In Windows Server 2003, as in Windows 2000, domain controllers use multimaster replication. In essence, all domain controllers in these environments are peers that distribute Active Directory access throughout an organization. This distribution also provides redundancy by eliminating the single point of failure present in the single master domain model of Windows NT. Although domain controllers share most of the work of managing an Active Directory forest, five functions are impractical to distribute and must each be handled by a single server. For each of these functions, exactly one domain controller is the operations master. Two forestwide Flexible Single Master Operation (FSMO) roles must exist in every forest, and three domainwide roles must exist in every domain. The FSMO roles are outlined as follows:
Proper Placement of Operation Master Roles
Because each Operation Master role can reside on only one domain controller, it is important to understand the ramifications of each role in order to determine its proper placement within a forest or domain. Changes in Windows Server 2003 also lift some placement restrictions present in Windows 2000 forests. This section provides some best practices for FSMO role assignments.

First, the Infrastructure Master role should be assigned to a domain controller that is not a global catalog server. This is true even in single domain models, because there is always the possibility that new domains will be added to the forest. In a multidomain model, if the Infrastructure Master holds a local copy of the global catalog, it always finds current data for cross-domain references, so it never detects that its own domain's references are out of date and therefore never replicates updated information about other domains to the other domain controllers in its domain.

Placement of the PDC Emulator domain controller might affect logon times in some organizations. Even for companies that no longer support pre-Windows 2000 clients on the network, the PDC Emulator gets preferential treatment with regard to password change replication. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller forwards the authentication request to the PDC Emulator before rejecting the logon attempt. The PDC Emulator should also get special consideration when setting up time synchronization, because this FSMO role is responsible for synchronizing time for all domain controllers in its domain. The PDC Emulator in the forest root domain should be synchronized with an external time source.

Finally, a limitation of Windows 2000 functional level forests requires that the Domain Naming Master role reside on a domain controller that is also a global catalog server.
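The placement rules above can be checked from a management workstation. The following script is an added example, not from the book; it uses the ActiveDirectory PowerShell module (RSAT) and w32tm, and assumes the caller can read the forest and query the PDC Emulator's time source. No server names are hard-coded; every name comes from the directory.

```powershell
# Added example, not from the book: audit where the five FSMO roles sit and
# flag placements that contradict the best practices described above.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can
# read the forest; DC names are whatever the directory returns.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain          # domain of the current user/computer
    $findings = @()

    # Report the holders of the two forestwide and three domainwide roles.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    } | Format-List | Out-String | Write-Host

    # Check 1: the Infrastructure Master should not be a global catalog server.
    # With a local GC it always finds fresh cross-domain data, so it never
    # notices stale references and never replicates corrections to its domain.
    $infraDc = Get-ADDomainController -Identity $domain.InfrastructureMaster
    if ($infraDc.IsGlobalCatalog) {
        $findings += "Infrastructure Master $($infraDc.HostName) is a global catalog server; move the role to a non-GC DC."
    }

    # Check 2: the forest root PDC Emulator should take time from an external
    # source rather than its own hardware clock.
    if ($domain.DNSRoot -eq $forest.RootDomain) {
        $timeSource = (w32tm /query /computer:$($domain.PDCEmulator) /source) -join ''
        if ($timeSource -match 'Local CMOS Clock') {
            $findings += "PDC Emulator $($domain.PDCEmulator) uses its local clock; configure an external NTP source."
        }
    }

    # Check 3: only at the Windows 2000 forest functional level must the
    # Domain Naming Master also be a GC.
    if ($forest.ForestMode -eq 'Windows2000Forest') {
        $dnmDc = Get-ADDomainController -Identity $forest.DomainNamingMaster
        if (-not $dnmDc.IsGlobalCatalog) {
            $findings += "Domain Naming Master $($dnmDc.HostName) is not a GC, which a Windows 2000 functional level forest requires."
        }
    }

    if ($findings.Count -eq 0) { "No placement issues found." } else { $findings }
}

Test-FsmoPlacement
```

Run it in each domain of a multidomain forest, since Get-ADDomain reports only the caller's domain; the Infrastructure Master check is the one most often found wrong in practice because the first domain controller promoted in a forest holds every role and is a global catalog server by default.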
At the Windows Server 2003 forest functional level, the Windows 2000 restriction on the Domain Naming Master is removed, so this forestwide role can exist on a DC that is not a GC.

Moving Operation Master Roles
There might be occasion to move particular FSMO roles between servers after Active Directory is installed and distributed across several domain controllers. Also, in cases of disaster recovery or demotion of domain controllers serving these roles, it might become necessary to move FSMO roles. This section explains how to transfer the roles. In cases where the FSMO role merely needs to be transferred between two functioning domain controllers, a GUI interface or the NTDSUtil command-line tool can be used. In disaster recovery situations where the operations master is lost, the FSMO roles must be seized using the NTDSUtil command-line tool.

Transfer of the Schema Master role is performed by using the Active Directory Schema snap-in. This snap-in must be installed and executed by a member of the Schema Admins group in the forest. See the section "Using the Active Directory Schema Snap-in" for instructions on how to install the snap-in. To transfer the Schema Master role, perform the following steps:
Transferring the Domain Naming Master role is a similar procedure performed using Active Directory Domains and Trusts. Transferring the PDC Emulator, RID Master, or Infrastructure Master roles can all be performed using Active Directory Users and Computers.

Change the Focus of Active Directory Users and Computers
To transfer a role to another domain controller, change the focus of Active Directory Users and Computers to the target domain controller. To do this, right-click Active Directory Users and Computers, click Connect to Domain Controller, and then click the target domain controller.

In cases where the operations master is lost and cannot be recovered, the NTDSUtil command-line tool can be used to seize the role from a functioning domain controller. To seize the RID Master role, for example, follow these steps:
Seizing FSMO Roles
Do not seize FSMO roles if they can be transferred instead. Seizing the RID Master is a drastic step that should be considered only if the current operations master will never be available again.

The Operation Master Role
The servername is the domain controller that will seize the operation master role.
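The transfer-versus-seize distinction above, as an added example that is not part of the book: a single function that transfers any of the five roles with the ActiveDirectory PowerShell module and seizes only when the operator explicitly asks for it. It assumes RSAT is installed, that the caller holds the group membership each role requires (Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, Domain Admins for the domain roles), and uses a hypothetical target name in the usage lines.

```powershell
# Added example, not from the book: transfer one operation master role to a
# target DC, or seize it when the current holder is permanently gone.
# Assumes the ActiveDirectory module (RSAT) and the rights the role requires.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [Parameter(Mandatory)][string]$TargetDc,   # e.g. 'dc02.corp.example' (hypothetical)
        [switch]$Seize                             # only when the holder will never return
    )
    $target = Get-ADDirectoryServer -Identity $TargetDc -ErrorAction Stop

    # Helper: read the current holder of the role as seen by the target DC,
    # so the check after a seize is not answered by a DC that has not yet replicated.
    $getHolder = {
        if (@('SchemaMaster','DomainNamingMaster') -contains $Role) {
            (Get-ADForest -Server $target.HostName).$Role
        } else {
            (Get-ADDomain -Server $target.HostName).$Role
        }
    }

    $before = & $getHolder
    if ($before -eq $target.HostName) { return "$Role is already held by $($target.HostName)" }

    if ($Seize) {
        # -Force seizes the role instead of transferring it; this is the same
        # drastic operation the book performs with NTDSUtil.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        # A transfer contacts the current holder and fails if it is unreachable,
        # which is the safe default.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
    }

    # Verify by re-reading the role holder rather than trusting the cmdlet's silence.
    $after = & $getHolder
    if ($after -ne $target.HostName) { throw "$Role is still held by $after" }
    "$Role moved from $before to $after"
}

# Usage (hypothetical target name):
# Move-FsmoRole -Role RIDMaster -TargetDc 'dc02.corp.example'          # transfer
# Move-FsmoRole -Role RIDMaster -TargetDc 'dc02.corp.example' -Seize   # seize
```

Keeping seizure behind an explicit switch mirrors the book's caution: the default path fails cleanly when the current holder is offline, so an operator has to state that the holder is gone for good before the role is taken by force.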