Prepare to change server roles in Win2K

How to plan for changing a domain controller’s operations master role.

Domain controllers in a Windows 2000 environment have certain roles to fulfill to make sure Active Directory (AD) functions properly. However, because of server failure or maintenance, you may someday be faced with the task of changing a domain controller’s role. The process of making such a role change requires a bit of preparation. I'm going to show you how to plan for changing a domain controller’s operations master role.

Verifying permissions
Before you can transfer a role, you must have the appropriate permissions, and which permissions you need depends on the role. To change the Infrastructure Master, the RID Master, or the PDC Emulator role within a domain, you must belong to the Domain Admins group of that domain (Enterprise Admins are members of every domain's Domain Admins group by default, so they qualify too). To change the Domain Naming Master, you must belong to the Enterprise Admins group. To change the Schema Master role, you must belong to the Schema Admins group.

Usually, the administrator makes such changes, and it’s not a problem for the administrator to belong to all these groups. But members of these groups can do a lot more to the system than just change a few roles. So, if someone other than the administrator will be moving roles, you may want to limit his or her power. If that's the case, you can create a special group designated for transferring roles.

To create such a group, you must assign the appropriate permissions using the ADSI Edit tool found in the Windows 2000 Support Tools. The Windows 2000 Support tools are found on the Windows 2000 installation CD and aren’t installed by default, so you may need to install them.

In the Windows 2000 Support Tools, launch the ADSI Edit program by selecting Programs | Windows 2000 Support Tools | Tools | ADSI Edit from the Start menu. To assign the ability to transfer a role, right-click ADSI Edit at the top of the tree in the left column. Select Connect To from the context menu to open the Connection dialog box. The Name field is only a label for the connection, so you can enter anything that reminds you what it is for; for example, you might type in Infrastructure Master. By default, the Name field contains the entry Domain NC, as shown in Figure A. For this example, we'll stick with that default.

What matters is the Connection Point. Select the Distinguished Name option under Connection Point and enter the distinguished name of the object that represents the role in the Distinguished Name field. For the Infrastructure Master that object lives in the domain naming context as CN=Infrastructure,DC=<your domain>,DC=<your suffix>; the RID Master is represented by CN=RID Manager$,CN=System in the same domain, and the PDC Emulator by the domain object itself. When you finish, click OK to close the dialog box.

Figure A

Choosing Connect To opens this dialog box.

At this point, ADSI Edit will display a new node called Domain NC. Expand this node to reveal the object for the role whose distinguished name you entered, as shown in Figure B.

Figure B

The Domain NC node will contain an entry for the role you’re configuring.

Open the role object's properties sheet and select the Security tab. You'll see a list of groups and the permissions that have been assigned to those groups. As Figure C shows, you can easily add a group and assign it permission to change a role. In this particular case, I would allow this group the Change Infrastructure Master permission. The other roles are controlled by similar extended rights on their own objects: Change RID Master on the RID Manager$ object, Change PDC on the domain object, Change Domain Master on CN=Partitions in the Configuration container, and Change Schema Master on the Schema container. Grant only the right for the role the group is meant to move; a group that holds all five can take over the whole forest.

Figure C

You can allow a group permission to change a role.
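The ADSI Edit steps above are easy to get subtly wrong (wrong object, wrong right, or an ACE that grants all extended rights instead of one), so it is worth verifying the result. The following script is an added example, not part of the original article, and not Microsoft tooling. It reads the GUID of the Change Infrastructure Master right from the forest's own CN=Extended-Rights container rather than hard-coding it, lists every principal whose ACE on CN=Infrastructure grants that right, and, only when run with -Grant, adds the ACE for a delegated group. It assumes a domain-joined workstation with PowerShell 3.0 or later (Windows 2000 itself has no PowerShell; the LDAP operations it performs are the same ones ADSI Edit uses), and the group name "FSMO Transfer Operators" is a hypothetical placeholder.

```powershell
# Added example: audit (and optionally delegate) the Change Infrastructure Master right.
# Assumptions: domain-joined machine, PowerShell 3+, caller may read the DACL
# (and write it when -Grant is used). The group name below is hypothetical.
param(
    [string]$GroupName = "FSMO Transfer Operators",   # hypothetical delegated group
    [switch]$Grant                                    # without -Grant the script only reports
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# The Infrastructure Master role is represented by CN=Infrastructure in the domain NC.
$roleObj = [ADSI]"LDAP://CN=Infrastructure,$domainDn"

# Resolve the extended right's GUID from the forest's controlAccessRight object
# instead of hard-coding it; CN=Extended-Rights is authoritative for this forest.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
$searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=Change Infrastructure Master))"
$right = $searcher.FindOne()
if (-not $right) { throw "Extended right 'Change Infrastructure Master' not found under CN=Extended-Rights" }
$rightGuid = [Guid]$right.Properties["rightsguid"][0]

# List every Allow ACE that covers this right. An ACE with an empty ObjectType and
# the ExtendedRight bit grants ALL extended rights, so it is reported as well.
$rules = $roleObj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$holders = $rules | Where-Object {
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [Guid]::Empty)
}
"Principals allowed to change the Infrastructure Master on $($roleObj.distinguishedName):"
foreach ($h in $holders) {
    $scope = if ($h.ObjectType -eq [Guid]::Empty) { "ALL extended rights" } else { "this right only" }
    "  $($h.IdentityReference)  [$scope]"
}

if ($Grant) {
    # Translate the group name to a SID and add a single-right ACE (not GenericAll,
    # not all extended rights), then write the DACL back to the directory.
    $nt  = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $roleObj.ObjectSecurity.AddAccessRule($ace)
    $roleObj.CommitChanges()
    "Granted 'Change Infrastructure Master' to $GroupName on $($roleObj.distinguishedName)"
}
```

Run it once without -Grant to see who can already move the role; the "ALL extended rights" marker is the thing to look for, because such an ACE hands the holder every extended right on the object, not just the one you meant to delegate. The same pattern works for the other four roles by changing the role object's distinguished name and the displayName in the filter to the right named in the previous paragraph.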

Locating the operations master roles
In my previous article “When to move operations master roles to another server,” I pointed out that you might want to transfer a role to a different domain controller if the domain controller currently performing the role is too slow or overworked or it contains insufficient resources. However, this statement assumes that you know which domain controller is performing which roles. After all, how can you transfer server roles if you don’t even know which server is performing the role? So, before you transfer a server role, you may need to figure out which server is performing it.

The method you’ll use to identify an operations master role assignment will vary depending on the role you’re trying to identify. You can use this first technique to locate the Relative Identifier Master, the Infrastructure Master, and the PDC Emulator.

Open the Active Directory Users And Computers console by selecting Programs | Administrative Tools | Active Directory Users And Computers from the Start menu. When the console opens, right-click Active Directory Users And Computers in the left column and open the Operations Master properties sheet. This sheet contains three tabs: RID (which stands for Relative Identifier), PDC (indicating the PDC Emulator), and Infrastructure (for the Infrastructure Master role). Each tab indicates which machine currently holds the operations master role. Beneath that listing, you'll see the name of the domain controller the console is currently connected to, which is the machine the role would be transferred to, as shown in Figure D. If that isn't the domain controller you want, first right-click Active Directory Users And Computers, choose Connect To Domain Controller, and pick the intended target; then click the Change button to transfer the role to it.

Figure D

The Operations Master properties sheet lets you determine the role assignments for the Relative Identifier, the PDC Emulator, and the Infrastructure master.

Let's examine how to locate the role assignment for the Domain Naming Master role. The Domain Naming Master is a forest-wide role assigned by default to the first domain controller in the forest. It controls the addition and removal of domains: whenever you create a new domain, AD checks with this server to make sure the name hasn't already been taken. In Windows 2000, the Domain Naming Master must also be a global catalog server, which is the reason it has a partial copy of every object in the forest; that copy belongs to the global catalog function, not to the role itself.

To see which server has been assigned the role of Domain Naming Master, open the Active Directory Domains And Trusts console by selecting Programs | Administrative Tools | Active Directory Domains And Trusts from the Start menu. When the console opens, right-click Active Directory Domains And Trusts and then select Operations Master from the context menu. You'll see a dialog box that resembles the properties sheet shown in Figure D. This dialog box provides you with the name of the server currently holding the Domain Naming Master role and the name of the server the console is connected to, which is where the role will go if you click Change.

The last remaining operations master role is the Schema Master role. As with the Domain Naming Master role, the Schema Master role is assigned by default to the first domain controller in a forest. Remember that AD is a database, and like any other database, it contains a schema. The Schema Master is the only domain controller in the forest on which the schema can be modified; the changes it accepts then replicate to every other domain controller.

To identify the Schema Master role assignment, you must install the Active Directory Schema snap-in for Microsoft Management Console. Open the Control Panel and double-click the Add/Remove Programs icon. Click the Change Or Remove Programs button, locate and select the Windows 2000 Administration Tools, and then click the Change button associated with it. Windows will launch the Windows 2000 Administration Tools Setup Wizard. Click Next to bypass the introductory screen. The next screen gives you a choice of uninstalling or installing the administrative tools. Select the Install All Of The Administrative Tools radio button and click Next. Windows will then validate and install the Administrative Tools. When the installation process is complete, click Finish. If Active Directory Schema still doesn't appear in the list of available snap-ins in the next step, register its DLL from a command prompt with regsvr32 schmmgmt.dll and try again.

Open the Active Directory Schema snap-in by selecting the Run command from the Start menu and entering the MMC command at the Run prompt. This will open an empty Microsoft Management Console session. Select the Add/Remove Snap-In command from the Console menu and then click Add in the Standalone tab to display a list of all of the available snap-ins. Select Active Directory Schema from the list and click the Add button followed by Close and OK. You’ll then see the Active Directory Schema snap-in displayed within the console.

Right-click the Active Directory Schema node located in the left column and then select the Operations Master command from the context menu. The dialog box displays the name of the current Schema Master and the name of the server the snap-in is connected to, which is the server the role would be transferred to. Just click Change to make the transfer. We'll go into more detail about changing the Schema Master role in an upcoming article.
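Finding the five role holders takes three consoles plus a snap-in install, and each console only reports what the directory already records in the fSMORoleOwner attribute of the role's object. The following script is an added example, not part of the original article, that reads those five attributes directly and resolves each holder to its DNS host name, so you can confirm role assignments before and after a transfer. It assumes a domain-joined workstation with PowerShell 3.0 or later (Windows 2000 has no PowerShell, but the reads are plain LDAP against any domain controller, Windows 2000 included), and it makes no changes.

```powershell
# Added example: read the holder of all five operations master roles.
# Assumptions: domain-joined machine, PowerShell 3+, read access to the
# domain, configuration and schema naming contexts (any authenticated user has it).
function Get-OperationsMasterHolders {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext
    $configDn = [string]$rootDse.configurationNamingContext
    $schemaDn = [string]$rootDse.schemaNamingContext

    # Each role is recorded in the fSMORoleOwner attribute of one specific object.
    $roleObjects = [ordered]@{
        "PDC Emulator"          = $domainDn                                # the domain object itself
        "RID Master"            = "CN=RID Manager`$,CN=System,$domainDn"
        "Infrastructure Master" = "CN=Infrastructure,$domainDn"
        "Domain Naming Master"  = "CN=Partitions,$configDn"
        "Schema Master"         = $schemaDn                                # CN=Schema,CN=Configuration,...
    }

    foreach ($role in $roleObjects.Keys) {
        $obj = [ADSI]"LDAP://$($roleObjects[$role])"
        # fSMORoleOwner is the DN of the holder's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=...
        $ntdsDn = [string]$obj.fSMORoleOwner
        # The server object is the parent of NTDS Settings; its dNSHostName is the
        # name the consoles display on the Operations Master dialog boxes.
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $server   = [ADSI]"LDAP://$serverDn"
        [pscustomobject]@{
            Role       = $role
            Holder     = [string]$server.dNSHostName
            RoleObject = $roleObjects[$role]
        }
    }
}

Get-OperationsMasterHolders | Format-Table -AutoSize
```

If a role's holder comes back as a server that no longer exists or is offline, the Change button in the consoles will not work, because Change performs a transfer that requires the current holder to respond; in that case the role has to be seized, which is a different procedure.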

Changing a domain controller's role is no small task. If you don't have the correct rights, or don't know where to look to find which role a server is currently playing, you won't be able to change the role. Keep one distinction in mind as you plan: the Change buttons described here perform a transfer, which needs the current role holder to be online and reachable. If the holder has failed for good, the role must instead be seized with ntdsutil, and a domain controller whose role was seized must never be brought back onto the network without being reinstalled. After you've taken the necessary steps to set the rights and confirm who holds what, you can move on to changing roles.

Editorial disclaimer: The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.