Managing Flexible Single-Master Operations |
Windows 2000 performs an initial placement of operations master roles on domain controllers. This placement works well for a forest deployed on a few domain controllers in a single site. In a forest with more domain controllers or multiple sites, you need to plan the placement of operations master roles to match your replication and network topologies.
It is best to perform your planning of operations master role placements on a domain-by-domain basis. If a domain has only one domain controller, that domain controller holds all the per-domain roles. If a domain has more than one domain controller, choose two domain controllers that are direct replication partners and that are well-connected to the network. In a mixed-mode domain, it is recommended that these two domain controllers be located within the same site. For the rationale behind this guideline, see "Examining Operations Master Technical Details" later in this chapter.
To find the direct replication partners of a domain controller, use the Active Directory Sites and Services snap-in. Locate the domain controller by browsing to the Sites container to find the site containing the domain controller. Then, through the Servers container, go to the domain controller's Server object. Expand the Server object to view the NTDS Settings object beneath it, and click the NTDS Settings object. The details pane displays a list of Connection objects. The "From-Server" attribute of each Connection object identifies the direct replication partner of the domain controller.
If the two direct replication partner domain controllers you choose are in the same site, they are probably well connected. If they are in different sites, it is best for their sites to be connected through a network that is always available for replication; not one that is available for replication only at certain times of the day.
You can name one of the two domain controllers you have chosen as the "Operations master domain controller" for the domain, and another, the "Standby operations master domain controller" for the domain. (As described in "Responding to Operations Master Failures," later in this chapter, you will use the "Standby operations master domain controller" if the "Operations master domain controller" fails.)
In domains that are not large, place both the RID master and primary domain controller emulator roles on the "Operations master domain controller." In a very large domain, you can reduce the peak workload on the primary domain controller emulator by placing the RID master and primary domain controller emulator roles on separate domain controllers, which need to be direct replication partners of the "Standby operations master domain controller." Keep the two roles together unless the workload on your "Operations master domain controller" justifies the extra management burden of separating the roles.
Place the infrastructure master role on a domain controller that does not host a Global Catalog and that has a good network connection to a Global Catalog server (from any domain). Ideally, the infrastructure master needs to be within the same site as a Global Catalog server. If the "Operations master domain controller" meets these requirements, use it unless the infrastructure master role creates an unmanageable workload; in which case, separate domain controllers are justified.
Note
The infrastructure master role needs to be held by a domain controller that is not a Global Catalog server. If the infrastructure master role is held by a domain controller that is a Global Catalog server, cross-domain object references in that domain will not be updated. If all domain controllers in a domain are Global Catalog servers, it does not matter which domain controller holds the infrastructure master role.
When you have planned all of the per-domain roles, it is recommended you plan the per-forest roles next. The schema master and domain naming master roles should always be placed on the same domain controller. Place both roles on a domain controller that is close to the person or group responsible for schema updates and the creation of new domains. This domain controller must be a Global Catalog server because the domain naming master requires it. To simplify management, you can place these roles on the "Operations master domain controller" of a domain, if that domain controller is a Global Catalog server.
In most cases, your role placement plan does not require changes as your forest grows, which means that role placements do not require revisions. However, when you plan to decommission a domain controller, reduce the connectivity of your network, or change the Global Catalog server status of a domain controller, you need to review your plan and revise it as necessary.
To transfer an operations master role is to move it with the cooperation of its current owner. Given a role placement plan, you need to transfer each role from its default location to its planned location. Depending upon the role, you can perform role transfers using one of three Active Directory snap-ins:
To transfer a role, first focus the Active Directory snap-in on the domain controller that needs to receive the role. Then, right-click the snap-in node in the console tree and select Operations Master. For per-domain roles, you then select the tab corresponding to the specific role you want to transfer. The property page displays the Current Focus (the domain controller on which the snap-in is focused), the Current Operations Master (the domain controller that is the current role owner), and the online/offline status of the current role owner. Click Change and then click OK to complete the operation.
If the current role owner is available, the transfer completes within a few seconds. If the transfer is not completed within a short period of time, the domain controller is not available. In this case, you need to follow the recommendations for responding to failures, which is explained in the next section.
For more information about procedures for performing operations master role transfers, see Windows 2000 Server Help.
Additionally, you can use the Active Directory snap-ins to view the actual roles that a domain controller owns. To accomplish this, you would choose one of the Active Directory snap-ins, right-click the root node of the snap-in in the consoler tree, and select Operations Master. The Operations dialog box displays the name of the domain controller that is the current focus and its status.