
Windows DC Roles And Functions



Generic Tricks & Tweaks

Exchange Schema Version

dsquery * CN=ms-Exch-Schema-Version-Adc,cn=schema,cn=configuration,dc=yourdomain,dc=local -scope base -attr rangeUpper

Version-specific Procedures

Windows 2003 (and R2) Servers

Some improvements were made to Active Directory, and the roles were redefined to allow more load-balancing and to optimize performance over slow WAN links. The role structure is now called FSMO (flexible single master operations).

FSMO roles:

  • schema master (one per forest)
  • domain naming master (one per forest)
  • RID (relative id) master (one per sub-tree)
  • PDC emulator master (one per sub-tree) - also time server
  • infrastructure master (one per sub-tree)
  • global catalog server (not exactly a role, but also an important function in AD)

The Active Directory database is again stored in a file called NTDS.DIT and again contains two main tables, plus one new table for single-instance storage of security descriptors (ACE deduplication), so that identical permission records are stored only once.

Changing Roles

Roles may be changed while the domain is in proper operation from the command line with "ntdsutil" and its "roles" sub-menu (full session below).

If there are (at least) two DC servers in a domain, the roles for which the failed server was the active master will be taken over by the remaining server(s) more or less automatically, although there are still single points of failure, which might be eliminated in future versions of Windows Server. If the failed server cannot be repaired at all, or cannot be repaired without a complete reinstallation, the AD computer account for that DC server must be dereferenced and deleted manually.

Note that the "transfer" command is the proper way (the current holder hands the role over), while the "seize" command is a drastic step for the case where the current holder is no longer available.

command line:

    C:\...> **ntdsutil** [ENTER]
    ntdsutil> **roles** [ENTER]
    fsmo maintenance> **connections** [ENTER]
    server connections> **connect to server <servername>** [ENTER]
    server connections> **quit** [ENTER]
    fsmo maintenance> **<transfer|seize> <schema master|domain naming master|infrastructure master|rid master|pdc>** [ENTER]
    fsmo maintenance> **quit** [ENTER]

In some cases, you can also change the role masters graphically:
#. for the schema master - register the snap-in with "regsvr32 schmmgmt.dll" (needed only the first time)
#. start an empty management console - add the snap-in "Active Directory Schema"
#. connect to the desired new domain controller, if it is not the local host
#. right-click "Active Directory Schema", then "Operations Master" - make the change.
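Before transferring or seizing a role, it helps to know who holds each FSMO role right now, whether that holder is reachable, and whether the holders still match what you expect; an unexpected holder is worth investigating, and an unreachable one is the case where "seize" applies. The following script is an added example, not part of the wiki page, and also reads the same ms-Exch-Schema-Version-Adc object that the dsquery one-liner above queries. It assumes the ActiveDirectory RSAT module is installed and that it is run on a domain-joined machine; the optional $Expected table is a hypothetical baseline you maintain yourself.

```powershell
# Added example (not from the wiki page). Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    param([hashtable]$Expected = @{})   # hypothetical baseline: role name -> expected holder FQDN
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles (one per forest) and domain-wide roles (one per domain / sub-tree)
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'RID master'            = $domain.RIDMaster
        'PDC emulator'          = $domain.PDCEmulator
        'Infrastructure master' = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role     = $role
            Holder   = $holder
            Online   = Test-Connection -ComputerName $holder -Count 1 -Quiet
            IsGC     = if ($dc) { $dc.IsGlobalCatalog } else { $null }
            # Mismatch is $true when a baseline exists for this role and the holder changed
            Mismatch = $Expected.ContainsKey($role) -and ($Expected[$role] -ne $holder)
        }
    }
}

function Get-ExchangeSchemaVersion {
    # Same object the dsquery command reads; rangeUpper carries the Exchange schema version.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Adc,$schemaNc" `
                        -Properties rangeUpper -ErrorAction SilentlyContinue
    if ($obj) { $obj.rangeUpper } else { $null }   # $null: no Exchange schema extension present
}

# Example run with a constructed baseline; replace with your own recorded holders.
$baseline = @{ 'PDC emulator' = 'dc1.yourdomain.local' }
Get-FsmoInventory -Expected $baseline | Format-Table -AutoSize
"Exchange schema version (rangeUpper): $(Get-ExchangeSchemaVersion)"
```

Rows with Online=$false or Mismatch=$true are the ones to look at before running ntdsutil; record the output after each transfer so the baseline stays current.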

It has also been reported that the following command may help with "global catalog not found" error messages after the global catalog service has been enabled on the current server.

How to enable the GC: MS KB 313994

Then on the command line: NLTEST / /gc (from MS KB 253096)

Windows 2000 Servers

Windows 2000 Server was the first Windows system to implement its domain structure through Active Directory, which is Microsoft's version of a functionality that Novell's NetWare network operating system had already offered for decades. The main features are:

  • Hierarchical structure with the ability to have sub-trees stored on branch servers, and delegate administration of sub-trees to sub-admins
  • Use of well-known documented protocols such as DNS and LDAP

The whole of Active Directory with all of its sub-trees is called the forest (which is slightly incorrect, since in graph theory a forest is a set of unconnected trees).

The Active Directory database is stored in a file called NTDS.DIT and contains two main tables.

Windows NT Servers

There is exactly one PDC and zero or more BDCs in one Windows domain.
Windows NT implemented its domain structure through NTDS (NT Directory Services), which was the predecessor of Active Directory.

NTDS Roles:

  • PDC (primary domain controller)
  • BDC (backup domain controllers)

If the PDC fails, any BDC that has properly synchronized before can take over the PDC function (command line: "dcpromo").

Page last modified on March 27, 2010, at 11:14 PM