Identifying Operations Master Roles

Microsoft® Windows® 2000 Scripting Guide


Active Directory includes five operations master roles (also known as flexible single master operation or FSMO) that delegate particular responsibilities to particular computers.

Understanding operations master roles and knowing which computers hold these roles is very important. If an operations master role holder is unavailable, you cannot carry out certain Active Directory activities. For example, in order to modify the schema, the schema master must be available. To know if the schema master is available, you need to know which computer holds this role.

In addition, before you assign a computer certain roles, you need to determine whether that computer holds a conflicting role. For example, in a multidomain forest, the infrastructure master must never be placed on a global catalog server. If a given domain controller is the infrastructure master, you must not promote that domain controller to a global catalog server.

To help identify operations master role holders, you can use the searching capabilities available through ADSI. The five operations master roles and their associated ADSI object class are listed in Table 9.5. The object classes are used to search Active Directory for the operations master role holder. The search connects to the object class and then retrieves the value of the FSMORoleOwner attribute.

Table 9.5   ADSI Object Classes and Operations Master Roles

ADSI Object Class: domainDNS
Operations Master Role: Primary domain controller (PDC) emulator. Serves two essential functions. First, it acts as a primary domain controller to provide compatibility with Windows NT domains. Second, password changes performed within a domain are replicated immediately to the PDC emulator. This ensures that new password changes take effect right away. If a user is unable to log on to a domain due to a password error, the authenticating domain controller contacts the PDC emulator to see if the user's password has been changed but not yet replicated throughout the domain. If the PDC has a new password, that password is used to authenticate the user.

The PDC emulator is often referred to as the primary domain controller.

ADSI Object Class: rIDManager
Operations Master Role: RID master. Replenishes the relative IDs (RIDs) for domain controllers.

When a new security principal such as a user or computer account is created, the domain controller used to create the security principal assigns the new object a security identifier (SID). A SID consists of two parts: an identification number that is given to all the objects created in that domain and a unique RID. Together, the two parts uniquely identify any object in the domain.

Each domain controller is allocated 512 RIDs. When a domain controller has approximately 100 RIDs remaining, it contacts the RID master and requests an additional 512 RIDs to replenish its supply. If the RID master is unavailable and a domain controller runs out of relative IDs, you will no longer be able to use that computer to create new Active Directory objects.

ADSI Object Class: infrastructureUpdate
Operations Master Role: Infrastructure master. Synchronizes group-to-user references.

The infrastructure master is particularly important in a scenario such as this: a user from domain A is a member of a security group in domain B. If you rename the user account, the security group membership is not updated until replication occurs. The infrastructure master is responsible for identifying and correcting issues such as this.

If the infrastructure master fails, you can transfer the role to another domain controller. However, you must ensure that the previous infrastructure master never comes back online.

ADSI Object Class: dMD
Operations Master Role: Schema master. Updates the schema for the forest. (There is only one schema master per forest.) You must connect to the schema master in order to update the schema.

If the schema master fails, you can transfer the role to another domain controller. However, you must ensure that the previous schema master never comes back online.

ADSI Object Class: crossRefContainer
Operations Master Role: Domain naming master. Adds or removes a domain from the forest. (There is only one domain naming master per forest.) You cannot add or remove a domain unless the domain naming master is available.

If the domain naming master fails, you can transfer the role to another domain controller. However, you must ensure that the previous domain naming master never comes back online.

Scripting Steps

Listing 9.16 contains a script that identifies operations master roles in Active Directory. To carry out this task, the script must perform the following steps:

  1. Create an instance of the Active Directory connection object (ADODB.Connection).
  2. Set the Provider property of the connection object to the Active Directory provider (ADsDSOObject). This is the OLE database provider for ADSI.
  3. Set the active connection to the Active Directory connection.
  4. Create a command string that searches Active Directory from the root down (LDAP://DC=fabrikam, DC=com). The command string must specify the object class to search for (domainDNS) and the attribute to return (FSMORoleOwner).

    To search for a different operations master role holder, replace domainDNS with the appropriate object class. For example, to locate the RID manager, set the object class to rIDManager.

  5. Execute the search command.
  6. Retrieve the value of the operations master role holder. This value will be returned as a globally unique identifier (GUID).
  7. Connect to the operations master role holder, using the GUID as part of the connection string.
  8. Echo the DNS host name of the operations master role holder.

Listing 9.16   Identifying FSMO Roles

' Connect to Active Directory through the ADSI OLE DB provider.
Set objADOConnection = CreateObject("ADODB.Connection")
objADOConnection.Provider = "ADsDSOObject"
objADOConnection.Open "ADs Provider"

' Search the domain from the root down for the domainDNS object and return its ADsPath.
' Replace domainDNS with another object class from Table 9.5 to locate a different role holder.
strADOQueryString = _
    "<LDAP://DC=fabrikam,DC=com>;(&(objectClass=domainDNS)" _
        & "(fSMORoleOwner=*));adspath;subtree"
Set RSObj = objADOConnection.Execute(strADOQueryString)

' Bind to the role object. Its fSMORoleOwner attribute is the distinguished name of the
' NTDS Settings object on the role holder; the parent of that object is the server object.
Set objFSMO = GetObject(RSObj.Fields(0).Value)
Set objNTDS = GetObject("LDAP://" & objFSMO.fSMORoleOwner)
Set objComputer = GetObject(objNTDS.Parent)

WScript.Echo "The Primary Domain Controller FSMO is: " & _
    objComputer.dnsHostName
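The following script is an added example, not code from the Scripting Guide. It generalizes Listing 9.16 to all five roles using the object classes from Table 9.5, reads the search bases from rootDSE instead of a hard-coded domain name (the schema and domain naming roles live in the schema and configuration naming contexts), and applies the check described above: it warns when the infrastructure master is also a global catalog server. The global catalog flag is bit 1 of the "options" attribute on the NTDS Settings (nTDSDSA) object, a detail taken from the Active Directory schema rather than from this page.

```vbscript
' Added example (not from the Scripting Guide): report all five role holders
' from the object classes in Table 9.5 and flag an infrastructure master
' that is also a global catalog server.
Option Explicit
' Bit in the nTDSDSA "options" attribute that marks a global catalog server.
Const NTDSDSA_OPT_IS_GC = 1
Dim objRootDSE, objConnection
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "ADs Provider"

' Returns the NTDS Settings (nTDSDSA) object named by fSMORoleOwner on the
' first object of strObjectClass under strSearchBase, or Nothing if none.
Function GetRoleOwnerNTDS(strSearchBase, strObjectClass)
    Dim strQuery, objRecordSet, objRoleObject
    strQuery = "<LDAP://" & strSearchBase & ">;(&(objectClass=" & _
               strObjectClass & ")(fSMORoleOwner=*));adspath;subtree"
    Set objRecordSet = objConnection.Execute(strQuery)
    If objRecordSet.EOF Then
        Set GetRoleOwnerNTDS = Nothing
    Else
        Set objRoleObject = GetObject(objRecordSet.Fields(0).Value)
        Set GetRoleOwnerNTDS = GetObject("LDAP://" & objRoleObject.fSMORoleOwner)
    End If
End Function

Sub ReportRole(strRoleName, strSearchBase, strObjectClass)
    Dim objNTDS, objServer, lngOptions
    Set objNTDS = GetRoleOwnerNTDS(strSearchBase, strObjectClass)
    If objNTDS Is Nothing Then
        WScript.Echo strRoleName & ": no " & strObjectClass & " object found"
        Exit Sub
    End If
    Set objServer = GetObject(objNTDS.Parent)   ' server object carries dnsHostName
    WScript.Echo strRoleName & ": " & objServer.dnsHostName
    If strObjectClass = "infrastructureUpdate" Then
        lngOptions = 0
        On Error Resume Next          ' "options" may be absent; treat as 0
        lngOptions = objNTDS.Get("options")
        On Error GoTo 0
        If (lngOptions And NTDSDSA_OPT_IS_GC) <> 0 Then
            WScript.Echo "  WARNING: infrastructure master is also a global catalog server"
        End If
    End If
End Sub

ReportRole "PDC emulator",          objRootDSE.Get("defaultNamingContext"),       "domainDNS"
ReportRole "RID master",            objRootDSE.Get("defaultNamingContext"),       "rIDManager"
ReportRole "Infrastructure master", objRootDSE.Get("defaultNamingContext"),       "infrastructureUpdate"
ReportRole "Schema master",         objRootDSE.Get("schemaNamingContext"),        "dMD"
ReportRole "Domain naming master",  objRootDSE.Get("configurationNamingContext"), "crossRefContainer"
```

The warning only matters in a multidomain forest where not every domain controller is a global catalog server; in a single-domain forest the infrastructure master has no cross-domain references to fix.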



Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Year: 2004
Pages: 635
