The first step in responding to the unavailability of a domain controller that is an operations master role owner is to determine the anticipated duration of the outage. If the outage is expected to be brief, the recommended response is simply to wait for the role owner to become available before performing a role-related function.
If the outage is longer, the correct response might be to seize the operations master role from a domain controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles. The decision to seize an operations master role depends upon the role and the expected length of the outage.
Primary Domain Controller Emulator Failures
The loss of a domain controller that holds the primary domain controller emulator role can be visible to any user, whether an end user or an administrator. Specifically, an end user running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client cannot change their password without communicating with the primary domain controller emulator. If the user’s password has expired, the user is not able to log on.
Therefore, you might need to repair a primary domain controller emulator failure quickly. If the primary domain controller emulator is offline for a significant period of time and the domain has users running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the primary domain controller emulator role to the “Standby operations master domain controller.”
The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know the current primary domain controller emulator will be offline for a significant period. Later, when the original primary domain controller emulator domain controller comes back online, transfer the role back to the original role owner.
Infrastructure Master Failures
Temporary loss of a domain’s infrastructure master is not visible to end users, and is not visible to you, as an administrator, unless you recently moved or renamed a large number of accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a problem worth fixing. If you anticipate a long outage of a domain’s infrastructure master and you need to repair it, first select a domain controller that is not a Global Catalog server and that has good network connectivity to a Global Catalog server located in any domain.
Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It is not important that the new infrastructure master be near the previous one. When you have selected the domain controller, seize the infrastructure master role to this domain controller.
The user interface for this seizure is similar to that of a normal operations master role transfer, except it requires an extra confirmation from you. Agree to the confirmation only if you know that the current infrastructure master will be offline for a very long period. Later, when the original infrastructure master comes back online, transfer the role back to the original role owner.
Other Operations Master Failures
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a problem worth fixing. However, if you anticipate an extremely long outage of the domain controller holding one of these roles, you can seize that role to the “Standby operations master domain controller.”
Seizing any of these roles, however, is a drastic step, one that you would take only when the outage is permanent, as in the case when a domain controller is physically destroyed and cannot be restored from backup media.
A domain controller whose schema master, domain naming master, or RID master role is seized must never come back online. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network.
The domain controller that seizes the role should be fully up-to-date with respect to updates performed on the previous role owner. Because of replication latency, it is possible that the domain controller might not be up-to-date.
To check the status of updates for a domain controller, you can use the Repadmin command-line tool. The Repadmin command-line tool is a Resource Kit tool that performs replication diagnostics. It is available on the Microsoft Windows 2000 Server installation CD. Repadmin can determine whether a domain controller has the most current updates. For more information about using the Repadmin tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server CD, and “Active Directory Diagnostics, Troubleshooting, and Recovery” in this book.
For example, to make sure a domain controller is fully up-to-date, suppose that “server05” is the RID master of the domain “reskit.com,” “server10” is the “Standby operations master domain controller,” and “server12” is the only other domain controller in the “reskit.com” domain. Using the Repadmin tool, you would issue the following commands:
C:\> repadmin /showvector dc=reskit,dc=com server10.reskit.com
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
C:\> repadmin /showvector dc=reskit,dc=com server12.reskit.com
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
Note
In the previous example, user input is in bold type.
Ignore all output lines except those for server05. Server10’s up-to-date status value with respect to server05 (server05 @ USN 2604) is larger than server12’s up-to-date status value with respect to server05 (server05 @ USN 2590), making it safe for server10 to seize the RID master role formerly held by server05. If the up-to-date status value for server10 were less than the value for server12, you would wait for normal replication to update server10, or use the Repadmin tool’s /sync and /force commands to make the replication happen immediately.
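Added example, not code from the Resource Kit: a PowerShell function that applies the rule just described to repadmin /showvector output collected from every surviving domain controller, generalizing the two-server comparison above to any number of domain controllers. The sample lines are constructed from the server05, server10 and server12 figures in the text; the function names and the object they return are this example’s own.

```powershell
# Added example, not part of the Windows 2000 Resource Kit text: applies the
# up-to-dateness rule described above to "repadmin /showvector" output from
# every surviving domain controller, not just one. Function names and the
# object shape returned are assumptions of this example.

function ConvertFrom-ShowVector {
    # Turn lines such as "New-York\server05 @ USN 2604" into a hashtable of
    # server name -> USN. The site prefix is dropped; names are lower-cased.
    param([string[]]$Lines)
    $vector = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?:[^\\\s]+\\)?(?<server>[^\s@]+)\s*@\s*USN\s+(?<usn>\d+)') {
            $vector[$Matches['server'].ToLower()] = [int64]$Matches['usn']
        }
    }
    return $vector
}

function Test-SeizeReadiness {
    # $VectorsByServer maps each surviving DC name to the output lines of
    # "repadmin /showvector <naming context> <that DC>". The candidate may
    # seize the role only if no other surviving DC has seen a higher USN
    # from the failed owner; otherwise replicate first (repadmin /sync).
    param(
        [string]$FailedOwner,        # unreachable role owner, e.g. server05
        [string]$Candidate,          # standby operations master, e.g. server10
        [hashtable]$VectorsByServer
    )
    $owner = $FailedOwner.ToLower()
    $mine = ConvertFrom-ShowVector $VectorsByServer[$Candidate]
    if (-not $mine.ContainsKey($owner)) {
        return [pscustomobject]@{ Safe = $false; Reason = "$Candidate has no up-to-dateness entry for $FailedOwner" }
    }
    foreach ($dc in $VectorsByServer.Keys) {
        if ($dc -ieq $Candidate) { continue }
        $theirs = ConvertFrom-ShowVector $VectorsByServer[$dc]
        if ($theirs.ContainsKey($owner) -and $theirs[$owner] -gt $mine[$owner]) {
            return [pscustomobject]@{ Safe = $false; Reason = "$dc holds USN $($theirs[$owner]) from $FailedOwner but $Candidate holds only $($mine[$owner]); wait for replication or force it before seizing" }
        }
    }
    return [pscustomobject]@{ Safe = $true; Reason = "$Candidate holds USN $($mine[$owner]) from $FailedOwner, at least as high as every other surviving DC" }
}

# Constructed sample: the two /showvector outputs quoted in the text above.
# In a live check, replace each array with the lines returned by:
#   repadmin /showvector dc=reskit,dc=com <dc>.reskit.com
$sample = @{
    'server10' = @('New-York\server05 @ USN 2604', 'San-Francisco\server12 @ USN 2706')
    'server12' = @('New-York\server05 @ USN 2590', 'Chicago\server10 @ USN 3110')
}
Test-SeizeReadiness -FailedOwner 'server05' -Candidate 'server10' -VectorsByServer $sample
```

Only the entry for the failed owner is compared, exactly as the text says to ignore the other output lines; entries for the surviving servers are parsed but not used in the decision.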
After you have determined that the role owner is fully up-to-date, you can seize the operations master role using the Ntdsutil tool as in the following example:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server10.reskit.com
binding to server10.reskit.com …
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server “server10.reskit.com” knows about 5 roles
Schema – CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain – CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC – CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID – CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure – CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
Note
In the previous example, user input is in bold type.
For more information about specific procedures for using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.
Using the Ntdsutil Tool for Role Placement
The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool might be more convenient for operations master transfers and seizures than the graphical user interface tools, because it is simpler and quicker to enter commands than to use multiple windows.
To perform seizures of the schema master, domain naming master, and RID master roles, the Ntdsutil tool is the required method.
When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure.
The Ntdsutil tool provides help information when you type a question mark (?). The following is an example showing the transfer of the domain naming master role (with user input shown in bold type):
C:\> ntdsutil
ntdsutil: ?
? – Print this help information
Authoritative restore – Authoritatively restore the DIT database
Domain management – Prepare for new domain creation
Files – Manage NTDS database files
Help – Print this help information
IPDeny List – Manage LDAP IP Deny List
LDAP policies – Manage LDAP protocol policies
Metadata cleanup – Clean up objects of decommissioned servers
Popups %s – (en/dis)able popups with “on” or “off”
Quit – Quit the utility
Roles – Manage NTDS role owner tokens
Security account management – Manage Security Account Database – Duplicate SID Cleanup
Semantic database analysis – Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
? – Print this help information
Connections – Connect to a specific domain controller
Help – Print this help information
Quit – Return to the prior menu
Seize domain naming master – Overwrite domain role on connected server
Seize infrastructure master – Overwrite infrastructure role on connected server
Seize PDC – Overwrite PDC role on connected server
Seize RID master – Overwrite RID role on connected server
Seize schema master – Overwrite schema role on connected server
Select operation target – Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master – Make connected server the domain naming master
Transfer infrastructure master – Make connected server the infrastructure master
Transfer PDC – Make connected server the PDC
Transfer RID master – Make connected server the RID master
Transfer schema master – Make connected server the schema master
fsmo maintenance: connections
server connections: ?
? – Print this help information
Clear creds – Clear prior connection credentials
Connect to domain %s – Connect to DNS domain name
Connect to server %s – Connect to server, DNS name or IP address
Help – Print this help information
Info – Show connection information
Quit – Return to the prior menu
Set creds %s %s %s – Set connection creds as domain, user, pwd
Use “NULL” for null password
server connections: connect to server reskit1
Binding to reskit1 …
Connected to reskit1 using credentials of locally logged on user
server connections: quit
fsmo maintenance: transfer domain naming master
Server “reskit1″ knows about 5 roles
Schema – CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain – CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC – CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID – CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure – CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1 …
C:\>
In the previous example, the available Ntdsutil tool commands are displayed after entering a question mark (?). To transfer an operations master role, the roles command is entered, which displays the fsmo maintenance menu. Entering a question mark (?) displays the subcommands within the fsmo maintenance menu. Before transferring the operations master role, you must connect to the domain controller that will receive the role (“reskit1” in the example above) by entering the connect to server subcommand. Then, after leaving the server connections mode by entering “quit”, issue the transfer domain naming master command. A confirmation pop-up window (not shown) is displayed for the transfer domain naming master operation.