15/8/2014

Responding to Operations Master Failures

TechieBird
The first step in responding to the unavailability of a domain controller that is an operations master role owner is to
determine the anticipated duration of the outage. If the outage is expected to be brief, the recommended
response is simply to wait for the role owner to become available before performing a role-related function.
If the outage is longer, the correct response might be to seize the operations master role from a domain
controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid
seizing roles. The decision to seize an operations master role depends upon the role and the expected
length of the outage.
Primary Domain Controller Emulator Failures
The loss of a domain controller that holds the primary domain controller emulator role can be visible to
any user, whether end user or administrator. Specifically, an end user running Windows NT Workstation 3.51,
Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client cannot change their
password without communicating with the primary domain controller emulator. If the user's password has
expired, the user is not able to log on.
Therefore, you might need to repair a primary domain controller emulator failure quickly. If the
primary domain controller emulator is offline for a significant period of time and the domain has users
running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the
Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the
primary domain controller emulator role to the Standby operations master domain controller.
The user interface for this seizure is similar to that of a normal operations master role transfer, except it
requires an extra confirmation from you. Agree to the confirmation only if you know the current
primary domain controller emulator will be offline for a significant period. Later, when the original
primary domain controller emulator domain controller comes back online, transfer the role back to the
original role owner.
Infrastructure Master Failures
Temporary loss of a domain's infrastructure master is not visible to end users, and is not visible to you, as
an administrator, unless you recently moved or renamed a large number of accounts. Therefore, in most
cases, a temporary loss of the infrastructure master is not a problem worth fixing. If you anticipate a long
outage of a domain's infrastructure master and you need to repair it, first select a domain controller that is
not a Global Catalog server and that has good network connectivity to a Global Catalog server located in
any domain.
Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It
is not important that the new infrastructure master be near the previous one. When you have selected
the domain controller, seize the infrastructure master role to this domain controller.
The user interface for this seizure is similar to that of a normal operations master role transfer, except it
requires an extra confirmation from you. Agree to the confirmation only if you know that the current
infrastructure master will be offline for a very long period. Later, when the original infrastructure master
comes back online, transfer the role back to the original role owner.
Other Operations Master Failures
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to
end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a
problem worth fixing. However, if you anticipate an extremely long outage of the domain controller holding
one of these roles, you can seize that role to the Standby operations master domain controller.
However, seizing any of these roles is a drastic step, one that you would take only when the outage is
permanent, as in the case when a domain controller is physically destroyed and cannot be restored from
backup media. A domain controller whose schema master, domain naming master, or RID master role is
seized must never come back online. Before proceeding with the role seizure, you must ensure that the
outage of this domain controller is permanent by physically disconnecting the domain controller from the
network.

The domain controller that seizes the role should be fully up-to-date with respect to updates performed on
the previous role owner. Because of replication latency, it is possible that the domain controller might not be
up-to-date.

To check the status of updates for a domain controller, you can use the Repadmin command-line tool. The
Repadmin command-line tool is a Resource Kit tool that performs replication diagnostics. It is available on
the Microsoft Windows 2000 Server installation CD. Repadmin can determine whether a domain
controller has the most current updates.

http://www.techiebird.com/fsmofailure.html

For more information about using the Repadmin tool, see Windows 2000 Support Tools Help, which is
included on the Windows 2000 Server CD, and "Active Directory Diagnostics, Troubleshooting, and
Recovery" in this book.
For example, to make sure a domain controller is fully up-to-date, suppose that server05 is the RID
master of the domain reskit.com, server10 is the Standby operations master domain controller, and
server12 is the only other domain controller in the reskit.com domain. Using the Repadmin tool, you
would issue the following commands:
C:\> repadmin /showvector dc=reskit,dc=com server10.reskit.com
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
C:\> repadmin /showvector dc=reskit,dc=com server12.reskit.com
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
Note
In the previous example, user input is in bold type.
Ignore all output lines except those for server05. Server10's up-to-date status value with respect to
server05 (server05 @ USN 2604) is larger than server12's up-to-date status value with respect to
server05 (server05 @ USN 2590), making it safe for server10 to seize the RID master role formerly
held by server05. If the up-to-date status value for server10 were less than the value for server12, you
would wait for normal replication to update server10, or use the Repadmin tool's /sync /force commands
to make the replication happen immediately.
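The comparison described above can be scripted so that it is checked the same way every time before a seizure. The following PowerShell is an added example, not part of the original page or of any Microsoft tool; the function names Get-VectorUsn and Test-SafeToSeize are hypothetical, and the input is the repadmin /showvector text in the format shown above, embedded as sample data.

```powershell
# Constructed sample data: the two 'repadmin /showvector' captures shown above,
# keyed by the surviving domain controller each capture was taken from.
$captures = @{
    'server10' = @'
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
'@
    'server12' = @'
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
'@
}

function Get-VectorUsn {
    # Hypothetical helper: returns the USN that one DC's up-to-dateness vector
    # records for $SourceDc, or $null when the vector has no entry for it.
    param([string]$VectorText, [string]$SourceDc)
    foreach ($line in ($VectorText -split '\r?\n')) {
        # Line format on this page: <site>\<server> @ USN <number>
        if ($line -match '^\s*(?<site>[^\\]+)\\(?<dc>\S+)\s+@\s+USN\s+(?<usn>\d+)') {
            if ($Matches['dc'] -ieq $SourceDc) { return [long]$Matches['usn'] }
        }
    }
    return $null
}

function Test-SafeToSeize {
    # Hypothetical helper: the candidate is safe only if no other surviving DC
    # has received a later update from the failed role owner.
    param([hashtable]$Captures, [string]$FailedOwner, [string]$Candidate)
    $usn = @{}
    foreach ($dc in $Captures.Keys) {
        $usn[$dc] = Get-VectorUsn -VectorText $Captures[$dc] -SourceDc $FailedOwner
    }
    if ($null -eq $usn[$Candidate]) {
        throw "The vector captured from ${Candidate} has no entry for ${FailedOwner}."
    }
    $ahead = @($usn.Keys | Where-Object { $_ -ne $Candidate -and $usn[$_] -gt $usn[$Candidate] })
    [pscustomobject]@{
        Candidate    = $Candidate
        CandidateUsn = $usn[$Candidate]
        SafeToSeize  = ($ahead.Count -eq 0)
        DcsAhead     = $ahead    # DCs the candidate must replicate from first
    }
}

Test-SafeToSeize -Captures $captures -FailedOwner 'server05' -Candidate 'server10'
```

When SafeToSeize is False, DcsAhead names the domain controllers the candidate has to catch up with, by normal replication or a forced sync, before the role is seized.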
After you have determined that the role owner is fully up-to-date, you can seize the operations master role
using the Ntdsutil tool as in the following example:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server server10.reskit.com
binding to server10.reskit.com
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server server10.reskit.com knows about 5 roles
Schema CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
Note
In the previous example, user input is in bold type.
For more information about specific procedures for using the Ntdsutil command-line tool, see Windows
2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.
Using the Ntdsutil Tool for Role Placement
The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool might be more
convenient for operations master transfers and seizures than the graphical user interface tools, because it
is simpler and quicker to enter commands than to use multiple windows.
To perform seizures of the schema master, domain naming master, and RID master roles, the Ntdsutil tool
is the required method.
When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a
transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs
the seizure. The Ntdsutil tool provides help information when you type a question mark (?). The following is
an example showing the transfer of the domain naming master role (with user input shown in bold type):
C:\> ntdsutil
ntdsutil: ?
? Print this help information
Authoritative restore Authoritatively restore the DIT database
Domain management Prepare for new domain creation
Files Manage NTDS database files


Help Print this help information
IPDeny List Manage LDAP IP Deny List
LDAP policies Manage LDAP protocol policies
Metadata cleanup Clean up objects of decommissioned servers
Popups %s (en/dis)able popups with on or off
Quit Quit the utility
Roles Manage NTDS role owner tokens
Security account management Manage Security Account Database Duplicate SID Cleanup
Semantic database analysis Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
? Print this help information
Connections Connect to a specific domain controller
Help Print this help information
Quit Return to the prior menu
Seize domain naming master Overwrite domain role on connected server
Seize infrastructure master Overwrite infrastructure role on connected server
Seize PDC Overwrite PDC role on connected server
Seize RID master Overwrite RID role on connected server
Seize schema master Overwrite schema role on connected server
Select operation target Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master Make connected server the domain naming master
Transfer infrastructure master Make connected server the infrastructure master
Transfer PDC Make connected server the PDC
Transfer RID master Make connected server the RID master
Transfer schema master Make connected server the schema master

fsmo maintenance: connections
server connections: ?
? Print this help information
Clear creds Clear prior connection credentials
Connect to domain %s Connect to DNS domain name
Connect to server %s Connect to server, DNS name or IP address
Help Print this help information
Info Show connection information
Quit Return to the prior menu
Set creds %s %s %s Set connection creds as domain, user, pwd
Use NULL for null password
server connections: connect to server reskit1
Binding to reskit1
Connected to reskit1 using credentials of locally logged on user
server connections: quit
fsmo maintenance: transfer domain naming master
Server reskit1 knows about 5 roles
Schema CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1
C:\>
In the previous example, the available Ntdsutil tool commands display after entering a question mark (?).
To transfer an operations master role, the roles command is entered, which displays the fsmo maintenance
menu. Entering a question mark (?) displays the subcommands within the fsmo maintenance menu. Before
transferring the operations master role, you must connect to the domain controller that will receive the
role (reskit1 in the example above) by entering the connect to server subcommand. Then, after leaving
the server connections mode by entering quit, issue the transfer domain naming master command. A
confirmation pop-up window (not shown) displays for the transfer domain naming master operation.
Note
You must have sufficient permissions to execute commands using the Ntdsutil tool. For more information
about controlling access to operations master role placements, see "Controlling Access to Role
Placements" later in this chapter.

It is also possible to view the current operations master role owners using the Ntdsutil command-line tool
from the Select Operation Target menu located under the Roles option. The List roles for
connected server command displays a list of all of the current operations master role owners.
For more information about using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help,
which is included on the Windows 2000 Server installation CD.