
Active Directory 2008 : Managing Operations Masters (part 3) - Seizing Operations Master Roles, Returning a Role to Its Original Holder

9/19/2013 1:15:58 AM

6. Recognizing Operations Master Failures

Several operations master roles can be unavailable for quite some time before their absence becomes a problem. Other master roles play a crucial role in the day-to-day operation of your enterprise. You can identify problems with operations masters by examining the Directory Service event log.

However, you will often discover that an operations master has failed when you attempt to perform a function managed by the master, and the function fails. For example, if the RID master fails, eventually you will be prevented from creating new security principals.

7. Seizing Operations Master Roles

If a domain controller performing a single master operation fails and you cannot bring the system back to service, you have the option of seizing the operations token. When you seize a role, you designate a new master without gracefully removing the role from the failed master.

Seizing a role is a drastic action, so before seizing a role, think carefully about whether it is necessary. Determine the cause of the failure and how long the operations master is expected to be offline. If the operations master can be brought online in sufficient time, wait. What is sufficient time? It depends on the impact of the role that has failed:

  • PDC emulator failure: The PDC emulator is the operations master that has the most immediate impact on normal operations and on users if it becomes unavailable. Fortunately, the PDC Emulator role can be seized to another domain controller and then transferred back to the original role holder when the system comes back online.

  • Infrastructure master failure: A failure of the infrastructure master is noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect even though, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.

  • RID master failure: A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.

  • Schema master failure: The schema master role is necessary only when schema modifications are being made, either directly by an administrator or by installing an Active Directory integrated application that changes the schema. At other times, the role is not necessary. It can remain offline indefinitely until schema changes are necessary. Seizing this role to another domain controller is a significant action. After the schema master role has been seized, the domain controller that had been performing the role cannot be brought back online.

  • Domain naming master failure: The domain naming master role is necessary only when you add a domain to the forest or remove a domain from a forest. Until such changes are required to your domain infrastructure, the domain naming master role can remain offline for an indefinite period of time. Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role cannot be brought back online.

Although you can transfer roles by using the administrative tools, you must use Ntdsutil.exe to seize a role. To seize an operations master role, perform the following steps:

  1. From the command prompt, type ntdsutil and press Enter.

  2. At the ntdsutil prompt, type roles and press Enter.

    The next steps establish a connection to the domain controller that you want to perform the single master operation role.

  3. At the fsmo maintenance prompt, type connections and press Enter.

  4. At the server connections prompt, type connect to server DomainControllerFQDN and press Enter, where DomainControllerFQDN is the FQDN of the domain controller you want to perform the role.

    Ntdsutil responds that it has connected to the server.

  5. At the server connections prompt, type quit and press Enter.

  6. At the fsmo maintenance prompt, type seize Role and press Enter, where Role is one of the following:

    • schema master

    • domain naming master

    • RID master

    • PDC

    • infrastructure master

  7. At the fsmo maintenance prompt, type quit and press Enter.

  8. At the ntdsutil prompt, type quit and press Enter.
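
The checks and steps above as a script, added here as an example and not part of the original text: it reads the current holder from netdom query fsmo, refuses to seize from a holder that still answers, and requires acknowledgement for the three roles whose former holder cannot return. The parameter names and the Get-RoleHolder helper are hypothetical.

```powershell
# Added example, not from the original page. Save as a .ps1 and run on a surviving DC.
# Assumes PowerShell 2.0+; parameter names and Get-RoleHolder are hypothetical.
param(
    [Parameter(Mandatory=$true)][string]$NewHolder,   # FQDN of the DC that will take the role
    [Parameter(Mandatory=$true)]
    [ValidateSet('schema master','domain naming master','RID master','PDC','infrastructure master')]
    [string]$Role,                                    # role names as listed in step 6
    [switch]$OldHolderWillBeDecommissioned,           # required for roles that cannot be returned
    [switch]$Execute                                  # without this, only print the command
)

# Labels printed by "netdom query fsmo" for each role (RID shows as "RID pool manager").
$netdomLabel = @{
    'schema master' = 'Schema master'; 'domain naming master' = 'Domain naming master'
    'RID master' = 'RID pool manager'; 'PDC' = 'PDC'; 'infrastructure master' = 'Infrastructure master'
}
# After seizing one of these, the former holder must never come back online.
$noReturn = 'schema master', 'domain naming master', 'RID master'

function Get-RoleHolder([string]$Label) {
    # Each netdom line is "<label><spaces><holder FQDN>".
    $pattern = '^' + [regex]::Escape($Label) + '\s{2,}(\S+)\s*$'
    foreach ($line in (netdom query fsmo)) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    throw "Could not find '$Label' in netdom output."
}

$label = $netdomLabel[$Role]
$oldHolder = Get-RoleHolder $label
if ($oldHolder -ieq $NewHolder) { Write-Output "$NewHolder already holds '$Role'."; return }

# Seizing is for a holder that cannot be brought back. A ping reply is only a hint,
# but if the holder answers, a graceful transfer is the right operation.
if (Test-Connection -ComputerName $oldHolder -Count 2 -Quiet) {
    throw "$oldHolder is reachable: transfer '$Role' instead of seizing it."
}
if (($noReturn -contains $Role) -and -not $OldHolderWillBeDecommissioned) {
    throw "After seizing '$Role', $oldHolder must stay off the network until AD DS is removed with Dcpromo /forceremoval. Re-run with -OldHolderWillBeDecommissioned."
}

# Same prompts as steps 1-8, passed to ntdsutil as arguments.
$steps = 'roles', 'connections', "connect to server $NewHolder", 'quit', "seize $Role", 'quit', 'quit'
if ($Execute) {
    & ntdsutil $steps
    Write-Output "'$Role' is now held by $(Get-RoleHolder $label)"
} else {
    Write-Output ('ntdsutil ' + (($steps | ForEach-Object { '"' + $_ + '"' }) -join ' '))
}
```

If ntdsutil rejects a role name, type ? at the fsmo maintenance prompt to list the seize commands that version accepts.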

8. Returning a Role to Its Original Holder

If a role was transferred, not seized, to provide for planned downtime of a domain controller, the role can be transferred back to the original domain controller.

If, however, a role has been seized and the former master can be brought back online, you must be very careful. The PDC emulator and infrastructure master are the only operations master roles that can be transferred back to the original master after having been seized.

Note

DO NOT RETURN A SEIZED SCHEMA, DOMAIN NAMING, OR RID MASTER TO SERVICE

After seizing the schema, domain naming, or RID roles, you must completely decommission the original domain controller.

If you have seized the schema, domain naming, or RID roles to another domain controller, you must not bring the original domain controller back online without first completely decommissioning it. That means you must keep the original role holder physically disconnected from the network, and you must remove AD DS by using the Dcpromo /forceremoval command. 

After the domain controller has been completely removed from Active Directory, if you want the server to rejoin the domain, you can connect it to the network and join the domain. If you want it to be a domain controller, you can promote it. If you want it to resume performing the operations master role, you can transfer the role back to the DC.

Practice Transferring Operations Master Roles

In this practice, you identify the operations masters in the contoso.com domain, and you transfer an operations master to another domain controller to take the current master offline for maintenance. To perform Exercise 2 in this practice, you must have completed “Practice: Installing Domain Controllers” in Lesson 1 so that you have a second domain controller, SERVER02, in the domain.

EXERCISE 1 Identify Operations Masters

In this exercise, you use both user interface and command-line tools to identify operations masters in the contoso.com domain.

  1. Log on to SERVER01 as Administrator.

  2. Open the Active Directory Users And Computers snap-in.

  3. Right-click the contoso.com domain and choose Operations Masters.

  4. Click the tab for each operations master.

    The tabs identify the domain controllers currently performing the single master operations roles for the domain: PDC emulator, RID master, and Infrastructure master.

  5. Click Close.

  6. Open the Active Directory Domains And Trusts snap-in.

  7. Right-click the root node of the snap-in, Active Directory Domains And Trusts, and choose Operations Master.

    The dialog box identifies the domain controller performing the domain naming master role.

  8. Click Close.

    The Active Directory Schema snap-in does not have a console of its own and cannot be added to a custom console until you have registered the snap-in.

  9. Open a command prompt, type regsvr32 schmmgmt.dll, and press Enter.

  10. Click OK to close the message that appears.

  11. Click Start and, in the Start Search box, type mmc.exe and press Enter.

  12. Choose Add/Remove Snap-In from the File menu.

  13. From the Available snap-ins list, choose Active Directory Schema, click Add, and then click OK.

  14. Right-click the root node of the snap-in, Active Directory Schema, and choose Operations Master.

    The dialog box that appears identifies the domain controller currently performing the schema master role.

  15. Click Close.

  16. Open a command prompt, type the command netdom query fsmo, and press Enter. All operations masters are listed.

EXERCISE 2 Transfer an Operations Master Role

In this exercise, you prepare to take the operations master offline by transferring its role to another domain controller. You then simulate taking it offline, bringing it back online, and returning the operations master role.

  1. Open the Active Directory Users And Computers snap-in.

  2. Right-click the contoso.com domain and choose Change Domain Controller.

  3. In the list of directory servers, select SERVER02.contoso.com and click OK.

    Before transferring an operations master, you must connect to the domain controller to which the role will be transferred.

    The root node of the snap-in indicates the domain controller to which you are connected: Active Directory Users And Computers [SERVER02.contoso.com].

  4. Right-click the contoso.com domain and choose Operations Masters.

  5. Click the PDC tab.

    The tab indicates that SERVER01.contoso.com currently holds the role token. SERVER02.contoso.com is listed in the second text box. It should appear similar to Figure 1.

  6. Click Change.

    An Active Directory Domain Services dialog box prompts you to confirm the transfer of the operations master role.

  7. Click Yes.

    An Active Directory Domain Services dialog box confirms the role was successfully transferred.

  8. Click OK, and then click Close. Wait two minutes to ensure that the change has replicated.

  9. Simulate taking SERVER01 offline for maintenance by shutting down the server.

  10. Simulate bringing the server back online by starting the server.

    Remember that you cannot bring a domain controller back online if the RID, schema, or domain naming roles have been seized. But you can bring it back online if any of these roles was transferred.

  11. Log back on to SERVER01 as Administrator. Wait two minutes to ensure that all services have started. Repeat steps 1–8, this time connecting to SERVER01 and transferring the operations master role back to SERVER01.

 