Operations Master Roles
Active Directory defines five operations master roles: schema master, domain naming master, relative identifier (RID) master, primary domain controller emulator, and infrastructure master. The schema master and domain naming master are per-forest roles, meaning that there is only one schema master and one domain naming master in the entire forest. The other three are per-domain roles, meaning that each domain in a forest has its own RID master, primary domain controller emulator, and infrastructure master. So, in a forest with only one domain there are five operations master roles. In a forest with more than one domain there are more than five, because the per-domain roles must exist in each domain (two forest roles plus three roles per domain).
For example, the Reskit.com forest has three domains:
Reskit.com. The root domain.
Na.reskit.com. The North American domain.
Eur.reskit.com. The European domain.
Therefore, the total number of operations master roles for the Reskit.com forest is eleven:
Schema master (forest): Reskit.com
Domain naming master (forest): Reskit.com
RID master (domain): Reskit.com
RID master (domain): Na.reskit.com
RID master (domain): Eur.reskit.com
Primary domain controller emulator (domain): Reskit.com
Primary domain controller emulator (domain): Na.reskit.com
Primary domain controller emulator (domain): Eur.reskit.com
Infrastructure master (domain): Reskit.com
Infrastructure master (domain): Na.reskit.com
Infrastructure master (domain): Eur.reskit.com
A domain controller for any domain within a forest can hold a per-forest role for that forest; only a domain controller for a specific domain can hold a per-domain role for that domain. So, a single domain controller can hold up to five operations master roles, at most one of each. Therefore, in the preceding example, the eleven roles might be held by as few as three domain controllers (one per domain, with the two forest roles on one of them), or by as many as eleven.
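The following script is an added example, not part of the Resource Kit text. It enumerates every operations master role in a forest by reading the fSMORoleOwner attribute of the directory object that anchors each role (the schema container, the Partitions container, the RID Manager$ object, the domain head, and the Infrastructure object), then checks that the count matches two forest roles plus three per domain and reports how many distinct domain controllers hold them. It uses only System.DirectoryServices, which is present on any domain-joined Windows host, and assumes it is run as a domain user on such a host; the attributes it reads are readable by default.

```powershell
# Added example: list all operations master roles in the forest via fSMORoleOwner.
# Uses System.DirectoryServices ([ADSI]); no ActiveDirectory module required.
# Assumption: run as a domain user on a domain-joined host (default read access is enough).

function Get-FsmoRoleHolder {
    param([Parameter(Mandatory)][string]$AnchorDn)
    # fSMORoleOwner holds the DN of the role holder's "CN=NTDS Settings,CN=<server>,..." object.
    $owner = [string]([ADSI]"LDAP://$AnchorDn").fSMORoleOwner
    if (-not $owner) { return $null }
    # The parent of the NTDS Settings object is the server object, which carries dNSHostName.
    $serverDn = $owner -replace '^CN=NTDS Settings,', ''
    [string]([ADSI]"LDAP://$serverDn").dNSHostName
}

function Get-ForestDomainNCs {
    # Every domain in the forest has a crossRef object in CN=Partitions whose systemFlags
    # has the FLAG_CR_NTDS_DOMAIN bit (0x2) set; nCName is the DN of the domain partition.
    $root = [ADSI]"LDAP://RootDSE"
    $partitions = [ADSI]"LDAP://CN=Partitions,$($root.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    $searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('nCName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['ncname'][0] }
}

function Get-OperationsMasters {
    $root   = [ADSI]"LDAP://RootDSE"
    $config = [string]$root.configurationNamingContext
    $schema = [string]$root.schemaNamingContext

    # Per-forest roles: anchored on the schema container and the Partitions container.
    [pscustomobject]@{ Role = 'Schema master';        Scope = 'forest'; Domain = ''; Holder = (Get-FsmoRoleHolder $schema) }
    [pscustomobject]@{ Role = 'Domain naming master'; Scope = 'forest'; Domain = ''; Holder = (Get-FsmoRoleHolder "CN=Partitions,$config") }

    # Per-domain roles: one of each in every domain of the forest.
    foreach ($nc in Get-ForestDomainNCs) {
        [pscustomobject]@{ Role = 'RID master';            Scope = 'domain'; Domain = $nc; Holder = (Get-FsmoRoleHolder "CN=RID Manager`$,CN=System,$nc") }
        [pscustomobject]@{ Role = 'PDC emulator';          Scope = 'domain'; Domain = $nc; Holder = (Get-FsmoRoleHolder $nc) }
        [pscustomobject]@{ Role = 'Infrastructure master'; Scope = 'domain'; Domain = $nc; Holder = (Get-FsmoRoleHolder "CN=Infrastructure,$nc") }
    }
}

$roles = @(Get-OperationsMasters)
$roles | Format-Table Role, Scope, Domain, Holder -AutoSize

$domainCount = @(Get-ForestDomainNCs).Count
"Roles found: {0} (expected 2 + 3 x {1} domains = {2})" -f $roles.Count, $domainCount, (2 + 3 * $domainCount)
"Distinct role holders: {0}" -f @($roles.Holder | Where-Object { $_ } | Sort-Object -Unique).Count
```

For the Reskit.com forest above this prints eleven rows and a holder count between three and eleven. A role whose Holder column is empty points at an NTDS Settings object that no longer exists, which is the usual sign of a role holder that was removed without the role being seized.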
When you create the first Microsoft® Windows® 2000 domain controller in a forest, the Active Directory Installation Wizard assigns all five roles to it. When you create the first Windows 2000 domain controller for a new domain in an existing forest, the Active Directory Installation Wizard assigns the three per-domain roles to it.
In a mixed-mode domain environment (one that contains a mixture of Windows 2000, Microsoft® Windows NT® version 4.0, and Windows NT version 3.51 domain controllers), only the Windows 2000 domain controllers can hold operations master roles.
Schema Master
The domain controller that holds the schema master role is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest.
As previously mentioned, the schema master is a per-forest operations master role, because regardless of the number of domains, there is only one schema in the forest. To update the directory schema, you must connect to the domain controller holding the forest's schema master role. If, for some reason, you prefer that another domain controller hold the schema master role, you can transfer it to another domain controller.
The schema master role is managed from the Active Directory Schema snap-in. To determine whether the snap-in is connected to the schema master, in the console tree, right-click the schema node and select Operations Master. If the Current Focus and Current Operations Master values are the same, you are connected to the schema master. Also, to enable schema changes on that domain controller you must select the check box The Schema may be modified on this server; this sets the Schema Update Allowed registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on that server, and a Windows 2000 domain controller refuses schema writes while that value is absent or zero.
If you attempt to modify the schema using the Active Directory Schema snap-in while connected to a domain controller that is not the schema master, you will see a nonspecific "attempted schema modification failed" error message.
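The same check, done before a scripted schema change instead of from the snap-in, as an added example that is not part of the original text: it resolves the schema master through the .NET System.DirectoryServices.ActiveDirectory classes, binds the schema naming context on that server by name rather than through a serverless LDAP path (which would let the locator pick any domain controller), and confirms that the server it actually reached is the schema master before returning a directory entry to write through. It assumes a domain-joined host and, for the write that would follow, membership in Schema Admins; the checks themselves need only default read access.

```powershell
# Added example: bind the schema container on the schema master itself and verify the binding.
# Uses System.DirectoryServices.ActiveDirectory (.NET 2.0 and later); no ActiveDirectory module required.
# Assumption: domain-joined host; Schema Admins membership only if a write follows.

function Connect-SchemaMaster {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $master = $forest.SchemaRoleOwner.Name          # DNS name of the current schema master

    # Bind RootDSE on that server explicitly. "LDAP://RootDSE" with no server name
    # would let the locator choose any domain controller, which a schema write must avoid.
    $rootDse  = [ADSI]"LDAP://$master/RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext
    $boundTo  = [string]$rootDse.dnsHostName

    if ($boundTo -ne $master) {
        throw "Bound to $boundTo, but the schema master is $master; refusing to proceed."
    }

    $schema = [ADSI]"LDAP://$master/$schemaNc"
    [pscustomobject]@{
        SchemaMaster  = $master
        SchemaNC      = $schemaNc
        SchemaVersion = [int]$schema.objectVersion   # forest schema version; 13 is Windows 2000
        Bound         = $schema                      # DirectoryEntry to use for the write
    }
}

$ctx = Connect-SchemaMaster
$ctx | Format-List SchemaMaster, SchemaNC, SchemaVersion
```

Any subsequent schema write should go through $ctx.Bound so that it cannot silently land on a different domain controller if the role is transferred between the check and the write.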
For more information about using the Active Directory Schema snap-in, the schema master role, and extending the schema, see "Active Directory Schema" in this book.
Domain Naming Master
The domain controller that has the domain naming master role is the only domain controller that can do the following:
Add new domains to the forest.
Remove existing domains from the forest.
Add or remove cross-reference objects to external directories.
By connecting to the domain controller holding the domain naming master role, you can add (or remove) a domain to (or from) the forest. If the domain naming master is unavailable, you cannot add or remove domains. If, for some reason, you prefer that another domain controller hold the domain naming master role, you can transfer it to another domain controller.
To add a domain to a forest, use one of the following methods:
- The Active Directory Installation Wizard. While creating the first domain controller of the domain, the wizard contacts the domain naming master by means of RPC in order to create the domain. (Note that you must have sufficient access permissions to create the domain.)
If the domain naming master is unavailable, a message similar to the following appears:
Active Directory Installation Failed
The operation has failed because <reason for failure>
To perform the requested operation, the Directory Service needs to contact the domain naming master (server server05.reskit.com). The attempt to contact it failed.
The error was: "The specified server cannot perform the requested operation."
In this example, "server05.reskit.com" is the domain naming master.
- The Precreate subcommand under the Domain Management option in the Ntdsutil command-line tool, followed by the Active Directory Installation Wizard. You can connect to the domain naming master using the Ntdsutil tool to create a cross reference object that names the new domain. The cross reference object is found in the Partitions container of the Configuration directory partition. After the cross reference object is replicated throughout the forest, you can run the Active Directory Installation Wizard to create the new domain using the newly created domain name. When you precreate the cross reference object, the Active Directory Installation Wizard does not require a connection to the domain naming master to create the first domain controller of the domain. You must have sufficient access permissions to create a domain.
If the domain naming master is unavailable when the Ntdsutil tool attempts to connect to it, a message similar to the following appears (the text after each prompt is the user's input):
ntdsutil: domain management
domain management: connections
server connections: connect to server server05.reskit.com
binding to server05.reskit.com ...
DsBindW error 0x6ba(The RPC server is unavailable.)
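The precreate procedure above, scripted end to end, as an added example that is not part of the Resource Kit text. It runs the Ntdsutil precreate subcommand against the domain naming master and then polls the Partitions container on each domain controller that the Active Directory Installation Wizard will talk to, so the wizard is not started until the cross-reference object has actually replicated there. All server and domain names are hypothetical. The menu names and the precreate syntax are those of Ntdsutil's own domain management menu on Windows 2000 and Windows Server 2003 (renamed partition management on Windows Server 2008 and later); run it as a member of Enterprise Admins.

```powershell
# Added example: precreate a domain crossRef on the domain naming master, then wait for replication.
# Assumptions: hypothetical names below; Enterprise Admins membership; "domain management" menu
# (Windows 2000/2003), called "partition management" on Windows Server 2008 and later.

$NamingMaster = 'server05.reskit.com'      # current domain naming master
$NewDomainDn  = 'DC=asia,DC=reskit,DC=com' # hypothetical new child domain
$FirstDc      = 'dc01.asia.reskit.com'     # hypothetical first domain controller of the new domain
$CheckOn      = @('server01.reskit.com', 'server02.na.reskit.com')  # DCs the wizard will use

function New-DomainCrossRef {
    param([string]$NamingMaster, [string]$DomainDn, [string]$DcDnsName)
    # Each argument is one Ntdsutil command; "quit" climbs back out of each menu.
    & ntdsutil 'domain management' 'connections' "connect to server $NamingMaster" 'quit' `
               "precreate $DomainDn $DcDnsName" 'quit' 'quit'
}

function Test-CrossRefReplicated {
    param([string]$Server, [string]$DomainDn)
    # The crossRef lives in CN=Partitions in the Configuration partition, which every
    # domain controller in the forest replicates; ask each server explicitly by name.
    $configNc   = [string]([ADSI]"LDAP://$Server/RootDSE").configurationNamingContext
    $partitions = [ADSI]"LDAP://$Server/CN=Partitions,$configNc"
    $s = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    $s.Filter = "(&(objectClass=crossRef)(nCName=$DomainDn))"
    $s.SearchScope = 'OneLevel'
    $null -ne $s.FindOne()
}

New-DomainCrossRef -NamingMaster $NamingMaster -DomainDn $NewDomainDn -DcDnsName $FirstDc

# Poll until every listed domain controller has the object. Inter-site replication
# follows the site link schedule, so allow a generous deadline.
$deadline = (Get-Date).AddMinutes(30)
do {
    $pending = @($CheckOn | Where-Object { -not (Test-CrossRefReplicated $_ $NewDomainDn) })
    if ($pending.Count -gt 0) {
        "Waiting for crossRef on: $($pending -join ', ')"
        Start-Sleep -Seconds 60
    }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($pending.Count -gt 0) { throw "crossRef for $NewDomainDn has not replicated to: $($pending -join ', ')" }
"crossRef for $NewDomainDn is visible on all checked DCs; run the Active Directory Installation Wizard on $FirstDc."
```

If the domain naming master is down, the Ntdsutil call fails with the DsBindW error shown above and nothing is created; the polling loop then times out without ever seeing the object, which is the intended outcome rather than a wizard run that fails later.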
Relative Identifier Master
You can create a new security principal object (User, Group, or Computer) on any domain controller. However, each domain controller creates these objects from a pool of RIDs (500 by default) that it obtains, by means of RPC, from the domain controller holding the domain's RID master role. When a pool is used up the domain controller must obtain another from the RID master before it can create the next security principal object, and the process repeats for each pool. If a domain controller's RID pool is empty and the RID master is unavailable, you cannot create new security principal objects on that domain controller.
When you use the Active Directory Users and Computers snap-in to create new objects, a message similar to the following appears when the domain controller's RID pool is empty and the domain's RID master is unavailable:
Active Directory Service
The object James Smith could not be created.
The problem encountered was:
The directory service has exhausted the pool of relative identifiers.
In this example, a new User object called "James Smith" could not be created because the domain controller's pool of RIDs is exhausted and it could not obtain a new pool from the RID master.
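The condition behind that error can be detected before it happens. The following script is an added example, not part of the original text: it reads a domain controller's RID Set object (rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID) and the domain's RID Manager$ object (rIDAvailablePool, fSMORoleOwner), decodes the 64-bit pool values into RID ranges, and reports how many RIDs the domain controller can still hand out without contacting the RID master, whether it already holds a standby pool, and how many RIDs remain in the domain. It uses only System.DirectoryServices and assumes it runs as a domain user on a domain-joined host; the 50-RID warning threshold is an arbitrary choice for the example.

```powershell
# Added example: report a domain controller's local RID pool and the RID master's remaining pool.
# Uses System.DirectoryServices only; no ActiveDirectory module required.
# Assumption: domain user on a domain-joined host; the attributes are readable by default.

function Search-Ldap {
    param([string]$Server, [string]$BaseDn, [string]$Filter, [string]$Scope, [string[]]$Props)
    # DirectorySearcher returns large-integer attributes as Int64, which is simpler to
    # handle than the COM IADsLargeInteger object that [ADSI] returns for them.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Server/$BaseDn")
    $s.Filter = $Filter
    $s.SearchScope = $Scope
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindOne()
}

function ConvertFrom-RidPool {
    # Pool attributes pack two 32-bit RIDs into one 64-bit value:
    # low half = first RID of the range, high half = last RID of the range.
    param([long]$Packed)
    [pscustomobject]@{ Start = $Packed -band 0xFFFFFFFF; End = $Packed -shr 32 }
}

function Get-RidPoolStatus {
    param([Parameter(Mandatory)][string]$DcDnsName)
    $domainNc = [string]([ADSI]"LDAP://$DcDnsName/RootDSE").defaultNamingContext

    # The DC's computer object links to its RID Set object through rIDSetReferences.
    $computer = Search-Ldap $DcDnsName $domainNc "(&(objectCategory=computer)(dNSHostName=$DcDnsName))" 'Subtree' @('rIDSetReferences')
    if (-not $computer) { throw "No computer object with dNSHostName $DcDnsName in $domainNc" }
    $ridSetDn = [string]$computer.Properties['ridsetreferences'][0]
    $ridSet   = Search-Ldap $DcDnsName $ridSetDn '(objectClass=rIDSet)' 'Base' @('rIDPreviousAllocationPool', 'rIDAllocationPool', 'rIDNextRID')

    # rIDPreviousAllocationPool is the range being consumed now and rIDNextRID the next RID
    # to hand out; rIDAllocationPool is the standby range already obtained from the RID
    # master, and equals the current range when no standby pool is held.
    $current = ConvertFrom-RidPool ([long]$ridSet.Properties['ridpreviousallocationpool'][0])
    $standby = ConvertFrom-RidPool ([long]$ridSet.Properties['ridallocationpool'][0])
    $next    = if ($ridSet.Properties.Contains('ridnextrid')) { [long]$ridSet.Properties['ridnextrid'][0] } else { $current.Start }
    $localLeft = $current.End - $next + 1

    # RID Manager$ carries the domain-wide state: rIDAvailablePool packs the next unallocated
    # RID (low half) and the ceiling (high half); fSMORoleOwner names the RID master.
    $mgr = Search-Ldap $DcDnsName "CN=RID Manager`$,CN=System,$domainNc" '(objectClass=rIDManager)' 'Base' @('rIDAvailablePool', 'fSMORoleOwner')
    $global      = ConvertFrom-RidPool ([long]$mgr.Properties['ridavailablepool'][0])
    $ridMasterDn = ([string]$mgr.Properties['fsmoroleowner'][0]) -replace '^CN=NTDS Settings,', ''
    $ridMaster   = [string]([ADSI]"LDAP://$DcDnsName/$ridMasterDn").dNSHostName

    [pscustomobject]@{
        DomainController = $DcDnsName
        CurrentPool      = "$($current.Start)-$($current.End)"
        NextRid          = $next
        RidsLeftLocally  = $localLeft
        StandbyPoolHeld  = ($standby.Start -ne $current.Start)
        RidMaster        = $ridMaster
        RidsLeftInDomain = $global.End - $global.Start + 1
        # No standby pool and few RIDs left: if the RID master is unreachable, the next
        # security principal creation on this DC fails. Threshold of 50 is an example choice.
        AtRisk           = (($standby.Start -eq $current.Start) -and ($localLeft -lt 50))
    }
}

# Run against the domain controller this session is using (or pass any DC's DNS name).
Get-RidPoolStatus -DcDnsName ([string]([ADSI]'LDAP://RootDSE').dnsHostName) | Format-List
```

A domain controller that shows AtRisk with an unreachable RidMaster is one that will produce the "exhausted the pool of relative identifiers" error on its next account creation; the fix is to restore or seize the RID master, not to retry the creation elsewhere and hope the user lands on a domain controller with a fresh pool.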
To move objects from one domain (the source domain) to another (the destination domain) using the Movetree command-line tool, you must connect to the domain controller holding the source domain's RID master role. If the RID master is unavailable, objects cannot be moved to other domains.
If you attempt to move an object from one domain to another using the Movetree tool and you specify a source domain controller that is not the RID master, you will see a nonspecific "Movetree failed" error message.
For more information about RIDs, see "Access Control" in this book.
Primary Domain Controller Emulator
In a Windows NT 3.51 or Windows NT 4.0 system, each domain contains a primary domain controller. The functions of the primary domain controller include:
Processing password changes from both users and computers
Replicating updates to backup domain controllers
Running the Domain Master Browser
Windows 2000 interoperates with Windows NT 3.51 and Windows NT 4.0 workstations, member servers, and domain controllers. Therefore, one domain controller in each Windows 2000 domain, the one holding the primary domain controller emulator role, must act as the primary domain controller for the benefit of those older systems.
Active Directory uses multimaster replication for most directory updates. This means that unavailability of the primary domain controller emulator does not have the same impact as unavailability of the primary domain controller in Windows NT. If the primary domain controller emulator is unavailable, you lose the services mentioned above. Symptoms include:
When a user of a Windows NT Workstation 3.51–based computer, or a user of a computer running Windows NT Workstation 4.0, Windows 95, or Windows 98 without the Active Directory client installed, attempts a password change, the user sees a message similar to the following: "Unable to change password on this account. Please contact your system administrator."
In a mixed-mode domain, the event logs of Windows NT 3.51 or Windows NT 4.0 backup domain controllers contain entries showing failed replication attempts.
In a mixed-mode domain, trying to start User Manager on a Windows NT 3.51 or Windows NT 4.0 backup domain controller results in a "domain unavailable" error message. If User Manager is already running, you will see an "RPC server unavailable" message. Attempting to create an account using the net user /add command results in a "could not find domain controller for this domain" message. When you run Server Manager, you will see a message similar to the following: "Cannot find the primary domain controller for <domain name>. You may administer this domain, but certain domainwide operations will be disabled."
As systems are upgraded, either to Windows 2000 or (for Windows NT Workstation 4.0, Windows 95, and Windows 98) by installing the Active Directory client, they cease to rely on the primary domain controller and, instead, behave in the following manner:
Clients do not make password changes at the primary domain controller emulator. Instead, clients update passwords at any domain controller in the domain.
When all backup domain controllers in a domain are upgraded to Windows 2000, the primary domain controller emulator does not receive any Windows NT 3.51 or Windows NT 4.0 replication requests.
Clients use Active Directory to locate network resources. They do not require the Windows NT Computer Browser service.
Even after all systems are upgraded to Windows 2000, the domain controller holding the primary domain controller emulator role still performs the following functions:
Password changes made at other domain controllers in the domain are forwarded to the primary domain controller emulator.
When an authentication fails with an invalid password at other domain controllers in the domain, the authentication request is retried at the primary domain controller emulator before failing. If a recent password update has reached the primary domain controller emulator, the retried authentication request should succeed.
When an authentication succeeds on an account for which the most recent authentication attempt at the domain controller failed, the domain controller communicates this fact ("zero lockout count") to the primary domain controller emulator.
Therefore, when the primary domain controller emulator is unavailable, you might experience an increase in support requests regarding password difficulties.
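When such a support request arrives, the quickest way to see whether the primary domain controller emulator is involved is to compare what each domain controller believes about the account. The following script is an added example, not part of the original text: it locates the primary domain controller emulator and every other domain controller in the domain, queries each one by name for the account's pwdLastSet, badPwdCount, badPasswordTime and lockoutTime, and marks the primary domain controller emulator's row. badPwdCount is kept per domain controller and is not replicated, so the primary domain controller emulator's value is the authoritative one because of the forwarding described above; a domain controller whose pwdLastSet lags the primary domain controller emulator's has not yet received a recent change. It uses only .NET System.DirectoryServices classes, assumes a domain-joined host and default read access, and the account name is hypothetical.

```powershell
# Added example: compare one account's password and lockout state across all domain controllers,
# with the PDC emulator marked. Uses System.DirectoryServices only; no ActiveDirectory module required.
# Assumption: domain user on a domain-joined host; 'jsmith' is a hypothetical account.

function ConvertFrom-FileTime {
    param([long]$Value)
    # These attributes are FILETIME values; 0 means never set.
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { $null }
}

function Get-ResultProperty {
    param($Result, [string]$Name, $Default)
    # SearchResult property keys are lowercase; absent attributes yield $Default.
    if ($Result.Properties.Contains($Name.ToLower())) { $Result.Properties[$Name.ToLower()][0] } else { $Default }
}

function Get-PasswordStateByDc {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdce     = $domain.PdcRoleOwner.Name
    $domainNc = [string]([ADSI]"LDAP://$pdce/RootDSE").defaultNamingContext

    foreach ($dc in $domain.FindAllDomainControllers()) {
        $err = $null
        # Bind each domain controller explicitly so the answer reflects that DC's own copy.
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($dc.Name)/$domainNc")
        $s.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        foreach ($p in 'pwdLastSet', 'badPwdCount', 'badPasswordTime', 'lockoutTime') { [void]$s.PropertiesToLoad.Add($p) }
        try { $r = $s.FindOne() } catch { $r = $null; $err = $_.Exception.Message }

        if (-not $r) {
            [pscustomobject]@{ DC = $dc.Name; IsPdce = ($dc.Name -eq $pdce); PwdLastSet = $null; BadPwdCount = $null; BadPasswordTime = $null; LockoutTime = $null; Error = $err }
            continue
        }
        [pscustomobject]@{
            DC              = $dc.Name
            IsPdce          = ($dc.Name -eq $pdce)
            PwdLastSet      = ConvertFrom-FileTime ([long](Get-ResultProperty $r 'pwdLastSet' 0))
            BadPwdCount     = [int](Get-ResultProperty $r 'badPwdCount' 0)
            BadPasswordTime = ConvertFrom-FileTime ([long](Get-ResultProperty $r 'badPasswordTime' 0))
            LockoutTime     = ConvertFrom-FileTime ([long](Get-ResultProperty $r 'lockoutTime' 0))
            Error           = $null
        }
    }
}

Get-PasswordStateByDc -SamAccountName 'jsmith' | Sort-Object IsPdce -Descending | Format-Table -AutoSize
```

If the row for the primary domain controller emulator carries an Error, the retry-at-the-primary-domain-controller-emulator step cannot happen and a user with a freshly changed password will fail to log on at any domain controller that has not yet replicated the change.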
For more information about upgrading Windows NT 3.51 and Windows NT 4.0 domains, see "Windows 2000 Upgrade and Installation" in the Microsoft® Windows® Server Resource Kit Deployment Planning Guide.
Infrastructure Master
Suppose you add a user to a group in the same domain using Active Directory Users and Computers. While still connected to the same domain controller, you can open the group to examine its members and see the user you just added. If you then rename the user object (that is, change its cn attribute) and then display the group membership, you will instantly see the user's new name in the list of group members.
When the user and group are in different domains there is a time lag between when you rename a user object and when a group containing that user displays the user's new name. (In Active Directory Users and Computers, selecting the Members tab of the group's property page shows the user's old name in the Name column.) This time lag is inevitable in a distributed system where sites function independently.
The domain controller holding the infrastructure master role for the group's domain is responsible for updating the cross-domain group-to-user reference to reflect the user's new name. The infrastructure master updates these references locally and uses replication to bring all other replicas of the domain up to date. If the infrastructure master is unavailable, these updates are delayed. Note that the infrastructure master finds stale references by comparing its own copy of the domain with a global catalog; in a forest with more than one domain it should therefore not be a global catalog server itself unless every domain controller in the domain is a global catalog, because a global catalog already holds the current data for every object and never notices that a reference is out of date.
For more information about viewing group membership, see Windows 2000 Server Help.