Rally 'Round the Server Roles

Nagging doubts about which domain controller is the RID Master.

Bill: I recently read your book, Inside Windows 2003, and found it extremely informative. (I particularly enjoyed your comments about the uncanny knack of users to remember admin passwords even though they forget their own, etc. Very true!) I have been working with Windows 2000 for the past three years, and with Windows 2003, and would like to clarify a couple of points with you.

In a native Windows 2000 domain I recently had to seize the RID Master role from one domain controller to a different DC due to a problem with the original server. The role seizure went without incident; the old RID Master is R.I.P. and all is well with the domain. Now I have this doubt as to whether the new RID pool numbers have started being disbursed.

When I seize the role to a different server, how does the new server know what the valid range is?

My other doubt was, even though Microsoft recommends the RID Master and PDC Emulator to be the same server for obvious reasons, in a mixed mode domain is this still necessary for domains running native Windows 2000 or Windows 2003? I see it more redundant to have these roles separated on two DCs in a native domain, but can you correct me if I am wrong?
—Name withheld

Thanks for getting my book. I appreciate your nice words.

The FSMO information for the RID Master is stored in an AD object called RID Manager$, located in the System container of the domain naming context. You'll need to turn on Advanced Features in the View menu of Active Directory Users and Computers to see the System container. When you transfer the RID Master role (or seize it to another domain controller), all that changes is the fSMORoleOwner attribute of this object, which holds the distinguished name of the NTDS Settings object of the DC that owns the role. The other domain controllers in the domain start using the new RID Master because they all hold a replica of the domain naming context, RID Manager$ object included.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

The RID Manager$ object also has an attribute called rIDAvailablePool. It is a 64-bit large integer: the high 32 bits hold the upper bound of the domain's RID space, and the low 32 bits hold the next RID the RID Master will hand out, which is the start of the next block it issues. Because that value replicates with the rest of the object, the DC that seizes the role already knows where the unissued range begins, as of its last replication from the old RID Master. (Microsoft Knowledge Base article 305475 explains in detail how the large integer value of rIDAvailablePool is used.)

That's also why it's so important not to bring the old RID Master back online once you've seized the role to another domain controller. Its copy of rIDAvailablePool stops where it was when the server died, and its own copy of fSMORoleOwner still names it as the owner until it replicates, so it can hand out a block that the new RID Master has already issued, and two security principals end up with the same RID. The problems that causes are insidious and can take months or years to surface. For example, if two Windows 2000 or Windows Server 2003 servers have the same RID, they cannot both be domain controllers: you'll get odd error messages when you try to promote the second one.

When a Windows Server 2003 domain is running at the Windows 2000 Mixed functional level (known as mixed mode in Windows 2000), the domain can still contain Windows NT 4.0 BDCs. Those BDCs hold read-only copies of the SAM, exactly as in classic NT, where only the PDC could write to it, so the PDC Emulator is the one DC that replicates to them and the one place downlevel clients and tools can make changes. The Windows 2000 and Windows Server 2003 DCs are not restricted that way: each of them obtains its own RID pools from the RID Master and creates security principals on its own.

Regardless of functional level, each Windows 2000 or Windows Server 2003 DC keeps a local pool of RIDs. It carves out a block of 500 from the RID Master, and when the block runs down to 100 unused RIDs it goes back to the RID Master for the next one. The pool a DC is currently consuming and the one it has pre-fetched are recorded in that DC's RID Set object, a child of its computer account.

As for separating the RID Master and PDC Emulator roles, you're quite right that at the native functional level you don't need to keep both roles on the same server. The PDC Emulator belongs in a well-connected part of your network because of its role as final arbiter of password changes. The RID Master can be tucked away on a DC somewhere else in the domain. You can take either server down for maintenance; just make sure that the RID Master comes back online before any domain controller exhausts its RID pool, because a DC that cannot get a new block stops creating security principals. In other words, if you run a secondary school network, don't schedule maintenance on the RID Master on the day you create the accounts for the incoming freshman class.

Hope this helps.
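The checks a practitioner would want after a seizure like the reader's, as an added PowerShell example that is not part of Bill's column. It reads CN=RID Manager$ (fSMORoleOwner and rIDAvailablePool) and every DC's RID Set through System.DirectoryServices, decodes the 64-bit pool values into their high and low halves, and then tests two things: that no two DCs hold overlapping pools, and that the RID Master's next-pool pointer sits above every pool already issued. The second test is what catches a stale rIDAvailablePool on the seizing DC (a block the old master issued just before it died and never replicated) as well as an old master that was brought back online. It assumes a domain-joined host, a domain admin account, and the real AD object and attribute names; the server name is derived from the fSMORoleOwner DN, which points at the owner's NTDS Settings object.

```powershell
# Added example, not from the column: read CN=RID Manager$ and every DC's RID Set
# through System.DirectoryServices (no RSAT module required) and check that no two
# DCs hold overlapping pools and that the RID Master's next-pool pointer sits above
# every pool already issued. Assumed: run on a domain-joined host as a domain admin.
# Object and attribute names are the real Active Directory ones.
Add-Type -AssemblyName System.DirectoryServices

function Split-LargeInteger {
    # rIDAvailablePool and the RID Set pool attributes are 64-bit large integers:
    # the high 32 bits hold the upper bound of the range, the low 32 bits the lower bound.
    param([Int64]$Value)
    [PSCustomObject]@{
        High = [UInt32](($Value -shr 32) -band 0xFFFFFFFF)
        Low  = [UInt32]($Value -band 0xFFFFFFFF)
    }
}

function Find-Ldap {
    # Thin wrapper over DirectorySearcher that emits one SearchResult per hit.
    param([string]$Base, [string]$Filter, [string[]]$Props, [string]$Scope = 'Subtree')
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Base")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $Filter, $Props)
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 500
    foreach ($r in $searcher.FindAll()) { $r }
}

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# 1. Who the directory says the RID Master is, and where the unissued range begins.
$ridMgr = @(Find-Ldap -Base "CN=RID Manager`$,CN=System,$domainDn" -Scope 'Base' `
            -Filter '(objectClass=*)' -Props 'fSMORoleOwner','rIDAvailablePool')[0]
$ownerDn   = [string]$ridMgr.Properties['fsmoroleowner'][0]
$available = Split-LargeInteger ([Int64]$ridMgr.Properties['ridavailablepool'][0])
# fSMORoleOwner is the DN of the owner's NTDS Settings object; the server is the next RDN.
$ownerName = ($ownerDn -split ',')[1] -replace '^CN=', ''
"RID Master per fSMORoleOwner : $ownerName"
"Next RID the master will issue: $($available.Low)  (domain RID space ends at $($available.High))"

# 2. Every DC's RID Set: the pool it is drawing from and the one it has pre-fetched.
$sets = @(foreach ($r in Find-Ldap -Base $domainDn -Filter '(objectClass=rIDSet)' `
              -Props 'distinguishedName','rIDAllocationPool','rIDPreviousAllocationPool','rIDNextRID') {
    $dn     = [string]$r.Properties['distinguishedname'][0]
    $active = Split-LargeInteger ([Int64]$r.Properties['ridpreviousallocationpool'][0])
    $next   = Split-LargeInteger ([Int64]$r.Properties['ridallocationpool'][0])
    $last   = if ($r.Properties.Contains('ridnextrid')) { [Int64]$r.Properties['ridnextrid'][0] } else { $null }
    [PSCustomObject]@{
        DC         = ($dn -split ',')[1] -replace '^CN=', ''   # RID Set lives under CN=<DC>
        ActiveLo   = $active.Low;  ActiveHi  = $active.High   # pool currently being consumed
        PendingLo  = $next.Low;    PendingHi = $next.High     # pool fetched for later use
        LastIssued = $last                                    # rIDNextRID: last RID handed out
    }
})
$sets | Format-Table -AutoSize

# 3. The checks that matter after a seizure. Two DCs with overlapping pools, or a
# master whose pointer is below a pool already issued, means duplicate RIDs ahead.
$ranges = @(foreach ($s in $sets) {
    [PSCustomObject]@{ DC = $s.DC; Lo = $s.ActiveLo; Hi = $s.ActiveHi }
    if ($s.PendingLo -ne $s.ActiveLo) {                    # same pool until a new one is fetched
        [PSCustomObject]@{ DC = $s.DC; Lo = $s.PendingLo; Hi = $s.PendingHi }
    }
})
for ($i = 0; $i -lt $ranges.Count; $i++) {
    for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
        $a = $ranges[$i]; $b = $ranges[$j]
        if ($a.Lo -le $b.Hi -and $b.Lo -le $a.Hi) {
            Write-Warning ("Overlapping RID pools: {0} [{1}-{2}] and {3} [{4}-{5}]" -f `
                $a.DC, $a.Lo, $a.Hi, $b.DC, $b.Lo, $b.Hi)
        }
    }
}
$highestIssued = ($ranges | Measure-Object -Property Hi -Maximum).Maximum
if ($available.Low -le $highestIssued) {
    Write-Warning ("rIDAvailablePool points at {0}, but a pool up to {1} is already issued" -f `
        $available.Low, $highestIssued)
} else {
    "No overlap found; the RID Master's next pool starts above every issued pool."
}
```

Run it from any DC or management workstation. A warning from the third check means the seizing DC's replica of RID Manager$ was behind the dead master; the safe response is to let the new RID Master invalidate and re-request pools rather than to ever power the old server back on. The overlap check is also the quickest way to confirm the new master really has begun disbursing: a DC that has fetched a block since the seizure shows PendingLo above the old master's last known pointer.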

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison-Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
