Rally 'Round the Server Roles

Nagging doubts about which domain controller is the RID Master.

Bill: I recently read your book, Inside Windows 2003, and found it extremely informative. (I particularly enjoyed your comments about the uncanny knack of Users to remember admin passwords even though they forget their own etc. Very true!) I have been working with Windows 2000 for the past three years and Windows 2003 and would like to clarify a couple of points with you.

In a native Windows 2000 domain I recently had to seize the RID Master role from one domain controller to a different DC due to a problem with the original server. The role seizure went without any incident—the old RID Master is R.I.P. and all is well with the domain. Now, I have this doubt as to whether or not the new RID Pool numbers have started to be disbursed.

When I seize the role to a different server, how does the new server know what the valid range is?

My other doubt was, even though Microsoft recommends the RID Master and PDC Emulator to be on the same server for obvious reasons in a mixed mode domain, is this still necessary for domains running native Windows 2000 or Windows 2003? I see it as more redundant to have these roles separated on two DCs in a native domain, but can you correct me if I am wrong?
—Name withheld

Thanks for getting my book. I appreciate your nice words.

The FSMO information for the RID Master is stored in an AD object called RID Manager$, located in the System container. You'll need to turn on Advanced View in Active Directory Users and Computers to see this object. When you transfer the RID Master role (or seize it to another domain controller), all you do is change the name of the server stored in the FSMORoleOwner attribute of this object. The other domain controllers in the domain start using the new RID Master because they all have a copy of the Domain naming context that contains the RID Manager$ object.

The RID Manager$ object also has an attribute called RIDAvailablePool that contains the total available RIDs and the starting point for the next RID. (Microsoft Knowledge Base article 305475 has a detailed explanation of how the large integer value of RIDAvailablePool is used.)

That's why it's so important not to bring the old RID Master back online once you seize the role to another domain controller. There's a possibility that the old RID Master will pass out a duplicate RID, causing potentially devious problems that might take months or years to emerge. For example, if two Windows 2000 or Windows 2003 servers have the same RID, they cannot both be domain controllers. You'll get odd error messages when you try to promote the second server.

When a Windows Server 2003 domain is running at the Windows 2000 Mixed functional level (known as mixed mode in Windows 2000), then only the PDC Emulator is able to draw numbers from the RID pool. This emulates classic NT operations, where the PDC is the only machine with read/write access to the SAM.

At the Windows 2000 Native functional level (native mode in Windows 2000), each DC maintains a local cache of RIDs. Each DC carves out 500 RIDs at a time from the RID pool and goes back to the RID Master for more only when its local cache is down to 100 RIDs.

As for separating the RID Master and PDC Emulator roles, you're quite right that at the Native functional level you don't need to keep both roles on the same server. The PDC Emulator should be in an area of your network with good connections because of its role as final arbiter of password changes. The RID Master can be tucked on a DC somewhere else in the domain. You can take either server down for maintenance. Just make sure that the RID Master comes back online before you exhaust the RID pool at any of your domain controllers. In other words, if you are the administrator of a secondary school network, don't schedule maintenance on the RID Master on the same day that you create the accounts for the freshman class at a high school.
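To make these mechanics concrete, the following is an added example, constructed for this edit and not Bill's code or anything shipped by Microsoft: it models the RIDAvailablePool large-integer layout, the 500-RID local cache with its 100-RID refresh point, and the duplicate RIDs that appear when a seized RID Master is brought back online. The 0x3FFFFFFF upper bound, the starting RID of 1000 and the DC names are assumptions.

```python
# Added model of the RID pool mechanics above (constructed, not the column's code).
# Per KB 305475, rIDAvailablePool is a 64-bit large integer: high 32 bits hold the
# pool's upper bound, low 32 bits the next RID the RID Master will hand out.
POOL_UPPER_BOUND = 0x3FFFFFFF   # just over one billion RIDs per domain (assumed)
BLOCK_SIZE = 500                # RIDs a native-mode DC carves out at a time
REFRESH_AT = 100                # a DC asks for its next block at this level


def decode_available_pool(value):
    return value >> 32, value & 0xFFFFFFFF


def encode_available_pool(upper_bound, next_rid):
    return (upper_bound << 32) | next_rid


class RidMaster:
    """Owns rIDAvailablePool and hands out BLOCK_SIZE RIDs per request."""
    def __init__(self, available_pool, online=True):
        self.available_pool, self.online = available_pool, online

    def allocate_block(self):
        upper, nxt = decode_available_pool(self.available_pool)
        if nxt + BLOCK_SIZE - 1 > upper:
            raise RuntimeError("domain RID pool exhausted")
        self.available_pool = encode_available_pool(upper, nxt + BLOCK_SIZE)
        return nxt, nxt + BLOCK_SIZE - 1


class DomainController:
    """Native-mode DC: caches one block locally, refills when REFRESH_AT are left."""
    def __init__(self, name, master):
        self.name, self.master, self.cache, self.issued = name, master, [], []
        self.refill()

    def refill(self):
        if self.master.online:  # otherwise keep using the local cache until it runs dry
            first, last = self.master.allocate_block()
            self.cache.extend(range(first, last + 1))

    def create_principal(self):
        if len(self.cache) <= REFRESH_AT:
            self.refill()
        if not self.cache:
            raise RuntimeError(f"{self.name}: RID cache empty and RID Master unreachable")
        rid = self.cache.pop(0)
        self.issued.append(rid)
        return rid


def duplicate_rids(*dcs):
    """RIDs issued by more than one DC: the symptom of a resurrected RID Master."""
    issued = [rid for dc in dcs for rid in dc.issued]
    return sorted({rid for rid in issued if issued.count(rid) > 1})
```

Running the seizure scenario (old master fails, role seized from the replicated value, old master brought back) shows two DCs issuing the same RID, which is the condition the paragraph above warns about.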

Hope this helps.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Reader Comments:

Thu, Nov 17, 2005 Satish Bhardwaj www.newerawisp.blogspot.com

I used the keywords Server roles in the search engine to see if my blog www.blogspot.com would be listed in the search engine, since I created the metatag for my blog only today and was curious to see if the search engine crawlers would catch my keywords.

Lo and behold I found this article asking people to rally around the server roles like there is an alternative choice for people.

Actually the server role is merely clerical in the form of receiving documents from one client and sending them back to any other client that asks for them although the IT people try to place obstacles in the path of strangers and trying to stop them unsuccessfully since the stranger clients are able to obtain the documents any way. A number of IT people are totally frustrated.

The only way to cure the situation is to abandon this server role in favor of a newly developed role that will bar the server from sending the documents back to any server.

This will make multitasking possible, since a server can handle the tasks of many clients if the task handling is done by the server instead of the client. This will prevent the idle processor time while it's awaiting the receipt of processing instructions, and the internet service would become super fast. Presently the internet service speed is the same no matter what internet service (T1, DSL broadband, conventional internet service) is used.

Wed, Feb 18, 2004 Anonymous Anonymous

Excellent! I need an information about RIDs and SIDs, and... Here we are...

Mon, Dec 1, 2003 Tony Spain

I agree with Grant Moyle that it is not only the PDC-E that has RID pools; any DC has its own pool even in mixed mode.
Could you please clarify that, Bill?

Tue, Oct 14, 2003 Grant Moyle Chicago

Bill: Is this comment (shown below) on Mixed Mode really true??? I don't think so:
===Quoted from Article===
When a Windows Server 2003 domain is running at the Windows 2000 Mixed functional level (known as mixed mode in Windows 2000), then only the PDC Emulator is able to draw numbers from the RID pool. This emulates classic NT operations, where the PDC is the only machine with read/write access to the SAM.
====

All the Windows 2000/2003 Domain Controllers have RID pools and can create user/other security objects, even in Mixed Mode. It is true that the BDCs don't get RID pools (they wouldn't know what to do with them anyway) - but account creation can be done on any of the W2K/W2K3 servers. You can prove this by turning off the PDC FSMO and then creating user accounts. They will be created!

Tue, Oct 14, 2003 John Howard Oxley Atlanta, GA, USA

I think the current way of teaching server functions and Operations Master roles separately is a big mistake. First we learn that all DCs are essentially equal, and then we learn, whoops!, not really, because of the OM functions each can/must serve, especially if there is more than one DC in the network -- the issue of "root DC" is also relevant here.

Such obfuscation simply makes it harder, rather than easier to learn -- this article is a good example -- if you understand Operations Masters, all of it makes sense -- but you have to understand OMs in the first place.
