Managing Flexible Single-Master Operations |
The first step in responding to the unavailability of a domain controller that is an operations master role owner is to determine the anticipated duration of the outage.
If the outage is expected to be brief, the recommended response is simply to wait for the role owner to become available before performing a role-related function.
If the outage is longer, the correct response might be to seize the operations master role from a domain controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles. The decision to seize an operations master role depends upon the role and the expected length of the outage.
The loss of a domain controller that is the primary domain controller emulator role can be visible to any user, either users or administrators. Specifically, an end user running Windows NT Workstation 3.51, or Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client, cannot change their password without communicating with the primary domain controller emulator. If the user's password has expired, the user is not able to log on. Therefore, you might need to repair a primary domain controller emulator failure quickly.
If the primary domain controller emulator is offline for a significant period of time and the domain has users running Windows NT Workstation 3.51, or Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the primary domain controller emulator role to the "Standby operations master domain controller."
The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know the current primary domain controller emulator will be offline for a significant period. Later, when the original primary domain controller emulator domain controller comes back online, transfer the role back to the original role owner.
Temporary loss of a domain's infrastructure master is not visible to end users, and is not visible to you, as an administrator, unless you recently moved or renamed a large number of accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a problem worth fixing.
If you anticipate a long outage of a domain's infrastructure master and you need to repair it, first select a domain controller that is not a Global Catalog server and that has good network connectivity to a Global Catalog server located in any domain. Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It is not important that the new infrastructure master be near the previous one. When you have selected the domain controller, seize the infrastructure master role to this domain controller.
The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know that the current infrastructure master will be offline for a very long period. Later, when the original infrastructure master comes back online, transfer the role back to the original role owner.
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a problem worth fixing.
However, if you anticipate an extremely long outage of the domain controller holding one of these roles, you can seize that role to the "Standby operations master domain controller." But, seizing any of these roles is a drastic step; one that you would take only when the outage is permanent, as in the case when a domain controller is physically destroyed and cannot be restored from backup media.
A domain controller whose schema master, domain naming master, or RID master role is seized must never come back online. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network.
The domain controller that seizes the role should be fully up-to-date with respect to updates performed on the previous role owner. Because of replication latency, it is possible that the domain controller might not be up-to-date.
To check the status of updates for a domain controller, you can use the Repadmin command-line tool. The Repadmin command-line tool is a Resource Kit tool that performs replication diagnostics. It is available on the Microsoft® Windows® 2000 Server installation CD. Repadmin can determine whether a domain controller has the most current updates. For more information about using the Repadmin tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server CD and "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.
For example, to make sure a domain controller is fully up-to-date, suppose that "server05" is the RID master of the domain "reskit.com," "server10" is the "Standby operations master domain controller," and "server12" is the only other domain controller in the "reskit.com" domain. Using the Repadmin tool, you would issue the following commands:
C:\>repadmin /showvector dc=reskit,dc=com server10.reskit.com
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
C:\>repadmin /showvector dc=reskit,dc=com server12.reskit.com
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
Note
In the previous example, user input is in bold type.
Ignore all output lines except those for server05. Server10's up-to-date status value with respect to server05 (server05 @ USN 2604) is larger than server12's up-to-date status value with respect to server05 (server05 @ USN 2590), making it is safe for server10 to seize the RID master role formerly held by server05. If the up-to-date status value for server10 was less than the value for server12, you would wait for normal replication to update server10, or use the Repadmin tool's /sync/force commands to make the replication happen immediately.
After you have determined that the role owner is fully up-to-date, you can seize the operations master role using the Ntdsutil tool as in the following example:
C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server10.reskit.com
binding to server10.reskit.com ...
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server "server10.reskit.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
Note
In the previous example, user input is in bold type.
For more information about specific procedures for using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.
The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool might be more convenient for operations master transfers and seizures than the graphical user interface tools, because it is simpler and quicker to enter commands than to use multiple windows.
To perform seizures of the schema master, domain naming master, and RID master roles, the Ntdsutil tool is the required method. When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure.
The Ntdsutil tool provides help information when you type a question mark (?). The following is an example showing the transfer of the domain naming master role (with user input shown in bold type):
C:\>ntdsutil
ntdsutil: ?
? - Print this help information
Authoritative restore - Authoritatively restore the DIT database
Domain management - Prepare for new domain creation
Files - Manage NTDS database files
Help - Print this help information
IPDeny List - Manage LDAP IP Deny List
LDAP policies - Manage LDAP protocol policies
Metadata cleanup - Clean up objects of decommissioned servers
Popups %s - (en/dis)able popups with "on" or "off"
Quit - Quit the utility
Roles - Manage NTDS role owner tokens
Security account management - Manage Security Account Database - Duplicate SID Cleanup
Semantic database analysis - Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
? - Print this help information
Connections - Connect to a specific domain controller
Help - Print this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master
fsmo maintenance: connections
server connections: ?
? - Print this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Print this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds%s % s %s - Set connection creds as domain, user, pwd
Use "NULL" for null password
server connections: connect to server reskit1
Binding to reskit1 ...
Connected to reskit1 using credentials of locally logged on user
server connections: quit
fsmo maintenance: transfer domain naming master
Server "reskit1" knows about 5 roles
Schema - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1 ...
C:\>
In the previous example, the available Ntdsutil tool commands display after entering a question mark (?). To transfer an operations master role, the roles command is entered, which displays the fsmo maintenance menu. Entering a question mark (?) displays the subcommands within the fsmo maintenance menu. Before transferring the operations master role, you must connect to the domain controller that will receive the role ("reskit1" in the example above) by entering the connect to server subcommand. Then, after leaving the server connections mode by entering "quit", issue the transfer domain naming master command. A confirmation pop-up window (not shown) displays for the transfer domain naming master operation.
Note
You must have sufficient permissions to execute commands using the Ntdsutil tool. For more information about controlling access to operations master role placements, see "Controlling Access to Role Placements" later in this chapter.
It is also possible to view the current operations master role owner using the Ntdsutil command-line tool from the Select Operation Target menu located under the Roles option. By using the List roles for connected server command, a list displays of all of the current operations master role owners.
For more information about using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.