Rally 'Round the Server Roles

Nagging doubts about which domain controller is the RID Master.

Bill: I recently read your book, Inside Windows 2003, and found it extremely informative. (I particularly enjoyed your comments about the uncanny knack of Users to remember admin passwords even though they forget their own etc. Very true!) I have been working with Windows 2000 for the past three years and Windows 2003 and would like to clarify a couple of points with you.

In a native Windows 2000 domain I had to recently seize the RID Master role from one domain controller to a different DC due to a problem with the original server. The role-seizing went without any incident—the old RID Master is R.I.P. and all is well with the domain. Now, I have this doubt as to whether or not the new RID Pool numbers have been started to be disbursed.

When I seize the role to a different server, how does the new server know as to what the valid range is?

My other doubt was, even though Microsoft recommends the RID Master and PDC Emulator to be the same server for obvious reasons, in a mixed mode domain is this still necessary for domains running native Windows 2000 or Windows 2003? I see it more redundant to have these roles separated on two DCs in a native domain, but can you correct me if I am wrong?
—Name withheld

Thanks for getting my book. I appreciate your nice words.

The FMSO information for the RID Master is stored in an AD object called RID Manager$, located in the System container. You'll need to turn on Advanced View in Active Directory Users and Computers to see this object. When you transfer the RID Master role (or seize it to another domain controller), all you do is change the name of the server stored in the FSMORoleOwner attribute of this object. The other domain controllers in the domain start using this new RID Master because they all have a copy of the Domain naming context that contains the RID Master$ object.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

The RID Master$ object also has an attribute called RIDAvailablePool that contains the total available RIDs and the starting point for the next RID. (Microsoft KnowledgeBase 305475 has a detailed explanation of how the large integer value of RIDAvailablePool is used.)

That's why it's so important not to bring the old RID Master back online once you seize the role to another domain controller. There's a possibility that the old RID Master will pass out a duplicate RID, causing potentially devious problems that might take months or years to emerge. For example, if two Windows 2000 or Windows 2003 servers have the same RID, they cannot both be domain controllers. You'll get odd error messages when you try to promote the second server.

When a Windows Server 2003 domain is running at the Windows 2000 Mixed functional level (known as mixed mode in Windows 2000), then only the PDC Emulator is able to draw numbers from the RID pool. This emulates classic NT operations, where the PDC is the only machine with read/write access to the SAM.

In Windows 2000 Native functional level (native mode in Windows 2000), each DC maintains a local cache of RIDs. They carve out 500 at a time from the RID pool and they only go back to the RID Master for more numbers when the local cache reaches 100 RIDs.

As for separating the RID Master and PDC Emulator roles, you're quite right that in Native functional level, you don't need to keep both roles on the same server. The PDC Emulator should be at an area of your network with good connections because of its role as final arbiter of password changes. The RID master can be tucked on a DC somewhere else in the domain. You can take either server down for maintenance. Just make sure that the RID Master comes back online before you exhaust the RID pool at any of your domain controllers. In other words, if you are the administrator of a secondary school network, don't schedule maintenance on the RID Master on the same day that you create the accounts for the freshman class at a high school.

Hope this helps.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Featured