Chapter 11. Working with Operations Master
The multimaster replication model of Active Directory creates a distributed environment that allows any domain controller to be used for authentication and allows you to make changes to standard directory information without regard to which domain controller you use. The approach works well for most Active Directory operations—but not all. Some Active Directory operations can be performed only by a single authoritative domain controller called an operations master.
A designated operations master has a flexible single-master operations (FSMO) role. The five designated roles are the schema master, the domain naming master, the RID master, the PDC emulator, and the infrastructure master.
Two of the roles—schema master and domain naming master—are assigned on a per-forest basis. This means that there is only one schema master and only one domain naming master in a forest. The other three roles—RID master, PDC emulator, and infrastructure master—are assigned on a per-domain basis. For each domain in the forest, there is only one of these operations master roles.
When you install Active Directory and create the first domain controller in a new forest, all five roles are assigned to that domain controller. As you add domains, the first domain controller you install in a domain is automatically designated the RID master, infrastructure master, and PDC emulator for that domain.
As part of domain design, you should consider how many domain controllers you need per domain, and whether you need to transfer operations master roles after you install new domain controllers. In all cases, you’ll want to have at least two domain controllers in each domain in the forest. The reasons for transferring the operations master roles depend on several factors. First, you might want to transfer an operations master role to improve performance, as you might do when a server has too heavy a workload and you need to distribute some of the load. Second, you might need to transfer an operations master role if you plan to take the server with that role offline for maintenance or if the server fails.
You can determine the current operations masters for your logon domain by typing the following at a command prompt:
netdom query fsmo
As shown here, the output lists each role owner by its fully qualified domain name:
Schema master CorpServer26.imaginedlands.com
Domain naming master CorpServer26.imaginedlands.com
PDC CorpServer32.tech.imaginedlands.com
RID pool manager CorpServer32.tech.imaginedlands.com
Infrastructure master CorpServer41.tech.imaginedlands.com
From the output in this example, you can also determine that the forest root domain is imaginedlands.com and the current logon domain is tech.imaginedlands.com. If you want to determine the operations masters for a specific domain, use the following command:
netdom query fsmo /d:DomainName
Here, DomainName is the name of the domain, such as eng.imaginedlands.com.
In Windows PowerShell, you can use Get-ADDomain to get information about domains, including the forest root domain, the domain mode, the infrastructure master, the RID master, and the PDC emulator. Use the -Identity parameter to specify the fully qualified name of the domain you want to work with. If you don’t specify a domain to work with, the cmdlet displays information about the current logon domain.
When you use Get-ADDomain, you’ll get a lot of information. To streamline this information, you can enter:
get-addomain | fl forest, *mode, *master, pdc*
The output will then look similar to the following:
forest : imaginedlands.com
DomainMode : Windows2016Domain
InfrastructureMaster : CorpServer18.imaginedlands.com
RIDMaster : CorpServer18.imaginedlands.com
PDCEmulator : CorpServer18.imaginedlands.com
Use Get-ADForest to get information about forests, including the forest mode, the domain naming master, and the schema master. As shown in the following example, the output provides a lot of additional information as well:
ApplicationPartitions : {DC=ForestDnsZones,DC=imaginedlands,DC=com, DC=DomainDnsZones,DC=imaginedlands,DC=com}
CrossForestReferences : {}
DomainNamingMaster : CorpServer18.imaginedlands.com
Domains : {imaginedlands.com}
ForestMode : Windows2016Forest
GlobalCatalogs : {CorpServer18.imaginedlands.com}
Name : imaginedlands.com
PartitionsContainer : CN=Partitions,CN=Configuration,DC=imaginedlands,DC=com
RootDomain : imaginedlands.com
SchemaMaster : CorpServer18.imaginedlands.com
Sites : {Default-First-Site-Name}
SPNSuffixes : {}
UPNSuffixes : {}
You can change operations master roles in several ways, using either the graphical consoles or the command-line and PowerShell tools described in the sections that follow.
Regarding placement of operations master roles, Microsoft recommends a specific configuration, and the placement of the infrastructure master relative to the global catalog is the consideration that matters most.
The infrastructure master is responsible for updating references to objects that live in other domains, such as group members that belong to another domain in the forest. It keeps these cross-domain references current by comparing them with a global catalog and then replicating any corrections to the other domain controllers in its domain. If the infrastructure master is itself a global catalog server, it holds a partial replica of every object in the forest and never creates the stale references it is meant to fix, so it never detects or replicates the changes; the remaining domain controllers in the domain are left with outdated references.
The exceptions are a single-domain forest and a multidomain forest in which every domain controller is a global catalog server. In a single-domain forest there are no cross-domain references to update, so it doesn’t matter where the infrastructure master is located. In a multidomain forest where all domain controllers are global catalog servers, every domain controller already knows about every object in the forest, so the infrastructure master has nothing to update. One further caveat: once the Active Directory Recycle Bin optional feature is enabled, each domain controller maintains its own cross-domain references, and the placement restriction no longer applies.
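The following script is an added example, not code from the chapter. It pulls the same role owners that netdom query fsmo, Get-ADDomain and Get-ADForest report, but for every domain in the forest at once, and then applies the infrastructure-master placement rule just described, including the single-domain, all-GC and Recycle Bin exceptions. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; function names are mine.

```powershell
# Added example: inventory every operations master in the forest and check
# infrastructure master placement against the global catalog rule.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # One row per role holder: forest-wide roles first, then each domain's roles
    $forest = Get-ADForest
    $rows = foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += [pscustomobject]@{ Scope = 'Domain'; Domain = $d; Role = $role; Holder = $dom.$role }
        }
    }
    $rows
}

function Test-InfrastructureMasterPlacement {
    # Verdict for one domain: is the infrastructure master a GC when it must not be?
    param([Parameter(Mandatory)][string]$DomainName)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $DomainName
    $dcs    = Get-ADDomainController -Filter * -Server $DomainName
    $im     = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    # EnabledScopes is empty until the Recycle Bin has been enabled for the forest
    $rb     = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBin = ($null -ne $rb) -and (@($rb.EnabledScopes).Count -gt 0)

    $verdict = if ($forest.Domains.Count -eq 1) { 'OK: single-domain forest, placement is irrelevant' }
               elseif ($allGc) { 'OK: every DC is a global catalog' }
               elseif ($recycleBin) { 'OK: Recycle Bin enabled, every DC updates its own cross-domain references' }
               elseif ($im.IsGlobalCatalog) { 'WARNING: infrastructure master is a GC and will not update cross-domain references' }
               else { 'OK: infrastructure master is not a global catalog' }

    [pscustomobject]@{
        Domain               = $DomainName
        InfrastructureMaster = $dom.InfrastructureMaster
        IsGlobalCatalog      = [bool]$im.IsGlobalCatalog
        Verdict              = $verdict
    }
}

Get-FsmoInventory | Format-Table -AutoSize
foreach ($d in (Get-ADForest).Domains) { Test-InfrastructureMasterPlacement -DomainName $d }
```

Run it from any domain-joined machine with RSAT; the inventory is the forest-wide equivalent of the netdom output shown earlier, and the WARNING verdict is the condition you fix by moving either the role or the global catalog.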
The schema master is the only domain controller in the forest with a writeable copy of the schema container. This means that it is the only domain controller in the forest on which you can make changes to the schema. You make changes to the schema using the Active Directory Schema snap-in. When you start the Active Directory Schema snap-in, it makes a direct connection to the schema master, allowing you to view the schema for the directory. To make changes to the schema, however, you must use an account that is a member of the Schema Admins group.
By default, the schema master is the first domain controller installed in the forest root domain. You can transfer this role using the Active Directory Schema snap-in or the NTDSUTIL command-line utility.
To locate the schema master for the current forest, enter the following command at a Windows PowerShell prompt:
(Get-ADForest).SchemaMaster
Alternatively, open the Active Directory Schema snap-in in a custom console. Right-click the Active Directory Schema node, and then select Operations Master. The Change Schema Master dialog box shows the current schema master.
IMPORTANT The Active Directory Schema snap-in is not available by default. You must install this tool by registering its dynamic-link library (DLL) by entering the following at an administrator command prompt:
regsvr32 schmmgmt.dll
After you register the DLL, you can add the Active Directory Schema snap-in to a custom MMC console using the Add/Remove Snap-in option. For more information, see “Designating Replication Attributes” in Chapter 5.
To transfer the schema master role to another server, follow these steps:
1. Open the Active Directory Schema snap-in in a custom console. Right-click the Active Directory Schema node, and then select Change Active Directory Domain Controller.
2. In the Change Directory Server dialog box, select This Domain Controller and then select the forest root domain name in the Look In This Domain list. Next, select an available domain controller to which you want to transfer the role and then click OK.
3. Right-click the Active Directory Schema node and then select Operations Master. In the Change Schema Master dialog box, click Change. When prompted to confirm, click Yes and then click Close.
The domain naming master is responsible for adding or removing domains from the forest. Any time you create a domain, a remote procedure call (RPC) connection is made to the domain naming master, which verifies that the name is unique and creates a cross-reference object for the new domain in the Partitions container of the configuration partition (the PartitionsContainer shown in the Get-ADForest output earlier). Any time you remove a domain, an RPC connection is made to the domain naming master and that cross-reference is removed. If the domain naming master can’t be reached, the operation fails: you can’t create or remove a domain without it.
To locate the domain naming master for the current forest, enter the following command at a Windows PowerShell prompt:
(Get-ADForest).DomainNamingMaster
Alternatively, start Active Directory Domains And Trusts. Right-click the Active Directory Domains And Trusts node and then select Operations Master. The Operations Master dialog box shows the current domain naming operations master.
To transfer the domain naming master role to another server, follow these steps:
1. In Active Directory Domains And Trusts, right-click the Active Directory Domains And Trusts node and then select Change Active Directory Domain Controller.
2. In the Change Directory Server dialog box, select This Domain Controller and then select the forest root domain name in the Look In This Domain list. Next, select an available domain controller to which you want to transfer the role and then click OK.
3. Right-click the Active Directory Domains And Trusts node and then select Operations Master. In the Change Operations Master dialog box, click Change. When prompted to confirm, click Yes and then click Close.
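The two snap-in procedures above (schema master and domain naming master) and the RID master procedure later in the chapter can all be driven from PowerShell with Move-ADDirectoryServerOperationMasterRole. The function below is an added example, not the chapter's own code: it performs a graceful transfer by default, performs a seizure only when explicitly asked, and then verifies the result by reading the role owner from the target domain controller itself. It assumes the ActiveDirectory module; CorpServer18 and the function name are assumptions.

```powershell
# Added example: transfer (or, when forced, seize) operations master roles and verify.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    $target = Get-ADDomainController -Identity $TargetDC
    if ($Seize) {
        # -Force seizes: the current holder is not consulted. For the schema, domain naming
        # and RID masters the old holder must never rejoin the network afterwards without
        # being demoted or rebuilt, or you end up with two writers for one role.
        Write-Warning "Seizing $($Role -join ', ') onto $($target.HostName)"
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        # Graceful transfer: both the current holder and the target must be online.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
    }
    # Verify by asking the target itself; other DCs may not have replicated the change yet
    $forest = Get-ADForest -Server $target.HostName
    $domain = Get-ADDomain -Identity $target.Domain -Server $target.HostName
    foreach ($r in $Role) {
        $holder = if ($r -in 'SchemaMaster', 'DomainNamingMaster') { $forest.$r } else { $domain.$r }
        [pscustomobject]@{ Role = $r; Holder = $holder; Verified = ($holder -eq $target.HostName) }
    }
}

# Assumed name: CorpServer18 is the forest root DC receiving the forest-wide roles
Move-FsmoRole -TargetDC 'CorpServer18' -Role SchemaMaster, DomainNamingMaster

# After the holder has failed for good, the same call with -Seize:
# Move-FsmoRole -TargetDC 'CorpServer18' -Role RIDMaster -Seize
```

The Verified column is the check the snap-ins don't give you: it confirms that the fSMORoleOwner attribute on the target now names the target, rather than trusting that the cmdlet returned without error.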
The relative ID (RID) master controls the creation of new security principals—such as users, groups, and computers—throughout its related domain. Every domain controller in a domain is issued a block of relative IDs by the RID master. These relative IDs are used to build the security IDs that uniquely identify security principals in the domain. The actual security ID generated by a domain controller consists of a domain identifier, which is the same for every object in a domain, and a unique relative ID that differentiates the object from any other objects in the domain.
The block of relative IDs issued to a domain controller is called a RID pool. Typically, blocks of relative IDs are issued in lots of 500. When the RID pool on a domain controller is nearly exhausted, the domain controller requests a new block of 500 RIDs. It’s the job of the RID master to issue blocks of RIDs, and it does so as long as it’s up and running. If a domain controller can’t connect to the RID master and for any reason runs out of RIDs, no new security principals can be created on that domain controller, and object creation fails. To resolve this problem, the RID master must be made available again or, if it cannot be recovered, the role must be seized by another domain controller. Seizing is not the same as transferring: a transfer requires both domain controllers to be online, whereas a seizure forcibly assigns the role, and a domain controller whose RID master role has been seized must not be returned to the network until it has been demoted or rebuilt.
TIP Size the RID pool by editing the registry on each domain controller and changing the REG_DWORD value of the RID Block Size value located in HKLM\System\CurrentControlSet\Services\NTDS\RID Values. For Windows Server 2012 and later, the maximum RID pool block size is 15,000. Previously, the maximum was 10,000. If you enter a value greater than 15,000, the RID pool block size will be 15,000. Additionally, an error with event ID 16653 and the source as Directory-Services-SAM will be logged each time you start the domain controller.
Because relative IDs are not reused and a finite number of them is available for assignment throughout the lifetime of a domain, older enterprise environments could run out of relative IDs. RID pool exhaustion can seriously affect the domain because no new objects can be created. In an Active Directory domain, 2^30 – 1 (1,073,741,823) RIDs are available. Although approximately 1 billion objects sounds like a lot, RIDs could be leaked and lost in earlier releases of Windows Server. If an RID was taken from an RID pool to create an object but the object creation failed, the RID would not be available for reuse. If a deleted Domain Controller computer object was restored, the domain controller could repeatedly request a new RID pool block because of a missing rIDSetReference attribute and, by itself, could use up the RID pool in about 24 months. Windows Server 2012 and later resolve these and other identified problems that could lead to faster-than-normal depletion of the RID pool.
The newly implemented RID Reuse pool resolves some of these problems. When object creation fails, the RID, instead of being leaked and lost, is placed in the Reuse pool. Because a domain controller checks the Reuse pool for available relative IDs before taking a relative ID from the primary pool, the relative ID can be assigned to the next object created on that domain controller. Keep in mind, however, that rebooting a domain controller clears its RID Reuse pool.
Because the RID master can run out of assigned addresses in its global RID pool space, Windows Server 2012 and later issue periodic RID consumption warnings and also have a soft ceiling for the RID pool. When 10 percent of the global address space is used, the RID master logs an informational event with an RID consumption warning. The RID master logs another RID consumption warning when 10 percent of the remainder is used, and so on, so that the RID consumption warnings become more frequent as more and more of the global space is depleted. The soft ceiling is reached when 90 percent of the available address space is used. As a result, the RID master will not allocate any additional blocks of RIDs until the soft ceiling is removed.
Using Dcdiag, you can check the number of RIDs available by entering the following at a command prompt on the RID master for the domain:
dcdiag /test:ridmanager /v | find /i "Available RID Pool"
The output will show the available RIDs and be similar to the following:
* Available RID Pool for the Domain is 480678 to 1073741823
From this output, you know the number of available RIDs and you can infer the number of RIDs that have been used. Here, 480,677 RIDs have been used and 1,073,261,146 RIDs are available. That’s 480,678 minus 1 to determine the number of RIDs that have been used and 1,073,741,823 minus 480,677 to determine the number of RIDs available.
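The arithmetic above is easy to get wrong by hand, and dcdiag is not the only place the numbers live: the rIDAvailablePool attribute of CN=RID Manager$ packs the same two values into one 64-bit integer (upper 32 bits = top of the global pool, lower 32 bits = next RID to hand out). The following added example, not code from the chapter, parses either source and reports consumption against the 10 percent warning and 90 percent soft ceiling discussed below. The dcdiag line is constructed to match the output shown above; the live query at the end assumes the ActiveDirectory module.

```powershell
# Added example: compute used/available RIDs from dcdiag output or from rIDAvailablePool.

function Get-RidPoolStatus {
    param([Parameter(Mandatory)][int64]$NextRid, [Parameter(Mandatory)][int64]$TopRid)
    $used      = $NextRid - 1          # RIDs 1..NextRid-1 have been handed out
    $available = $TopRid - $used
    $pct       = [math]::Round(100 * $used / $TopRid, 2)
    [pscustomobject]@{
        NextRid            = $NextRid
        PoolTop            = $TopRid
        Used               = $used
        Available          = $available
        PercentUsed        = $pct
        ThirtyFirstBitOn   = ($TopRid -eq [int64][int32]::MaxValue)  # 2^31-1 once sidCompatibilityVersion=1
        ConsumptionWarning = ($pct -ge 10)   # first RID consumption warning is logged at 10 percent
        SoftCeilingReached = ($pct -ge 90)   # allocation stops until msDS-RIDPoolAllocationEnabled is reset
    }
}

function ConvertFrom-RidPoolLine {
    # Parses the "* Available RID Pool for the Domain is X to Y" line printed by dcdiag
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch 'Available RID Pool for the Domain is (\d+) to (\d+)') {
        throw "Not a dcdiag ridmanager line: $Line"
    }
    Get-RidPoolStatus -NextRid ([int64]$Matches[1]) -TopRid ([int64]$Matches[2])
}

function ConvertFrom-RidAvailablePool {
    # Splits the 64-bit rIDAvailablePool value into its two 32-bit halves
    param([Parameter(Mandatory)][int64]$Value)
    Get-RidPoolStatus -NextRid ($Value -band 0xFFFFFFFF) -TopRid ($Value -shr 32)
}

# Constructed sample matching the dcdiag output shown in the text
$sample = '* Available RID Pool for the Domain is 480678 to 1073741823'
ConvertFrom-RidPoolLine -Line $sample | Format-List

# Live check against the current domain's RID Manager$ object (needs RSAT):
# $dom = Get-ADDomain
# $rm  = Get-ADObject "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" -Server $dom.RIDMaster -Properties rIDAvailablePool
# ConvertFrom-RidAvailablePool -Value $rm.rIDAvailablePool | Format-List
```

For the sample line the function reports 480,677 used and 1,073,261,146 available, matching the figures in the text, with PercentUsed well under the first warning threshold.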
If a domain’s RID master is running Windows Server 2012 or later, you can double the size of the RID pool by enabling SID compatibility. Enabling SID compatibility unlocks the thirty-first bit of the RID pool, which effectively raises the total number of RIDs available for a domain to 2^31 – 1 (2,147,483,647) or approximately 2 billion objects. Set the sidCompatibilityVersion property on the RID master to 1 to unlock the thirty-first bit and enable SID compatibility. However, before you implement this change, you must ensure that all other domain controllers in the domain are also running Windows Server 2012 or later or that domain controllers running earlier versions of Windows Server have updates applied to ensure compatibility with this change.
You can use Ldp.exe to enable SID compatibility. Open Ldp by typing ldp in the Search box or at a prompt and then clicking Ldp in the search results. In Ldp, choose Connect from the Connection menu. Next, connect to the RID master for the domain you want to work with by entering the fully qualified domain name and clicking OK.
After you connect to the RID master, choose Bind from the Connection menu to bind to the domain using an account with domain administrator privileges. If your logon account has these permissions already, you don’t need to perform this step.
Next, choose Modify from the Browse menu to open the Modify dialog box. Leave the Dn box empty so that the modification targets RootDSE. In the Edit Entry Attribute box, type sidCompatibilityVersion. In the Values box, type 1. Because the attribute shouldn’t already exist, set the Operation value as Add. Click Enter to create an LDAP transaction for this update. Ensure that Synchronous is selected as an option, and then click Run to apply the change. Keep in mind that this change is permanent; there is no supported way to relock the thirty-first bit.
Active Directory blocks further allocations from the global RID pool by setting the msDS-RIDPoolAllocationEnabled attribute of the RID Manager$ object to FALSE. To enable the RID master to allocate blocks of RIDs from the global space, you must set the msDS-RIDPoolAllocationEnabled attribute to TRUE.
You can modify the msDS-RIDPoolAllocationEnabled attribute using ADSI Edit or Ldp. This value is set on a per-domain basis.
You can open ADSI Edit by selecting the related option on the Tools menu in Server Manager. Alternatively, open a new MMC by typing MMC.exe at a prompt and then use the Add/Remove Snap-in option on the File menu to add the ADSI Edit snap-in to the MMC.
In ADSI Edit, right-click the ADSI Edit node and then select Connect To. In the Connection Settings dialog box, choose the Select A Well Known Naming Context option. On the related selection list, select Default Naming Context and then click OK.
In ADSI Edit, work your way down to the CN=System container by expanding the Default naming context and the domain container. With the CN=System container selected in the left pane, right-click CN=RID Manager$ and then select Properties.
In the Properties dialog box, select the msDS-RIDPoolAllocationEnabled property and then click Edit. In the Boolean Attribute Editor dialog box, select True, and then click OK twice.
TIP If you want to use Ldp to set the msDS-RIDPoolAllocationEnabled property, open Ldp by typing ldp in the Search box or at a prompt. In Ldp, choose Connect from the Connection menu to connect to a domain controller in the domain you want to work with. After you connect to a domain controller, choose Bind from the Connection menu to bind to the domain using an account with domain administrator privileges. Next, choose Tree from the View menu to open the Tree View dialog box. In the Tree View dialog box, use domain container as the base DN to work with. In the domain container, expand the CN=System container. Next, right-click CN=RID Manager$ and then select Modify. In the Modify dialog box, type msDS-RIDPoolAllocationEnabled in the Edit Entry Attribute box and then type True in the Values box. Because the attribute should already exist, set the Operation value as Replace. Click Enter to create an LDAP transaction for this update, and then click Run to apply the change.
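Both of the RID master changes covered in this section (unlocking the thirty-first bit and re-enabling allocation after the soft ceiling) can be scripted. The following is an added example and not the chapter's own procedure: it writes msDS-RIDPoolAllocationEnabled with Set-ADObject, and performs the RootDSE write that Ldp does for sidCompatibilityVersion through the [ADSI] provider, refusing to do so while any domain controller in the domain reports an operating system older than Windows Server 2012 unless you override it. It assumes the ActiveDirectory module; the function names and the -Force override are mine, and the assumption that the ADSI RootDSE write behaves exactly as the Ldp Add operation does should be confirmed in a lab before production use.

```powershell
# Added example: scripted RID master remediations with guardrails.
Import-Module ActiveDirectory

function Enable-RidPoolAllocation {
    # Re-enables block issuance after the 90 percent soft ceiling set the flag to FALSE.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $ridManagerDn = "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)"
    # Talk to the RID master directly: it is the only DC that issues blocks
    $rm = Get-ADObject -Identity $ridManagerDn -Server $dom.RIDMaster -Properties 'msDS-RIDPoolAllocationEnabled'
    if ($rm.'msDS-RIDPoolAllocationEnabled' -eq $true) {
        Write-Host "Allocation is already enabled on $($dom.RIDMaster)"
        return $rm
    }
    Set-ADObject -Identity $ridManagerDn -Server $dom.RIDMaster -Replace @{ 'msDS-RIDPoolAllocationEnabled' = $true }
    # Read it back from the same DC to confirm the write took effect
    Get-ADObject -Identity $ridManagerDn -Server $dom.RIDMaster -Properties 'msDS-RIDPoolAllocationEnabled'
}

function Unlock-RidThirtyFirstBit {
    # Irreversible: raises the global RID space to 2^31-1 by writing sidCompatibilityVersion=1
    # to the RID master's RootDSE. Refuses while pre-2012 DCs exist unless -Force is given
    # (use -Force only after confirming those DCs carry the compatibility update).
    param([string]$Domain = (Get-ADDomain).DNSRoot, [switch]$Force)
    $dom = Get-ADDomain -Identity $Domain
    $old = Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2012|2016|2019|2022|2025)' }
    if ($old -and -not $Force) {
        throw "Pre-2012 domain controllers present: $($old.HostName -join ', '). Patch them, then rerun with -Force."
    }
    $rootDse = [ADSI]"LDAP://$($dom.RIDMaster)/RootDSE"
    $rootDse.Put('sidCompatibilityVersion', 1)   # same RootDSE write Ldp performs with Operation=Add
    $rootDse.SetInfo()
    # Success shows as a larger pool top on RID Manager$: upper 32 bits should now be 2147483647
    $rm = Get-ADObject "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" -Server $dom.RIDMaster -Properties rIDAvailablePool
    [pscustomobject]@{ RIDMaster = $dom.RIDMaster; PoolTop = ($rm.rIDAvailablePool -shr 32) }
}

# Typical use, against the current logon domain:
# Enable-RidPoolAllocation
# Unlock-RidThirtyFirstBit
```

Run Enable-RidPoolAllocation only after you understand why the soft ceiling was hit; clearing the flag without addressing runaway RID consumption just postpones exhaustion of a pool that cannot be refilled.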
To locate the RID master for the current logon domain, enter the following command at a Windows PowerShell prompt:
(Get-ADDomain).RIDMaster
Alternatively, start Active Directory Users And Computers. Right-click the domain you want to work with and then select Operations Masters. The Operations Masters dialog box shows the current RID master on the RID tab.