison depends on the infrastructure master holding only a partial view of the forest, it should not itself be a global catalog server unless every domain controller in the domain is a global catalog; a global catalog already holds every object and never finds references to update. These domainwide roles must be unique in each domain. This means you can assign only one relative ID master, PDC emulator master, and infrastructure master in each domain.

Finding Operations Masters

When you install a new network, the first domain controller in the first domain is assigned all five operations master roles. If you later create a new child domain, or a root domain in a new tree, the first domain controller in the new domain is assigned operations master roles automatically as well. If that domain starts a new forest, its domain controller is assigned all five roles. If the new domain is in an existing forest, it is assigned the relative ID master, PDC emulator master, and infrastructure master roles, while the schema master and domain naming master roles remain in the forest root domain. Administrators can transfer operations master roles to other domain controllers if necessary.

You can determine which domain controllers in a forest or domain hold a particular operations master role using the -Hasfsmo parameter of the DSQUERY SERVER command. Use one of the following values with this parameter:

  • schema: Returns the DN for the schema master of the forest.

  • name: Returns the DN for the domain naming master of the forest.

  • infr: Returns the DN for the infrastructure master of the domain. If no domain is specified with the -Domain parameter, the current domain is used.

  • pdc: Returns the DN for the PDC emulator master of the domain. If no domain is specified with the -Domain parameter, the current domain is used.

  • rid: Returns the DN for the relative ID master of the domain. If no domain is specified with the -Domain parameter, the current domain is used.

Schema master and domain naming master are forestwide roles. When you type dsquery server -hasfsmo schema or dsquery server -hasfsmo name, you always obtain the DN for the related operations master in the Active Directory forest.

Infrastructure master, PDC emulator master, and relative ID master are domainwide roles. When you type dsquery server -hasfsmo infr, dsquery server -hasfsmo pdc, or dsquery server -hasfsmo rid, you always obtain the DN for the related operations master in your logon domain. If you want the DN for an operations master in another domain, you must use the -Domain parameter. Consider the following example:

dsquery server -hasfsmo rid -domain tech.cpandl.com

Here, you obtain the DN for the relative ID master in the tech.cpandl.com domain. If there are multiple domains in the forest, you might also want a list of all the domain controllers that hold a particular role, on a per-domain basis. To do this, use the -Forest parameter, such as

dsquery server -hasfsmo rid -forest
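The following PowerShell script is an added example and is not code from the book or from Microsoft. It does what the dsquery commands above do for every domain in the forest at once, using the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows (no RSAT module needed), and reports host names rather than the server-object DNs that dsquery -hasfsmo returns. It also applies the placement check a practitioner wants when reading such a report: an infrastructure master that is itself a global catalog never updates cross-domain references unless every domain controller in its domain is also a global catalog. The function name Get-FsmoReport and the optional forest-name parameter are choices made here; the script assumes a domain-joined machine and read access to the directory.

```powershell
# Added example (not from the book): list every operations master in the forest
# and flag an infrastructure master placed on a global catalog in a domain that
# still has non-GC domain controllers. Assumes a domain-joined machine.

function Get-FsmoReport {
    [CmdletBinding()]
    param(
        # Optional forest name (e.g. cpandl.com). Defaults to the logon forest,
        # like "dsquery server -hasfsmo ..." without -domain or -forest.
        [string]$ForestName
    )

    Add-Type -AssemblyName System.DirectoryServices

    $forest = if ($ForestName) {
        $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
            -ArgumentList ([System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest), $ForestName
        [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    } else {
        [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    }

    # Forestwide roles: exactly one holder each (dsquery -hasfsmo schema / name).
    [PSCustomObject]@{ Scope = 'forest'; Domain = $forest.Name; Role = 'SchemaMaster'
                       Holder = $forest.SchemaRoleOwner.Name; Warning = $null }
    [PSCustomObject]@{ Scope = 'forest'; Domain = $forest.Name; Role = 'DomainNamingMaster'
                       Holder = $forest.NamingRoleOwner.Name; Warning = $null }

    # Domainwide roles: one holder per domain (dsquery -hasfsmo rid -forest, etc.).
    foreach ($domain in $forest.Domains) {
        $infra   = $domain.InfrastructureRoleOwner
        $warning = $null
        try {
            $dcs   = @($domain.FindAllDomainControllers())
            $notGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog() })
            if ($infra.IsGlobalCatalog() -and $notGc.Count -gt 0) {
                $warning = "infrastructure master is a GC but $($notGc.Count) DC(s) in the domain are not; " +
                           "cross-domain references will not be updated"
            }
        } catch {
            # A domain with no reachable DC still gets its role holders listed.
            $warning = "could not enumerate domain controllers: $($_.Exception.Message)"
        }

        [PSCustomObject]@{ Scope = 'domain'; Domain = $domain.Name; Role = 'PDCEmulator'
                           Holder = $domain.PdcRoleOwner.Name; Warning = $null }
        [PSCustomObject]@{ Scope = 'domain'; Domain = $domain.Name; Role = 'RIDMaster'
                           Holder = $domain.RidRoleOwner.Name; Warning = $null }
        [PSCustomObject]@{ Scope = 'domain'; Domain = $domain.Name; Role = 'InfrastructureMaster'
                           Holder = $infra.Name; Warning = $warning }
    }
}

# One row per role per domain; a non-empty Warning column needs attention.
Get-FsmoReport | Format-Table -AutoSize
```

Run it as any domain user; only the role-owner and global-catalog attributes are read. The per-domain try/catch matters in a multi-domain forest where a remote domain's controllers sit behind a firewall: the role holders are still reported from the forest's own data, and only the GC check is skipped for that domain.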

Configuring Operations Master Roles Using the Command Line

Although you can use the directory services commands to check where the operations masters are located, you cannot use them to configure operations master roles. To configure operations master roles, you must use NTDSUtil. NTDSUtil is a text-mode command interpreter: once invoked, it provides its own prompt and a set of internal commands for managing directory services. You invoke the NTDSUtil interpreter by typing ntdsutil in a command window and pressing Enter.

Using NTDSUtil, you can transfer operations master roles from one domain controller to another and seize roles when a role cannot be transferred gracefully. (A seize first attempts a normal transfer and only forces the role when the current holder does not respond.) For example, a domain controller acting as the infrastructure master might have a drive failure that takes down the entire server. If you're unable to get the server back online, you might need to seize the infrastructure role and assign it to another domain controller. Never seize a role on a domain controller you plan to bring back online: the old holder still believes it owns the role, and two servers claiming the same schema master, domain naming master, or RID master can make conflicting schema or domain changes or hand out duplicate relative IDs. For those three roles, once you seize the role the old server is permanently out of service, and the only way to bring it back online is to format the boot disk and reinstall Windows Server 2003. The PDC emulator and infrastructure master roles are the exception: the original holder can be returned to service after a seizure, and the role can simply be transferred back to it if desired.

You can transfer roles at the command line by following these steps:

  1. Log on to the server you want to assign as the new operations master, then start a command prompt.

  2. At the command prompt, type ntdsutil to invoke the text-mode command interpreter for NTDSUtil.

  3. At the ntdsutil prompt, type roles. This puts the utility in Operations Master Maintenance mode and the prompt changes to

    fsmo maintenance: 
  4. At the fsmo maintenance prompt, type connections to get to the server connections prompt. Then type connect to server followed by the fully qualified domain name of the domain controller that is to receive the role, that is, the server you logged on to in step 1 (not the current role holder; NTDSUtil transfers the role to the server it is connected to), such as

    connect to server corpdc01.eng.cpandl.com
  5. Once a successful connection is established, type quit to exit the server connections prompt, and then at the fsmo maintenance prompt, type transfer followed by the identifier for the role to transfer, for example transfer rid master. The identifiers are

    • pdc—For the PDC emulator master role

    • rid master—For the relative ID master role

    • infrastructure master—For the infrastructure master role

    • schema master—For the schema master role

    • domain naming master—For the domain naming master role

  6. The role is transferred. Type quit at the fsmo maintenance prompt and type quit at the ntdsutil prompt.

If you can’t transfer the role gracefully because the current server holding the role is offline or otherwise unavailable, you can seize the role by following these steps:

  1. Ensure that the current domain controller with the role you want to seize is permanently offline. For the schema master, domain naming master, and RID master roles, if the server can be brought back online, don't perform this procedure unless you intend to completely reinstall that server. The PDC emulator and infrastructure master roles are the exception: the original holder can return to service after the seizure, and the role can be transferred back to it.

  2. Log on to the server you want to assign as the new operations master, then start a command prompt.

  3. At the command prompt, type ntdsutil to invoke the text-mode command interpreter for NTDSUtil.

  4. At the ntdsutil prompt, type roles. This puts the utility in Operations Master Maintenance mode and the prompt changes to:

    fsmo maintenance:
  5. At the fsmo maintenance prompt, type connections and then, at the server connections prompt, type connect to server followed by the fully qualified domain name of the domain controller that is to receive the role, that is, the server you logged on to in step 2 (not the failed role holder; NTDSUtil seizes the role for the server it is connected to), such as

    connect to server corpdc01.eng.cpandl.com
  6. Once a successful connection is established, type quit to exit the server connections prompt and then, at the fsmo maintenance prompt, type seize followed by the identifier for the role to seize, for example seize infrastructure master. The identifiers are

    • pdc—For the PDC emulator master role

    • rid master—For the relative ID master role

    • infrastructure master—For the infrastructure master role

    • schema master—For the schema master role

    • domain naming master—For the domain naming master role

  7. The role is seized. Type quit at the fsmo maintenance prompt and type quit at the ntdsutil prompt.
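The following PowerShell function is an added example and is not code from the book or from Microsoft. It performs the transfer and seize procedures above with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet, which on later Windows Server releases replaces the interactive ntdsutil session, and it enforces the two checks the procedures rely on the administrator to make by hand: a role is transferred only while the current holder still answers LDAP, and seized only when it does not, with a warning for the three roles whose old holder must never return. The function name Move-FsmoRole, the target name corpdc02.eng.cpandl.com in the usage line, and the availability of the ActiveDirectory module (RSAT or a Windows Server 2008 R2 or later domain controller) are assumptions; the caller needs Enterprise Admin rights for forest roles and Domain Admin rights for domain roles.

```powershell
# Added example (not from the book): transfer or seize operations master roles
# with the ActiveDirectory module instead of an interactive ntdsutil session.
# Assumes the module is installed and the caller holds the required admin rights.

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # FQDN of the domain controller that will hold the role afterwards
        # (the server the procedures above have you log on to first).
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                     'SchemaMaster', 'DomainNamingMaster')]
        [string[]]$Role,
        # Seize instead of transfer; refused while the current holder still answers LDAP.
        [switch]$Seize
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $domain = Get-ADDomain -Identity $target.Domain -Server $target.HostName
    $forest = Get-ADForest -Identity $target.Forest -Server $target.HostName

    foreach ($r in $Role) {
        # Current holder, from the same role-owner attributes dsquery -hasfsmo reports.
        $holder = switch ($r) {
            'PDCEmulator'          { $domain.PDCEmulator }
            'RIDMaster'            { $domain.RIDMaster }
            'InfrastructureMaster' { $domain.InfrastructureMaster }
            'SchemaMaster'         { $forest.SchemaMaster }
            'DomainNamingMaster'   { $forest.DomainNamingMaster }
        }
        if ($holder -eq $target.HostName) {
            Write-Verbose "$r is already held by $TargetDC"
            continue
        }

        # Liveness check against the holder's own LDAP service, not just ICMP.
        $holderAlive = $true
        try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop } catch { $holderAlive = $false }

        if ($Seize -and $holderAlive) {
            throw "$holder still holds $r and answers LDAP; transfer the role instead of seizing it"
        }
        if (-not $Seize -and -not $holderAlive) {
            throw "$holder (current $r) is unreachable; a graceful transfer is impossible. Use -Seize only once it is confirmed permanently offline"
        }
        if ($Seize -and ($r -in 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster')) {
            Write-Warning "After seizing $r, $holder must never rejoin the forest; rebuild it before reconnecting it"
        }

        $verb = if ($Seize) { 'Seize' } else { 'Transfer' }
        if ($PSCmdlet.ShouldProcess($TargetDC, "$verb $r from $holder")) {
            # -Force makes the cmdlet seize when the transfer cannot complete.
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $r `
                -Force:$Seize -Confirm:$false -ErrorAction Stop
        }
    }

    # Re-read the role owners from the target itself so the caller sees the
    # post-move state, the same check "dsquery server -hasfsmo" would give.
    $domain = Get-ADDomain -Identity $target.Domain -Server $target.HostName
    $forest = Get-ADForest -Identity $target.Forest -Server $target.HostName
    [PSCustomObject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

# Graceful transfer of the RID master to corpdc02 (name assumed), as in the first
# procedure; -WhatIf shows the intended move without performing it.
Move-FsmoRole -TargetDC corpdc02.eng.cpandl.com -Role RIDMaster -WhatIf
```

Drop -WhatIf to perform the move; the function then asks for confirmation because of ConfirmImpact High, and -Confirm:$false suppresses that for scripted use. For a seizure, run it with -Seize on the surviving domain controller after confirming the failed holder really is gone: the LDAP check is a guard against seizing over a live server, not a substitute for that judgement.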






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004
Pages: 114