Responding to Operations Master Failures

The first step in responding to the unavailability of a domain controller that is an operations master role owner is to determine the anticipated duration of the outage.

If the outage is expected to be brief, the recommended response is simply to wait for the role owner to become available before performing a role-related function.

If the outage is longer, the correct response might be to seize the operations master role held by the unavailable domain controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles. The decision to seize an operations master role depends upon which role it is and the expected length of the outage.

Primary Domain Controller Emulator Failures

The loss of the domain controller that holds the primary domain controller emulator role can be visible to anyone, end users and administrators alike. Specifically, an end user running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client cannot change a password without communicating with the primary domain controller emulator. If that user's password has expired, the user cannot log on at all. Therefore, you might need to repair a primary domain controller emulator failure quickly.

If the primary domain controller emulator is offline for a significant period of time and the domain has users running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the primary domain controller emulator role to the "Standby operations master domain controller."

The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know the current primary domain controller emulator will be offline for a significant period. Later, when the original primary domain controller emulator domain controller comes back online, transfer the role back to the original role owner.

Infrastructure Master Failures

Temporary loss of a domain's infrastructure master is not visible to end users, and is not visible to you, as an administrator, unless you recently moved or renamed a large number of accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a problem worth fixing.

If you anticipate a long outage of a domain's infrastructure master and you need to repair it, first select a domain controller that is not a Global Catalog server and that has good network connectivity to a Global Catalog server located in any domain. Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It is not important that the new infrastructure master be near the previous one. When you have selected the domain controller, seize the infrastructure master role to this domain controller.

The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know that the current infrastructure master will be offline for a very long period. Later, when the original infrastructure master comes back online, transfer the role back to the original role owner.

Other Operations Master Failures

Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a problem worth fixing.

However, if you anticipate an extremely long outage of the domain controller holding one of these roles, you can seize that role to the "Standby operations master domain controller." But, seizing any of these roles is a drastic step; one that you would take only when the outage is permanent, as in the case when a domain controller is physically destroyed and cannot be restored from backup media.

A domain controller whose schema master, domain naming master, or RID master role is seized must never come back online. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network.

The domain controller that seizes the role should be fully up-to-date with respect to updates performed on the previous role owner. Because of replication latency, the prospective new owner might not yet have received the last changes the previous owner made before it failed, so check before you seize.

To check the status of updates for a domain controller, you can use the Repadmin command-line tool. Repadmin is one of the Windows 2000 Support Tools and performs replication diagnostics. It is available on the Microsoft Windows 2000 Server installation CD. Repadmin can determine whether a domain controller has the most current updates. For more information about using the Repadmin tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server CD, and "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.

For example, to make sure a domain controller is fully up-to-date, suppose that "server05" is the RID master of the domain "reskit.com," "server10" is the "Standby operations master domain controller," and "server12" is the only other domain controller in the "reskit.com" domain. Using the Repadmin tool, you would issue the following commands:

C:\> repadmin /showvector dc=reskit,dc=com server10.reskit.com
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706

C:\> repadmin /showvector dc=reskit,dc=com server12.reskit.com
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110

Note

In the previous example, the lines beginning with the C:\> prompt are user input; the remaining lines are output from the Repadmin tool.

Ignore all output lines except those for server05. Server10's up-to-date status value with respect to server05 (server05 @ USN 2604) is larger than server12's up-to-date status value with respect to server05 (server05 @ USN 2590), so it is safe for server10 to seize the RID master role formerly held by server05. If the up-to-date status value for server10 were less than the value for server12, you would wait for normal replication to update server10, or use the Repadmin tool's /sync command with the /force option to make the replication happen immediately.
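The comparison above is easy to get wrong by eye when a domain has more than two surviving domain controllers. The following is an added example, not part of the Resource Kit and not a Microsoft tool: it parses the text that repadmin /showvector prints (one "Site\Server @ USN n" line per originating domain controller), and applies the rule from this section, that the seizing domain controller must know at least as much of the failed owner's changes as every other domain controller in the domain. The sample output is constructed to match the example above; in practice you would capture the output of repadmin /showvector for each surviving domain controller and feed it in.

```python
"""Decide which surviving DC is up to date enough to seize a role.

Added example (not from the Resource Kit). Parses `repadmin /showvector`
output and applies the rule: the seizing DC's up-to-date USN for the
failed role owner must be >= every other DC's value for that owner.
"""
import re
from typing import Dict

# Constructed sample: output of
#   repadmin /showvector dc=reskit,dc=com <candidate>
# for each surviving DC, keyed by the candidate's DNS name.
# (A DC does not list itself in its own vector.)
SHOWVECTOR_OUTPUT = {
    "server10.reskit.com": """\
New-York\\server05 @ USN 2604
San-Francisco\\server12 @ USN 2706
""",
    "server12.reskit.com": """\
New-York\\server05 @ USN 2590
Chicago\\server10 @ USN 3110
""",
}

# One vector line: "<site>\<server> @ USN <n>"; anything else is ignored.
VECTOR_LINE = re.compile(
    r"^(?P<site>[^\\]+)\\(?P<server>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s*$"
)


def parse_showvector(text: str) -> Dict[str, int]:
    """Return {server: highest USN this DC has seen from that server}."""
    vector: Dict[str, int] = {}
    for line in text.splitlines():
        m = VECTOR_LINE.match(line.strip())
        if m:
            vector[m.group("server").lower()] = int(m.group("usn"))
    return vector


def usn_known_for(vector: Dict[str, int], failed_owner: str) -> int:
    """USN of the failed owner as seen by one DC; 0 if it never replicated from it."""
    return vector.get(failed_owner.lower(), 0)


def safe_to_seize(candidate: str, failed_owner: str,
                  outputs: Dict[str, str]) -> bool:
    """True if the candidate's knowledge of failed_owner is >= every other DC's."""
    vectors = {dc: parse_showvector(out) for dc, out in outputs.items()}
    if candidate not in vectors:
        raise KeyError(f"no /showvector output captured for {candidate}")
    mine = usn_known_for(vectors[candidate], failed_owner)
    return all(mine >= usn_known_for(vec, failed_owner)
               for dc, vec in vectors.items() if dc != candidate)


def best_candidate(failed_owner: str, outputs: Dict[str, str]) -> str:
    """The DC holding the most recent changes from the failed owner.

    Ties are broken by DNS name so the result is deterministic; if the
    best candidate is not the planned standby, replicate first (or
    seize to the best candidate instead).
    """
    ranked = sorted(
        outputs,
        key=lambda dc: (-usn_known_for(parse_showvector(outputs[dc]), failed_owner), dc),
    )
    return ranked[0]


if __name__ == "__main__":
    for dc in SHOWVECTOR_OUTPUT:
        print(dc, "safe to seize from server05:",
              safe_to_seize(dc, "server05", SHOWVECTOR_OUTPUT))
    print("best candidate:", best_candidate("server05", SHOWVECTOR_OUTPUT))
```

With the sample vectors, server10 (USN 2604 for server05) is safe to seize and server12 (USN 2590) is not, which is the conclusion the text reaches by inspection. If safe_to_seize returns False for the planned standby, wait for replication or force it with repadmin /sync before seizing.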

After you have determined that the prospective role owner is fully up-to-date, you can seize the operations master role using the Ntdsutil tool as in the following example:

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server10.reskit.com
Binding to server10.reskit.com ...
Connected to server10.reskit.com using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server "server10.reskit.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=server12,CN=Servers,CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>

Note

In the previous example, the lines beginning with a prompt (C:\>, ntdsutil:, fsmo maintenance:, server connections:) are user input; the remaining lines are output from the Ntdsutil tool. The role listing it prints after the seizure shows the RID role now on server10, which is how you confirm the seizure took effect.

For more information about specific procedures for using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.

Using the Ntdsutil Tool for Role Placement

The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool might be more convenient for operations master transfers and seizures than the graphical user interface tools, because it is simpler and quicker to enter commands than to use multiple windows.

To perform seizures of the schema master, domain naming master, and RID master roles, the Ntdsutil tool is the required method. When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure.

The Ntdsutil tool provides help information when you type a question mark (?). The following is an example showing the transfer of the domain naming master role (lines beginning with a prompt are user input; the rest is tool output):

C:\> ntdsutil
ntdsutil: ?
? - Print this help information
Authoritative restore - Authoritatively restore the DIT database
Domain management - Prepare for new domain creation
Files - Manage NTDS database files
Help - Print this help information
IPDeny List - Manage LDAP IP Deny List
LDAP policies - Manage LDAP protocol policies
Metadata cleanup - Clean up objects of decommissioned servers
Popups %s - (en/dis)able popups with "on" or "off"
Quit - Quit the utility
Roles - Manage NTDS role owner tokens
Security account management - Manage Security Account Database - Duplicate SID Cleanup
Semantic database analysis - Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
? - Print this help information
Connections - Connect to a specific domain controller
Help - Print this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master
fsmo maintenance: connections
server connections: ?
? - Print this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Print this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd
                     Use "NULL" for null password
server connections: connect to server reskit1
Binding to reskit1 ...
Connected to reskit1 using credentials of locally logged on user
server connections: quit
fsmo maintenance: transfer domain naming master
Server "reskit1" knows about 5 roles
Schema - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1 ...
C:\>

In the previous example, the available Ntdsutil tool commands are displayed after entering a question mark (?). To transfer an operations master role, enter the roles command, which displays the fsmo maintenance menu. Entering a question mark (?) there displays the subcommands within the fsmo maintenance menu. Before transferring the operations master role, you must connect to the domain controller that will receive the role ("reskit1" in the example above) by entering the connect to server subcommand. Then, after leaving the server connections mode by entering quit, issue the transfer domain naming master command. A confirmation pop-up window (not shown) is displayed for the transfer domain naming master operation, and the role listing that follows shows the new owner of every role.

Note

You must have sufficient permissions to execute commands using the Ntdsutil tool. For more information about controlling access to operations master role placements, see "Controlling Access to Role Placements" later in this chapter.

You can also view the current operations master role owners with the Ntdsutil command-line tool: from the Roles option, enter select operation target, and then enter list roles for connected server to display all of the current operations master role owners.
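Whether you seized a role (as in the RID master example earlier in this section), transferred one (as in the domain naming master example above), or simply ran list roles for connected server, the evidence that the operation took effect is the "knows about 5 roles" listing that Ntdsutil prints. The following is an added example, not part of the Resource Kit and not part of Ntdsutil: it parses that listing, recovers the server and site from each NTDS Settings distinguished name, and checks that a role now sits where it was meant to go and that the failed owner no longer appears. The sample listing is constructed to match the RID master seizure earlier in this section; Ntdsutil may wrap a long distinguished name onto a second line, which the parser tolerates.

```python
"""Verify operations master placement from an Ntdsutil role listing.

Added example (not from the Resource Kit, not an Ntdsutil feature).
Parses the "Server ... knows about 5 roles" block printed after a
seize, a transfer, or "list roles for connected server".
"""
import re
from typing import Dict, List, Tuple

ROLE_NAMES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

# Constructed sample, matching the RID master seizure example, with the
# DNs wrapped after "CN=Servers," the way Ntdsutil may print them.
LISTING = """\
Server "server10.reskit.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain - CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC - CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID - CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure - CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
"""

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+(.*)$")
# The owner is the server object two RDNs below "NTDS Settings"; the site
# is the RDN under CN=Servers.
DN_PARTS = re.compile(
    r"CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),CN=Sites,",
    re.IGNORECASE,
)


def parse_role_listing(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {role: (server, site)}; raises if the five roles are not all present."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Server "):
            continue                      # header line, not a role
        if ROLE_LINE.match(line):
            entries.append(line)          # start of a new role entry
        elif entries:
            entries[-1] += line           # continuation of a wrapped DN
    roles: Dict[str, Tuple[str, str]] = {}
    for entry in entries:
        role, dn = ROLE_LINE.match(entry).groups()
        m = DN_PARTS.search(dn)
        if not m:
            raise ValueError(f"unrecognised NTDS Settings DN for {role}: {dn}")
        roles[role] = (m.group("server").lower(), m.group("site"))
    if set(roles) != set(ROLE_NAMES):
        raise ValueError(f"expected roles {ROLE_NAMES}, got {sorted(roles)}")
    return roles


def role_is_on(text: str, role: str, server: str) -> bool:
    """True if the listing shows `role` owned by `server` (short name, case-insensitive)."""
    return parse_role_listing(text)[role][0] == server.lower()


def roles_still_on(text: str, server: str) -> List[str]:
    """Roles the listing still attributes to `server`.

    After a seizure this must be empty for the failed owner: a DC whose
    schema, domain naming or RID role was seized must never return.
    """
    return sorted(role for role, (owner, _) in parse_role_listing(text).items()
                  if owner == server.lower())


if __name__ == "__main__":
    for role, (owner, site) in parse_role_listing(LISTING).items():
        print(f"{role:<15} {owner} ({site})")
    print("RID on server10:", role_is_on(LISTING, "RID", "server10"))
    print("roles left on server05:", roles_still_on(LISTING, "server05"))
```

Run it against the listing Ntdsutil prints after the seize or transfer command. If roles_still_on reports anything for the domain controller you seized from, the seizure did not take effect on the server you are connected to, and you should not bring the old owner back on the network.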

For more information about using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.