Configure Operations Master Roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configure the forest-level and domain-level operations master roles for the forest root domain. By default, the first domain controller in the forest root domain is assigned all operations master roles.

  • If your design specifies that all domain controllers in the forest root domain are global catalog servers, leave all five operations master roles on the first domain controller, and designate the second domain controller as the standby.

  • If any domain controllers in the forest root domain will not be global catalog servers, move all operations master roles from the first domain controller to the second domain controller, and ensure that the second domain controller will never be a global catalog server. Designate the third domain controller as the standby, and never make it a global catalog server.

    Note

    • In a single domain forest, the database content of a domain controller is the same as that of a global catalog server. Therefore, to load balance client lookups across global catalog servers in a single domain forest, ensure that all domain controllers are global catalog servers.

For a procedure to help you transfer operations master roles, see "Transfer operations master roles" in Help and Support Center for Windows Server 2003.

If your Active Directory design specifies that you designate a standby operations master for the current operations master role holder, configure the current role holder and the standby as direct replication partners by manually creating a connection object between them. Designating a standby operations master can save some time if you must reassign any operations master roles to the standby operations master.

Of all the operations master roles, the PDC emulator role has the highest impact on the performance of the domain controller hosting that role. In domains with more than 10,000 users, it might be necessary to reduce the number of authentication requests performed by the PDC emulator to decrease its workload and allow it to perform other tasks. If CPU utilization is higher than 50 percent or disk queues remain higher than 2 for several hours or days, reduce the number of client authentication requests received by the PDC emulator.

Note

  • Other factors that can increase the workload on the PDC emulator include pre-Active Directory clients or applications that have been written to contact the PDC emulator.

To reduce the number of client authentication requests that are processed by the PDC emulator, adjust its weight or its priority in the DNS environment. If you want to proportionately reduce the number of client authentication requests received by the PDC emulator, adjust its weight. If you want to ensure that the PDC emulator does not receive any client authentication requests, adjust its priority.

Active Directory assigns a default value of 100 for the weight. By creating a new registry entry for the weight and assigning it a decreased value of 50, you can proportionately reduce the number of client authentication requests sent to the PDC emulator. This ensures that the PDC emulator will authenticate half as many clients as it would if the weight value remained at 100.

Active Directory assigns a default value of zero for the priority. By creating a new registry entry for the priority and assigning it an increased value of 200, you can ensure that the PDC emulator will never receive client authentication requests unless it is the only accessible domain controller.

Repeat these procedures if the PDC emulator operations master role is transferred to, or seized by, another domain controller in the forest root domain.

Caution

  • The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the "Registry Reference" on the Microsoft Windows Server 2003 Deployment Kit companion CD or on the Microsoft Web site.

To change the weight for DNS SRV records by using the registry

  1. In the Run dialog box, type regedit, and press ENTER.

  2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

  3. Click Edit, click New, and then click DWORD value.

  4. For the new entry name, type LdapSrvWeight and press ENTER. (The value name is not case sensitive.)

  5. Double-click the entry name you just typed to open the Edit DWORD Value dialog box.

  6. Choose Decimal as the Base option.

  7. Enter a value from 0 through 65535. The recommended value is 50.

  8. Click OK.

  9. Click File, and then click Exit to close the registry editor.

Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.

Note

  • A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 10 first.

To change the priority for DNS SRV records by using the registry

  1. In the Run dialog box, type regedit, and press ENTER.

  2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

  3. Click Edit, click New, and then click DWORD value.

  4. For the new entry name, type LdapSrvPriority, and press ENTER.

  5. Double-click the entry name that you just typed to open the Edit DWORD Value dialog box.

  6. Choose Decimal as the Base option.

  7. Enter a value from 0 through 65535. The recommended value is 200.

  8. Click OK.

  9. Click File, and then click Exit to close the registry editor.
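The following Python model is an added example, not part of the original Microsoft procedure. It shows how the LdapSrvWeight and LdapSrvPriority values above change the share of client lookups that reach the PDC emulator, assuming clients order SRV records as in RFC 2782 (lowest priority value first, then a weighted random choice). The four host names and the trial count are constructed for illustration.

```python
import random
from collections import Counter

# Constructed sample SRV records: (host, priority, weight). Host names are
# hypothetical; 0 and 100 are the default priority and weight stated above.
DEFAULTS = [("dc1-pdc", 0, 100), ("dc2", 0, 100), ("dc3", 0, 100), ("dc4", 0, 100)]

def with_override(records, host, priority=None, weight=None):
    """Return a copy of records with one host's priority and/or weight changed."""
    out = []
    for h, p, w in records:
        if h == host:
            p = p if priority is None else priority
            w = w if weight is None else weight
        out.append((h, p, w))
    return out

def pick(records, reachable, rng):
    """Choose one reachable host: lowest priority value wins, weight breaks ties."""
    live = [r for r in records if r[0] in reachable]
    if not live:
        return None
    best = min(p for _, p, _ in live)
    group = [r for r in live if r[1] == best]
    if sum(w for _, _, w in group) == 0:
        return rng.choice(group)[0]  # all weights zero: uniform choice
    return rng.choices([h for h, _, _ in group], weights=[w for _, _, w in group])[0]

def share(records, host, reachable=None, trials=20000, seed=1):
    """Fraction of simulated client lookups that land on host."""
    rng = random.Random(seed)
    reachable = reachable or {h for h, _, _ in records}
    hits = Counter(pick(records, reachable, rng) for _ in range(trials))
    return hits[host] / trials

# Weight 50: the PDC emulator gets about half as many lookups as each peer.
WEIGHTED = with_override(DEFAULTS, "dc1-pdc", weight=50)
# Priority 200: the PDC emulator is used only when no priority-0 peer is reachable.
DEPRIORITIZED = with_override(DEFAULTS, "dc1-pdc", priority=200)

if __name__ == "__main__":
    print("default     ", share(DEFAULTS, "dc1-pdc"))
    print("weight 50   ", share(WEIGHTED, "dc1-pdc"))
    print("priority 200", share(DEPRIORITIZED, "dc1-pdc"))
    print("peers down  ", share(DEPRIORITIZED, "dc1-pdc", reachable={"dc1-pdc"}))
```
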

For more information about adjusting the weight or the priority of the PDC emulator, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources. Search under "Administration and Configuration Guides" and download the Active Directory Operations Guide.