Troubleshooting Active Directory

There are five operations master roles held by domain controllers in the forest. When a domain controller holding one of these roles fails, the severity of the problem depends on which DC fails. Table 13-6 lists the operations master roles and the consequences of their failure.

Most operations master failures will not immediately or drastically affect the performance or functionality of the network. There is one notable exception: the primary domain controller (PDC) emulator.

Because the PDC emulator deals with user authentication, its unavailability can cause serious problems. This is the one case where you might consider seizing the role.

Seizing an operations master role involves transferring the role to another domain controller. This process was covered earlier in this chapter. You should only do this if it is absolutely necessary.

Table 13-6. Operations Master Failure

| Operations Master Role | Consequence of Failure |
| --- | --- |
| Infrastructure master | Usually not an urgent problem, unless there have been a lot of user or group changes. Try to fix the problem before seizing the role. |
| Primary domain controller (PDC) emulator | Users may have trouble logging in, especially if the network is running in mixed mode. Unless you can make an immediate fix, seize the role and assign it to the standby unit. |
| Relative ID master | Usually not an urgent problem, unless enough objects are added to a domain to cause the current batch of relative IDs to be used up. Try to fix the problem before seizing the role. |
| Domain naming master | Usually not an urgent problem, until you need to add or remove a domain from the forest. Try to fix the problem before seizing the role. |
| Schema master | Almost never a problem, unless an administrator wants to modify the Active Directory schema, either manually or through software. |
| Global catalog server | The GCS is replicated among domain controllers, so the odds of a total failure are small. But, if it becomes corrupted or otherwise unavailable, users will not be able to log on to access network resources. However, they will still be able to log on locally to those machines for which they have adequate permissions. |

Troubleshooting DNS

If a DNS server is malfunctioning, it can cause quite a bit of trouble on the network. The Windows 2000 Event Viewer can be used to monitor and diagnose problems with DNS.

There are two levels of monitoring available: standard logging of events and debug logging. Debug logging can significantly slow down the DNS server’s performance, so use it as a last resort. Debug information will be stored locally on the DNS server in a file named DNS.LOG, which can become quite large.

You should verify DNS entries in both forward and reverse directions. This can be done with the nslookup utility by first looking for the FQDN and matching the IP address, then using the IP address to match the FQDN.
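The forward-then-reverse check described above can be automated across many hosts. The following Python sketch is an added example, not part of the original text; the host names, addresses, and function names are constructed for illustration. It runs against an inline record table by default, and the live_forward and live_reverse functions can be passed in to query the system resolver instead.

```python
import socket

# Constructed sample records (assumptions for illustration, not from the book).
SAMPLE_A = {
    "dc1.corp.example.com": ["10.0.0.10"],
    "web1.corp.example.com": ["10.0.0.20"],
    "old1.corp.example.com": ["10.0.0.30"],
}
SAMPLE_PTR = {
    "10.0.0.10": "dc1.corp.example.com",
    "10.0.0.20": "WEB1.corp.example.com.",  # differs only in case and trailing dot
    "10.0.0.30": "new1.corp.example.com",   # stale PTR left after a rename
}

def normalize(name):
    # DNS names are case-insensitive; a trailing dot only marks the root.
    return name.lower().rstrip(".")

def table_forward(name):
    return SAMPLE_A.get(normalize(name), [])

def table_reverse(ip):
    return SAMPLE_PTR.get(ip)

def live_forward(name):
    # Forward lookup through the system resolver (needs network access).
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def live_reverse(ip):
    # Reverse (PTR) lookup through the system resolver.
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_host(fqdn, forward=table_forward, reverse=table_reverse):
    # Resolve the FQDN, then confirm each address maps back to the same name.
    addrs = forward(fqdn)
    if not addrs:
        return ("NO_A_RECORD", [])
    problems = []
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            problems.append((ip, "no PTR"))
        elif normalize(ptr) != normalize(fqdn):
            problems.append((ip, "PTR -> " + normalize(ptr)))
    return ("OK" if not problems else "MISMATCH", problems)
```

A MISMATCH result usually points to a stale or missing PTR record in the reverse lookup zone, which is worth correcting because logs and access controls that rely on reverse lookups will otherwise attribute activity to the wrong host.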

Troubleshooting RIS

Remote installation can cause problems that you wouldn’t experience during a normal installation. Table 13-7 lists some common problems and their solutions.

Table 13-7. Troubleshooting RIS

| Problem | Solution |
| --- | --- |
| The wrong server is installing to an RIS client. | Either the data associating the RIS client and server hasn’t been replicated yet (likely) or there is a rogue RIS server (unlikely). |
| A restored RIS volume no longer functions properly. | The SIS directory is missing or corrupt. Verify the source data and reinstall again. |
| Customized settings are not being implemented. | Check your configuration files for incorrect paths. |

Troubleshooting Group Policies

Group Policies are a great way to manage resources because they can be layered and are cumulative. Unfortunately, when something goes wrong, you have to check the chain of inheritance to track down where the problem actually originates. If you’re not careful, it’s easy to either grant or deny access to a resource accidentally through the automatic accumulation of permissions.

Group Policies are also very flexible, allowing you to modify the normal inheritance rules. This is a convenient feature, but when something goes wrong, it can make it doubly difficult to track down the problem. Your best bet in troubleshooting Group Policies is to use a strict and consistent implementation of Group Policies right from the start.

Troubleshooting Software Deployment

Earlier in this chapter we discussed both publishing and assigning applications on the network. If you’ve distributed applications by Organizational Unit, you’ll have an easier time making sure the correct people have access to applications. You should also take advantage of inheritance in the Active Directory to assign or publish applications the fewest number of times.

Active Directory Troubleshooting Tools

Windows 2000 includes several tools for maintaining and diagnosing problems with Active Directory, such as ReplMon, RepAdmin, DSStat, SDCheck, and ACLDiag. Even if you don’t currently have a problem with your Active Directory, you should use these tools to get used to their functionality in case they are needed in an emergency.
