Special Domain Operations
In the previous chapters of Windows 2003: Active Directory Administration Essentials, I’ve discussed many of the Windows Server 2003 (Windows 2003) tasks you might perform regularly or periodically – although not always daily. Those tasks include working with
• trusts
• authentication firewalls
• security control
• Emergency Management Services (EMS)
• backup and restore
• advanced administration with support tools

In this final chapter, I discuss administrative tasks that involve operations I hope you seldom – if ever – need to perform. These useful and occasionally necessary operations can be hazardous to the overall health of Active Directory (AD) if they’re not handled perfectly. However, should you be called upon, you’ll want to know how to perform these tasks. I recommend that you attempt these operations first in a test lab – before you’re called to active (directory) duty.

Among the administrative tasks I cover are working with server roles, cleaning up the AD metabase, renaming domain controllers (DCs), and renaming domains. Because the powerful operations you’ll use for these tasks involve specific dangers, you need to know how to perform the operations safely.
FSMO Role Review and Troubleshooting
If you’re a current Windows 2000 administrator, you probably already know about Flexible Single Master Operation (FSMO, aka Operations Master) roles. FSMO roles control specific Windows 2003 and Win2K domain capabilities, as I describe in the following text.

Each of the five FSMO roles – two for the entire forest, three for each domain – must reside on a DC. Each role plays a key part in the proper operation of AD.

Each domain role resides in a specific location and controls specific tasks:
• PDC Emulator – Each domain has one PDC Emulator. The PDC Emulator is the sole password change location for downlevel clients, the central authority for time synchronization, and the default location for the creation of Group Policy Objects (GPOs).
• Relative Identifier (RID) Master – Each domain has one RID Master. The RID Master helps in the creation of new accounts in each domain by providing a unique identification number for each user account. Each user’s SID has a RID. As you read in the previous chapter, Acctinfo.dll can show you the user’s SID. The last portion of the user’s SID (the block of numbers that follows the last dash – 1120 in the following screen shot) is the RID, which Figure 8.1 shows.
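
The SID-to-RID relationship described above, as an added example (not from the book): it decodes a binary SID, as AD stores it in the objectSid attribute, and splits off the RID. The sample bytes are constructed, the function names are hypothetical, and the well-known RID table and the 1000 threshold go beyond what the text states.

```python
import struct

# RIDs Windows assigns itself in every domain; RIDs handed out for new
# accounts come from pools issued by the RID Master and start at 1000.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   516: "Domain Controllers"}


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (objectSid layout) to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subauths = struct.unpack("<%dI" % count, raw[8:])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subauths)])


def split_sid(sid: str):
    """Return (domain_sid, rid); the RID is the number after the last dash."""
    domain_sid, _, rid = sid.rpartition("-")
    if not domain_sid.startswith("S-1-") or not rid.isdigit():
        raise ValueError("not a SID string: %r" % sid)
    return domain_sid, int(rid)


def describe_rid(rid: int) -> str:
    """Say whether a RID is a built-in value or one issued for a new account."""
    if rid in WELL_KNOWN_RIDS:
        return "well-known: " + WELL_KNOWN_RIDS[rid]
    return "allocated from a RID pool" if rid >= 1000 else "reserved"


# Constructed sample: the three domain sub-authorities are made up;
# 1120 is the RID used as the illustration in the text.
SAMPLE_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1120))

if __name__ == "__main__":
    text = sid_to_string(SAMPLE_SID)
    domain, rid = split_sid(text)
    print(text, "| domain:", domain, "| RID:", rid, "|", describe_rid(rid))
```

Every account in a domain shares the same domain portion of the SID, so two SIDs that differ only in the final number belong to the same domain.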
Brought to you by Windows & .NET Magazine