4. Moving Operations Master Roles
As discussed, both forest and domain operations master roles are assigned to the first DC in the forest root domain. The first DC in each new domain in the forest is assigned its own domain operations master roles.
You may need to move operations master roles to another DC. For example, the Infrastructure Master role should not be on a DC that is also a global catalog (GC) server (unless only one DC exists, or all DCs are GCs). If you do not separate these roles, domain information in forest-wide GCs may not be properly updated. As you recall, GCs store forest-wide information that is necessary for proper AD operation. If GCs are not updating properly, authentication, directory-wide searching, and other functions will not work correctly (or at all). You may also want to move roles when upgrading servers or recovering a failed DC that held one of the operations master roles.
When the operations master role holder is still alive on the network, the process of moving operations master roles is referred to as a role transfer (the role is removed from one DC and placed on another). When it is not, the process is called seizing the operations master role. In this process, since the DC the role is on is not available, the role cannot be removed. Instead, the role is added to the new DC.
Never seize the operations master role when the current operations master is still alive on the network—even if it is currently shut down. If you restart a former operations master after seizing its role, it will still believe it owns that role. When a role is transferred, the old master is informed and at the same time the new master is given the role. Only seize roles when a former operations master is totally removed (for example, because of hardware failure).
To transfer the operations master roles, you must
meet group member requirements and use the appropriate administration
tool or the correct command line. Be sure to follow the instructions
specific to each role; they are not all the same. The instructions for
each role are provided here, followed by instructions on how to change
roles using the command line.
To transfer the schema master operations role, you must be a member of the Schema Admins group. Begin by opening the AD Schema console. If the console has not been installed, install it by typing regsvr32 schmmgmt.dll at a command line and then pressing Enter. (Click OK when a pop-up advises that the DLL has been registered.) To transfer the role, right-click the AD Schema node in the AD Schema console and then click Change Domain Controller.
In most cases of transferring an operations
master role, you will want to keep the selection Any DC (the process
will select a DC), as shown in Figure 10.
However, you may run into situations where you want to specifically
name a DC (for example, when DCs for the domain are located at different
physical locations and you want a local DC to have the role). In those
cases, click Specify Name and then enter the name of the DC to switch
the role to. When you have finished, click OK.
You should now be back at the console screen. To verify your changes, right-click AD Schema and then click Operations Master. The "Current schema master" and the proposed schema master DC are identified, as shown in Figure 11. If this is correct, click Change.
To transfer the domain-naming master role, open the AD Domains and Trusts console. Right-click Active Directory Domains and Trusts and select Connect to Domain Controller. Enter the name of the domain controller to transfer the role to, or select an available DC, as shown in Figure 12, and then click OK.
Right-click Active Directory Domains and Trusts and select All Tasks, then select Operations Masters. The current and proposed domain naming master DC are identified. If this is correct, click Change.
To transfer the relative identifier (RID) master, PDC emulator, or Infrastructure Master role, begin by opening the AD Users and Computers console. Right-click AD Users and Computers and select Connect to Domain Controller. Enter the name of the domain controller to transfer the role to, or select an available DC, and then click OK. Right-click AD Users and Computers and select All Tasks. Then select Operations Masters. Select the tab for the operations master role you wish to transfer, as shown in Figure 13. If the information is correct, click Change.
If you prefer to make your changes manually, all operations master roles can be transferred using the command-line utility ntdsutil. Begin by opening a command prompt and entering ntdsutil. Enter roles. Enter connections, and then enter connect to server <server>. Enter quit, and then enter transfer <role> master (for example, transfer schema master; the PDC emulator role is transferred with transfer PDC).
You should never seize an operations master role if the current operations master is available. However, if you must seize an operations master role because the current role holder crashed, begin by opening a command prompt and entering ntdsutil. Enter roles, and then enter connections. Enter connect to server <server>. Then enter quit and enter seize <role> master (for example, seize RID master).
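The checks and the ntdsutil command line from this section in script form, added here as an example and not the book's own code: it lists the current role holders, applies the Infrastructure Master/GC rule, and builds the transfer or seize command, refusing to seize while the current holder still answers on the network. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later RSAT, where ntdsutil names the forest role "naming master"); DC02.corp.example is a hypothetical target DC.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module; the target DC
# name below is hypothetical. Run as a member of the group each role requires.
Import-Module ActiveDirectory
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        'schema master'         = $forest.SchemaMaster
        'naming master'         = $forest.DomainNamingMaster   # "domain naming master" in Server 2003 ntdsutil
        'PDC'                   = $domain.PDCEmulator
        'RID master'            = $domain.RIDMaster
        'infrastructure master' = $domain.InfrastructureMaster
    }
}
# Placement rule from the text: the infrastructure master must not be a GC unless it is
# the only DC or every DC in the domain is a GC.
function Test-InfrastructureMasterPlacement {
    $dcs   = @(Get-ADDomainController -Filter *)
    $im    = (Get-ADDomain).InfrastructureMaster
    $imGc  = ($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($imGc -and -not $allGc -and $dcs.Count -gt 1) {
        Write-Warning "Infrastructure master $im is a GC while other DCs are not; move the role or make every DC a GC."
        return $false
    }
    return $true
}
# Build (but do not run) the ntdsutil command for one role. ntdsutil accepts its menu
# commands as quoted arguments, so the interactive sequence above fits on one line.
# -Seize is refused while the current holder still responds, per the rule in the text.
function Get-NtdsutilRoleCommand {
    param(
        [ValidateSet('schema master','naming master','PDC','RID master','infrastructure master')]
        [string]$Role,
        [string]$TargetDc,
        [switch]$Seize
    )
    if ($Seize) {
        $current = (Get-FsmoHolders)[$Role]
        if (Test-Connection -ComputerName $current -Count 2 -Quiet) {
            throw "$current still responds; transfer the role instead of seizing it."
        }
    }
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    "ntdsutil `"roles`" `"connections`" `"connect to server $TargetDc`" `"quit`" `"$verb $Role`" `"quit`" `"quit`""
}
Get-FsmoHolders
Test-InfrastructureMasterPlacement | Out-Null
Get-NtdsutilRoleCommand -Role 'infrastructure master' -TargetDc 'DC02.corp.example'
```

On Windows Server 2008 R2 and later the same transfer can also be done with Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole InfrastructureMaster; adding -Force seizes the role, so reserve it for the hardware-failure case described above.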
Now that you have successfully set and configured
domains, sites, and subnets, and (if necessary) moved operations master
roles, it is time to look at backing up AD. Backing up AD is important
because you may need to recover AD after hardware or software failure.
5. Back Up AD
To back up AD, you must perform a system state backup. A system state backup backs up AD and other important components of the system (such as the registry). You should not substitute a backup of the AD database file (ntds.dit) for a system state backup because many of the items in the system state backup are interrelated. Windows native backup software (Ntbackup) and some third-party backup software can perform a system state backup.
A system state backup always backs up the following:
Registry
COM+ Class Registration database
Boot files and system files
System files that are under Windows File Protection
A system state backup backs up the following items if the associated service is installed on the computer:
Certificate services database if the server is a certification authority (CA)
AD database if the server is a domain controller
SYSVOL directory if the server is a DC
Cluster service information if the server is part of a cluster
IIS Metadirectory if IIS is installed
To perform a system state backup, begin by selecting All Programs → Accessories → System Tools → Backup. If you have not already switched to Advanced Mode, do so by selecting Advanced Mode from the Backup or Restore Wizard Welcome page. Select the Schedule Jobs tab and click "Add job"; then click Next. Select "Only backup System State data," as shown in Figure 14, and then click Next.
Select the backup type information. For a tape drive, select the Tape type; for a disk, the File type. Select "Verify data after backup." This step reads the backup data back to verify its integrity. If required and available, select "Use hardware compression, if available" and click Next. If you are replacing an existing backup, click "Allow only the owner and the Administrator access to the backup data and to any backups appended to this medium" and click Next. To run the backup right away, click Now. Otherwise, enter a job name and then click the Set Schedule button to schedule the backup. Use the Settings tab as shown in Figure 15 to complete the schedule.
After the schedule is set, click OK and, if
prompted, enter the account name and password of an account authorized
to perform a backup. Click OK, followed by Next and then Finish.
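A command-line version of the same backup, added here as an example and not the book's own procedure: it runs ntbackup with the wizard options above (verify after backup, restrict access to the owner and Administrators) and registers the nightly schedule with schtasks. It assumes ntbackup.exe on Windows Server 2003 with PowerShell installed; the D:\ADBackup path, the task name and the CORP\svc-backup account are hypothetical.

```powershell
# Added example (not from the book). Assumes ntbackup.exe (Windows Server 2003);
# the backup path, task name and service account are hypothetical.
function Backup-SystemState {
    param([string]$Target = 'D:\ADBackup', [string]$JobName = 'AD SystemState')
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    $file = Join-Path $Target ("SystemState-{0}.bkf" -f (Get-Date -Format 'yyyyMMdd-HHmm'))
    $ntArgs = @('backup', 'systemstate',
                '/J', "`"$JobName`"",   # job name, as entered on the Schedule Jobs tab
                '/F', "`"$file`"",      # File type; tape jobs use /P (pool) and /N (tape name) instead
                '/V:yes',               # "Verify data after backup"
                '/R:yes',               # "Allow only the owner and the Administrator access..."
                '/L:s')                 # summary log
    # /HC:on adds "Use hardware compression" but only applies to tape media
    Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntArgs -Wait -NoNewWindow
    # Confirm the backup set was actually written; ntbackup reports detail in its own log
    if (-not (Test-Path $file) -or (Get-Item $file).Length -eq 0) {
        throw "System state backup did not produce $file; check the ntbackup report."
    }
    return $file
}
# Register the job at 02:00 daily under an account authorized to perform backups;
# /rp * makes schtasks prompt for that account's password instead of storing it here.
function Register-SystemStateBackupTask {
    param([string]$ScriptPath = 'D:\ADBackup\Backup-SystemState.ps1',
          [string]$RunAs = 'CORP\svc-backup')
    $cmd = "powershell.exe -NonInteractive -File `"$ScriptPath`""
    schtasks /create /sc DAILY /st 02:00 /tn "AD SystemState" /tr $cmd /ru $RunAs /rp *
}
```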
Now that you have created
and configured a new AD infrastructure and backed up AD, it's time to
reflect on the interrelationship between AD and TCP/IP. Your correct
understanding of this relationship is crucial. Without it you are doomed
to fail in your efforts to efficiently and correctly administer AD
domains and the AD infrastructure.