Rally 'Round the Server Roles
Nagging doubts about which domain controller is the RID Master.
- By Bill Boswell
- October 14, 2003
Bill: I recently read your book, Inside Windows 2003, and found it extremely
informative. (I particularly enjoyed your comments about the uncanny knack
of users to remember admin passwords even though they forget their own, etc.
Very true!) I have been working with Windows 2000 for the past three years,
and with Windows 2003, and would like to clarify a couple of points with you.
In a native Windows 2000 domain I recently had to seize the RID Master
role from one domain controller to a different DC due to a problem with
the original server. The role seizure went without incident; the
old RID Master is R.I.P. and all is well with the domain. Now I have
this doubt as to whether or not the new RID pool numbers have started
to be disbursed.
When I seize the role to a different server, how does the new server
know what the valid range is?
My other doubt was: even though Microsoft recommends that the RID Master and
PDC Emulator be the same server, for obvious reasons, in a mixed-mode
domain, is this still necessary for domains running native Windows 2000
or Windows 2003? I see it as more redundant to have these roles separated
on two DCs in a native domain, but can you correct me if I am wrong?
—Name withheld
Thanks for getting my book. I appreciate your nice words.
The FSMO information for the RID Master is stored in an AD object called
RID Manager$, located in the System container. You'll need to turn on
Advanced Features (on the View menu) in Active Directory Users and Computers
to see this object. When you transfer the RID Master role (or seize it to
another domain controller), all you do is change the fSMORoleOwner attribute
of this object, which holds the distinguished name of the NTDS Settings
object of the domain controller that owns the role. The other domain
controllers in the domain start using the new RID Master because they all
hold a copy of the domain naming context that contains the RID Manager$
object, and the changed attribute replicates to them like any other write.
The RID Manager$ object also has an attribute called rIDAvailablePool, a
64-bit large integer: the low 32 bits hold the next RID the RID Master will
hand out, and the high 32 bits hold the highest RID the domain can ever
allocate. Because this attribute replicates with the object, the DC you
seize the role to already has the current value and simply continues
allocating from the next-RID half. That is how it knows the valid range.
One caveat: if the old RID Master handed out pools after its last
successful replication, the copy the new holder starts from lags behind
what was actually issued. (Microsoft Knowledge Base article 305475 has a
detailed explanation of how the large integer value of rIDAvailablePool
is used.)
That's why it's so important not to bring the old RID Master back online
once you seize the role to another domain controller. Until replication
tells it otherwise, the old server still believes it owns the role and
allocates from its own copy of rIDAvailablePool, so it can pass out a pool
the new RID Master has already issued. The resulting duplicate RIDs (and
therefore duplicate SIDs) cause insidious problems that might take months
or years to emerge. For example, if two Windows 2000 or Windows 2003
servers have the same RID, they cannot both be domain controllers. You'll
get odd error messages when you try to promote the second server.
When a Windows Server 2003 domain is running at the Windows 2000 Mixed
functional level (known as mixed mode in Windows 2000), then only the
PDC Emulator is able to draw numbers from the RID pool. This emulates
classic NT operations, where the PDC is the only machine with read/write
access to the SAM.
In Windows 2000 Native functional level (native mode in Windows 2000),
each DC keeps a local pool of RIDs. A DC takes 500 at a time from the
domain-wide pool and goes back to the RID Master for another block only
when its local pool is down to 100 RIDs.
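The answer above describes three mechanisms in prose: the next-RID value carried in rIDAvailablePool, the 500-RID blocks each DC pulls with a refill at 100, and the duplicate-RID hazard when an old RID Master returns after a seizure. The following Python model is added here to put all three together so the numbers can be checked; it is not code from the column or from Windows. The attribute layout it assumes (low 32 bits next RID, high 32 bits ceiling) is the documented one, while the starting RID 1600, the ceiling 0x3FFFFFFF, the DC name and the class names are constructed for illustration.

```python
# Added example, not part of Bill's column: a model of how the RID Master
# carves per-DC blocks out of rIDAvailablePool, how a DC refills its local
# pool, and why an old role holder that comes back after a seizure hands
# out RIDs the new holder has already issued. Block sizes follow the column
# (500 per block, refill when 100 remain); the start RID 1600 and the
# ceiling 0x3FFFFFFF are constructed values, not read from any domain.

POOL_SIZE = 500          # RIDs in one block handed to a DC
REFILL_AT = 100          # a DC asks for a new block when this many are left
LOW32 = 0xFFFFFFFF


def decode_available_pool(value):
    """Split the 64-bit rIDAvailablePool value: (next RID to issue, ceiling)."""
    return value & LOW32, value >> 32


def encode_available_pool(next_rid, ceiling):
    """Inverse of decode_available_pool."""
    return (ceiling << 32) | next_rid


def blocks_overlap(a, b):
    """True if two (first, last) RID blocks share at least one RID."""
    return a[0] <= b[1] and b[0] <= a[1]


class RidMaster:
    """Owns the domain-wide pool; every allocation advances the low half."""

    def __init__(self, available_pool, online=True):
        self.next_rid, self.ceiling = decode_available_pool(available_pool)
        self.online = online

    @property
    def available_pool(self):
        return encode_available_pool(self.next_rid, self.ceiling)

    def allocate(self, size=POOL_SIZE):
        """Carve a block of `size` RIDs, or fail if unreachable or exhausted."""
        if not self.online:
            raise ConnectionError("RID Master unreachable")
        first, last = self.next_rid, self.next_rid + size - 1
        if last > self.ceiling:
            raise RuntimeError("domain RID space exhausted")
        self.next_rid = last + 1
        return (first, last)


class DomainController:
    """Issues RIDs from its local block (rIDAllocationPool / rIDNextRID)."""

    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.block = master.allocate()   # current local block
        self.next_rid = self.block[0]    # next RID this DC stamps on a SID
        self.standby = None              # next block, requested ahead of time

    def remaining(self):
        return self.block[1] - self.next_rid + 1

    def issue_rid(self):
        """RID for a new security principal; refills early, fails only when
        the block is empty and the RID Master still cannot be reached."""
        if self.remaining() <= REFILL_AT and self.standby is None:
            try:
                self.standby = self.master.allocate()
            except ConnectionError:
                pass                     # keep issuing from what is left
        if self.remaining() == 0:
            if self.standby is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted")
            self.block, self.standby = self.standby, None
            self.next_rid = self.block[0]
        rid = self.next_rid
        self.next_rid += 1
        return rid


def maintenance_scenario(master_online):
    """Create up to 600 principals on one DC; the RID Master is taken down
    right after the DC received its first block. Returns (count, first, last)."""
    master = RidMaster(encode_available_pool(1600, 0x3FFFFFFF))
    dc = DomainController("DC1", master)
    master.online = master_online
    issued = []
    try:
        while len(issued) < 600:
            issued.append(dc.issue_rid())
    except RuntimeError:
        pass                             # pool ran dry with the master down
    return len(issued), issued[0], issued[-1]


def seizure_scenario():
    """The role is seized using the replica's copy of rIDAvailablePool; the
    old holder then comes back and allocates from its own, identical copy."""
    old_master = RidMaster(encode_available_pool(1600, 0x3FFFFFFF))
    new_master = RidMaster(old_master.available_pool)   # seized from replica
    fresh_block = new_master.allocate()
    stale_block = old_master.allocate()                 # old box back online
    return fresh_block, stale_block, blocks_overlap(fresh_block, stale_block)
```

maintenance_scenario(False) shows a DC finishing its current block and failing on the 501st account, which is the situation the maintenance advice below is meant to avoid; seizure_scenario() shows two holders working from the same copy of rIDAvailablePool carving the identical block 1600 to 2099, which is exactly the duplicate the column warns about. In a real domain the corresponding values are rIDAvailablePool on CN=RID Manager$,CN=System and rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID on the RID Set object under each domain controller's computer object.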
As for separating the RID Master and PDC Emulator roles, you're quite
right that at Native functional level you don't need to keep both roles
on the same server. The PDC Emulator should sit in a well-connected part
of your network because of its role as final arbiter of password changes.
The RID Master can be tucked away on a DC somewhere else in the domain.
You can take either server down for maintenance. Just make sure the RID
Master comes back online before any of your domain controllers exhausts
its local RID pool, because a DC with an empty pool cannot create users,
groups, or computer accounts until it gets a new block. In other words,
if you administer a secondary school network, don't schedule maintenance
on the RID Master on the same day you create the accounts for the
freshman class.
Hope this helps.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.