The little-known peacekeepers on your network

Perhaps unbeknownst to you, a group of domain controllers in your Windows 2000 enterprise quietly works to keep the peace in your network. The functions that this group performs to ensure a serene network are called Operation Master roles. To best administer your Win2K network, you need to learn what Operation Masters do, where to place them throughout your network for optimal performance, and what to do if one fails.

Deal with Conflicts
Win2K Active Directory (AD) supports multimaster replication across all domain controllers. In multimaster replication, each domain controller holds a writable copy of an enterprise's AD, accepts changes to this copy, and replicates the changes to its replication partners. AD has mechanisms that resolve conflicts when users change the same attribute of an object on different domain controllers. For most operations, conflict resolution works well. However, for crucial tasks, such as schema updates, conflict prevention is a more effective process. To facilitate sensitive operations, Win2K provides Operation Masters (aka Flexible Single-Master Operation—FSMO—roles). Each Operation Master handles changes to a specific AD area. Every Win2K enterprise has five Operation Master roles: schema master, domain naming master, PDC emulator, infrastructure master, and Relative Identifier (RID) master. A server can host one or more Operation Master roles. In addition, an administrator can transfer Operation Master roles from one domain controller to another to optimize network operations, and a domain controller can seize a role in the event of a server failure.

Keep the Peace
The schema master and domain naming master are per-forest roles, which means that only one of each role exists in one Win2K forest. The PDC emulator, infrastructure master, and RID master roles are per-domain roles, which means that each domain in a forest requires that these three Operation Master roles are active. To calculate the total number of Operation Master roles for a forest, you can use the formula (n * 3) + 2, where n equals the number of domains. Thus, if you have five domains in your forest, the total number of Operation Master roles is 17 ([5 * 3] + 2 = 17).

By default, Win2K assigns all five roles to the first domain controller installed for the first domain in a new forest. If you add a domain to the forest, the first domain controller holds the three per-domain roles but the per-forest roles remain in the forest root until an administrator manually transfers them.

Schema master. The AD schema defines classes of objects and their attributes. Only one schema exists per forest, and all domains in one forest share the forest's schema. You must carefully plan and implement schema modifications. The schema master role exists to mitigate errors that result when the schema is incorrectly updated. The domain controller that hosts the schema master role is the only domain controller on which you can update the schema. However, you can use the Active Directory Schema Microsoft Management Console (MMC) snap-in on any domain controller to modify the schema as long as the snap-in connects to the schema master. By default, Win2K lets only members of the Schema Administrators group modify the schema.

Domain naming master. To add domains to or remove them from a forest, you must contact the domain naming master. If this Operation Master isn't available, you can't add new domains to or remove existing domains from the forest. The domain naming master is also responsible for the addition and removal of cross-references to domains in external directories, such as external Lightweight Directory Access Protocol (LDAP) directories.

PDC emulator. As its name suggests, the PDC emulator is the only Operation Master role that provides support for legacy Windows NT systems. Each Win2K domain hosts one PDC emulator. The PDC emulator is the preferred domain controller for processing password changes, replicating SAM updates to legacy NT BDCs, and acting as the domain master browser. In addition, the PDC emulator serves as the authoritative time source for all systems in a domain and as the default server for editing group policy and processing changes to the Dfs configuration.

Despite its name, the PDC emulator role doesn't disappear after you upgrade all your systems to Win2K—this role serves as a central reference for password updates in fully upgraded networks running in native mode. Users can change their passwords on any domain controller. After a user makes the change on the domain controller, that domain controller immediately replicates the change to that domain's PDC emulator. This replication takes place right away to ensure that password changes are immediately available to all domain controllers. When a logon attempt fails because of an incorrect password, domain controllers check logon attempts against the PDC emulator before denying the user authentication. Therefore, the PDC emulator needs to have the most recent password updates. However, the replication can cause increased network traffic and logon latency if the PDC emulator communicates with the authenticating domain controller across a WAN link. If this replication behavior is causing problems on your network, you can modify a Registry setting on the domain controllers that perform authentication. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry key, set the AvoidPdcOnWan entry of type REG_DWORD to 1. This value tells the domain controller not to send password changes and validation requests to the PDC emulator if it exists in a different AD site from the domain controller performing the authentication. If the PDC emulator resides in the same AD site, the domain controller still sends changes and validation requests immediately to the PDC emulator.

Infrastructure master. The infrastructure master ensures that domain controllers update cross-domain group-to-user references in a timely manner. Win2K can perform this function without the infrastructure master, but without it the process would take longer to execute. To illustrate the infrastructure master's responsibilities, suppose an administrator changes a user's name in a domain and that user is a member of a group in another domain. Without an infrastructure master, the Active Directory Users and Computers MMC snap-in on the domain controllers in the domain in which the user's group exists wouldn't immediately reflect the name change. The infrastructure master in the domain to which the user's group belongs is responsible for updating the cross-domain references and replicating the updates to the other domain controllers in the domain.

RID master. A unique SID represents each security principal (i.e., user, group, and computer) in AD. A security principal's SID consists of a RID and the domain's unique SID. The RID master allocates to each domain controller in a domain a pool of RIDs from which to create SIDs. When the number of available RIDs falls below a predetermined number (100 by default), the domain controller requests additional RIDs from the domain's RID master. If the RID master is unavailable and a domain controller exhausts its store of RIDs, the domain controller can't create additional security principals.

Operation Master Placement
Win2K initially decides which domain controllers serve which roles. Except in the simplest networks, you'll need to modify the default configuration by transferring roles to other domain controllers.

To start, you need to ensure that you have the appropriate permissions to change server roles. By default, only the Schema Administrators group has the right to change the schema master role owner. The Enterprise Administrators group manages the domain naming master role owner, and the Domain Administrators group has permissions to change role owners for each per-domain Operation Master role.

After you establish that you have the necessary permissions to change server roles, you can use the following guidelines to determine where to place Operation Master roles. First, if enough domain controllers are available in a domain, each domain controller should own only one per-domain role. This setup reduces the load on each domain controller.

Second, although the infrastructure master role needs to have good connectivity to a Global Catalog (GC) server, don't place the role on a GC server. The infrastructure master updates references from objects in its domain to objects in other domains. (The infrastructure master updates references of objects that users have moved or renamed.) The infrastructure master queries the GC server for current information. Therefore, if the infrastructure master and the GC are on the same server, the infrastructure master won't perform an update because the infrastructure master doesn't contain any references to objects that it doesn't hold locally.

Third, at the forest level, the schema master and domain naming master must always be on the same domain controller, and that domain controller must be a GC server. This setup is necessary because the domain naming master must check the GC server for name uniqueness when an administrator adds a new domain. Ensure that this server is physically secure and located near the administrators who are responsible for schema changes and adding and removing domains.

To illustrate the proper placement of Operation Masters, I'll use a fictitious company called Brady.com. It contains multiple domains and has three main locations: Headquarters, IT, and Manufacturing. WAN links connect the three locations. As Figure 1 illustrates, I placed the two forest-based Operation Masters, schema master and domain naming master, in the IT location to ensure that the administrators who are responsible for schema updates and domain management were well connected to those domain controllers. I also placed the PDC emulator and RID master at the IT location. I placed these Operation Master roles on separate servers to balance the load that communication to and from these servers creates and, in case of single-server failure, to prevent two Operation Masters from becoming unavailable. Finally, I placed the infrastructure master on a subnet that provided good connectivity to a GC server.

Failure Recovery
After you've placed your Operation Master roles, you shouldn't have to change which domain controllers host which roles unless a domain controller that hosts an Operation Master role fails or requires maintenance. Roles can either be transferred or seized. Role transfer is different from role seizure in that role transfer takes place with the cooperation of the current Operation Master. If you're taking a server offline for maintenance and the server will be unavailable for an extended time, initiate a role transfer before you take down the original role server. During role transfer, the original role server and the new server synchronize their directory databases to ensure that the new system's directory is current. Role transfer occurs automatically only when an administrator uses dcpromo.exe to demote a domain controller that holds one or more Operation Master roles.

Role transfer. You can use either command-line or GUI tools to transfer roles from one domain controller to another. The following example walks you through how to use the Ntdsutil command-line tool to transfer the schema master role from win2k-srv01.brady.com to win2k-srv02.marsha.brady.com:

  1. Use an account that is a member of the Schema Administrators group to log on to a domain controller.
  2. At a command prompt, type the following command:
    ntdsutil
  3. When prompted, type
    roles
  4. Next, type
    connections
  5. Type
    connect to server win2k-srv02.marsha.brady.com
  6. At the server connections: prompt, type
    quit
  7. Type
    transfer schema master
  8. Click Yes in the Role Transfer Confirmation Dialog box, which Figure 2 shows, to confirm the transfer.

The resulting output, which Figure 3 displays, shows that the system transferred the schema master role from win2k-srv01 to win2k-srv02. The line that reads

Schema - CN=NTDS Settings,CN=WIN2K-SRV02,CN=Servers,CN=LA,CN=Sites,CN=Configuration,DC=brady,DC=com

confirms that the transfer took place.

Role seizure. Role seizure takes place when an Operation Master fails or becomes temporarily unavailable. When an Operation Master domain controller temporarily goes offline, alternative domain controllers can safely seize only the infrastructure master and the PDC emulator. These roles are the only roles that the original Operation Master domain controller can seize when it comes back online. If a domain controller seizes the schema master, domain naming master, or RID master roles, you must not bring the original Operation Master domain controller back online. If you bring the original schema master back online, recent schema updates might not be properly replicated to the enterprise. Bringing the original domain naming master back online might cause the other domain controllers to have trouble recognizing the correct domain naming master. This confusion could result in domain controller promotion or demotion errors. And if the original RID master came back online after a role seizure, it might distribute RIDs that the backup RID master had already assigned.
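The RID pool behavior described under RID master, and the duplicate-RID hazard of reviving a seized RID master described above, as an added model that is not part of the original article or of Windows itself. The domain SID, block size of 500 and starting RID are made up for the example; the 100-RID threshold is the default the article cites.

```python
# Constructed model of RID allocation as the article describes it: the RID master
# hands each DC a block of RIDs, a DC requests the next block when its pool falls
# below a threshold (100 by default), and a DC whose pool is empty while the RID
# master is unreachable cannot create principals. SID and sizes are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
POOL_SIZE, REFILL_THRESHOLD = 500, 100

class RidMaster:
    def __init__(self, next_rid=1000):
        self.next_rid, self.online = next_rid, True   # first RID not yet issued

    def allocate_pool(self):
        if not self.online:
            raise ConnectionError("RID master unavailable")
        start, self.next_rid = self.next_rid, self.next_rid + POOL_SIZE
        return start, self.next_rid - 1                # inclusive block of RIDs

class DomainController:
    def __init__(self, master):
        self.master, self.pending = master, None       # pending: prefetched block
        self.next, self.last = 0, -1                   # empty until first block

    def create_principal(self):
        """Return the SID of a new principal, or None if RIDs are exhausted."""
        remaining = self.last - self.next + 1
        if remaining <= REFILL_THRESHOLD and self.pending is None:
            try:
                self.pending = self.master.allocate_pool()
            except ConnectionError:
                pass                    # keep using what is left; retry next time
        if remaining == 0:
            if self.pending is None:
                return None             # pool empty and RID master unreachable
            (self.next, self.last), self.pending = self.pending, None
        rid, self.next = self.next, self.next + 1
        return "%s-%d" % (DOMAIN_SID, rid)

def exhaustion_demo():
    """Principals a DC can still create once its RID master is offline."""
    master, created = RidMaster(), 0
    dc = DomainController(master)
    while dc.create_principal() is not None:
        master.online = False           # master fails right after the first block
        created += 1
    return created                      # the block's 500 RIDs, then nothing

def revival_overlap():
    """Block a revived original master re-issues after a standby seized the role."""
    original, standby = RidMaster(), RidMaster()
    DomainController(original).create_principal()   # original moves to 1500
    standby.next_rid = original.next_rid            # replicated state: 1500
    original.online = False                         # failure, then seizure
    seized = standby.allocate_pool()                # 1500-1999
    original.online = True                          # brought back, stale pointer
    stale = original.allocate_pool()                # 1500-1999 again
    lo, hi = max(seized[0], stale[0]), min(seized[1], stale[1])
    return (lo, hi) if lo <= hi else None
```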

To seize a role, you can use the Ntdsutil tool and the same process (with one modification) that you use to transfer a role. In the previous example, you would replace the transfer schema master command in step 7 with the seize schema master command. To complete the seizure, click Yes in the Role Seizure Confirmation Dialog box, which Figure 4 shows.

After you complete role placement, you need to document which servers hold which roles in your forest. This important step will aid in troubleshooting Operation Master role problems.

Designate Standby Operation Masters
Win2K doesn't provide automatic backup or failover functionality for Operation Masters that go offline. Therefore, a good practice is to designate one or more standby Operation Masters to seize a role in the event of a server failure. Standby Operation Masters are domain controllers that are direct replication partners with the existing Operation Master domain controllers. You can use the Microsoft Windows 2000 Resource Kit Replmon and Repadmin tools to help manage replication, determine replication topology, and establish partners. Your Operation Master role documentation should include standby Operation Masters.

Tooling Around
In addition to transferring and seizing roles, the Ntdsutil command lets you view Operation Master roles. To view the forest-based and domain-based Operation Master roles, run the sequence of commands you use to transfer or seize a role, but in step 7 type

select operation target

and in step 8, type

list roles for connected server

The output will be similar to the information that Figure 3 shows.
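A way to turn that listing into the role documentation the article asks for and to check it against the placement guidelines (forest roles together on a GC server, infrastructure master off the GC, per-domain roles spread across servers), as an added example that is not part of the original article or of Ntdsutil. The sample output is constructed with made-up servers and site; the Schema line follows the format the article shows, and the other four role labels are assumed to use the same "Role - DN" form.

```python
import re

# Constructed sample of Ntdsutil "list roles for connected server" output, in
# the DN format the article shows; the servers and site are made up.
SAMPLE_OUTPUT = """
Schema - CN=NTDS Settings,CN=WIN2K-SRV02,CN=Servers,CN=LA,CN=Sites,CN=Configuration,DC=brady,DC=com
Domain - CN=NTDS Settings,CN=WIN2K-SRV02,CN=Servers,CN=LA,CN=Sites,CN=Configuration,DC=brady,DC=com
PDC - CN=NTDS Settings,CN=WIN2K-SRV03,CN=Servers,CN=LA,CN=Sites,CN=Configuration,DC=brady,DC=com
RID - CN=NTDS Settings,CN=WIN2K-SRV04,CN=Servers,CN=LA,CN=Sites,CN=Configuration,DC=brady,DC=com
Infrastructure - CN=NTDS Settings,CN=WIN2K-SRV02,CN=Servers,CN=LA,CN=Sites,CN=Configuration,DC=brady,DC=com
"""

ROLES = ("schema", "domain", "pdc", "rid", "infrastructure")
ROLE_LINE = re.compile(
    r"^(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+CN=NTDS Settings,"
    r"CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.IGNORECASE)

def parse_roles(text):
    """Map each role to (server, site) from the NTDS Settings DN on its line."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            roles[m.group(1).lower()] = (m.group(2).lower(), m.group(3).lower())
    return roles

def check_placement(roles, gc_servers):
    """Apply the article's placement guidelines; return a list of findings."""
    missing = [r for r in ROLES if r not in roles]
    if missing:
        return ["roles not listed: " + ", ".join(missing)]
    srv = {r: roles[r][0] for r in ROLES}
    gcs = {g.lower() for g in gc_servers}
    findings = []
    # Forest roles: schema master and domain naming master together, on a GC.
    if srv["schema"] != srv["domain"]:
        findings.append("schema master and domain naming master are on different servers")
    if srv["domain"] not in gcs:
        findings.append("domain naming master %s is not a GC server" % srv["domain"])
    # The infrastructure master never updates anything if it sits on a GC.
    if srv["infrastructure"] in gcs:
        findings.append("infrastructure master %s is a GC server" % srv["infrastructure"])
    # Per-domain roles spread across servers to balance load and limit outages.
    holders = {}
    for r in ("pdc", "rid", "infrastructure"):
        holders.setdefault(srv[r], []).append(r)
    for s, rs in holders.items():
        if len(rs) > 1:
            findings.append("%s holds several per-domain roles: %s" % (s, ", ".join(rs)))
    return findings

def expected_role_count(num_domains):
    """Total roles in a forest: three per domain plus the two forest roles."""
    return num_domains * 3 + 2
```

Run it against the saved output of step 8 for each domain, with the list of your GC servers, and keep the parsed result with your standby documentation.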

You can also use GUI management tools to view and change Operation Master roles. To view domain-specific Operation Master role servers, run the Active Directory Users and Computers MMC snap-in by clicking Start, Programs, Administrative Tools, Active Directory Users and Computers. In the left pane, right-click the name of the domain that you want to view, and select Operation Masters from the resulting drop-down menu. You can view the PDC emulator, RID master, or infrastructure master roles by clicking the appropriate tab, as Figure 5 shows. On each tab, you can transfer a role by clicking Change. However, before you use this method to initiate a transfer, you must connect to the target domain controller. You can do so from the main Active Directory Users and Computers window by right-clicking the domain name in the left pane, then selecting Connect to Domain Controller from the resulting drop-down menu.

To view the schema master, you must load the Active Directory Schema MMC snap-in. To discourage curious administrators from incorrectly modifying the schema, Win2K doesn't include this snap-in in the Administrative Tools folder by default. To load this snap-in, click Start, Run and type

mmc

in the Open text box. In the MMC window, select Add/Remove Snap-in from the Console menu, then click Add. Scroll down the list to find Active Directory Schema, highlight it, and click Add, Close, OK. After you right-click Active Directory Schema in the left pane and select Operations Masters, the Change Schema Master window, which Figure 6 shows, appears.

The process to view the domain naming Operation Master is a bit simpler. Click Start, Programs, Administrative Tools, and select Active Directory Domains and Trusts. In the left pane, right-click Active Directory Domains and Trusts and select Operations Masters from the resulting drop-down menu. The Change Operations Master window, which Figure 7 shows, will appear and show the forest's active domain naming master.

Quiet Mediators
During typical operation, Operation Masters don't require much attention. You need to jump into action only when a server requires offline maintenance or crashes. If you have up-to-date documentation that shows which servers host which roles and what servers you've designated as backups, you can respond quickly and effectively to any situation. To efficiently manage your Win2K network and ensure that domain controllers and users receive the services they require, you must understand what function each Operation Master role performs in AD, which tools you can use to troubleshoot Operation Master problems, and how to optimize Operation Master roles.