The first step in responding to the unavailability of a domain controller that is an operations master role owner is to
determine the anticipated duration of the outage. If the outage is expected to be brief, the recommended
response is simply to wait for the role owner to become available before performing a role-related function.
If the outage is longer, the correct response might be to seize the operations master role from a domain
controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid
seizing roles. The decision to seize an operations master role depends upon the role and the expected
length of the outage.
Primary Domain Controller Emulator Failures
The loss of the domain controller that holds the primary domain controller emulator role can be visible to
any user, whether end user or administrator. Specifically, an end user running Windows NT Workstation 3.51,
Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client cannot change their
password without communicating with the primary domain controller emulator. If the user's password has
expired, the user is not able to log on.
Therefore, you might need to repair a primary domain controller emulator failure quickly. If the
primary domain controller emulator is offline for a significant period of time and the domain has users
running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the
Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the
primary domain controller emulator role to the Standby operations master domain controller.
The user interface for this seizure is similar to that of a normal operations master role transfer, except it
requires an extra confirmation from you. Agree to the confirmation only if you know the current
primary domain controller emulator will be offline for a significant period. Later, when the original
primary domain controller emulator domain controller comes back online, transfer the role back to the
original role owner.
Infrastructure Master Failures
Temporary loss of a domain's infrastructure master is not visible to end users, and is not visible to you, as
an administrator, unless you recently moved or renamed a large number of accounts. Therefore, in most
cases, a temporary loss of the infrastructure master is not a problem worth fixing. If you anticipate a long
outage of a domain's infrastructure master and you need to repair it, first select a domain controller that is
not a Global Catalog server and that has good network connectivity to a Global Catalog server located in
any domain.
Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It
is not important that the new infrastructure master be near the previous one. When you have selected
the domain controller, seize the infrastructure master role to this domain controller.
The user interface for this seizure is similar to that of a normal operations master role transfer, except it
requires an extra confirmation from you. Agree to the confirmation only if you know that the current
infrastructure master will be offline for a very long period. Later, when the original infrastructure master
comes back online, transfer the role back to the original role owner.
Other Operations Master Failures
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to
end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a
problem worth fixing. However, if you anticipate an extremely long outage of the domain controller holding
one of these roles, you can seize that role to the Standby operations master domain controller.
But seizing any of these roles is a drastic step, one that you would take only when the outage is
permanent, as in the case when a domain controller is physically destroyed and cannot be restored from
backup media. A domain controller whose schema master, domain naming master, or RID master role is
seized must never come back online. Before proceeding with the role seizure, you must ensure that the
outage of this domain controller is permanent by physically disconnecting the domain controller from the
network.
The domain controller that seizes the role should be fully up-to-date with respect to updates performed on
the previous role owner. Because of replication latency, it is possible that the domain controller might not be
up-to-date.
To check the status of updates for a domain controller, you can use the Repadmin command-line tool. The
Repadmin command-line tool is a Resource Kit tool that performs replication diagnostics. It is available on
the Microsoft Windows 2000 Server installation CD. Repadmin can determine whether a domain
controller has the most current updates.
http://www.techiebird.com/fsmofailure.html
1/4
15/8/2014
After you have determined that the role owner is fully up-to-date, you can seize the operations master role
using the Ntdsutil tool as in the following example:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server10.reskit.com
binding to server10.reskit.com
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server server10.reskit.com knows about 5 roles
Schema CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
Note
In the previous example, user input is in bold type.
For more information about specific procedures for using the Ntdsutil command-line tool, see Windows
2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.
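An added example, not part of the original page: Python code that parses the role listing Ntdsutil prints (as in the transcript above), compares it with a listing saved before the seizure, and returns the follow-up the text prescribes for each role that changed owner. The "before" listing and the global_catalogs input are constructed assumptions; the listing itself does not show which servers are Global Catalogs.

```python
import re

# Roles whose previous owner must never come back online once seized (per the text above).
NEVER_RETURN = {"Schema", "Domain", "RID"}
OWNER = re.compile(r"\b(Schema|Domain|PDC|RID|Infrastructure) "
                   r"CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,")

def parse_role_owners(listing):
    """Return {role: (server, site)} from an ntdsutil role listing."""
    # ntdsutil wraps long DNs: drop breaks after commas, collapse other whitespace.
    flat = re.sub(r"\s+", " ", re.sub(r",\s+", ",", listing))
    return {role: (server.lower(), site) for role, server, site in OWNER.findall(flat)}

def seizure_report(before, after, global_catalogs=frozenset()):
    """Compare listings taken before and after a seizure; return follow-up actions."""
    findings = []
    for role, (new_server, _site) in sorted(after.items()):
        old = before.get(role)
        if old and old[0] != new_server:
            action = ("keep %s disconnected permanently" % old[0] if role in NEVER_RETURN
                      else "transfer back to %s when it returns" % old[0])
            findings.append((role, old[0], new_server, action))
    infra = after.get("Infrastructure")
    # global_catalogs is supplied by the caller (assumption): the listing does not show it.
    if infra and infra[0] in global_catalogs:
        findings.append(("Infrastructure", infra[0], infra[0],
                         "move role: holder is a Global Catalog server"))
    return findings

# Listing printed after "seize RID master" in the example above.
AFTER = """Server server10.reskit.com knows about 5 roles
Schema CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
"""
# Constructed "before" state: assumes server04 held the RID role prior to the seizure.
BEFORE = AFTER.replace("RID CN=NTDS Settings,CN=server10,CN=Servers,\nCN=Chicago",
                       "RID CN=NTDS Settings,CN=server04,CN=Servers,\nCN=New-York")

if __name__ == "__main__":
    for finding in seizure_report(parse_role_owners(BEFORE), parse_role_owners(AFTER)):
        print(finding)
```

Saving the listing before any role change gives the comparison a baseline; passing the set of Global Catalog server names also checks the infrastructure master placement rule described earlier.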
Using the Ntdsutil Tool for Role Placement
The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool might be more
convenient for operations master transfers and seizures than the graphical user interface tools, because it
is simpler and quicker to enter commands than to use multiple windows.
To perform seizures of the schema master, domain naming master, and RID master roles, the Ntdsutil tool
is the required method.
When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a
transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs
the seizure. The Ntdsutil tool provides help information when you type a question mark (?). The following is
an example showing the transfer of the domain naming master role (with user input shown in bold type):
C:\> ntdsutil
ntdsutil: ?
? Print this help information
Authoritative restore Authoritatively restore the DIT database
Domain management Prepare for new domain creation
Select operation target Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master Make connected server the domain naming master
Transfer infrastructure master Make connected server the infrastructure master
Transfer PDC Make connected server the PDC
Transfer RID master Make connected server the RID master
Transfer schema master Make connected server the schema master
CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1
C:\>
In the previous example, the available Ntdsutil tool commands display after entering a question mark (?).
To transfer an operations master role, the roles command is entered, which displays the fsmo maintenance
menu. Entering a question mark (?) displays the subcommands within the fsmo maintenance menu. Before
transferring the operations master role, you must connect to the domain controller that will receive the
role (reskit1 in the example above) by entering the connect to server subcommand. Then, after leaving
the server connections mode by entering quit, issue the transfer domain naming master command. A
confirmation pop-up window (not shown) displays for the transfer domain naming master operation.
Note
You must have sufficient permissions to execute commands using the Ntdsutil tool. For more information
about controlling access to operations master role placements, see Controlling Access to Role
Placements later in this chapter.
It is also possible to view the current operations master role owner using the Ntdsutil command-line tool
from the Select Operation Target menu located under the Roles option. The List roles for
connected server command displays a list of all of the current operations master role owners.
For more information about using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help,
which is included on the Windows 2000 Server installation CD.