4. Optimizing the Placement of Operations Masters
When you create the forest root domain with its first domain
controller, all five operations master roles are performed by that domain
controller. As you add domain controllers to the domain, you can
transfer the operations master role assignments to other domain controllers, either to
balance the load among domain controllers or to optimize the placement of a
particular single master operation. The best practices for the placement of
operations master roles are as follows:
-
Co-locate the schema master and domain
naming master. The schema master and domain naming master
roles should be placed on a single domain controller that is a GC
server. These roles are rarely used, and the domain controller
hosting them should be tightly secured. When a new domain is added,
the domain naming master must ensure that there is no object of any
type with the same name as the new domain, and the GC’s partial
replica contains the name of every object in the forest. Hosting the
domain naming master on a GC server is mandatory at the Windows 2000
forest functional level; at the Windows Server 2003 forest functional
level and higher it is no longer required, but it remains the
recommended placement. The load of these operations master roles is
very light unless schema modifications are being made.
-
Co-locate the RID master and PDC
Emulator roles. Place the RID and PDC Emulator roles on a
single domain controller. If the load mandates that the roles be
placed on two separate domain controllers, those two systems
should be physically well connected and have explicit connection
objects created in Active Directory so that they are direct
replication partners. They should also be direct
replication partners with domain controllers that you have
selected as standby operations masters.
-
Place the infrastructure master on a
DC that is not a GC. The infrastructure master should be
placed on a domain controller that is not a GC server but is
physically well connected to a GC server. The infrastructure master
updates references to objects in other domains (for example, a user
from another domain who is a member of a group in this domain) by
comparing its own copies of those references with a GC; if the
infrastructure master is itself a GC, it never holds an out-of-date
reference to compare against, so it never pushes updates to the other
DCs in the domain. The infrastructure master should have explicit
connection objects in Active Directory to that GC server so that they
are direct replication partners. The infrastructure master can be
placed on the same domain controller that acts as the RID master and
PDC emulator.
Note
IT DOESN’T MATTER IF THEY’RE ALL GCS
If all DCs in a domain are GC servers, you do not
need to worry about which DC is the infrastructure master. When
all DCs are GCs, all DCs have up-to-date information about every
object in the forest, which eliminates the need for the
infrastructure master role. The same is true of a forest that
contains only one domain, because there are no cross-domain
references for the infrastructure master to update.
-
Have a failover
plan. In the following sections, you learn to transfer single
operations master roles between domain controllers,
which is necessary if there is lengthy planned or unplanned
downtime of an operations master. Determine, in advance, a plan
for transferring operations roles to other DCs in the event that
an operations master goes offline, and identify the standby DCs
that are direct replication partners of each role holder.
Identifying Operations Masters
To implement your role placement plan, you must know which DCs are currently
performing single master operations roles. Each role is exposed in an
Active Directory administrative tool as well as in other user
interface and command-line tools. To identify the current master for
each role, use the following tools:
-
PDC Emulator: The Active Directory
Users And Computers snap-in. Right-click the domain and
choose Operations Masters. Click the PDC tab. An example is shown
in Figure 1, which indicates that
SERVER01.contoso.com is currently the PDC operations
master.
-
RID Master: The Active Directory Users
And Computers snap-in. Right-click the domain and choose
Operations Masters. Click the RID tab.
-
Infrastructure Master: The Active
Directory Users And Computers snap-in. Right-click the
domain and choose Operations Masters. Click the Infrastructure
tab.
-
Domain Naming: The Active Directory
Domains And Trusts snap-in. Right-click the root node of
the snap-in (Active Directory Domains And Trusts) and choose
Operations Master.
-
Schema Master: The Active Directory
Schema snap-in. Right-click the root node of the snap-in
(Active Directory Schema) and choose Operations Master.
Note
REGISTERING THE ACTIVE DIRECTORY SCHEMA SNAP-IN
You must register the Active Directory Schema snap-in before
you can add it to a custom Microsoft Management Console (MMC).
At an elevated command prompt, type regsvr32 schmmgmt.dll.
Registration is a one-time step on each machine; schmmgmt.dll is
present on domain controllers and on computers that have the
AD DS administrative tools installed.
You can also use several other tools to identify operations
masters, including the following commands:
-
NTDSUtil. Type the following series of commands in Command
Prompt to list the holders of all five roles as known by the
domain controller you connect to:
ntdsutil
roles
connections
connect to server DomainControllerFQDN
quit
select operation target
list roles for connected server
quit
quit
quit
-
DCDiag. Type the following command to report which domain
controller holds each role, as known by the domain controller being
tested:
dcdiag /test:knowsofroleholders /v
-
NetDom. Type the following command to list the holders of all
five roles for the current domain and its forest:
netdom query fsmo
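The same information can be gathered with Windows PowerShell and checked against the placement guidance in section 4. The following script is an added example written for this page, not code from the original lesson; it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, or the RSAT AD DS tools) and an account that can read the forest and domain objects. It enumerates the five role holders, then warns when the schema and domain naming masters are split or not on a GC, when the RID master and PDC emulator are split, and when the infrastructure master is a GC in a domain where not every DC is a GC. The function names are the author's own.

```powershell
# Added example (not from the original lesson). Requires the ActiveDirectory
# module; run from a domain-joined machine as a user who can read AD.
Import-Module ActiveDirectory

function Get-OperationsMasters {
    # Returns the five role holders as DC FQDNs. Forest roles come from the
    # forest object, domain roles from the domain you are logged on to.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-IsGlobalCatalog {
    param([string]$HostName)
    # Bind to the DC itself (-Server) so this also works for forest role
    # holders that live in another domain of the forest.
    (Get-ADDomainController -Identity $HostName -Server $HostName).IsGlobalCatalog
}

function Test-OperationsMasterPlacement {
    $roles    = Get-OperationsMasters
    $findings = @()

    # All DCs of the current domain: decides whether infrastructure master
    # placement matters at all (see the "all GCs" note in section 4).
    $domainDCs = Get-ADDomainController -Filter *
    $allGC     = -not ($domainDCs | Where-Object { -not $_.IsGlobalCatalog })

    # Best practice 1: schema master and domain naming master on one DC that is a GC.
    if ($roles.SchemaMaster -ne $roles.DomainNamingMaster) {
        $findings += 'Schema master and domain naming master are on different DCs.'
    }
    if (-not (Test-IsGlobalCatalog $roles.DomainNamingMaster)) {
        $findings += 'Domain naming master is not a global catalog server.'
    }

    # Best practice 2: RID master and PDC emulator on one DC.
    if ($roles.RIDMaster -ne $roles.PDCEmulator) {
        $findings += 'RID master and PDC emulator are on different DCs; verify they are direct replication partners.'
    }

    # Best practice 3: infrastructure master must not be a GC unless every DC is a GC.
    if (-not $allGC -and (Test-IsGlobalCatalog $roles.InfrastructureMaster)) {
        $findings += 'Infrastructure master is a GC while other DCs in the domain are not; cross-domain references will not be updated.'
    }

    [pscustomobject]@{
        RoleHolders = $roles
        AllDCsAreGC = $allGC
        Findings    = $findings
    }
}

# Usage: print the role holders, then any placement warnings.
$result = Test-OperationsMasterPlacement
$result.RoleHolders.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($result.Findings.Count -eq 0) { 'Placement matches the best practices in this lesson.' }
else { $result.Findings | ForEach-Object { "WARNING: $_" } }
```

Run it in each domain of a multi-domain forest, because the three domain roles and the "all DCs are GCs" condition are evaluated per domain, while the two forest roles are the same everywhere.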
Note
PRACTICE: IT
Exercise 1, “Identify Operations Masters,” in the practice at the end of this lesson covers the
identification of operations masters.
5. Transferring Operations Master Roles
You can transfer a single operations master role easily. You
transfer roles in the following scenarios:
-
When you establish your forest, all five roles are performed
by the first domain controller you install. When you add a domain
to the forest, all three domain roles are performed by the first
domain controller in that domain. As you add domain controllers,
you can distribute the roles to reduce single-point-of-failure
risks and improve performance.
-
If you plan to take a domain controller offline that is
currently holding an operations master role, transfer that role to
another domain controller before taking it offline.
-
If you are decommissioning a domain controller that
currently holds an operations master role, transfer that role to
another domain controller before decommissioning. The Active
Directory Domain Services Installation Wizard attempts to move the
roles automatically when it demotes a domain controller, but you
should prepare for the demotion by transferring its roles yourself,
to a domain controller of your choosing, beforehand.
To transfer an operations master role, follow these
steps:
-
Make sure that the new role holder is up to date with
replication from the former role holder, for example by forcing
replication of the domain partition from the former holder to the
new one and confirming that no replication errors are reported.
-
Open the administrative tool that exposes the current
master.
For example, open the Active Directory Users And Computers
snap-in to transfer any of the three domain master roles.
-
Connect to the domain controller to which you are
transferring the role.
This is accomplished by right-clicking the root node of the
snap-in and choosing Change Domain Controller or Change Active
Directory Domain Controller. (The command differs between
snap-ins.)
-
Open the Operations Master dialog box, which displays the
domain controller currently holding the role token for the
operation. Click Change to transfer the role to the domain
controller to which you are connected.
Note
PRACTICE: IT
Exercise 2, “Transfer an Operations Master Role,” in the practice at the end of this lesson guides you
through the transfer of an operations master role.
When you transfer an operations master role, both the current
master and the new master are online. The token is transferred, the
new master immediately begins to perform the role, and the former
master immediately ceases to perform the role. This is the preferred
method of moving operations master roles; seizing a role, which forces
it onto a new domain controller while the current master is
unreachable, is a separate last-resort operation and not a transfer.
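The four transfer steps above can be scripted. The following is an added example for this page, not code from the original lesson; it assumes the ActiveDirectory PowerShell module, repadmin.exe (present on domain controllers and with the RSAT AD DS tools), and an account in Domain Admins. The DC name SERVER02.contoso.com is a placeholder. It forces replication of the domain partition from the current master to the intended new holder (step 1), lets the cmdlet connect to the new holder and ask it to take the role (steps 2 to 4), and then reads the role back from the new holder to confirm the token moved.

```powershell
# Added example (not from the original lesson). Transfers one domain role
# to another DC with a replication check before and a verification after.
# Requires the ActiveDirectory module and repadmin.exe; run as a Domain Admin.
Import-Module ActiveDirectory

$Target = 'SERVER02.contoso.com'   # placeholder: the DC that should take the role
$Role   = 'PDCEmulator'            # PDCEmulator, RIDMaster or InfrastructureMaster

function Move-DomainOperationsMaster {
    param([string]$Target, [string]$Role)

    $domain   = Get-ADDomain
    $current  = $domain.$Role                 # FQDN of the DC holding the role today
    $domainNC = $domain.DistinguishedName     # naming context to replicate

    if ($current -ieq $Target) { throw "$Target already holds $Role." }

    # Step 1: bring the new holder up to date with the current master by
    # pulling the domain partition from it, then check for replication errors.
    & repadmin.exe /replicate $Target $current $domainNC
    if ($LASTEXITCODE -ne 0) { throw "Replication from $current to $Target failed; not transferring." }
    & repadmin.exe /showrepl $Target /errorsonly

    # Steps 2-4: the cmdlet connects to the target DC and asks it to take the
    # role, which is the same graceful transfer the Operations Master dialog
    # performs. Both DCs must be online. Do NOT add -Force here: -Force
    # seizes the role and is only for a master that is permanently gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole $Role -Confirm:$false

    # Verify by asking the new holder itself, so the answer does not depend
    # on replication of the change to whichever DC answered Get-ADDomain.
    $after = (Get-ADDomain -Server $Target).$Role
    if ($after -ine $Target) { throw "Transfer of $Role did not complete; $after still holds it." }
    "$Role transferred from $current to $Target."
}

Move-DomainOperationsMaster -Target $Target -Role $Role
```

For the two forest roles, pass SchemaMaster or DomainNamingMaster and read the result back with Get-ADForest -Server instead of Get-ADDomain -Server; the Schema Admins group is required for the schema master.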