Domain controllers in a Windows 2000 environment have certain roles to fulfill to make sure Active Directory (AD) functions properly. However, because of server failure or maintenance, you may someday be faced with the task of changing a domain controller’s role. Making such a role change requires a bit of preparation. In this Daily Drill Down, I’ll explain how to plan for changing a domain controller’s operations master role. In an upcoming article, I'll give you the steps required to actually make such changes.
Before you can transfer a role, you must have the appropriate permissions. The required permissions depend on which role you plan to transfer. To change the Infrastructure Master, the RID Master, or the PDC Emulator role within a domain, the user making the change must belong to the Domain Admins group and/or the Enterprise Admins group. Members of the Enterprise Admins group also have the ability to change the domain-naming master. However, if you want to change the schema master role, you must belong to the Schema Admins group.
Usually, the administrator makes such changes, so it’s not a problem for the administrator to belong to all these groups. However, if someone other than the administrator will be moving roles, you may not want them to belong to some of these groups, because a member of these groups can do a lot more to the system than just change a few roles. If you find yourself wanting to limit a user’s power, but that user needs to be able to transfer roles, you can create a special group designated for transferring roles.
To create such a group, you must assign the appropriate permissions using the ADSI Edit tool found in the Windows 2000 Support Tools. The Windows 2000 Support Tools are on the Windows 2000 installation CD and aren’t installed by default, so if you don't have them installed, you will need to install them first. Once they are installed, launch ADSI Edit by selecting Programs | Windows 2000 Support Tools | Tools | ADSI Edit from the Start menu.
To assign the ability to transfer a role to a group, right-click ADSI Edit at the top of the tree in the column to the left. When you do, you’ll see a context menu appear. Select Connect To from the menu, and the Connection dialog box will open. In the dialog box’s Name field, enter the role you want to modify. For example, you could type in Infrastructure Master; however, the default name is Domain NC (Figure A). For this example, I have kept the default name. Next, go to the Connection Point section and select the Distinguished Name radio button. In the Distinguished Name field, enter the role’s distinguished name, as in Figure A. Click OK to close the dialog box.
At this point, ADSI Edit will display a new node called Domain NC. Expand this node to reveal the server role you entered the distinguished name for, as shown in Figure B.
The Domain NC node will contain an entry for the role you’re configuring.
Open the server role’s properties sheet and select the Security tab. You’ll see a list of groups and the permissions that have been assigned to those groups. As Figure C shows, you can easily add a group and assign it permissions to change a role. In this particular case, I would allow this group the Change Infrastructure Master permission.
You can allow a group permission to change a role.
Locating the operations master roles
In my previous Daily Drill Down, “When to move operations master roles to another server,” I pointed out that you might want to transfer a role to a different domain controller if the domain controller currently performing the role is too slow, overworked, or contains insufficient resources. However, this statement assumes that you know which domain controller is performing which roles. After all, how can you transfer server roles if you don’t even know which server is performing the role? So before you transfer a server role, you may need to figure out which server is performing the role.
The method you’ll use to identify an operations master role assignment will vary depending on the role you’re trying to identify. You can use this first technique to locate the Relative Identifier Master, the Infrastructure Master, and the PDC Emulator. Open the Active Directory Users And Computers console by selecting Programs | Administrative Tools | Active Directory Users And Computers from the Start menu. When the console opens, right-click Active Directory Users And Computers in the column on the left and open the Operations Master properties sheet. This properties sheet contains three tabs: RID (which stands for Relative Identifier), PDC (indicating the PDC Emulator), and Infrastructure (the Infrastructure Master role). You’ll notice that each tab also indicates which machine currently holds the operations master role. Beneath the listing, you'll see the name of another machine that you can assign the role to by simply clicking the Change button. You can see an example of this in Figure D.
The Operations Master properties sheet can be used to determine the role assignments for the Relative Identifier, the PDC Emulator, and the Infrastructure master.
Let's examine how to locate the role assignments for the Domain Naming Master role. The Domain Naming Master role is a forest-specific role assigned by default to the first domain controller within the forest, and it contains a copy of every object in the entire AD. Whenever you create a new domain, AD checks with this server to make sure that the name hasn’t already been taken. The Domain Naming Master also serves as a global catalog server.
To see which server has been assigned the role of Domain Naming Master, open the Active Directory Domains And Trusts console by selecting Programs | Administrative Tools | Active Directory Domains And Trusts from the Start menu. When the console opens, right-click Active Directory Domains And Trusts and then select Operations Master from the context menu. You’ll see a dialog box that closely resembles the properties sheet shown in Figure D. This dialog box provides you with the name of the server currently holding the Domain Naming Master role and the name of a server you can move the role to by clicking the Change button.
The last remaining operations master role is the Schema Master role. As with the Domain Naming Master role, the Schema Master role is assigned by default to the first domain controller in a forest. Remember that AD is a database, and like any other database, it contains a schema. The Schema Master is responsible for defining the AD schema for all domain controllers within the entire forest.
To identify the Schema Master role assignment, you must install the Active Directory Schema snap-in for Microsoft Management Console. Open the Control Panel and double-click the Add/Remove Programs icon. When Windows displays the Add/Remove Programs Control Panel applet, click the Change Or Remove Windows Programs button. You’ll then see a list of all of the programs currently installed on your system. Locate and select Windows 2000 Administration Tools, and then click the Change button associated with it. Windows will launch the Windows 2000 Administration Tools Setup wizard. Click Next to move past the introductory screen. The next screen gives you a choice of uninstalling or installing the Administrative Tools. Select the Install All Of The Administrative Tools radio button and click Next. Windows will then validate and install the Administrative Tools. When the installation process is complete, click Finish to terminate the wizard.
Open the Active Directory Schema snap-in by selecting the Run command from the Start menu and entering the MMC command at the Run prompt. Then, an empty Microsoft Management Console session will open. Select the Add/Remove Snap-In command from the Console menu to display the Add/Remove Snap-In properties sheet. Click the Standalone tab’s Add button to display a list of all of the available snap-ins. Select Active Directory Schema from the list and click the Add button followed by the Close button and the OK button. You’ll then see the Active Directory Schema snap-in displayed within the console. Right-click the Active Directory Schema node located in the column on the left and then select the Operations Master command from the context menu. The dialog box displays the name of the current Schema Master and the name of a server that you can transfer the Schema Master role to with a click of the Change button. We’ll go into detail about changing the Schema Master role in an upcoming Daily Drill Down.
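The console-hopping above (Users And Computers, Domains And Trusts, the Schema snap-in) and the ADSI Edit delegation earlier in this Daily Drill Down can both be checked from one place, because each operations master role is recorded in the fSMORoleOwner attribute of a well-known directory object, and the "Change ..." permission granted in ADSI Edit is an extended right in that object's ACL. The following PowerShell script is an added example, not part of the original article; it assumes a domain-joined Windows host with PowerShell and read access to the directory, and uses only ADSI (System.DirectoryServices), so no RSAT module is needed. For every role it reports the current holder and every trustee who is allowed to transfer it, including those who get the right through inheritance or full control, which the Security tab alone makes easy to miss.

```powershell
# Added example: audit operations master (FSMO) holders and who may transfer them.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext[0]
$configNc = $rootDse.configurationNamingContext[0]
$schemaNc = $rootDse.schemaNamingContext[0]

# Object whose fSMORoleOwner names the holder, and the extended right (by its
# displayName under CN=Extended-Rights) that permits transferring that role.
$roles = @(
    @{ Name = 'PDC Emulator';          Dn = $domainNc;                             Right = 'Change PDC' }
    @{ Name = 'RID Master';            Dn = "CN=RID Manager`$,CN=System,$domainNc"; Right = 'Change Rid Master' }
    @{ Name = 'Infrastructure Master'; Dn = "CN=Infrastructure,$domainNc";         Right = 'Change Infrastructure Master' }
    @{ Name = 'Domain Naming Master';  Dn = "CN=Partitions,$configNc";             Right = 'Change Domain Master' }
    @{ Name = 'Schema Master';         Dn = $schemaNc;                             Right = 'Change Schema Master' }
)

# Resolve an extended right's GUID from the configuration partition instead of
# hard-coding it, so the script stays correct across forests.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Extended-Rights,$configNc",
        "(&(objectClass=controlAccessRight)(displayName=$DisplayName))")
    $hit = $searcher.FindOne()
    if ($hit) { [guid]$hit.Properties['rightsguid'][0] }
}

function Get-OperationsMasterAudit {
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($role in $roles) {
        $obj       = [ADSI]"LDAP://$($role.Dn)"
        $ownerDn   = $obj.psbase.Properties['fSMORoleOwner'].Value   # DN of the holder's NTDS Settings object
        $rightGuid = Get-ExtendedRightGuid $role.Right
        $trustees  = $obj.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    $_.ObjectType -eq $rightGuid -or
                    # An ACE with an empty ObjectType and the ExtendedRight bit (or full
                    # control, which includes it) grants every extended right on the object.
                    ($_.ObjectType -eq [guid]::Empty -and ($_.ActiveDirectoryRights -band $extendedRight)))
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Role        = $role.Name
            Holder      = ($ownerDn -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')  # server name only
            CanTransfer = ($trustees -join '; ')
        }
    }
}

Get-OperationsMasterAudit | Format-Table -AutoSize
```

If a custom role-transfer group like the one created with ADSI Edit earlier appears in the CanTransfer column for roles you did not intend to delegate, the right was most likely granted higher in the tree and is being inherited.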
Changing a domain controller’s role is no small task. If you don’t have the correct rights or know where to begin to look to find what role the server is currently playing, you’ll never be able to change the role. After you’ve taken the necessary steps to set the rights, you can move on to changing roles.