Replication Technologies
In distributed computing environments, networked computers and other devices communicate over
remote connections to accomplish tasks through client/server applications. Distributed environments
require a central repository of information and integrated services that provide the means to manage
network users, services, devices, and additional information that administrators want to store.
Organizations operating a distributed environment need to have a way to manage network resources
and services. As the organization grows, the need for a secure and centralized management system
becomes more critical.
Internal directory. Used within the corporate network for publishing information about users and
resources within the enterprise. A company’s internal directory may be accessible to employees when
they are outside the company network using a secure connection such as a virtual private network (VPN)
connection, but it is not accessible to non-employees.
External directory. These are directories typically located on servers in the perimeter network or
demilitarized zone (DMZ) at the boundary between the corporate local area network (LAN) and the
public Internet. External directories are typically used to store information about customers, clients, and
business partners who access external applications or services. They are also made available to
customers, clients, and business partners to provide them with selected business information such as
catalogs and so on.
Application directory. Application directories store “private” directory data that is relevant only to the
application in a local directory, perhaps on the same server as the application, without requiring any
additional configuration to Active Directory. The personalization data, which is only interesting to the
portal application and does not need to be widely replicated, can be stored solely in the directory
associated with the application. This solution reduces replication traffic on the network between domain
controllers.
Information security and single sign-on for user access to network resources. Tight integration with
security eliminates costly tracking of accounts for authentication and authorization between systems. A
single user name and password combination can identify each network user, and this identity follows the
user throughout the network.
Scalability. Active Directory includes one or more domains, each with one or more domain controllers,
enabling you to scale the directory to meet any network requirements.
Flexible and global searching. Users and administrators can use desktop tools to search Active Directory.
By default, searches are directed to the global catalog, which provides forest-wide search capabilities.
Storage for application data. Active Directory provides a central location to store data that is shared
between applications and with applications that need to distribute their data across entire Windows
networks.
Systematic synchronization of directory updates. Updates are distributed throughout the network
through secure and cost-efficient replication between domain controllers.
Remote administration. You can connect to any domain controller remotely from any Windows-based
computer that has administrative tools installed.
Single, modifiable, and extensible schema. The schema is a set of objects and rules that provide the
structure requirements for Active Directory objects. You can modify the schema to implement new types
of objects or object properties.
Integration of object names with Domain Name System (DNS), the Internet-standard computer location
system. Active Directory uses DNS to implement an IP-based naming system so that Active Directory
services and domain controllers are locatable over standard IP both on intranets and the Internet.
Lightweight Directory Access Protocol (LDAP) support. LDAP is the industry standard directory access
protocol, making Active Directory widely accessible to management and query applications. Active
Directory supports LDAPv3 and LDAPv2.
The logical structure of Active Directory includes a two-dimensional definition that can be viewed as a
hierarchy, even though the objects themselves are stored in a flat database file. In addition to its own
name, each object stores the name of the container directly above it in the hierarchy. That container
object stores the name of its superior container, and so on, up to the root container. In this way, a logical
structure is imposed that can be viewed by using Active Directory tools as a tree of containers. By virtue
of a hierarchical naming system, the objects in the tree appear to be nested inside (contained by) other
objects.
The Active Directory schema defines the types of objects that are available to the directory service. The
schema is stored in the schema partition, which is also defined as an object in the directory. The
attributes and classes in Active Directory are stored in the schema partition as directory objects called
schema objects. It is possible for Administrators to add their own classes or attributes to an existing
object type. However, the default schema provides all of the classes and attributes that Active Directory
needs to function.
Active Directory uses objects to store and reference data in the directory. The Active Directory database
file (Ntds.dit) provides the physical storage of all Active Directory objects for a single forest. Although
there is a single directory, some directory data is stored within domains while other data is distributed
throughout the forest, without regard for domain boundaries. In Windows Server 2003, data can also be
distributed to domain controllers according to applications that use the data, where the scope of
distribution can be set according to the needs of the application.
Any updates made to data in the directory are automatically distributed to the appropriate domain
controllers by means of Active Directory replication. By replicating data according to directory partitions,
Active Directory provides a data repository that is logically centralized (maintains a single point of
administration) but physically distributed (is synchronized on multiple domain controllers throughout the
network).
Replication Technologies
Objects in the directory are distributed among the domain controllers in a forest, and all domain
controllers can be updated directly. Active Directory replication is the process by which the changes that
are made on one domain controller are automatically synchronized with other domain controllers. Data
integrity is maintained by tracking changes on each domain controller and updating other domain
controllers in a systematic way. By default, Active Directory replication uses a connection topology that is
created automatically. This replication topology makes optimal use of physical network connections and
frees administrators from having to determine which domain controllers replicate with one another. The
replication topology can also be created manually. Active Directory replication is designed to maximize
directory consistency and minimize the impact to network traffic.
Note
Implementations of Microsoft Windows NT 3.51 and Microsoft Windows NT 4.0 operating systems also
have domain controllers, but they do not support Active Directory.
When you install Windows Server 2003 or Windows 2000 Server on a computer, you can choose to
configure a server role for that computer. When you want to create a new forest, a new domain, or an
additional domain controller in an existing domain, you configure the server as a domain controller by
installing Active Directory.
By default, a domain controller stores one domain directory partition consisting of information about the
domain in which it is located, plus the schema and configuration directory partitions for the entire forest.
A Windows Server 2003 domain controller can also store one or more application directory partitions.
Whereas every domain controller stores the objects for only one domain, a domain controller that is
designated as a global catalog server stores the objects from all domains in the forest. For each object
that is not in the domain for which the global catalog server is authoritative as a domain controller, a
limited set of attributes is stored in a partial replica of a corresponding domain. The partial replicas on a
global catalog server are not writable — you cannot update an object in a partial replica on a global
catalog server, but only on a domain controller that stores a full replica. Thus a global catalog server
stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica
of every other domain in the forest. The attributes that are replicated to the global catalog servers are
the attributes that are most likely to be used to search for the object in Active Directory. These attributes
are identified by default in the schema as being included in the partial attribute set of the global catalog.
The global catalog makes it possible for clients to search Active Directory without having to be referred
from server to server until the domain controller that has the domain that stores the requested object is
found. By default, Active Directory searches are directed to global catalog servers. The first domain
controller in a forest is automatically created as a global catalog server. Thereafter, you can designate
other domain controllers to be global catalog servers if they are needed.
All domain controllers can receive updates to any writable object that they store (with the exception of
schema updates, which can be made only on the one domain controller in the forest that has the role of
schema master). The day-to-day operations that are associated with managing users, groups, and
computers are typically multimaster operations — that is, changes to these objects can be made on any
domain controller. When a client application updates an object on a domain controller, the domain
controller automatically replicates the change to all other domain controllers in the same domain if the
change is a domain change or to all other domain controllers in the forest if the change is a configuration
or schema change.
There are some operations, however, that are not performed as multimaster operations because they
must occur at only one place and time. For these operations, there are specially designated domain
controllers that manage the operations singly. Some master operations, required at the forest level,
include the schema master and the domain naming master. Others, required at the domain level, include
the PDC emulator, RID master and infrastructure master. Domain controllers that hold these special roles
are called operations masters.
After a domain controller has been located, LDAP is used to retrieve information from the directory.
Active Directory stores objects that provide information about the real objects that exist in an
organization’s network and that are associated with one or more domains, such as users, specific groups
of users, computers, applications, services, files, and distribution lists. Active Directory makes this
information available to administrators, network users, and applications throughout the organization
through LDAP. LDAP enables clients to query, create, update, and delete information stored in a directory
service. The LDAP protocol is the Active Directory core protocol, and is the preferred and most common
way of interacting with Active Directory.
The creation, storage, and maintenance of information in Active Directory is called service publication.
Directory-enabled services and applications can publish globally useful information, such as service
availability and properties, in Active Directory. This allows client processes to find and connect to any
directory-enabled service as needed, and network clients and administrators to find, connect to, and
manage services.
Part of the directory configuration process includes configuring the Active Directory schema. The schema
contains a master list of all classes (object types) and attributes that can be used in the directory. The
Active Directory Preparation Tool (ADPrep) is used to prepare a Windows 2000 Active Directory forest
and domain for a newer version of the directory service. One of several tasks accomplished by ADPrep is
updating the Active Directory schema. If you do not prepare your Active Directory infrastructure, the
upgrade will fail.
After installing or upgrading to Windows Server 2003 Active Directory, you can enable the appropriate
Active Directory domain or forest functional level based on an assessment of your current environment.
In Windows Server 2003, the functional level of a domain or forest defines the set of advanced Windows
Server 2003 Active Directory features that are available in that domain or forest. The functional level of a
domain or forest also defines the set of Windows operating systems that can run on the domain
controllers in that domain or forest. Functional levels provide configuration support for the Active
Directory features in Windows Server 2003 and ensure compatibility with domain controllers running
Windows 2000 Server and Windows NT 4.0.
Depending on the design of your environment, you might opt to restructure it instead of upgrading. For
example, if your Windows NT 4.0 environment consists of multiple domains, rather than upgrading each
domain it might be more productive to restructure the environment by consolidating some of those
domains. Or if your Windows 2000 environment was poorly designed and you are upgrading your
environment to Windows Server 2003, it might benefit you to restructure your existing environment
before or after the upgrade takes place. You can perform either of these tasks by using the Active
Directory Migration Tool (ADMT). ADMT includes wizards that automate migration tasks such as copying
users, groups, and service accounts; moving computers; migrating trusts; and performing security
translation. When you use ADMT to restructure Windows NT 4.0 domains, ADMT copies the accounts
that are migrated, so that when the accounts are created in the target domain, they continue to exist in
the source domain. The primary security identifiers (SIDs) for the accounts can be migrated to the SID
history in the target domain. SID history maintains resource permissions when you migrate accounts,
thus enabling access to resources in the source domain.
Another method for restructuring an Active Directory environment is to rename a domain. You can use
the domain rename process to change the names of your domains, and you can also use it to change the
structure of the domain trees in your forest. This process involves updating the Domain Name System
(DNS) and trust infrastructures as well as Group Policy and service principal names (SPNs).
The ability to rename domains provides you with the flexibility to make important name changes and
forest structural changes as the needs of your organization change. Using domain rename, you can not
only change the name of a domain, but you can change the structure of the domain hierarchy and
change the parent of a domain or move a domain located in one domain tree to another domain tree.
The AD framework that holds the objects can be viewed at a number of levels. At the top of the
structure is the forest. The forest is a collection of every object, its attributes, and rules (attribute
syntax) in the AD. The forest, tree, and domain are the logical parts in an AD network.
The AD forest contains one or more transitive, trust-linked trees. A tree is a collection of one or
more domains and domain trees, again linked in a transitive trust hierarchy. Domains are
identified by their DNS name structure, the namespace.
The objects held within a domain can be grouped into containers called Organizational Units
(OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the
structure of the AD's company in organizational or geographical terms. OUs can contain OUs -
indeed, domains are containers in this sense - and can hold multiple nested OUs. Microsoft
recommends as few domains as possible in AD and a reliance on OUs to produce structure and
improve the implementation of policies and administration. The OU is the common level at
which to apply group policies, which are AD objects themselves called Group Policy Objects
(GPOs), although policies can also be applied to domains or sites (see below). The OU is the
level at which administrative powers are commonly delegated, but granular delegation can be
performed on individual objects or attributes as well.
AD also supports the creation of Sites, which are physical, rather than logical, groupings defined
by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g.,
WAN, VPN) and high-speed (e.g., LAN) connections. Sites are independent of the domain and
OU structure and are common across the entire forest. Sites are used to control network traffic
generated by replication and also to refer clients to the nearest domain controllers. Exchange
2007 also uses the site topology for mail routing. Policies can also be applied at the site level.
The actual division of the company's information infrastructure into a hierarchy of one or more
domains and top-level OUs is a key decision. Common models are by business unit, by
geographical location, by IT Service, or by object type. These models are also often used in
combination. OUs should be structured primarily to facilitate administrative delegation, and
secondarily, to facilitate group policy application. Although OUs form an administrative
boundary, the only true security boundary is the forest itself and an administrator of any domain
in the forest must be trusted across all domains in the forest.
Physically the Active Directory information is held on one or more equal peer domain controllers
(DCs), replacing the NT PDC/BDC model. Each DC has a copy of the AD; changes on one
computer being synchronized (converged) between all the DC computers by multi-master
replication. Servers joined in to AD, which are not domain controllers, are called Member
Servers. The AD database is split into different stores or partitions. Microsoft often refers to
these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object
classes and attributes within the Forest. The 'Configuration' partition, contains information on the
physical structure and configuration of the forest (such as the site topology). The 'Domain'
partition holds all objects created in that domain. The first two partitions replicate to all domain
controllers in the Forest. The Domain partition replicates only to Domain Controllers within its
domain. A subset of objects in the domain partition are also replicated to domain controllers that
are configured as global catalogs.
Unlike earlier versions of Windows which used NetBIOS to communicate, Active Directory is
fully integrated with DNS and TCP/IP — indeed DNS is required. To be fully functional, the
DNS server must support SRV resource records or service records.
AD replication is 'pull' rather than 'push'. The Knowledge Consistency Checker (KCC) creates a
replication topology of site links using the defined sites to manage traffic. Intrasite replication is
frequent and automatic as a result of change notification, which triggers peers to begin a pull
replication cycle. Intersite replication intervals are less frequent and do not use change
notification by default, although this is configurable and can be made identical to intrasite
replication. A different 'cost' can be given to each link (e.g., DS3, T1, ISDN etc.) and the site link
topology will be altered accordingly by the KCC. Replication between domain controllers may
occur transitively through several site links on same-protocol site link bridges, if the 'cost' is low,
although KCC automatically costs a direct site-to-site link lower than transitive connections.
Site-to-site replication can be configured to occur between a bridgehead server in each site,
which then replicates the changes to other DCs within the site.
In a multi-domain forest the AD database becomes partitioned. That is, each domain maintains a
list of only those objects that belong in that domain. So, for example, a user created in Domain A
would be listed only in Domain A's domain controllers. Global catalog (GC) servers are used to
provide a global listing of all objects in the Forest. The Global catalog is held on domain
controllers configured as global catalog servers. Global Catalog servers replicate to themselves
all objects from all domains and hence, provide a global listing of objects in the forest. However,
in order to minimize replication traffic and to keep the GC's database small, only selected
attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can
be modified by modifying the schema and marking attributes for replication to the GC.
Replication of Active Directory uses Remote Procedure Calls (RPC over IP [RPC/IP]). Between
Sites you can also choose to use SMTP for replication, but only for changes in the Schema or
Configuration. SMTP cannot be used for replicating the Domain partition. In other words, if a
domain exists on both sides of a WAN connection, you must use RPCs for replication.
The AD database, the directory store, in Windows 2000 uses the JET Blue-based Extensible
Storage Engine (ESE98), limited to 16 terabytes and 1 billion objects in each domain controller's
database. Microsoft has created NTDS databases with more than 2 billion objects.[citation needed]
(NT4's Security Account Manager could support no more than 40,000 objects). Called
NTDS.DIT, it has two main tables: the data table and the link table. In Windows 2003 a third
main table was added for security descriptor single instancing.[4]
Active Directory is a necessary component for many Windows services in an organization such
as Exchange.
5 FSMO Roles
Technically, the Microsoft multiple master model uses a change notification mechanism. Occasionally
problems arise if two administrators perform duplicate operations before the next replication cycle. For
example, you created an OU called Accounts last week, today at the same instant you create new users
in that OU, another administrator on another DC, deletes that OU. Active Directory does it's best to
obey both administrators. It deletes the OU and creates the Users, but as it cannot create the Users in
the OU because it was deleted, the result is the users are added to the orphaned objects in the
'LostAndFound' folder. You can troubleshoot what has happed by locating the 'LostAndFound' folder in
Active Directory Users and Computers.
It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is
that a few operations are so critical that only one domain controller can carry out that process. Imagine
what would happen if two administrators tried to make different changes to the same schema object -
chaos. That is why administrators can only change the schema on one Domain Controller. Emulating a
PDC is the most famous example of such a Single Master Operation; creating a new child domain would
be another example.
PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDC's. However, there are two
other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time
service and creating group policies. I admit that it is confusing that these two jobs have little to do with
PDCs and BDCs.
RID Master - Each object must have a globally unique number (GUID). The RID master makes sure each
domain controller issues unique numbers when you create objects such as users or computers. For
example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 - 9999.
Infrastructure Master - Responsible for checking objects in other other domains. Universal group
membership is the most important example. To me, it seems as though the operating system is paranoid
that, a) You are a member of a Universal Group in another domain and b) that group has been assigned
Deny permissions. So if the Infrastructure master could not check your Universal Groups there could be
a security breach.
Domain Naming Master - Ensures that each child domain has a unique name. How often do child
domains get added to the forest? Not very often I suggest, so the fact that this is a FSMO does not
impact on normal domain activity. My point is it's worth the price to confine joining and leaving the
domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned
domains.
Schema Master - Operations that involve expanding user properties e.g. Exchange 2003 / forestprep
which adds mailbox properties to users. Rather like the Domain naming master, changing the schema is
a rare event. However if you have a team of Schema Administrators all experimenting with object
properties, you would not want there to be a mistake which crippled your forest. So its a case of
Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role.
(There is a also an important Global Catalog Role, however its not a FSMO role as you can have more
than one Global Catalog. See more on Global Catalog Server)
Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.) are unique to the entire
forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.
You can discover which server holds the Operation Master by opening
Active Directory Users and Computers, Right click your Domain and
select Properties, Operations Masters.
To see the Domain Naming Master (4.), navigate to the little used,
Active Directory Domains and Trusts, Right click your Domain and
select Properties, Operations Masters.
The Schema Master (5.) is the most difficult FSMO to find. The reason is the Schema snap-in is hidden by
default. Perhaps is this is Microsoft saying - don't mess with the object definitions. However, you can
reveal the Schema and its FSMO settings thus:
1) Register the Schema Snap with this command, RUN regsvr32 schmmgmt.dll
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") roles are also
known as operations master roles. Although the AD domain controllers operate in a multi-master
model, i.e. updates can occur in multiple places at once, there are several roles that are
necessarily single instance:
PDC Emulator
Relative Id Master
Infrastructure Master
Troubleshooting FSMO
Schema Master
If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or
extend the schema. However, short term no-one will notice a missing Schema Master, so try and repair
the old one rather than seize the role.
You must not allow the original Domain Naming Master to return, rebuild before you let the machine
back in the forest.
PDC Emulator
Of the 5 roles, this is the role that you will miss the soonest. Not only with NT 4.0 BDC's complain, but
also there will be no time synchronization. Another problem is that you probably will not be able to
change or troubleshoot group policies as the default setting is for the PDC emulator also to be the group
policy master.
If the old PDC emulator returns, then it is not as serious as duplicates with some of the other roles.
Quickly seize PDC role from another machine.
RID Master
One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique
numbers so that no two new objects have the same GUID (Globally Unique Identifier).
If you lose the RID master the chances are good that the existing Domain Controllers will have enough
unused RIDs to last a week or so do not be in a hurry to seize.
You must not allow two RID masters, as the possibility of two objects with the same RID would be
disastrous. So if the original is found it must be reformatted and reinstalled before re-joining the forest.
Infrastructure Master
The consequence for a missing Infrastructure master is that group memberships may be incomplete. If
you only have one domain, then there will be no impact as the Infrastructure Master is responsible for
updating your user's membership in other domains in the forest.
The Relative ID Master allocates security RIDs to DCs to assign to new AD security
principals (users, groups or computer objects). It also manages objects moving between
domains.
The Infrastructure Master maintains security identifiers, GUIDs, and DNS for objects
referenced across domains. Most commonly it updates user and group links.This is
another domain-specific role and its purpose is to ensure that cross-domain object
references are correctly handled. For example, if you add a user from one domain to a
security group from a different domain, the Infrastructure Master makes sure this is done
properly. As you can guess however, if your Active Directory deployment has only a
single domain, then the Infrastructure Master role does no work at all, and even in a
multi-domain environment it is rarely used except when complex user administration
tasks are performed, so the machine holding this role doesn't need to have much
horsepower at all.
The PDC Emulator operations master role processes all password changes in the
domain. Failed authentication attempts due to a bad password at other domain controllers
are forwarded to the PDC Emulator before rejection. This ensures that a user can
immediately login following a password change from any domain controller, without
having to wait several minutes for the change to be replicated. The PDC Emulator
Operations Master role must be carefully sited in a location to best handle all password
reset and failed-authentication forwarding traffic for the domain.
The Schema Master maintains all modifications to the schema of the forest. The schema
determines the types of objects permitted in the forest and the attributes of those objects
for.
The Domain Naming Master tracks the names of all domains in the forest and is
required to add new domains to the forest or delete existing domains from the forest.
Trust
To allow users in one domain to access resources in another, AD uses trusts. Trusts inside a forest
are automatically created when domains are created. The forest sets the default boundaries of
trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As
well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees,
transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or
nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect
to other forests or non-AD domains.
Trusting domain - The domain that allows access to users from a trusted domain.
Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
Transitive trust - A trust that can extend beyond two domains to other trusted domains in the
tree.
Intransitive trust - A one way trust that does not extend beyond two domains.
Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust - An explicit trust between domains in different trees or in the same tree when a
descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut
Windows 2003 offers a new trust type - the forest root trust. This type of trust can be used to
connect Windows 2003 forests if they are operating at the 2003 forest functional level.
Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts
are also transitive for all the domains in the forests that are trusted.
Troubleshooting FSMO
Symptoms of FSMO Problems
I find that the first sign of a problem with a FSMO is that Active Directory Users and Computers is slow to
initialize. Moreover, if you try to even view Group Policies, you get an error such as:
The cause of these symptoms is that the FSMO master holding the PDC emulator is unavailable. Fingers
crossed it's a temporary problem, however the problem persists then you need to investigate which
Domain Controller holds, or held the PDC emulator role.
Troubleshooting Toolkit
DCDiag - Not only does DCDiag have a routing to check the FSMOs but it also provides information on
Active Directory replication. As ever with troubleshooting, you want to get to the root cause not merely
treat one of the symptoms.
NetDOM - It's a close call whether to run NetDOM before or after DCDiag, the answer partly depends on
whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support
tools.
From the command line type netdom query fsmo. You should see a list of the of the 5 roles with the
corresponding Domain Controller.
DNS - Excuse what may seem like a digression, but it never ceases to amaze me how often faulty DNS
configuration is the source of an Active Directory problem. Therefore, head for the DNS snap-in and
observe that all settings are as expected. Remember the Monitor to tab. Make sure that each DNS
server is registering itself and registering with other DNS Servers.
DCPROMO - Rather drastic, but sometimes just running this program to demote a Domain Controller
creates error messages, which are handy additional sources of information. If there are no error
messages, you may just choose to cancel. However, if you go ahead and run DCPROMO to demote a
domain controller, watch out for a check box that says 'This is the last domain controller in the domain'.
If that box is UNchecked the wizard will automatically move any FSMO roles to another domain
controller.
Remember that in the acronym FSMO, the word Flexible means that you can move the role to a more
suitable domain controller. There are two scenarios for transferring the FSMO roles, the first is a planned
transfer where the original FSMO Operations Master is up and running. Alternatively, if the original
FSMO master has been stolen, corrupted or otherwise unavailable then you need NTDSUTIL
NTDSUTIL
As a matter of planning strategy, decide if this move is a short term fix, or part of a long term transfer of
role. Another consideration is do you want all the roles on the same Domain Controller. The answer is
probably not, for example, best practice suggests that the Infrastructure master should not be on a
Global Catalog.
If the Global Catalog server and Infrastructure Master are on the same server, the Global Catalog no
longer updates information. You can either just accept this peculiarity, or research why it thinks it knows
best and does not need to replicate. This is only a problem in a multi-domain forest.
Your planning should also take into account the fact that each domain has its own RID, PDC and
Infrastructure Master, while there is only one Schema and one Domain Naming Master for the entire
Active Directory Forest.
Finally a minor consideration, have you the correct rights, for example, do you have access to an
account, which is and Enterprise Administrator and Schema Administrator.
Three of the FSMO Operational Masters are found under the domain in
Active Directory Users and Computers. The FSMO roles found here are:
RID, PDC and Infrastructure masters. Right click on the domain name
(cp.com in diagram) then select Operations Masters.
The Domain Naming Master is tucked away under the Active Directory
Domains and Trusts. While the hardest FSMO master to find is the
Schema Master, the reason being you first have to register the schema
snap in with the command: Start, Run Start, regsvr32 schmmgmt.dll.
Now that you have located the 5 Operation Masters, the technique to
transfer ownership is the same in each case.
The key concept is Pull. Make sure that you are connected to the
destination server. This is really such a simple point but once you have
grasped the concept, the knack transferring FSMO roles will be
easy. Sorry to harp on, but unless you make the new FSMO domain controller the focus for the MMC
snap in, trust me, you will be frustrated.
Now that you have the 'focus' on the new Operations Master, your transfer will proceed smoothly. After
double checking that the server names are the correct way around, just click on the Change Button.
NTDSutil
When you are configuring FSMO with NTDSutil, the command that is,
Seize PDC (or Seize RID etc). However, as soon as you execute NTDSutil you realize how many different
jobs this utility has.
Before you learn the knack of transferring the FSMO or Operations Master, take a minute to plan which
Domain Controllers should hold which roles. It is possible that existing servers have inappropriate roles,
for example if your forest has grown, the Schema master is best in the Root domain.
(There is a also an important Global Catalog Role, however its not a FSMO as you can have more than
one Global Catalog. See more on Global Catalog Server)
Schema Master
Responsible for schema updates
The Windows Server 2003 Schema Snap-in is not available by default. There lies a clue that ordinary
administrators are not meant to change the Schema. However, to complete your understanding of
Active Directory take time to appreciate the object model that underpins Windows Server 2003.
Getting Started
Recommendations
It us useful to understand the nature of the Schema. Active Directory is an object based system. The
schema keeps a list of the definitions for each object such as Computer or User. The list is divided into
Classes and Attributes and the Schema recycles attributes like location and applies an instance to the
site, printer or computer object.
Flexible Master
The Schema is one of the five single master operations, this means that only one domain controller has a
read / write copy of the schema. Take the time to find out which machine hold the Schema Master role.
Right Click the Schema Snap-in, select Operations Master from the short cut menu.
Exchange 2003 relies on Active Directory for definitions of the users mailboxes. When you install
Exchange 2003, firstly you have to be a member of the Schema Admin Global group; secondly Exchange
extends the schema to include these extra attributes like mailbox server. While it is possible to add
attributes and classes yourself - resist. Modifying the schema affects the entire forest and in my opinion
should only be done by a developer when there is a clear business need.
The Global Catalog server keeps track of a subset of the most important attributes, and the Global
Catalog replicates this information to other Global Catalog servers. Be aware that you can add extra
attributes to the list, for example, information on department could be replicated. The benefit is you
could search on department or any other attribute that you added.
Deactivating attributes
Active Directory will not allow you to delete classes or attributes but you can deactivate them if you are
sure they will not be needed.
Improved replication
In Windows Server 2003, only changes in attributes are replicated, the benefit is less replication traffic
and less change of a conflict.
ADPREP
Active Directory preparation allows you to extend the schema ready for an installation of the NTDS.dit
database files. ADPREP uses /forestprep and /domainprep switches rather like Exchange 2000/3.
Getting Started
To make the Schema Snap-in appear, first you need to register a dll.:
Start, Run, regsvr32 schmmgmt.dll. Next I add the Schema snap-
in to my MMC. Run, MMC if you need to create a blank shell for
the snap-ins, then its File (Menu) Add/Remove Snap-in.
The schema shows all the Objects that exist in Active Directory.
Examples of Active Directory Schema Classes include: computer,
printer and user
While knowledge of the object based systems builds a picture of Active Directory; there is practical value
in understanding the role of the schema in Active Directory. For instance, when you install Exchange
2000 you need to be member of the Schema Admins otherwise your install will fail. You should also be
aware that Exchange 2000 alters the schema so that 4 new Email tabs are added to users' property tabs.
Once you have registered the Active Directory Schema you can
check out the Classes and Attributes; this will give you an idea
of how objects like users are built up of attributes. Do not
worry about the X500 OID, but do inspect the Attributes
Properties to see which are published in the Global Catalog.
The Global Catalog is a subset of the Schema containing the
most useful attributes which are used in the Search menus.
Recommendations
Take the time to understand what the schema does for Active Directory.
Normally you will not need to alter the schema. The only time the Schema is extended is when you
install Active Directory aware programs like Exchange 2003.
Schema Issues
The most common schema issues encountered are with upgrading the schema. The first place to
look when you receive an error message while upgrading is the Schupgr.log file located in the
system32 folder.
Some common problems reported with the Schema upgrade process are the following:
•
Insufficient rights error: Usually Schema Upgrade LDIF files contain changes for both the
schema and configuration directory partitions. By default, only Schema Admins can modify
objects in the schema directory partition, and only enterprise administrators or root domain
administrators can modify objects in the configuration directory partition.
Note
The user must be logged in as a member of Schema Admins and Enterprise Admins because
Schupgr.exe runs within the security context of the current logged-on user.
The user needs to be logged on as a member of both because schupgr runs with current logged
in user credentials. Sometimes the user is logged in as a member of both, but still reports an
insufficient rights error. This is usually caused by the unavailability of a global catalog when the
user logged in. Schema/Enterprise admin group membership evaluation requires a global catalog.
If a global catalog is not available, those might not be in the user's token. Make sure the Global
Catalog is running, and then log off and log on again.
•
Error in importing: ldifde.exe generates two files, ldif.log and ldif.err (in case of an error only).
Check the files to see which entry is in error and what error code is returned. You can then try to
import it manually through ldp or a separate ldif file that contains only this entry. Next capture a
sniffer trace, and figure out from the error information what the problem is.
•
Schupgr runs but doesn't update the schema version: The version number. is updated as the last
entry in the ldif file. If anything else fails before, the version is not updated. If no errors are
reported from Schupgr.log file, and the version number is still not updated, it is usually a
problem with ldifde. Make sure ldifde is running correctly. The instances when this occurs is
when ldifde access violates when loading.
•
Schupgr error: Cannot obtain schema version to upgrade to:
You are missing a file that winnt32 would have copied to your computer when running schupgr
to upgrade to the current build. To resolve the problem, run winnt32 to upgrade; it blocks
detecting the schema mismatch and copies down the two to three files that you need. Then run
schupgr.
•
"ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable)" in the schupgr log. This
means the current domain controller is not the schema FSMO role owner, and trying to transfer
the role from the other domain controller (whoever is the FSMO role owner) to this domain
controller failed. The error unavailable can come for various reasons; it can't reach the other
domain controller or the other domain controller didn't respond and so on. You can retry after
some time if there is any temporary network problems and so on.
To check who is the current schema fsmo role owner, use either the Schema snap-in or the
ntdsutil tool to view the current Schema FSMO role owner.
Note
If the previous suggestions do not yield the Schema FSMO role owner use the LDP or ADSIEdit
tool to look at the fsmo-role-owner attribute on the schema container
(cn=schema,cn=configuration,...). The fsmoRoleOwner attribute contains the name of the server
that is the schema-fsmo role owner.
To increase the DS diagnostics logging level (which logs schema failures to the event log,
sometimes providing clues as to why a schema operation is rejected) increase the value of the
Internal Processing entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to
Level 3.
DOMAIN NAMING MASTER
Article ID : 254933
Revision : 2.2
IMPORTANT: This article contains information about modifying the registry. Before you modify the
registry, make sure to back it up and make sure that you understand how to restore the registry if a
problem occurs. For information about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
On This Page
SUMMARY
MORE INFORMATION
SUMMARY
The domain naming master Flexible Single Master Operations (FSMO) role holder is assigned to the
domain controller that is responsible for making changes to the CN=Partitions,CN=Configuration,
DC=domain configuration container in Active Directory. The configuration naming context is shared and
replicated by all Windows 2000-based domain controllers in the same forest.
This article describes issues that can occur when Windows 2000-based servers that are being promoted
or demoted are unable to contact the domain naming master FSMO role holder during Active Directory
promotion or demotion.
MORE INFORMATION
The domain naming master FSMO role holder is the only computer that can add or remove a domain
in a Windows 2000 Active Directory forest, and is the only FSMO role owner contacted by the Active
Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote
replica domain controllers in an existing domain.
Investigate Domain Name System (DNS) name resolution, network connectivity, and consistency in Active
Directory for the current domain naming master FSMO role holder when "naming master" or "FSMO"
error messages occur during Dcpromo operations.
To perform the requested operation, the directory service needs to contact the Domain Naming Master
(server servername). The attempt to contact it failed. The specified server cannot perform the requested
operation.
A related message can occur when information about a new domain in the forest has not yet been
replicated to the computer that is the intended holder of the domain naming FSMO role for the forest:
Active Directory Installation Failed. The operation failed because: The Directory Service failed to create
the object CN=servername,CN=Partitions,CN=Configuration,DC=Y,DC=Z,DC=com. Please check the event
log for possible system errors. The directory cannot validate the proposed naming context name because
it does not hold a replica of the naming context above the proposed naming context. Please ensure that
the domain naming master role is held by a that is server configured as a global catalog server, and that
that server is up to date with its replication partners.
This behavior can be caused by inconsistency in the domain naming master role owner as seen by
different domain controllers in the forest because of replication latency or problems. Use the following
troubleshooting steps to determine if a problem exists:
Confirm that the domain naming master is replicating Active Directory. Type repadmin
/showreps at a command prompt.
Domain controllers in the forest are consistent about the computer name that is designated as
the current domain naming master.
Confirm that the domain naming master is a global catalog server. Type nltest
/dsgetdc:domainname /server:servername to see if the server is advertising the "GC" flag. New
global catalog servers also register event 1119 ("This Windows domain controller is a now a
global catalog server"). For additional information, click the article numbers below to view the
articles in the Microsoft Knowledge Base:
234790 (http://support.microsoft.com/kb/234790/EN-US/) How to Find FSMO Role Holders
If the domain naming master FSMO role holder is not a global catalog server, it locates another
global catalog server to check for the creation. Determine whether the global catalog servers
have finished promotion. Global catalog servers require a successful synchronization with a
source for each domain. If there are error messages in the Event log about incomplete global
catalog server promotion, try to correct the communication problem with all domains in the
forest. Type nltest /dsgetdc:root.domain.name /server:servername, where servername is the
correct server. Determine whether the server is advertising the "GC" entry in the flags section of
the Nltest output.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Set the logging verbosity for the Global Catalog entry under the
HKLM\SYSTEM\CCS\Services\NTDS\DIAGNOSTICS registry key to 5, and then examine the
directory service Event log.
The destination and installed parent domain are created on the domain naming master/global
catalog server. Using Ldp.exe, connect to the global catalog server port (port 3268 ) on the
domain naming master and search for objects in the appropriate domain(s) by navigating the
tree. If they are not visible, examine the directory service Event logs to see why replication has
not occurred.
PDC EMULATOR
The PDC emulator is one of the five operations master roles in Active Directory. It is used in a domain
containing non-Active Directory computers. It processes the password changes from both users and
computers, replicates those updates to backup domain controllers, and runs the Domain Master
browser. When a domain user requests a domain controller for authentication, and the domain
controller is unable to authenticate the user due to bad password, the request is forwarded to the PDC
emulator. The PDC emulator then verifies the password, and if it finds the updated entry for the
requested password, it authenticates the request.
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to
ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not
permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the time from an external source.
All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the
PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain
controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC
emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in
the forest.
Mixed Mode
Can be changed
Miscellaneous
RID Master
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the
object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is
unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that
DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request
by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At
any one time, there can be only one domain controller acting as the RID master in the domain.
The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all
DCs within a given domain. It is also responsible for removing an object from its domain and putting it in
another domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for
additional RIDs to the domain's RID master. The domain RID master responds to the request by
retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting
DC. There is one RID master per domain in a directory.
When a DC’s RID pool falls too low, it requests additional RIDs
from RID master
Infrastructure Master
When an object in one domain is referenced by another object in another domain, it represents the reference by
the GUID, the SID (for references to security principals), and the DN of the object being referenced. The
infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in
a cross-domain object reference. At any one time, there can be only one domain controller acting as the
infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog
server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references
in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the
domain controllers in a domain also host the global catalog, all the domain controllers have the current data,
and it is not important which domain controller holds the infrastructure master role.
When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.
NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-
domain object references in that domain will not be updated and a warning to that effect will be logged
on that DC's event log.
If all the domain controllers in a domain also host the global catalog, all the domain controllers have the
current data, and it is not important which domain controller holds the infrastructure master role.
At any time, there can be only one domain controller acting as the infrastructure master in each
domain. The infrastructure master is responsible for updating references from objects in its
domain to objects in other domains. The infrastructure master compares its data with that of a
global catalog. Global catalogs receive regular updates for objects in all domains through
replication, so the global catalog data will always be up to date. If the infrastructure master finds
data that is out of date, it requests the updated data from a global catalog. The infrastructure
master then replicates that updated data to the other domain controllers in the domain.
Important
Unless there is only one domain controller in the domain, the infrastructure master role
should not be assigned to the domain controller that is hosting the global catalog. If the
infrastructure master and global catalog are on the same domain controller, the
infrastructure master will not function. The infrastructure master will never find data that
is out of date, so it will never replicate any changes to the other domain controllers in the
domain.
In the case where all of the domain controllers in a domain are also hosting the global
catalog, all of the domain controllers will have the current data and it does not matter
which domain controller holds the infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever
the members of groups are renamed or changed. When you rename or move a member of a
group (and that member resides in a different domain from the group), the group may
temporarily appear not to contain that member. The infrastructure master of the group's domain
is responsible for updating the group so it knows the new name or location of the member. This
prevents the loss of group memberships associated with a user account when the user account is
renamed or moved. The infrastructure master distributes the update via multimaster replication.
There is no compromise to security during the time between the member rename and the group
update. Only an administrator looking at that particular group membership would notice the
temporary inconsistency.
For information about transferring operations master roles, see Transferring operations master
roles. For information about what to do when an operations master fails, see Responding to
operations master failu
Because the FSMOs are automatically created when the first domain controller is
installed, you might need to transfer OM roles to a more robust server. You would also
need to transfer OM roles to a different server before demoting the domain controller
hosting them.
When a lost domain controller cannot be recovered, you would to need any seize OM
roles assigned to the particular domain controller.
Transferring an Operations Master role, involves moving it from one server to a different server.
To transfer the Schema Master role, you need to have Schema Admins rights, and to transfer the
Domain Naming Master role, you need to have Enterprise Admin rights.
You can use an Active Directory console or a command-line utility to transfer OM roles. The
Active Directory MMC consoles that can be utilized to transfer the different FSMOs are outlined
below:
Active Directory Schema MMC snap-in: For transferring the Schema Master role
Active Directory Domains and Trusts console: For transferring the Domain Naming
Master role
Active Directory Users and Computers console: For transferring the RID Master role,
PDC Emulator role, and Infrastructure Master role.
When you seize an OM role, you do it without the cooperation of the existing domain controller
that is assigned with the particular OM role. When an OM role is seized, it is basically
reassigned to a different domain controller. Before you attempt to seize any OM roles, first try to
determine what the reason is for the failure of the existing domain controller which is assigned
with the particular OM role. Certain network issues which are likely to be corrected in short time
fames are well worth enduring through. Before you seize OM roles, first ensure that the domain
controller you are planning to shift these roles to; is indeed powerful enough to uphold these
roles. In summary, you should only really seize an OM role if the existing OM cannot be
recovered again. You would need to use the Ntdsutil tool command-line tool to seize OM roles.
1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll
on the computer.
2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
3. From the File menu, select Add/Remove Snap-in and then select Add.
4. In the list of available snap-ins, double-click Active Directory Schema.
5. Click Close. Click OK
1. Open the Active Directory Domains And Trusts console from the Administrative Tools
menu.
2. In the console tree, right-click Active Directory Domains And Trusts and select Connect
To Domain Controller from the shortcut menu.
3. The Connect To Domain Controller dialog box opens. This is where you specify the
name of the new domain controller that should be assigned the Domain Naming Master
role.
4. Click OK
5. In the console tree, right-click Active Directory Domains And Trusts and select
Operations Masters from the shortcut menu.
6. When the Change Operations Master dialog box opens, click Change
7. Click Close
Verify that the new domain controller for the role is completely updated with changes
performed on the existing domain controller of the particular role. You can use the
Replication Diagnostics command-line utility for this verification. Repadmin.exe is
included with the Windows Support Tools on the Windows Server 2003 CD-ROM.
You would not use the Ntdsutil tool to seize the particular OM role. The Ntdsutil tool first
attempts to transfer the role before it actually proceeds to seize the role.
However, if you need to seize the PDC Emulator or Infrastructure FSMOs, you can use the
Active Directory Users and Computers console. The Ntdsutil tool has to though be used to seize
the other FSMOs – Schema Master role, Domain Naming Master role, and RID Master role. You
can however also use the Ntdsutil tool to seize the PDC Emulator role or Infrastructure Master
role.
To seize the PDC Emulator or Infrastructure FSMOs using the Active Directory Users and
Computers console,
RID master
Infrastructure master
PDC emulator
Single-domain forest
Multiple-domain forest
Replication Monitor
Dumpfsmos
Resource kit
NTDSUTIL
Schema Administrators
Schema master
Enterprise Administrators
Domain Administrators
Transferring Roles
Transfer only when source and destination DCs are up and running
Domain-specific roles
Schema Master
Permanently demoting a DC
Seizing Roles
Strangely, this is also the role that you can least do without
References — Overview
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/
en/default.asp?
PP=/windows2000/techinfo/reskit/en/toc/w2rkbook-0-2-1-
6.xml&tocPath=w2rkbook-0-2-1-
6&URL=/windows2000/techinfo/reskit/en/distrib/dsbl_fsm_
djnw.htm
http://support.microsoft.com/support/kb/articles/Q197/1
/32.ASP
http://support.microsoft.com/support/kb/articles/Q197/1
/32.ASP
FSMO Placement and Optimization on Windows 2000 Domain
Controllers
http://support.microsoft.com/support/kb/articles/Q223/3/4
6.ASP
http://support.microsoft.com/support/kb/articles/Q228/7/7
6.ASP
http://support.microsoft.com/support/kb/articles/Q234/7/9
0.ASP
http://support.microsoft.com/support/kb/articles/Q255/6/9
0.ASP
http://support.microsoft.com/support/kb/articles/Q255/5/0
4.ASP