70-240 in 15 minutes a week: Operations Masters, AD Database Maintenance, and RIS Page 2

Operations Masters Management

Having already looked at what the operations masters roles are responsible for in previous articles, in this section we take a look at the actual management of the 5 roles, which includes transferring or seizing them. Just to quickly recap, the operations masters roles are special roles held by certain domain controllers on a per-domain or per-forest basis. The 5 roles are:

Schema Master - controls originating updates to the Schema. One domain controller per forest holds this role.
Domain Naming Master - controls the addition / deletion of domains from the forest. This system must also be a Global Catalog Server. One domain controller per forest holds this role.
PDC Emulator - acts as the PDC for BDCs when the domain is in mixed mode, manages password changes for downlevel (pre-win2k) clients, is the focus for group policy changes, and is immediately forwarded all password changes. One domain controller per domain holds this role.
RID Master - allocates the pool of relative identifiers (RIDs, which are the unique part of SIDs) to each domain controller in the domain. One domain controller per domain holds this role. Note that you can view the RID pool allocation using a utility called dcdiag, the domain controller diagnostic utility.
Infrastructure Master - is responsible for updating user-to-group references between domains. This role should not be held by a domain controller that is also acting as a global catalog server - the infrastructure master will not function in that scenario, because a global catalog holds a copy of all objects and therefore has no external references to update. One domain controller per domain holds this role.

The ability to transfer roles is important, since a domain controller may need to be taken offline for maintenance. In this scenario, we simply transfer the role as will be described shortly. However, in the event that a DC holding an operations master role should crash, we might need to transfer the role by seizing it, a more drastic action. If you are taking a domain controller offline for a significant period of time, be sure to transfer the roles that the domain controller holds. Note that since changes to the schema and adding and removing domains are both rare, it may not be necessary to transfer these roles, even if a domain controller needed to be taken offline for a longer period of time.

The tools used to transfer the operations masters' roles are listed below, by role:

PDC Emulator - Active Directory Users and Computers
RID Master - Active Directory Users and Computers
Infrastructure Master - Active Directory Users and Computers
Domain Naming Master - Active Directory Domains and Trusts
Schema Master - Active Directory Schema Snap-in (this snap-in is not available by default and must be registered first: from the Run command, issue regsvr32.exe schmmgmt.dll, and the snap-in will then be available).

The screenshot below shows an example of the screen used to transfer the PDC Emulator role in Active Directory Users and Computers:

You should also be aware of which users have the ability to change operations masters roles by default (controlled via permissions):

PDC Emulator - Domain Admins
RID Master - Domain Admins
Infrastructure Master - Domain Admins
Domain Naming Master - Enterprise Admins
Schema Master - Schema Admins

If a domain controller that holds an operations master role becomes permanently unavailable (equipment failure and cannot be restored from backup, for example), you can take the step of seizing the role it holds. In order to seize a role, you should ensure that the former role owner is disconnected from the network, and proceed with the transfer process. You will receive a warning message stating that a regular transfer is not possible, but continuing will allow you to seize the role. 

It is also possible to seize an operations master role by using the ntdsutil tool. The following steps outline the process:

1. Run ntdsutil.exe
2. From the prompt, type roles
3. At the fsmo maintenance prompt, type connections
4. At the server connections prompt, type connect to server, followed by the FQDN of the server. 
5. Type quit at the server connections prompt.
6. At the fsmo maintenance prompt, type one of the following:
a. Seize PDC
b. Seize RID master
c. Seize infrastructure master
d. Seize domain naming master
e. Seize schema master
7. Type quit at the fsmo maintenance prompt
8. Type quit at the ntdsutil prompt

Just for the sake of knowing, 'fsmo' stands for Flexible Single Master Operation.
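As an added example (not part of the original article), the seize steps above can be wrapped in a batch file so that the ntdsutil commands run non-interactively and the result is checked afterwards. The server name, the short role names (pdc, rid, infra, naming, schema) and the script name are placeholders of my own; the ntdsutil and dcdiag commands are the ones the article lists.

```batch
@echo off
rem Added example, not from the original article: runs the article's ntdsutil
rem seize steps (roles -> connections -> connect to server -> seize ...) as one
rem command line. The surviving DC's FQDN and the short role name are arguments.
rem Usage: seize-role.cmd dc2.example.com pdc   (server and role are placeholders)
setlocal
set TARGET=%~1
set ROLE=%~2
if "%TARGET%"=="" goto usage
if "%ROLE%"=="" goto usage

rem Map the short role name to the fsmo maintenance command from step 6.
if /i "%ROLE%"=="pdc"    set CMD=seize pdc
if /i "%ROLE%"=="rid"    set CMD=seize rid master
if /i "%ROLE%"=="infra"  set CMD=seize infrastructure master
if /i "%ROLE%"=="naming" set CMD=seize domain naming master
if /i "%ROLE%"=="schema" set CMD=seize schema master
if not defined CMD goto usage

rem Record who holds the roles before the change, for the change log.
rem (fsmo maintenance -> select operation target -> list roles for connected server)
echo --- role holders as seen by %TARGET% before seizing ---
ntdsutil roles connections "connect to server %TARGET%" quit "select operation target" "list roles for connected server" quit quit quit

rem Steps 2-8 of the article in one invocation. ntdsutil first tries a normal
rem transfer and asks for confirmation before it actually seizes the role.
rem The former role holder must stay off the network, as the article says.
echo --- seizing role on %TARGET% ---
ntdsutil roles connections "connect to server %TARGET%" quit "%CMD%" quit quit

rem Verify that the domain controllers agree on who holds the roles now.
echo --- verification ---
dcdiag /test:KnowsOfRoleHolders
if /i "%ROLE%"=="rid" dcdiag /test:RidManager
goto :eof

:usage
echo Usage: %~nx0 ^<FQDN of surviving DC^> ^<pdc^|rid^|infra^|naming^|schema^>
exit /b 1
```

Run it as a member of the group listed above for the role in question (Domain Admins, Enterprise Admins or Schema Admins); the first ntdsutil call only lists role holders, so it is harmless to run on its own when you just want to see where the roles currently sit.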

Remote Installation Services

Although the basics of RIS have been covered in previous articles, you'll need to know a little more about what it is capable of. Remote Installation Services is part of a broad group of Windows 2000 services that also go by the name Intellimirror. These technologies are meant to allow configuration management to be automated. With RIS, Microsoft has provided a technology that will allow a computer capable of booting off the network to start and automatically download its operating system image. The idea is that in combination with technologies such as group policy, a user could have their complete environment 'rebuilt' without necessitating that a technical support person make a physical trip to their location. Note that as far as Microsoft is concerned, RIS only distributes images of Windows 2000 Professional, not Server (or 9x, NT, etc).

As a review, remember that in order for RIS to function, 3 services must be available on the network. These include:

- DHCP (to give the OS-less client an IP address for network connectivity)
- DNS (to allow the client to find Active Directory, and subsequently a RIS Server) 
- Active Directory (to control which users / computers have permission to access an image, which RIS server provides the requested image, and where the computer account is placed)

There are also requirements with respect to the client computer in terms of RIS Support. In order for a client machine to be able to boot and obtain an image via RIS, the client requires PXE functionality. PXE stands for Preboot Execution Environment, a technology that allows a PC that supports the standard to obtain TCP/IP network connectivity. This is accomplished in one of three ways.

1. The client computers meet the PC98 or NetPC specification
2. The client computers have a PXE-compliant BIOS
3. The client computers have a supported PXE-compliant network adapter card. 

This article was originally published on Jul 26, 2001
