FSMOs

There are a number of operations that have a single operations master. They include activities such as updating the schema, creating new domains in a forest, issuing relative identifiers (RIDs) for security principal objects, updating domains running Windows NT 4.0 and earlier, and referencing objects in other domains.

Operations master roles can be transferred through the graphical user interface. However, if the domain controller that holds a role is unavailable, the Ntdsutil tool can be used to force the transfer, commonly referred to as seizure. The tool also performs metadata cleanup: if you delete a domain or a domain controller without the Active Directory Installation Wizard cleaning up its data, you can use Ntdsutil to remove the leftover metadata. Ntdsutil can also be used for domain precreation. The benefit is that you can precreate domains by using a specific administrative account, and then let other users promote servers and create those domains without needing the same set of permissions that you used to precreate the domain.

Relative Identifier Master Operations Master Role Holder

The Relative ID (RID) operations master role holder must be available when a server needs to be supplied with RIDs. The Dcpromoui.log excerpt that follows shows the error that occurs when the RID master operations master role holder is not accessible. This particular error is captured by the Dcpromoui.log file during domain controller promotion, but it is in fact unrelated to the promotion itself. The error occurs when the domain controller is out of RIDs and the RID operations master role holder is unavailable.

Note

If the server still has RIDs, the Relative ID operations master role holder is not required to be available for account creations.

To troubleshoot this error, determine which server is hosting the RID master operations master role holder and confirm that it has network connectivity by using the Netdiag tool. Also, review the directory service log in Event Viewer for RID Master–related errors.

dcpromoui t:0x398 00279 Enter DS::JoinDomain
dcpromoui t:0x398 00280 Enter massageUserName
dcpromoui t:0x398 00281 Exit massageUserName
dcpromoui t:0x398 00282 Calling NetJoinDomain
dcpromoui t:0x398 00283 lpServer : Reskit
dcpromoui t:0x398 00284 lpDomain : reskit-rdp.com
dcpromoui t:0x398 00285 lpAccountOU : (null)
dcpromoui t:0x398 00286 lpAccount : reskit-rdp.com\administrator
dcpromoui t:0x398 00287 fJoinOptions : 0x23
dcpromoui t:0x398 00288 Error 0x2010 (!0 => error)
dcpromoui t:0x398 00289 Exit DS::JoinDomain
dcpromoui t:0x398 00290 Exception caught
dcpromoui t:0x398 00291 catch completed
dcpromoui t:0x398 00292 handling exception
dcpromoui t:0x398 00293 Error Joining Domain
dcpromoui t:0x398 00294 The directory service was unable to allocate a relative identifier.
dcpromoui t:0x398 00295 Enter State::SetOperationResults result FAILURE message: The directory service was unable to allocate a relative identifier.
dcpromoui t:0x398 00296 Exit State::SetOperationResults result FAILURE message: The directory service was unable to allocate a relative identifier.
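As an added example (not code from the resource kit or from Windows), the following Python script applies the troubleshooting rule above to Dcpromoui.log lines: it pairs an "Error 0x2010" entry with the "unable to allocate a relative identifier" text logged later on the same thread, and reports the finding together with the checks the text recommends, so the administrator looks at RID master availability rather than at the join itself. The sample input is the excerpt above; the regular expressions, the RidFinding structure and the assumed "dcpromoui t:<thread> <seq> <message>" layout are this example's own assumptions. Error 0x2010 is 8208 decimal, ERROR_DS_NO_RIDS_ALLOCATED in winerror.h.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout of a Dcpromoui.log line: "dcpromoui t:<thread> <seq> <message>".
LINE_RE = re.compile(r"^dcpromoui\s+t:(?P<thread>0x[0-9A-Fa-f]+)\s+(?P<seq>\d+)\s+(?P<msg>.*)$")
ERROR_RE = re.compile(r"^Error\s+(?P<code>0x[0-9A-Fa-f]+)")

# 0x2010 = 8208 = ERROR_DS_NO_RIDS_ALLOCATED; its text is the line that follows
# the error code in the excerpt above.
RID_ALLOCATION_ERROR = 0x2010
RID_ALLOCATION_TEXT = "The directory service was unable to allocate a relative identifier."

# Sample input: lines taken from the excerpt above (no new log data).
SAMPLE_LOG = """\
dcpromoui t:0x398 00282 Calling NetJoinDomain
dcpromoui t:0x398 00283 lpServer : Reskit
dcpromoui t:0x398 00284 lpDomain : reskit-rdp.com
dcpromoui t:0x398 00287 fJoinOptions : 0x23
dcpromoui t:0x398 00288 Error 0x2010 (!0 => error)
dcpromoui t:0x398 00289 Exit DS::JoinDomain
dcpromoui t:0x398 00293 Error Joining Domain
dcpromoui t:0x398 00294 The directory service was unable to allocate a relative identifier.
dcpromoui t:0x398 00295 Enter State::SetOperationResults result FAILURE message: The directory service was unable to allocate a relative identifier.
"""


@dataclass
class RidFinding:
    thread: str
    error_seq: int
    error_code: int
    message_seq: Optional[int]   # None when the text never followed the code
    message: str


def parse_line(line: str):
    """Split one log line into (thread, sequence number, message); None if it is not a dcpromoui line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("thread"), int(m.group("seq")), m.group("msg")


def find_rid_allocation_failures(lines) -> List[RidFinding]:
    """Pair each 'Error 0x2010' line with the explanatory text logged later on the same thread."""
    findings: List[RidFinding] = []
    pending = {}  # thread -> (seq, code) for an error code still awaiting its text
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        thread, seq, msg = parsed
        err = ERROR_RE.match(msg)
        if err is not None:
            if int(err.group("code"), 16) == RID_ALLOCATION_ERROR:
                pending[thread] = (seq, RID_ALLOCATION_ERROR)
            continue
        if thread in pending and msg == RID_ALLOCATION_TEXT:
            err_seq, code = pending.pop(thread)
            findings.append(RidFinding(thread, err_seq, code, seq, msg))
    # A code that was never followed by its text is still worth reporting.
    for thread, (seq, code) in pending.items():
        findings.append(RidFinding(thread, seq, code, None, ""))
    return findings


def next_checks(finding: RidFinding) -> List[str]:
    """The checks the text recommends: the failure is about RID supply, not the join itself."""
    return [
        "Identify which domain controller holds the RID master role.",
        "Confirm network connectivity to that server (Netdiag).",
        "Review the Directory Service log in Event Viewer for RID master errors.",
        f"(thread {finding.thread}, log entries {finding.error_seq}-{finding.message_seq})",
    ]


if __name__ == "__main__":
    for f in find_rid_allocation_failures(SAMPLE_LOG.splitlines()):
        print(f"RID allocation failure 0x{f.error_code:04x} on thread {f.thread}")
        for step in next_checks(f):
            print("  -", step)
```

Matching on the thread id matters because the wizard logs several threads; pairing the code with text from a different thread would misattribute the failure. Other error codes are left alone on purpose, since the text only describes the RID-allocation case.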

Operations Master and Duplicate Operations Master Role Holders

In Windows NT 4.0, if a domain ended up with a duplicate primary domain controller because someone promoted a backup domain controller while the primary domain controller was offline, the situation resolved itself when the downed primary domain controller came back online, because the NetBIOS name of the primary domain controller in a domain is unique and the conflict was detected.

In Windows 2000, the primary domain controller FSMO is not quite as important, but the main point is that you do not want it duplicated or you might end up with conflicts. If you had duplicate RID pool role owners, you might end up with duplicate SIDs.

The following checks are done to minimize the possibility of having duplicate RID pool role owners:

  • The server is synchronized with others before seizing the RID master role.

  • The global RID (available) pool state is replicated urgently to maximize chances that candidates for the new RID FSMO are up-to-date.

  • If the RID master allocates a RID pool to a domain controller that overlaps with the RID pool of another domain controller, the domain controller whose pool overlaps with the new pool notices this when this information replicates to it, and then proceeds by invalidating its current pool and requesting a new RID pool. This prevents the domain controller from issuing further duplicates and quickly "moves" all domain controllers that have overlapping pools to acquire fresh pools that do not overlap.

  • The operating system contains checks to detect and handle instances of duplicate RIDs.

One situation that has been identified as a possible cause of allocation of duplicate relative identifier pools is if the relative ID master role has been seized while the original relative ID master is still operational but has been temporarily disconnected from the network. In normal practice, after one replication cycle, the relative ID master role is assumed by one and only one domain controller, but it might be possible that before the role ownership is resolved, two different domain controllers might each request a new relative ID pool and they might be allocated the same RID pool.

The Ntdsutil tool contains an option, Security account management, that detects and cleans all instances of duplicate SIDs. Accounts with duplicate SIDs are deleted.
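The overlap check listed above, the seizure race just described, and the duplicate-SID condition that the Security account management option cleans up are modelled in the following Python simulation. It is an added example, not code from Windows or from the resource kit: the RidMaster and DomainController classes, the allocation stamp, the pool size of 500, the account names and the domain SID are all constructed for illustration. The simulation runs the seizure race (two masters serving the same pool from identical replicated state), shows the duplicate SIDs that result, and then applies the rule that the domain controller holding the older overlapping pool invalidates it and requests a fresh one.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed domain SID for the simulation (not a real domain's identifier).
DOMAIN_SID = "S-1-5-21-1000000000-2000000000-3000000000"
# Stand-in for the replication stamp that orders pool allocations across the domain.
ALLOCATION_CLOCK = itertools.count(1)

Pool = Tuple[int, int]  # inclusive range [first RID, last RID]


def pools_overlap(a: Pool, b: Pool) -> bool:
    """Two inclusive RID ranges overlap unless one ends before the other starts."""
    return a[0] <= b[1] and b[0] <= a[1]


class RidMaster:
    """Hypothetical RID master: hands out contiguous pools from the global available pool."""

    def __init__(self, name: str, next_available: int = 1000, pool_size: int = 500):
        self.name = name
        self.next_available = next_available   # replicated 'available pool' state
        self.pool_size = pool_size

    def allocate(self) -> Tuple[Pool, int]:
        pool = (self.next_available, self.next_available + self.pool_size - 1)
        self.next_available += self.pool_size
        return pool, next(ALLOCATION_CLOCK)


@dataclass
class DomainController:
    name: str
    pool: Optional[Pool] = None
    pool_stamp: int = 0                 # order in which the pool was allocated
    next_rid: int = 0
    issued: List[int] = field(default_factory=list)

    def take_pool(self, master: RidMaster) -> None:
        self.pool, self.pool_stamp = master.allocate()
        self.next_rid = self.pool[0]

    def issue_rid(self) -> int:
        """Hand out the next RID; without a valid pool the DC cannot create principals."""
        if self.pool is None or self.next_rid > self.pool[1]:
            raise RuntimeError(f"{self.name} has no RIDs; the RID master must be reachable")
        rid = self.next_rid
        self.next_rid += 1
        self.issued.append(rid)
        return rid

    def sid_for(self, rid: int) -> str:
        return f"{DOMAIN_SID}-{rid}"


def reconcile_pools(dcs: List[DomainController], master: RidMaster) -> List[str]:
    """The replication check from the text: a DC that learns another DC holds a newer pool
    overlapping its own invalidates its pool and requests a fresh one. Returns who re-pooled."""
    repooled = []
    for dc in dcs:
        if dc.pool is None:
            continue
        if any(o is not dc and o.pool is not None and o.pool_stamp > dc.pool_stamp
               and pools_overlap(dc.pool, o.pool) for o in dcs):
            dc.pool = None            # stop issuing from the contested range
            dc.take_pool(master)      # fresh pool from the surviving role holder
            repooled.append(dc.name)
    return repooled


def find_duplicate_sids(accounts: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (DN, objectSid) pairs by SID; SIDs held by more than one object are the
    condition that 'Cleanup Duplicate SID' repairs."""
    by_sid: Dict[str, List[str]] = {}
    for dn, sid in accounts:
        by_sid.setdefault(sid, []).append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}


def simulate_seizure_race():
    """M1 is cut off but still running; M2 seizes the role from identical replicated state.
    Before replication settles the role, each master serves one DC the same pool."""
    original = RidMaster("M1-disconnected", next_available=1000)
    seized = RidMaster("M2-seized", next_available=1000)
    dc_a, dc_b = DomainController("DC-A"), DomainController("DC-B")
    dc_a.take_pool(original)
    dc_b.take_pool(seized)

    accounts = []   # constructed DNs; each DC creates two principals from its pool
    for dc in (dc_a, dc_b):
        for i in range(2):
            rid = dc.issue_rid()
            accounts.append((f"CN=user{i}-{dc.name},CN=Users,DC=example,DC=test", dc.sid_for(rid)))
    duplicates = find_duplicate_sids(accounts)

    # Replication now carries both pool assignments; DC-A holds the older one.
    repooled = reconcile_pools([dc_a, dc_b], seized)
    return duplicates, repooled, dc_a.pool, dc_b.pool


if __name__ == "__main__":
    dups, repooled, pool_a, pool_b = simulate_seizure_race()
    print("duplicate SIDs before reconciliation:", len(dups))
    print("re-pooled:", repooled, "DC-A pool:", pool_a, "DC-B pool:", pool_b)
```

The reconciliation only stops further duplicates: the SIDs already issued from the contested range remain in the directory, which is why the text still requires the Cleanup Duplicate SID pass that follows.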

To detect and clean up all instances of duplicate SIDs

  1. Back up Active Directory.
    Windows 2000 Backup natively supports backing up Active Directory while you are online. This occurs automatically when you select the option to back up everything on the computer in the Backup Wizard, or independently when you select to back up the "System State" in the wizard.

  2. Restart the domain controller, select the appropriate installation from the startup menu, and then press F8 to display the Windows 2000 Advanced Options Menu.

  3. Select Directory Services Restore Mode, and then press ENTER. To start the boot process again, press ENTER.

  4. Log on by using the Administrator account with the password that is defined for the Local Administrator account in the offline SAM.

  5. Click Start, point to Programs and then to Accessories, and then click Command Prompt.

  6. At the command prompt, type ntdsutil, and then press ENTER.

  7. Type Security account management, and then press ENTER.

  8. Type Connect to server <server name>, and then press ENTER.

  9. At the Security Account Maintenance prompt, type Cleanup Duplicate SID, and then press ENTER.
    A duplicate SID cleanup operation is carried out and all results are logged in the Dupsid.log file that is located in the directory from which you ran the Ntdsutil tool.

  10. Type quit, and then press ENTER. To return to the command prompt, type quit again.

In general, if any operations master role holder gets duplicated, the duplication resolves itself eventually through replication. The newer role owner holds the change in its directory database with a higher USN, and thus overwrites the previous role owner when the new role owner replicates to the directory database. The only damage that might occur is from writes made to the older role owner before replication resolves the duplicate role owners.

The best practice is to never let duplicates happen. However, if duplicate RIDs occur, you can resolve the problem by putting the older role owner in the same site as the new role owner and immediately forcing replication to occur.

For more information about FSMOs and troubleshooting FSMOs, see "Managing Flexible Single-Master Operations" in this book.