Configuring Operations Master Roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configure operations master roles to ensure the availability and performance of the domain controllers that host them. Figure 7.8 shows when configuring operations master roles occurs in the regional domain deployment process.

Figure 7.8   Configuring Operations Master Roles


It is generally recommended that you leave the operations master roles on the first domain controller in the regional domain. Monitor this domain controller closely and ensure that it is not a global catalog server. Deploy an additional domain controller in the same site to act as the standby operations master.

Host the PDC emulator role on a powerful and reliable domain controller to ensure that it is available and capable of handling the workload.

Of all the operations master roles, the PDC emulator role has the highest impact on the performance of the domain controller hosting that role. In domains with more than 10,000 users, it might be necessary to reduce the number of authentication requests performed by the PDC emulator to decrease its workload and allow it to perform other tasks. If CPU utilization is higher than 50 percent or disk queues remain higher than 2 for several hours or days, reduce the number of client authentication requests received by the PDC emulator.

Note

  • Other factors that can increase the workload on the PDC emulator include pre-Active Directory clients or applications that have been written to contact the PDC emulator.

To reduce the number of client authentication requests that are processed by the PDC emulator, adjust its weight or its priority in the DNS environment. If you want to proportionately reduce the number of client authentication requests received by the PDC emulator, adjust its weight. If you want to ensure that the PDC emulator does not receive any client authentication requests, adjust its priority.

Active Directory assigns a default value of 100 for the weight. By creating a new registry entry for the weight and assigning it a decreased value of 50, you can proportionately reduce the number of client authentication requests sent to the PDC emulator. This ensures that the PDC emulator will authenticate half of the number of clients that it would if the weight value remained at 100.

Active Directory assigns a default value of zero for the priority. By creating a new registry entry for the priority and assigning it an increased value of 200, you can ensure that the PDC emulator will never receive client authentication requests unless it is the only accessible domain controller.

Repeat these procedures if the PDC emulator operations master role is transferred to or seized by another domain controller in the forest root domain.

Caution

To change the weight for DNS SRV records by using the registry

  1. In the Run dialog box, type regedit, and press ENTER.

  2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

  3. Click Edit, click New, and then click DWORD value.

  4. For the new entry name, type LdapSrvWeight and press ENTER. (The value name is not case sensitive.)

  5. Double-click the entry name you just typed to open the Edit DWORD Value dialog box.

  6. Choose Decimal as the Base option.

  7. Enter a value from 0 through 65535. The recommended value is 50.

  8. Click OK.

  9. Click File, and then click Exit to close the registry editor.

Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.

Note

  • A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 10 first.
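The effect of the weight and priority settings on which domain controller a client contacts first, as an added example that is not part of the original guide. It assumes clients choose among the published DNS SRV records as RFC 2782 describes, and it uses constructed host names for a three-DC domain.

```python
from fractions import Fraction
from typing import NamedTuple

class Srv(NamedTuple):
    target: str    # constructed host name
    priority: int  # LdapSrvPriority (default 0); lower value is tried first
    weight: int    # LdapSrvWeight (default 100)

def first_choice_share(records, unavailable=frozenset()):
    """Expected fraction of clients whose first pick is each reachable DC.

    Assumed RFC 2782 selection: the lowest priority value wins outright,
    and weight splits load only among records sharing that priority.
    """
    live = [r for r in records if r.target not in unavailable]
    if not live:
        return {}
    best = min(r.priority for r in live)
    group = [r for r in live if r.priority == best]
    total = sum(r.weight for r in group)
    share = {r.target: Fraction(0) for r in live}
    for r in group:
        # If every weight in the group is zero there is no preference: split evenly.
        share[r.target] = Fraction(r.weight, total) if total else Fraction(1, len(group))
    return share

def dcs(pdc_priority=0, pdc_weight=100):
    """Constructed three-DC domain; only the PDC emulator's values vary."""
    return [Srv("pdc.example.test", pdc_priority, pdc_weight),
            Srv("dc2.example.test", 0, 100),
            Srv("dc3.example.test", 0, 100)]

def report():
    others_down = {"dc2.example.test", "dc3.example.test"}
    return {
        "defaults": first_choice_share(dcs()),
        "weight 50": first_choice_share(dcs(pdc_weight=50)),
        "priority 200": first_choice_share(dcs(pdc_priority=200)),
        "priority 200, others down":
            first_choice_share(dcs(pdc_priority=200), others_down),
    }

if __name__ == "__main__":
    for name, shares in report().items():
        print(f"{name}: " + ", ".join(f"{t}={s}" for t, s in shares.items()))
```

In this constructed domain the PDC emulator's share drops from 1/3 to 1/5 with a weight of 50, and to zero with a priority of 200 until the other two domain controllers are unreachable. The exact share under a reduced weight depends on how many other domain controllers publish records at the same priority.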

To change the priority for DNS SRV records by using the registry

  1. In the Run dialog box, type regedit, and press ENTER.

  2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

  3. Click Edit, click New, and then click DWORD value.

  4. For the new entry name, type LdapSrvPriority, and press ENTER.

  5. Double-click the entry name that you just typed to open the Edit DWORD Value dialog box.

  6. Choose Decimal as the Base option.

  7. Enter a value from 0 through 65535. The recommended value is 200.

  8. Click OK.

  9. Click File, and then click Exit to close the registry editor.

For more information about adjusting the weight or the priority of the PDC emulator, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources. Search under "Administration and Configuration Guides" and download the Active Directory Operations Guide.