Lesson 2: Operations Master Roles

Operations master roles are special roles assigned to one or more domain controllers in an Active Directory domain. The domain controllers that are assigned these roles perform single-master replication. This lesson introduces you to operations master roles and the tasks involved with master role assignments.


After this lesson, you will be able to

  • Describe the forest-wide operations master roles
  • Describe the domain-wide operations master roles
  • Plan operations master locations
  • View operations master role assignments
  • Transfer operations master role assignments

Estimated lesson time: 15 minutes


Operations Master Roles

Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform single-master operations, that is, operations that are not permitted to occur at different places in a network at the same time. The assignment that designates a domain controller to perform a given set of single-master operations is called an operations master role.

In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You can change the assignment of operations master roles after setup, but in most cases this is not necessary. You must be aware of operations master roles assigned to a domain controller if problems develop on the domain controller or if you plan to take it out of service.

Forest-Wide Operations Master Roles

Every Active Directory forest must have the following roles:

  • Schema master
  • Domain naming master

These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.

Schema Master Role

The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.

Domain Naming Master Role

The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.

Domain-Wide Operations Master Roles

Every domain in the forest must have the following roles:

  • Relative identifier (ID) master
  • PDC emulator
  • Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have only one relative ID master, PDC emulator, and infrastructure master.

Relative ID Master Role

The relative ID master allocates sequences of relative IDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the relative ID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID (which is the same for all SIDs created in the domain), and a relative ID that is unique for each SID created in the domain.

To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the relative ID master of the domain that currently contains the object.
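As an added example (not from the training kit), the PowerShell below takes a SID apart into the domain SID and relative ID described above, then models the single-master allocation the relative ID master performs: it alone hands out non-overlapping RID blocks, so two domain controllers creating objects at the same moment can never mint the same SID. The SIDs, DC names and block size are constructed for illustration; only the .NET SecurityIdentifier class is real.

```powershell
# Added example, not from the training kit. Sample SIDs and DC names are constructed.

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # AccountDomainSid is $null for SIDs that no domain issued (well-known SIDs
    # such as S-1-5-18), so report that instead of throwing.
    $domain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $domain                                   # same for every SID in the domain
        Rid       = if ($domain) { [uint32]($sid.Value.Split('-')[-1]) } else { $null }
    }
}

Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'   # constructed domain account SID
Split-Sid 'S-1-5-18'                                          # LocalSystem: carries no domain SID

# Model of the single-master RID allocation (constructed values).
$DomainSid = 'S-1-5-21-1004336348-1177238915-682003330'
$BlockSize = 500               # illustrative block size; the real value is a domain setting
$script:NextFreeRid = 1000     # RIDs below 1000 are reserved for built-in accounts
$Pools = @{}                   # per-DC block: Next = next unused RID, End = last RID in block

function Grant-RidBlock {
    param([Parameter(Mandatory)][string]$DcName)
    # Only the relative ID master runs this: every call returns a range nobody else has.
    $start = $script:NextFreeRid
    $script:NextFreeRid += $BlockSize
    $Pools[$DcName] = @{ Next = $start; End = $start + $BlockSize - 1 }
}

function New-ObjectSid {
    param([Parameter(Mandatory)][string]$DcName)
    # Any DC runs this: consume the next RID from the block it was granted, and ask
    # the relative ID master for a fresh block when the current one is exhausted.
    $pool = $Pools[$DcName]
    if (-not $pool -or $pool.Next -gt $pool.End) {
        Grant-RidBlock $DcName
        $pool = $Pools[$DcName]
    }
    $rid = $pool.Next
    $pool.Next = $pool.Next + 1
    "$DomainSid-$rid"
}

Grant-RidBlock 'DC1'
Grant-RidBlock 'DC2'       # DC2's block begins where DC1's block ends
New-ObjectSid 'DC1'        # first RID from DC1's block
New-ObjectSid 'DC2'        # first RID from DC2's block, distinct from anything DC1 can issue
New-ObjectSid 'DC1'        # second RID from DC1's block
```

Because each DC only ever draws from its own block, the domain stays consistent even while the two DCs are out of contact; what the relative ID master must be reachable for is the handout of the next block, which is why a domain that has exhausted its blocks stops creating objects when that role holder is down.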

PDC Emulator Role

If the domain contains computers operating without Windows 2000 client software or if it contains Windows NT backup domain controllers (BDCs), the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Even after all systems are upgraded to Windows 2000, and the Windows 2000 domain is operating in Native mode, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

Infrastructure Master Role

The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one domain controller acting as the infrastructure master in each domain.

When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

Planning Operations Master Locations

In a small Active Directory forest with only one domain and one domain controller, that domain controller is assigned all the operations master roles. When you create the first domain in a new forest, all of the operations master roles are automatically assigned to the first domain controller in that domain.

When you create a new child domain or the root domain of a new domain tree in an existing forest, the first domain controller in the new domain is automatically assigned the following roles:

  • Relative ID master
  • PDC emulator
  • Infrastructure master

Because there can be only one schema master and one domain naming master in the forest, these roles remain in the first domain created in the forest.

Figure 17.1 shows how the operations master roles are distributed throughout a forest by default.

Figure 17.1 Operations master role default distribution in a forest

In Figure 17.1, Domain A was the first domain created in the forest (also called the forest root domain). It holds both of the forest-wide operations master roles. The first domain controller in each of the other domains is assigned the three domain-specific roles.

The default operations master locations work well for a forest deployed on a few domain controllers in a single site. In a forest with more domain controllers, or in a forest that spans multiple sites, you might want to transfer the default operations master role assignments to other domain controllers in the domain or forest.

Planning the Operations Master Role Assignments by Domain

If a domain has only one domain controller, that domain controller holds all of the domain roles. Otherwise, choose two well-connected domain controllers that are direct replication partners. Make one of the domain controllers the operations master domain controller. Make the other the standby operations master domain controller. The standby operations master domain controller is used in case of failure of the operations master domain controller.

In typical domains, you assign both the relative ID master and PDC emulator roles to the operations master domain controller. In a very large domain, you can reduce the peak load on the PDC emulator by placing these roles on separate domain controllers, both of which are direct replication partners of the standby operations master domain controller. Keep the two roles together unless the load on the operations master domain controller justifies separating the roles.

Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. However, you should assign the infrastructure master role to any domain controller that is well connected to a global catalog (from any domain) in the same site. If the operations master domain controller meets these requirements, use it unless the load justifies the extra management burden of separating the roles.

If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. If all the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

Planning the Operations Master Roles for the Forest

Once you have planned all of the domain roles for each domain, consider the forest roles. The schema master and the domain naming master roles should always be assigned to the same domain controller. For best performance, assign them to a domain controller that is well connected to the computers used by the administrator or group responsible for schema updates and the creation of new domains. The load of these operations master roles is very light, so, to simplify management, place these roles on the operations master domain controller of one of the domains in the forest.

Planning for Growth

Normally, as your forest grows, you will not need to change the locations of the various operations master roles. But when you are planning to decommission a domain controller, change the global catalog status of a domain controller, or reduce the connectivity of parts of your network, you should review your plan and revise the operations master role assignments, as necessary.

Identifying Operations Master Role Assignments

Before you can revise operations master role assignments, you need to view the current operations master role assignments for your domain.

Follow these steps to identify the relative ID master, the PDC emulator, or the infrastructure master role assignments:

  1. Open the Active Directory Users and Computers console.
  2. In the console tree, right-click the Active Directory Users And Computers node, and then click Operations Masters.
  3. In the Operations Master dialog box, do one of the following:
    • Click the RID tab. The name of the relative ID master appears in the Operations Master box.
    • Click the PDC tab. The name of the PDC emulator appears in the Operations Master box.
    • Click the Infrastructure tab. The name of the infrastructure master appears in the Operations Master box.
  4. Click Cancel to close the Operations Master dialog box.

Follow these steps to identify the domain naming master role assignment:

  1. Open the Active Directory Domains And Trusts console.
  2. In the console tree, right-click the Active Directory Domains And Trusts node, and then click Operations Master.

    In the Change Operations Master dialog box, the name of the current domain naming master appears in the Domain Naming Operations Master box.

  3. Click Close to close the Change Operations Master dialog box.

Follow these steps to identify the schema master role assignment:

  1. Open the Active Directory Schema snap-in.

    NOTE

    The Active Directory Schema snap-in must be installed with the Windows 2000 Administration Tools using Add/Remove Programs in the Control Panel.

  2. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  3. In the Change Schema Master dialog box, the name of the current schema master appears in the Current Operations Master box.
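The three console procedures above each show one or three role holders at a time. As an added example (not part of the training kit), the PowerShell below lists all five holders in one report using the ActiveDirectory module, which ships with later RSAT releases rather than with Windows 2000, and then checks the infrastructure master placement rule from the planning section: the role holder should not also be a global catalog unless every domain controller in the domain is one. On Windows 2000 itself, `netdom query fsmo` from the Support Tools lists the same five holders.

```powershell
# Added example, not from the training kit. Requires the RSAT ActiveDirectory module
# (Windows Server 2008 R2 or later) and a user allowed to read the directory.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        Forest               = $forest.Name
        SchemaMaster         = $forest.SchemaMaster         # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide role
        Domain               = $dom.DNSRoot
        RIDMaster            = $dom.RIDMaster               # domain-wide roles follow
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot)
    $holder = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $holder) {
        "UNKNOWN: could not match $($dom.InfrastructureMaster) to a domain controller in $($dom.DNSRoot)."
    } elseif ($nonGc.Count -eq 0) {
        # Every DC already has the full data set, so the role has nothing to fix up.
        "OK: every DC in $($dom.DNSRoot) is a global catalog, so placement does not matter."
    } elseif ($holder.IsGlobalCatalog) {
        "WARNING: $($holder.HostName) holds the infrastructure master role and is a global catalog; cross-domain group references will not be updated."
    } else {
        "OK: $($holder.HostName) holds the infrastructure master role and is not a global catalog."
    }
}

Get-OperationsMasterReport | Format-List
Test-InfrastructureMasterPlacement
```

Run the report before any decommissioning or global catalog change, since those are exactly the events the lesson says should trigger a review of the assignments.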

Transferring Operations Master Role Assignments

Transferring an operations master role assignment means moving it from one domain controller to another, with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles.

Follow these steps to transfer the relative ID master, the PDC emulator, or the infrastructure master role assignments:

  1. Open the Active Directory Users And Computers console.
  2. In the console tree, right-click the Domain node that will become the new relative ID master, PDC emulator, or infrastructure master, and then click Connect To Domain.
  3. In the Connect To Domain dialog box, type the domain name or click Browse to select the domain from the list, and then click OK.
  4. In the console tree, right-click the Active Directory Users And Computers node, and then click Operations Masters.
  5. In the Operations Master dialog box, do one of the following:
    • Click the RID tab, and then click Change.
    • Click the PDC tab, and then click Change.
    • Click the Infrastructure tab, and then click Change.
  6. Click OK to close the Operations Master dialog box.

Follow these steps to transfer the domain naming master role assignment:

  1. Open the Active Directory Domains And Trusts console.
  2. In the console tree, right-click the Domain Controller node that will become the new domain naming master, and then click Connect To Domain.
  3. In the Connect To Domain dialog box, type the domain name or click Browse to select the domain from the list, and then click OK.
  4. In the console tree, right-click the Active Directory Domains And Trusts node, and then click Operations Master.
  5. In the Change Operations Master dialog box, click Change.
  6. Click OK to close the Change Operations Master dialog box.

Follow these steps to transfer the schema master role assignment:

  1. Open the Active Directory Schema snap-in.

    NOTE

    The Active Directory Schema snap-in must be installed with the Windows 2000 Administration Tools using Add/Remove Programs in the Control Panel.

  2. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  3. In the Change Domain Controller dialog box, click one of the following:
    • Any DC. This lets Active Directory select the new schema operations master.
    • Specify Name. Then type the name of the new schema master to specify the new schema operations master.
  4. Click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  6. In the Change Schema Master dialog box, click Change.
  7. Click OK to close the Change Schema Master dialog box.

Responding to Operations Master Failures

Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. Generally, you will notice that a single-master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.

If an operations master is not available due to computer failure or network problems, you can seize the operations master role. This is also referred to as forcing the transfer of the operations master role.

Before forcing the transfer, first determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online.

In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never again be available. The decision depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following sections.

Important

A domain controller whose schema, domain naming, or relative ID master role has been seized must never be brought back online without the drives being reformatted and Windows 2000 reloaded first.
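As an added example (not part of the training kit), the PowerShell function below moves a role with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet, covering both the graceful transfer described earlier and the seizure described here. It first binds to the current holder: a holder that still answers is transferred from rather than seized from, and a holder that does not answer cannot complete a graceful transfer, which is the cooperation the transfer procedure depends on. After a seizure of the schema, domain naming or relative ID master it repeats the warning from the Important note. The module postdates Windows 2000 (on Windows 2000 the equivalent transfer and seize commands live in the roles menu of Ntdsutil.exe); the server names are placeholders.

```powershell
# Added example, not from the training kit. Requires the RSAT ActiveDirectory module.
# Server names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Move-OperationsMasterRole {
    param(
        [Parameter(Mandatory)][string]$NewHolder,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize
    )
    # Find the current holder so a transfer can be told apart from a seizure.
    $current = switch ($Role) {
        'SchemaMaster'         { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster'   { (Get-ADForest).DomainNamingMaster }
        'RIDMaster'            { (Get-ADDomain).RIDMaster }
        'PDCEmulator'          { (Get-ADDomain).PDCEmulator }
        'InfrastructureMaster' { (Get-ADDomain).InfrastructureMaster }
    }
    # Bind directly to the current holder; failure means it is down or unreachable.
    $reachable = $null -ne (Get-ADDomainController -Server $current -ErrorAction SilentlyContinue)
    if ($Seize -and $reachable) {
        throw "$current still answers; transfer the $Role role instead of seizing it."
    }
    if (-not $Seize -and -not $reachable) {
        throw "$current is unreachable; a graceful transfer of $Role cannot complete."
    }
    # -Force turns the transfer into a seizure; -Confirm:$false suppresses the prompt.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    if ($Seize -and $Role -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
        Write-Warning "$current must have its drives reformatted and Windows reinstalled before it is ever reconnected."
    }
}

# Graceful transfer of the RID master to the standby operations master (placeholder name):
Move-OperationsMasterRole -NewHolder 'DC2' -Role RIDMaster
# Seizure of the PDC emulator once DC1 has been confirmed down (run deliberately, not by default):
# Move-OperationsMasterRole -NewHolder 'DC2' -Role PDCEmulator -Seize
```

The reachability test is a bind to the old holder rather than a directory lookup, because the directory still lists a failed domain controller as the holder long after it has stopped answering.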

Schema Master Failure

Temporary loss of the schema operations master is not visible to network users. It will not be visible to network administrators either, unless they are trying to modify the schema or install an application that modifies the schema during installation.

If the schema master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a step that you should take only when the failure of the schema master is permanent.

Domain Naming Master Failure

Temporary loss of the domain naming master is not visible to network users. It will not be visible to network administrators either, unless they are trying to add a domain to the forest or remove a domain from the forest.

If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a step that you should take only when the failure of the domain naming master is permanent.

Relative ID Master Failure

Temporary loss of the relative ID operations master is not visible to network users. It will not be visible to network administrators either, unless they are creating objects and the domain in which they are creating the objects runs out of relative IDs.

If the relative ID master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a step that you should take only when the failure of the relative ID master is permanent.

PDC Emulator Failure

The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you may need to immediately seize the role.

If the current PDC emulator master will be unavailable for an unacceptable length of time and its domain has clients without Windows 2000 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator master role to the standby operations master. When the original PDC emulator master is returned to service, you can return the role to the original domain controller.

Infrastructure Master Failure

Temporary loss of the infrastructure master is not visible to network users. It will not be visible to network administrators either, unless they have recently moved or renamed a large number of accounts.

If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any domain), ideally in the same site as the current global catalog. When the original infrastructure master is returned to service, you can transfer the role back to the original domain controller.

Lesson Summary

In this lesson you learned about the two forest-wide operations master roles, the schema master, and the domain naming master. You also learned about the three domain-wide operations master roles, the relative ID master, the PDC emulator, and the infrastructure master.

You learned the default operations master locations and some strategies for planning locations. You also learned how to view operations master role assignments and how to transfer operations master role assignments if necessary.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
