Managing Operations Master Roles

Although Active Directory is based on a multimaster administration model, some operations support only a single master. For multimaster operations, conflict resolution ensures that after the system finishes replicating, all replicas agree on the value for a given property on a given object. However, some data, for which adequate conflict resolution is not possible, is key to the operation of the system as a whole. This data is controlled by individual domain controllers called operations masters. These domain controllers are referred to as holding a particular operations master role.

Note

Operations masters are sometimes referred to as Flexible Single-Master Operations (FSMOs).

There are five operations master roles: some are enterprisewide, and some are per domain. The following paragraphs describe these five roles:

Schema Operations Master    There is a single schema operations master role for the entire enterprise. This role allows the operations master server to accept schema updates. There are other restrictions on schema updates. For more information about operations masters, see "Managing Flexible Single-Master Operations" in this book.

Relative ID Master    There is one relative ID master per domain. Each domain controller in a domain has the ability to create security principals. Each security principal is assigned a relative ID. Each domain controller is allocated a small set of relative IDs out of a domainwide relative ID pool. The relative ID master role allows the domain controller to allocate new subpools out of the domainwide relative ID pool.

Domain-Naming Master    There is a single domain-naming master role for the entire enterprise. The domain-naming master role allows the owner to define new cross-reference objects representing domains in the Partitions container.

PDC Operations Master    There is one primary domain controller (PDC) operations master role per domain. The owner of the PDC operations master role identifies which domain controller in a domain performs Microsoft® Windows NT® version 4.0 PDC activities in support of Windows NT 4.0 backup domain controllers and clients using earlier versions of Windows.

Infrastructure Master    There is one infrastructure master role per domain. The owner of this role ensures the referential integrity of objects with attributes that contain distinguished names of other objects that might exist in other domains. Because Active Directory allows objects to be moved or renamed, the infrastructure master periodically checks for object modifications and maintains the referential integrity of these objects.

For more information about operations masters and operations master roles, see "Managing Flexible Single-Master Operations" in this book.

An operations master role can only be moved by administrative involvement; it is not moved automatically. Additionally, moving a role is controlled by standard Windows 2000 access controls. Thus a corporation should tightly control the location and movement of operations master roles. For example, an organization with a strong IT presence might place the schema role on a server in the IT group and configure its access control list (ACL) so that it cannot be moved at all.

Operations master roles require two forms of management: controlled transfer and seizure.

Use controlled transfer when you want to move a role from one server to another, perhaps to track a policy change with respect to role location or in anticipation of a server being shut down, moved, or decommissioned.

Seizure is required when a server that is holding a role fails and you do not intend to restore it. Even in the case of a server recovered from a backup, the server does not assume that it owns a role (even if the backup tape says so), because the server cannot determine if the role was legitimately transferred to another server in the time period between when the backup was made and the server failed and was recovered. The restored server assumes role ownership only if a quorum of existing servers is available during recovery and they all agree that the restored server is still the owner.

The Roles submenu in Ntdsutil is used to perform controlled transfer and recovery of operations master roles. Controlled transfer is simple and safe. Because the source and destination servers are both running, the system software guarantees that the operations master role token and its associated data are transferred atomically. Operations master role seizure is equally simple but not as safe. You simply tell a particular domain controller that it is now the owner of a particular role.

Caution

Do not make a server a role owner by means of seizure commands if the real role holder exists on the network. Doing this could create irreconcilable conflicts for key system data. If an operations master role owner is temporarily unavailable, do not make another domain controller the role owner. This could result in a situation where two computers function as the role owner, which might cause irreconcilable conflicts for key system data.
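Before seizing a role, an administrator wants to confirm that the existing replicas do not already disagree about who holds it. The following script is an added example, not part of the Resource Kit text, and assumes a current domain with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) rather than the Windows 2000 tools described above. It asks every domain controller for its own view of the fsmoRoleOwner attribute on the five role-holding objects and reports any role on which the replicas disagree.

```powershell
# Added example (not Resource Kit code). Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName
$configDN = $rootDse.configurationNamingContext
$schemaDN = $rootDse.schemaNamingContext

# Each operations master role is recorded in the fsmoRoleOwner attribute
# of one well-known object; the value is the DN of the owner's NTDS Settings.
$roleObjects = [ordered]@{
    'Schema'         = $schemaDN
    'DomainNaming'   = 'CN=Partitions,' + $configDN
    'PDC'            = $domainDN
    'RID'            = 'CN=RID Manager$,CN=System,' + $domainDN
    'Infrastructure' = 'CN=Infrastructure,' + $domainDN
}

# Ask every domain controller directly, so replication lag or a
# partitioned role holder shows up as a disagreement.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($role in $roleObjects.Keys) {
    $views = @{}
    foreach ($dc in $dcs) {
        try {
            $obj = Get-ADObject -Identity $roleObjects[$role] -Server $dc -Properties fsmoRoleOwner
            $views[$dc] = [string]$obj.fsmoRoleOwner
        } catch {
            # An unreachable replica cannot confirm ownership; treat it as a disagreement.
            $views[$dc] = 'UNREACHABLE'
        }
    }
    $distinct = @($views.Values | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Replicas disagree on the $role role owner; do not seize until resolved:"
        $views.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Value)" }
    } else {
        "$role owner (all replicas agree): $($distinct[0])"
    }
}
```

A single consistent value across all replicas is the state the Caution above requires; an UNREACHABLE entry means the role holder's status is unknown, not that it has failed.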

The commands listed in Table C.4 are found in the Roles submenu and perform controlled transfer and recovery of operations master roles.

Table C.4 Roles Commands

Command    Description

Abandon all roles    Instructs the domain controller to which you are connected to give away all operations master roles it owns. This command is not guaranteed to succeed because eligible role recipients might be currently unreachable or because the domain controller to which you are connected is the last domain controller for the domain.

Connections    Invokes the Connections submenu.

Seize domain naming master    Forces the domain controller to which you are connected to claim ownership of the domain-naming operations master role without regard to the data associated with the role. Use only for recovery purposes.

Seize infrastructure master    Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.

Seize PDC    Forces the domain controller to which you are connected to claim ownership of the PDC operations master role without regard to the data associated with the role. Use only for recovery purposes.

Seize RID master    Forces the domain controller to which you are connected to claim ownership of the relative ID master role without regard to the data associated with the role. Use only for recovery purposes.

Seize schema master    Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.

Select operation target    Invokes the Select operation target submenu.

Transfer domain naming master    Instructs the domain controller to which you are connected to obtain the domain-naming role by means of controlled transfer.

Transfer infrastructure master    Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.

Transfer PDC    Instructs the domain controller to which you are connected to obtain the PDC operations master role by means of controlled transfer.

Transfer RID master    Instructs the domain controller to which you are connected to obtain the relative ID master role by means of controlled transfer.

Transfer schema master    Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.