Active Directory

Operations Masters
Overview
 Active Directory updates generally multimaster
 Changes can be made on any DC

 Some exceptions — single master

 Sometimes better to prevent conflict than to resolve
later
 E.g. schema updates
 Exceptions managed by Operations Masters
Operations Master Roles
 Five roles in total
 Two roles where there is one per forest
 Schema master
 Domain naming master
 Three roles where there is one per domain
 Relative Identifier (RID) master
 Primary Domain Controller (PDC) Emulator
 Infrastructure master
Schema Master

 Responsible for schema updates

 Only DC that can process schema
updates
 After update, replicates changes to other
DCs
 If this Operations master is unavailable,
no schema changes can be made
Domain Naming Master
 Responsible for changes to configuration
naming context
 Adding and removing domains
 Adding and removing cross references to domains
in external directories
 After update, replicates to other DCs
 If unavailable, cannot add or remove domains
 Domain Naming Master must also be a global
catalog server
 May be unnecessary in single-domain forest?
RID Master
 Objects e.g. users and groups, each have a
unique security identifier (SID)
 Consists of domain SID and unique relative
identifier (RID)
 RID master allocates each DC a pool of RIDs
 When a DC’s RID pool falls too low, it requests
additional RIDs from RID master
 RID master also controls moving objects
between domains
 With no RID master, when a DC runs out of
RIDs, new security principals (i.e. users, groups
etc.) cannot be created on that DC
Infrastructure Master
 Object in domain referencing object in another
domain uses GUID, SID and DN
 E.g. group in one domain referencing user or group
in another domain
 Infrastructure master updates SID and DN in
cross-domain references
 E.g. if referenced object moves
 Multiple-domain, infrastructure master role must
not be held by GC server
 Not a problem in single-domain forests (because
no external references)
PDC Emulator
 Mixed Mode
 Acts as NT PDC to NT BDCs
 Supports Netlogon replication

 Native and Mixed Modes

 Password changes replicated preferentially to PDC
emulator
 Authentication failures due to bad password at
another DC forwarded to PDC emulator before
failing completely
 Manages password changes from 95, 98, NT
clients
PDC Emulator cont.

 Native and Mixed Modes

 By default, Group Policy snap-in runs on
PDC emulator
 Reduces potential for Group Policy replication
conflicts
 Can be changed
PDC Emulator cont.

 Miscellaneous
 All DCs synchronize their clock to that of
the PDC emulator
 PDC emulator of forest root domain should
be synchronized to external time source
 In multi-domain forest, PDC emulator for
domain synchronizes with PDC emulator of
forest root domain
 Acts as Domain Master Browser
Default Placement of Roles

 First DC in a forest holds all roles

 First DC in a new domain within existing
forest holds all domain roles
 RID master
 Infrastructure master
 PDC emulator
Guidelines for the Placement
of Roles
 Keep schema master and domain naming
master roles on same DC
 DC should also be a global catalog server
 Put RID master and PDC emulator roles on the
same DC
 In multi-domain forest, the infrastructure master
must not be a global catalog server
 Should have good connection to global catalog
server
Guidelines for the Placement
of Roles cont.
 Single-domain forest
 Keep all five roles on same DC which
should also be a global catalog server
 Multiple-domain forest
 Move infrastructure master role to a DC
that is not a global catalog server
Determining Role Placement
 Replication Monitor
 Easiest — Support Tools (2000 CD)
 Active Directory Users and Computers
 PDC Emulator, Infrastructure master, RID master
 Active Directory Domains and Trusts
 Domain Naming master
 Active Directory Schema Snap-In
 Schema master
 NB Schmmgmt.dll must be registered before first use
 Dumpfsmos
 Resource kit
 NTDSUTIL
 Command line tool included with 2000 server
User Rights to Change Roles
 By default, certain groups only have rights to
change role holders
 Schema Administrators
 Schema master
 Enterprise Administrators
 Domain naming master
 Domain Administrators
 All domain role holders
 NB By default, Administrator of forest root
domain is a member of all these groups
Modifying Permissions to
Change Roles
 Adsiedit (support tools) tool allows all
permissions to be changed
Transferring Roles

 Transfer only when source and

destination DCs are up and running
 Domain-specific roles
 Active Directory Users and Computers
 Schema Master
 Schema Manager Snap-In
 Domain Naming Master
 Active Directory Domains and Trusts
When to Transfer Roles
 Initial setup of domain
 E.g. in a multi-domain forest, move Infrastructure
master off global catalog server
 Permanently demoting a DC
 Roles held by the DC transferred automatically but
manual transfer gives control over location
 Temporarily taking down a DC
 Probably unnecessary to transfer schema and
domain naming masters (little used); also
infrastructure master in single-domain forest
 Always transfer the PDC emulator; may be wise to
transfer RID master, but probably unnecessary for
short downtime
Seizing Roles

 Generally only seize when originally role

holder has failed irrecoverably and will
not be restored from backup
 Exception — can fairly safely seize PDC
emulator role
 Strangely, this is also the role that you can
least do without
References — Overview
 Managing Flexible Single-Master Operations
 http://www.microsoft.com/WINDOWS2000/techinfo/reski

 Windows 2000 Active Directory FSMO Roles

 http://support.microsoft.com/support/kb/articles/Q19
References — Placement

 Windows 2000 Active Directory FSMO

Roles
 http://support.microsoft.com/support/kb/arti

 FSMO Placement and Optimization on

Windows 2000 Domain Controllers
 http://support.microsoft.com/support/kb/articles/
References — User Rights

 Setting User Rights for Designating

FSMO Roles in an Enterprise
 http://support.microsoft.com/support/kb/articles/
References — Determining
Operations Masters
 How to Use the Replication Monitor to
Determine the Operations Master and
Global Catalog Roles
 http://support.microsoft.com/support/kb/articles/
 How to Find FSMO Role Holders
(Servers)
 http://support.microsoft.com/support/kb/articles/
References — Transferring
and Seizing Roles
 How to View and Transfer FSMO
Roles in the Graphical User Interface
 http://support.microsoft.com/support/kb/articles/
 Using Ntdsutil.exe to Seize or
Transfer FSMO Roles to a Domain
Controller
 http://support.microsoft.com/support/kb/articles/
References — Transferring
and Seizing Roles
 How to Change the Role Owner of the
Operations Master After a Successful
Seizure
 http://support.microsoft.com/support/kb/articles/