A good network administrator knows that thoroughly planning a network before actually implementing it will save a tremendous amount of time and effort in the long run. An experienced network administrator knows that no matter how well you plan a network, the network will have to be changed to meet the ever changing needs of its users.
The three main tasks you’ll have to perform are: adding a new server, moving a server to a new replication site, and removing a server from the network. Because hardware is constantly improving, adding new servers or consolidating tasks performed by a few less powerful servers on a new server is commonplace. This type of activity can occur quite frequently if your company is growing rapidly.
Everything in Active Directory is an object. In the case of a server, a server object is the logical representation of the physical machine in the hierarchical AD database. When you install a new server, you’ll have to add it to the Active Directory using the following steps:
Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
Double-click on the site you would like to add the server to.
Right-click on the Servers folder and choose New → Server.
You’ll see the New Object -- Server screen. Type in a name for the new server and click the OK button.
Sites are areas of the network that have high interconnectivity bandwidth. They’re used to divide up replication traffic in the most efficient way possible. When you start to change the number or types of servers on a network, you may have to move servers to other sites to maintain those high-speed connections.
Sometimes you need to change the replication site a server is currently a member of. You can do this by using the following steps:
Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
Right-click on the server you’d like to move and choose Move.
You’ll see a list of available sites. Choose the site you want to move the server to and click the OK button.
Hardware becomes obsolete fairly quickly. It’s not that three-year-old servers become unusable, but time is money, so it’s often your job to weed out slower machines.
Assuming you want to permanently remove a server, use the following steps to delete the server object from the Active Directory:
Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
Right-click on the server object you’d like to permanently remove and choose Delete.
Confirm that you want to do this by pressing the Yes button.
In most network environments, significant and frequent changes are made to the files, folders, user accounts, and equipment. Active Directory has to share these changes with all its domain controllers. Synchronizing this information across the entire enterprise can be a huge amount of work. To make this task as efficient as possible, the method of replication is specialized to the particular situation. Active Directory supports two main types of replication:
- Single-master replication
To prevent possible conflicts, one computer stores a master copy of the data and the replicating computers store a backup. This is a one-way process.
- Multi-master replication
Multiple computers store, send, and accept replication data at various times simultaneously around the network.
Single-master replication is organized into five distinct tasks, called operations master roles . Some of the roles involve single domains, while other roles involve the whole forest. Only Windows 2000 domain controllers can be assigned operations master roles. The operations master roles are described in Table 13-5.
Table 13-5. Operations Master Roles
|
Role |
Scope |
Description |
|---|---|---|
|
Domain |
Updates and changes if a user or group is renamed. There can be only one infrastructure master per domain. If a user moves across domains, the two infrastructure masters will replicate the change during the next multi-master replication between domains. | |
|
Domain |
If the network is running in mixed mode, the PDC emulator acts like a Windows NT PDC and replicates with the NT backup domain controllers. If the network is running in native mode, the PDC emulator will be the first DC to get replication of password changes. If replication hasn’t occurred on a recent password change, a DC can check with the PDC emulator to see if it received the password change. This is especially important if a network has a lot of domain controllers and frequent password changes. There can be only one PDC emulator per domain. | |
|
Domain |
The relative ID master has two main functions. It assigns a group of consecutive IDs to domain controllers so that they can assign unique IDs to objects created on the DC. To move any Active Directory object between domains, you have to move it from the computer that is currently acting as the relative ID master. You can change which computer is the relative ID master, but there can be only one relative ID master at a time in a domain. | |
|
Forest |
Keeps track of domains that are added to or removed from the forest. There can be only one domain naming master in the forest. | |
|
Forest |
Changes to the Active Directory schema can only be made from the schema master. There can be only one schema master in the forest. |
All the operations master roles are automatically assigned to the first domain controller in the forest. After your network has grown and there are multiple domain controllers, you may want to distribute the roles among different domain controllers.
Once you have two domain controllers in a domain, you can take some precautionary steps. The first domain controller will still have all the operations master roles, but the second domain controller can be configured as a standby operations master domain controller.
If the first computer fails, the backup machine will automatically assume any roles formerly handled by the original domain controller. If you have many domain controllers on your network, you may want to move some of the operations master roles onto separate machines for load balancing and reliability.
Because the operations masters have to replicate data frequently, be sure to choose domain controllers with fast network connections. You can assign any role to any domain controller by following a few steps. The process differs slightly, depending on which role you’re changing.
All five roles can be reassigned using Microsoft Management Console (MMC) snap-ins. Unfortunately, not all of the snap-ins you’ll need are installed by default. If you want to change the schema master, you’ll have to install the Active Directory Schema snap-in by using the following steps:
Choose Start → Settings → Control Panel → Add/Remove Programs.
Choose Change or Remove Programs.
Choose Windows 2000 Administrative Tools and click the Change button.
You’ll see the Welcome to the Windows 2000 Administration Tools Setup Wizard. As with most Windows 2000 wizards, you’ll have to click the Next button to move to the next screen.
You’ll see the Setup Options screen. Choose Install All of the Administrative Tools.
It will copy all the required files. Click the Finish button.
Start the Microsoft Management Console. Choose Start → Run, and then type
mmcand click OK.Choose Console → Add/Remove Snap-In.
You’ll see the Add/Remove Snap-In screen. Click Add.
You’ll see the Add Standalone Snap-In screen. Double-click on Active Directory Schema.
Click Close and then click OK.
Choose Console → Save.
Almost all of the administrative tasks in Windows 2000 are handled by MMC snap-ins. We’re going to be using the MMC a lot in this chapter, so you’ll be well prepared for the MMC simulation questions by the time you’re done.
If you want to transfer the domain naming master role, you’ll need to perform the following steps:
Choose Start → Run, type
mmc, and click the OK button.Open the Active Directory Domains and Trusts snap-in.
Right-click on the domain controller that you want to become the new domain naming master. Choose Connect to Domain.
You’ll see the Connect to Domain screen. Click the Browse button and choose the correct domain name.
Right-click on Active Directory Domains and Trusts and choose Operations Master.
You’ll see the Operations Master screen. Click on the Change button and then click OK.
You can change either the infrastructure master, PDC emulator, or relative ID master roles using roughly the same set of steps:
Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
Right-click on the domain in question and choose Connect to Domain.
You’ll see the Connect to Domain screen. Click the Browse button and choose the correct domain name.
Right-click on Active Directory Users and Computers and choose Operations Master.
You’ll see the Operations Master screen. Depending on which role you want to change, choose either RID (for Remote ID), PDC (for PDC emulator), or Infrastructure (for the infrastructure master).
After you’ve chosen the role you want to change, click on the Change button and then click OK.
There is one last role you may need to change, the schema master role. Assuming you’ve already installed the schema master snap-in, you can use the following steps to change which DC will act as the schema master:
Choose Start → Run, type
mmc, and click the OK button.Right-click on Active Directory Schema and choose Change Domain Controller.
Choose Any DC for automatic selection, or you can manually type in the name of the domain controller you want to be the new schema master. Click the OK button.
Right-click on Active Directory Schema and choose Operations Master.
You’ll see the Change Schema Master screen. Click the Change button and then click OK.
If you only have one domain controller, all operations master roles will be on that computer. However, if you have multiple domain controllers and domain trees in your Active Directory forest, it can be difficult to remember which domain controllers are assigned each role.
There is a methodical way to find out which computers are playing each role. Remember, some roles are required in each domain, while others need only a single player for the entire forest.
If you want to find out which machines are acting as an infrastructure, PDC emulator, or relative ID master, you can perform the following steps:
Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
Right-click on Active Directory Users and Computers and choose Operations Master.
Depending on which computer you’re trying to find, choose either RID (for Remote ID), PDC (for PDC emulator), or Infrastructure (for infrastructure master).
The name of whichever domain controller is currently acting in the role will appear. Click Cancel to close the dialog box.
If you want to find out which computer is acting as the domain naming master, use the following steps:
Choose Start → Run, type
mmc, and click the OK button.Open the Active Directory Domains and Trusts snap-in.
Right-click on Active Directory Domains and Trusts and choose Operations Master.
You’ll see the Operations Master screen. Under Domain Naming Operations Master, you’ll see the name of the current domain naming master.
Click the Close button without making any changes.
You’ll have to follow a different set of steps to find out which computer is the current Active Directory schema master: