Another thing to try for slow logins
Posted: 10/5/2005 9:25:48 AM
By: Comfortably Anonymous
Times Read: 2,222
Topic: Windows Administration
I had a domain controller go down, thought everything would be handled by the other domain controller, but logins became very slow again. From doing more research, I found that there are these things called Operations Master Roles on both Win2K and Win2K3 servers.

There are five roles that can be distributed among multiple domain controllers, but each role stays assigned to a single machine and is NOT automatically moved to another machine when the machine with the role assignment goes offline (either from being shut down or from a crash).

The five roles are:

1) Infrastructure Owner: The infrastructure master for a given domain maintains a list of the security principals for any linked-value attributes.

2) PDC Owner: Emulates an NT4-style Primary Domain Controller

3) RID Owner: The RID master allocates RID pools to all domain controllers to ensure that new security principals can be created with a unique identifier.

4) Domain Owner: Adds and removes domains and application partitions to and from the forest. (There is one Domain Owner for each 'Forest' in an Active Directory structure, so if you have more than one forest, you will have more than one of these, but only one for each forest.)

5) Schema Owner: Governs all changes to the schema. (The Schema Owner role is another 'one per forest' role, so the same concept applies as for a Domain Owner, as far as how many Schema Owner roles you will have.)

Note that the ONLY time these roles are automatically moved to another server is when you demote a domain controller. So, if you plan to take a domain controller offline permanently, and the machine is in a working state, then just demote it before shutting it off. This will avoid any problems with Operations Master Roles.

However, in the case that you lose a server and cannot properly demote it ahead of time, you can do something called "seizing" the Operations Master Role. Note that once you do this, very bad things will happen if you ever somehow return the lost server to the network with its roles in place: a major battle will occur between the new Operations Master server and the old one that insists that it is the Operations Master.

For info on actually doing the 'seizing', check out the following TechNet article:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/8a378df1-50b5-4a79-986c-364ce6e0cb07.mspx

Another thing that comes in very handy (and what I used to determine that all my Operations Master Roles were still assigned to the downed server) is a tool from NetIQ called ADCheck.
One of the functions of ADCheck is "Show Ops Masters", which will return the machine name assigned for each of the five roles. This comes in very handy in determining which machine each of these roles is assigned to. Definitely run this first to see if there is a problem with your role assignments, and it comes in very handy to gather information before toying with the role assignments. On mine (since I have a small network with only two domain controllers), it showed that all five roles were assigned to the downed server. Moving the roles to the functional server made logins nice and snappy again. Before then, there was apparently some timeout waiting for the down server to respond before trying some backup login method. Sorry, no info on how the backup method works.
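The same "which DC holds each of the five roles, and is it actually up?" check can be done without a third-party tool. The following is an added example, not code from the original post, and it assumes a domain-joined admin workstation with the ActiveDirectory PowerShell module (RSAT) and the built-in Test-NetConnection cmdlet, i.e. Windows Server 2012 / Windows 8 or later; the function names Get-FsmoRoleHolder and Test-FsmoRoleHolder are this example's own. It only reads the role assignments; it does not transfer or seize anything.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed; Get-ADForest / Get-ADDomain are its real cmdlets.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Returns one object per Operations Master role with the DC that holds it.
    # The two forest-wide roles come from Get-ADForest, the three domain-wide
    # roles from Get-ADDomain (the current user's domain unless -Identity is given).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [PSCustomObject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [PSCustomObject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [PSCustomObject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
}

function Test-FsmoRoleHolder {
    # Adds a Reachable column: can the role holder be reached on the LDAP port?
    # An unreachable holder is the situation the post describes, where clients
    # wait on the dead DC until a timeout before falling back to another one.
    param([Parameter(ValueFromPipeline)] $RoleHolder)
    process {
        $reachable = Test-NetConnection -ComputerName $RoleHolder.Holder -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [PSCustomObject]@{
            Role      = $RoleHolder.Role
            Scope     = $RoleHolder.Scope
            Holder    = $RoleHolder.Holder
            Reachable = [bool]$reachable
        }
    }
}

$results = Get-FsmoRoleHolder | Test-FsmoRoleHolder
$results | Format-Table -AutoSize

# Flag any role whose holder is down, and warn when every role sits on a single DC
# (the "all five on the downed server" case from the post).
$results | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "$($_.Role) is held by unreachable DC $($_.Holder)" }

$holders = $results.Holder | Sort-Object -Unique
if ($holders.Count -eq 1) {
    Write-Warning "All five roles are held by $holders; losing that DC takes every role offline."
}
```

On an older server without the ActiveDirectory module, `netdom query fsmo` prints the same five holders; the transfer or seizure itself is still done with ntdsutil as described in the TechNet article linked above.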
