11.3. Planning Flexible Operations Master Role Placement

Unlike Windows NT domains, Active Directory domains use a multimaster replication model. In this model, there are no primary or backup domain controllers. Every domain controller in a domain has its own copy of the directory. Every domain controller is equally accountable, and any domain controller can be used to make changes to the standard directory data. However, some Active Directory operations can only be performed by a single authoritative domain controller, called an operations master. A designated operations master has a flexible single-master operations (FSMO) role. Operations performed by an operations master are not permitted to occur at different places on the network at the same time.

11.3.1. Understanding Operations Master Roles

Five operations master roles are designated. These roles are:

- Schema master
- Domain-naming master
- Relative ID (RID) master
- PDC emulator master
- Infrastructure master
The schema master and domain-naming master roles are assigned on a per-forest basis. There is only one schema master and only one domain-naming master in a forest. The RID master, infrastructure master, and PDC emulator are assigned on a per-domain basis. Each domain in a forest has an RID master, an infrastructure master, and a PDC emulator.

The schema master and domain-naming master are critical to forest operations. The schema master maintains the only writeable copy of the schema container and is the only domain controller in the forest on which you can make changes to the schema. There can be just one schema master in the entire forest. The domain-naming master is responsible for adding or removing domains from the forest. If the domain-naming master cannot be contacted when you are trying to add or remove a domain, you will not be able to add or remove the domain. There can be only one domain-naming master in the entire forest.

The RID master, PDC emulator, and infrastructure master are critical for domain operations. The relative ID (RID) master allocates blocks of relative IDs. Every domain controller in a domain is issued a block of relative IDs by the RID master; these IDs are used to build the security IDs, which uniquely identify security principals in a domain. If a domain controller cannot contact the RID master and runs out of RIDs, no new objects can be created on that domain controller and object creation fails. There can be only one RID master in a domain.

In a domain using the Windows 2000 mixed or Windows Server 2003 interim functional level, the PDC emulator master acts as the primary domain controller (PDC) for all Windows NT 4.0 backup domain controllers (BDCs) and is required to authenticate Windows NT logons, process password changes, and replicate domain changes to BDCs. It also runs the domain master browser service.
In a domain using the Windows 2000 native or Windows Server 2003 functional level, the PDC emulator master is responsible for processing password changes. When a user changes his password, the change is first sent to the PDC emulator, which in turn replicates the change to all of the other domain controllers in the domain. There can be only one PDC emulator master in a domain.

Tip: When a user tries to log on to the network but provides an incorrect password, the logon domain controller checks the PDC emulator to see whether there is a recent password change for the user's account. If so, the domain controller retries the logon authentication on the PDC emulator. This ensures that if a user has recently changed his password, he is not denied logon with the new password.

The infrastructure master is responsible for updating group-to-user references across domains. When you rename or move a member of a group, the infrastructure master is responsible for ensuring that changes to the common name are correctly reflected in the group membership information for groups in other domains in the forest. The infrastructure master maintains group-to-user references by comparing its directory data with that of a global catalog. As necessary, it updates references and replicates the changes to other domain controllers in the domain. There can be only one infrastructure master in a domain.

11.3.2. Planning Operations Master Role Placement

When you install Active Directory and create the first domain controller in a new forest, all five roles are assigned to that domain controller. When you add domains, the first domain controller installed in a new domain is automatically designated as the RID master, infrastructure master, and PDC emulator for that domain. As part of domain design, you should consider:
You should have at least two domain controllers in each domain in the forest. As you add sites and domains to the network, consider whether to transfer the operations master roles. You might want to transfer an operations master role to balance the workload or to improve performance. You might need to transfer an operations master role to accommodate maintenance or failure recovery. Some recommendations for planning operations master roles follow:
11.3.3. Locating and Transferring the Operations Master Roles

You can determine the current operations masters for your logon domain by typing the following at a command prompt:

    netdom query fsmo

As shown here, the output lists each role owner by its fully qualified domain name:

    Schema owner                corpsvr64.domain.local
    Domain role owner           corpsvr64.domain.local
    PDC role                    corpsvr21.tech.domain.local
    RID pool manager            corpsvr21.tech.domain.local
    Infrastructure owner        corpsvr15.tech.domain.local

From the output in this example, you can also determine that the forest root domain is domain.local and the current logon domain is tech.domain.local. If you want to determine the operations masters for a specific domain, use the following command:

    netdom query fsmo /d:DomainName

where DomainName is the name of the domain, such as eng.domain.local. Operations master roles can be changed in two ways:
You can view and transfer the location of domain-wide operations master roles by completing the following steps:
You can view or transfer the location of the domain-naming master by completing the following steps:
You can view or transfer the location of the schema master by completing the following steps:
11.3.4. Seizing Operations Master Roles

When an operations master fails and is not coming back online, you need to seize the role to forcibly transfer it to another domain controller. Seizing a role is a drastic step that should only be performed when the previous role owner will never be available again.

Tip: Do not seize an operations master role when you can transfer it gracefully using the normal transfer procedure. Seize a role only as a last resort.

Before you seize a role and forcibly transfer it, you should determine how up to date the domain controller that will take over the role is with respect to the previous role owner. Active Directory tracks replication changes using Update Sequence Numbers (USNs). Because of replication latency, domain controllers might not all be up to date. If you compare a domain controller's USN to that of other servers in the domain, you can determine whether the domain controller is the most up to date with respect to changes from the previous role owner. If the domain controller is up to date, you can transfer the role safely. If the domain controller isn't up to date, you can wait for replication to occur, and then transfer the role to the domain controller. The Windows Support Tools include Repadmin for working with Active Directory replication.
To display the highest sequence number for a specified naming context on each replication partner of a designated domain controller, type the following at a command prompt:

    repadmin /showutdvec DomainControllerName NamingContext

where DomainControllerName is the fully qualified domain name of the domain controller and NamingContext is the distinguished name of the domain in which the server is located, such as:

    repadmin /showutdvec engsvr18.domain.local dc=domain,dc=local

The output shows the highest USN on replication partners for the domain partition:

    Main-Site\engsvr21 @ USN 321348 @ Time 2006-06-12 21:32:32
    Main-Site\engsvr32 @ USN 324113 @ Time 2006-06-12 21:34:17

In this example, if Engsvr21 is the previous role owner and the domain controller you are examining has an equal or larger USN for Engsvr21, the domain controller is up to date. However, if Engsvr21 is the previous role owner and the domain controller you are examining has a lower USN for Engsvr21, the domain controller is not up to date and you should wait for replication to occur before seizing the role. You could also use repadmin /syncall to force the domain controller that is the most up to date with respect to the previous role owner to replicate with all of its replication partners. To seize an operations master role, follow these steps:
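The pre-seizure check described in 11.3.3 and 11.3.4, as an added example that is not part of the original text: the script below parses constructed netdom query fsmo output to find the current owner of a role, then parses constructed repadmin /showutdvec output gathered from each candidate domain controller and reports which candidates hold the highest USN seen from that owner (up to date) and which are still lagging and should wait for replication. All host names and USN values are constructed sample data.

```python
import re

# Constructed sample output of "netdom query fsmo" (not captured from a real forest).
NETDOM_FSMO = """\
Schema owner                corpsvr64.domain.local
Domain role owner           corpsvr64.domain.local
PDC role                    engsvr21.domain.local
RID pool manager            engsvr21.domain.local
Infrastructure owner        engsvr18.domain.local
"""

# Constructed "repadmin /showutdvec <candidate> dc=domain,dc=local" output, one entry per candidate DC.
UTDVEC = {
    "engsvr18.domain.local": "Main-Site\\engsvr21 @ USN 321348 @ Time 2006-06-12 21:32:32\n"
                             "Main-Site\\engsvr32 @ USN 324113 @ Time 2006-06-12 21:34:17\n",
    "engsvr32.domain.local": "Main-Site\\engsvr21 @ USN 321402 @ Time 2006-06-12 21:35:01\n"
                             "Main-Site\\engsvr18 @ USN 298877 @ Time 2006-06-12 21:30:09\n",
}

ROLES = ("Schema owner", "Domain role owner", "PDC role", "RID pool manager", "Infrastructure owner")
UTD_LINE = re.compile(r"^(?P<site>[^\\]+)\\(?P<dc>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>.+)$")

def parse_fsmo(text):
    """Map each FSMO role label to the FQDN of its current owner."""
    owners = {}
    for line in text.splitlines():
        for role in ROLES:
            if line.startswith(role):
                owners[role] = line[len(role):].strip().lower()
    return owners

def parse_utdvec(text):
    """Map each replication partner (short host name) to the highest USN seen from it."""
    vec = {}
    for line in text.splitlines():
        m = UTD_LINE.match(line.strip())
        if m:
            vec[m.group("dc").lower()] = int(m.group("usn"))
    return vec

def seize_readiness(fsmo_text, role, utdvec_by_candidate):
    """Report which candidate DCs hold the highest USN seen from the failed role owner
    (safe to seize onto) and which hold a lower one (wait for replication first)."""
    owner = parse_fsmo(fsmo_text)[role]
    owner_short = owner.split(".", 1)[0]
    usns = {c: parse_utdvec(t).get(owner_short) for c, t in utdvec_by_candidate.items()}
    usns = {c: u for c, u in usns.items() if u is not None}   # never replicated from owner: excluded
    if not usns:
        raise ValueError("no candidate has replicated from " + owner)
    best = max(usns.values())
    return {"owner": owner,
            "up_to_date": sorted(c for c, u in usns.items() if u == best),
            "lagging": sorted(c for c, u in usns.items() if u < best)}
```

Run seize_readiness(NETDOM_FSMO, "PDC role", UTDVEC) after collecting the real tool output into the two inputs; a candidate listed under "lagging" should be given time to replicate (or synchronized with repadmin /syncall) before the role is seized onto it.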
Tip: After seizing an operations master role, you may need to remove the related data from Active Directory.