An Active Directory domain controller tries to replicate inbound changes for each locally held directory partition (also known as a naming context) every time the domain controller starts. In Microsoft Windows Server 2003 and in Microsoft Windows 2000 SP3 or later, the domain controllers that host operations master roles must successfully replicate inbound changes on the directory partition that replicates and maintains the operations master role's state. Successful replication must occur before dependent operations can be performed. This is done to ensure that the FSMO owner is up-to-date with any changes to the attribute that holds the information about the current FSMO owner. If this attribute was changed while the domain controller was offline, the domain controller resigns the FSMO ownership. If the attribute still points to the local domain controller, it begins acting as the role owner.
Windows Server 2003-based domain controllers log the following events:
The following table shows the partition that a domain controller that hosts operations master roles must successfully replicate before the operations master roles will function.
| Role | Partition that must replicate for role to become active | Operation performed |
| --- | --- | --- |
| Domain naming | Configuration | Add or remove a domain or an application partition. |
| Infrastructure | Domain partition in the operations master role owner's domain | Introduce changes made by the Windows Server 2003 adprep /domainprep command. |
| Relative ID (RID) | Domain partition in the operations master role owner's domain | Allocate RID pools to newly promoted or to existing domain controllers. |
| Schema | Schema | Introduce schema changes in the Active Directory Schema snap-in, in the adprep /forestprep command, or in Active Directory-aware applications. |
For example, suppose that the information about the current RID operations master and its state is replicated in the domain partition of a sample domain named Contoso.com. A domain controller named DC1.Contoso.com (DC1) is the RID master in the Contoso.com domain. If the configuration partition on DC1's copy of Active Directory contains references to another domain controller (DC2.Contoso.com) that replicates the writable Contoso.com partition, the RID master role for the Contoso.com domain does not become operational until one of the following scenarios occurs:
- The RID master role performs inbound replication for the writable Contoso.com domain partition with DC2 or another domain controller in the Contoso.com domain.
- You remove references to domain controllers that host writable copies of the Contoso.com domain partition from the forest.
Until the RID master role becomes operational, DC1 cannot issue the new RID pools that are necessary to create users, computers (including additional domain controllers), and security groups in the Contoso.com domain. Similarly, the other operations masters listed in the operations master roles table must successfully replicate inbound changes on the host partition before the operations masters can perform dependent operations. The goal of this synchronization requirement is to make sure that only one domain controller plays a particular operations master role in each domain or forest.
Note A domain controller that hosts an operations master role that resides in a partition that does not have replication partners (that is, a role that is hosted by a single domain controller in that role's domain or forest-wide replication scope) does not have to satisfy the initial synchronization requirement because the domain controller has no replication partners. Synchronization requirements only exist when the current role owner's hasMastersNC attribute contains references to more than one domain controller that replicates the operations master partition. (The hasMastersNC attribute is part of a domain controller's NTDS settings object in the CN=Configuration partition of an operations master.) For example, if the configuration partition for the sample domain Contoso.com does not contain references to other domain controllers that host the Contoso.com partition, the current RID operations master (DC1) becomes operational after the DC1.Contoso.com computer starts.
Changes to initial synchronization requirements in Windows Server 2003 with Service Pack 1
Windows Server 2003 original release
In the original release version of Windows Server 2003, if a domain controller that is an operations master role holder is restarted, it will try to replicate only with other domain controllers that are in its own site. If an appropriate source domain controller exists in the same Active Directory site as the operations master role owner, the initial synchronization requirement is typically satisfied soon after operating system startup. This lets operations master role-dependent operations occur immediately. Delays may be encountered if the only appropriate source domain controller exists in a remote site. Replication will not occur until the schedule on the site link or on the connection object opens. Any operation that requires access to the schema master role, the domain-naming master role, or the RID master role will fail until incoming replication from a writable source domain controller occurs.
Windows Server 2003 with Service Pack 1
If a domain controller that is an operations master role holder is restarted, it will try to perform initial synchronization with all its existing partners until a successful synchronization occurs. The partner that is picked for the synchronization is selected at random from all replication partners that the domain controller has for each naming context that it hosts. No preference is given to intrasite replication partners. Each partner is tried one at a time until successful replication occurs.
Possible causes of initial synchronization failures and suggested resolutions
The following scenarios describe possible causes of inbound replication failure on an operations master. If a domain controller that holds an operations master role cannot complete its initial synchronization requirements, dependent operations may fail or be delayed. Each scenario includes a suggested method to make the operations master active.
- The current role resides on a domain controller whose NTDS settings (NTDS-DSA) object has been deleted from Active Directory. This scenario may occur for one of the following reasons:
- You used the Active Directory Sites and Services snap-in, the Ntdsutil.exe utility, or an equivalent utility to delete the NTDS-DSA object from a domain controller's Active Directory. However, the domain controller's operations master role has not been transferred to another domain controller in the domain or the forest.
- You used the dcpromo /forceremoval command to forcefully demote a domain controller that had an operations master role.
For more information about the dcpromo /forceremoval command, click the following article number to view the article in the Microsoft Knowledge Base:
332199 Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
- You used the Active Directory Installation Wizard to gracefully demote an operations master domain controller, but the locally held operations master roles do not transfer to surviving domain controllers in the domain or the forest.
In all these cases, you must seize or transfer operations master roles to an existing domain controller.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
255504 Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
- The domain controller that owns the operations master role contains references to domain controllers that are no longer running Active Directory but that still have metadata.
To resolve this issue, remove the metadata for offline domain controllers that host the partition if they are no longer active in the forest and will never be used again. After you remove the metadata for the domain controllers that are no longer running Active Directory, restart the current operations master role owner.
For more information about how to remove metadata for an offline domain controller, click the following article number to view the article in the Microsoft Knowledge Base:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
- Replication fails on the directory partition that holds the operations master role.
In this case, you must resolve the Active Directory replication failure that is preventing the operations master role owner from replicating the operations master's partition with an existing domain controller's partition. Failures in connectivity, name resolution, authentication, or in the replication engine can cause replication issues.
- The replication partner for an operations master role partition resides in a remote Active Directory site.
To resolve this issue, if the operations master resides in a different Active Directory site than other domain controllers that replicate the operations master's partition, wait until the replication schedule opens or force inbound replication to the current operations master from a domain controller that contains a copy of that partition.
- The domain controller is started on an isolated network and cannot replicate with domain controllers in its domain or forest because of a lack of network connectivity.
A network is "isolated" if the domain controller that holds an operations master role has no network cable attached, or if the domain controller is on a test or a lab network without network access to partner domain controllers.
To resolve this issue, add a domain controller to the domain so that the domain controller that holds the operations master roles can replicate the necessary domain or the forest-wide partitions when the domain controller that holds the operations master roles starts.
Note For Windows Server 2003 domain controllers that are only in an isolated network, you can use the Ntdsutil utility to seize the operations master role owner to itself. Microsoft recommends that you try this self-seizure operation only as a last resort and only after you verify that each operations master role in the forest has a unique owner. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
255504 Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
All operations master roles can sustain some downtime. This means that you do not have to seize the operations master roles if the computer must be taken offline temporarily. For more information about downtime for each operations master role, see the following list:
- Schema operations master: It is not urgent to bring the schema operations master role back unless you want to change the schema before the schema operations master role holder comes back through repair or restore.
- Domain naming operations master: The domain naming operations master role is required only when you want to add or remove a naming context in the forest. You have to seize this role only if it is not brought back online through repair or restore before adding or removing a naming context in the forest.
- Infrastructure operations master: The tasks of the infrastructure operations master role are run in the background. If this computer is not brought online for several days, and no major account changes have been made in the forest, this computer can easily make the changes when it is brought back online.
- Primary domain controller (PDC) emulator operations master: When no pre-Active Directory clients are in the domain, the PDC emulator operations master role holder is used only to help ease transition when users change passwords. Only the PDC emulator operations master role holder can change passwords for trusts. Therefore, extended downtime for this role should be avoided.
- RID operations master: If you are not creating accounts, even the RID operations master role holder can sustain some downtime. If one domain controller runs out of RIDs, we recommend that you use another domain controller to distribute RIDs if the original owner comes back in several hours.
How to use the Repadmin.exe tool to troubleshoot initial synchronization issues
To troubleshoot initial synchronization issues, follow these steps:
- Locate the Repadmin.exe tool in the Microsoft Windows 2000 Support Tools. (Windows 2000 Support Tools are available on the Windows 2000 Server CD-ROM. To install the Windows 2000 Support Tools, run the Setup program from the Support\Tools folder.)
- From the command prompt, on the domain controller that is an operations master role owner, type repadmin /showreps.
- Examine the output and determine if the domain controller has successfully replicated from its partners since the last restart. If there are errors, try to fix replication problems with the relevant replication partners, and then wait for replication to complete.
Each domain controller must successfully replicate the schema, the domain, and the configuration partitions.
Note You can use the repadmin /delete command to remove replication links to partner domain controllers that contain the partition that hosts the operations master role in question.
Warning The repadmin /delete command has the potential to break your Active Directory installation. Microsoft recommends that you use the repadmin /delete command only under the expert guidance of Microsoft Product Support Services. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:
For more information about how to use the Repadmin.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
229896 Using Repadmin.exe to troubleshoot Active Directory replication
Initial synchronization error messages
When initial synchronization by an operations master role owner was not completed successfully, you may receive an error message under the following circumstances:
RID master
If the RID master cannot be contacted, and the RID pool drops below 20 percent, the Directory Service event log shows the following event message:
For more information about a similar error message that you may receive when the RID master is unavailable, click the following article number to view the article in the Microsoft Knowledge Base:
248410 Error message: The account-identifier allocator failed to initialize properly
Schema master
When you run the adprep /forestprep command to prepare your Windows 2000 forest and its domains for the addition of Windows Server 2003 domain controllers, the adprep /forestprep command fails and the Adprep.log contains the following message:
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable). If the error code is "Insufficient Rights", make sure you are logged in as a member of the schema admin group. Adprep was unable to upgrade the schema on the schema master.
This error can also be caused by a stale record in DNS for a server that is no longer a DNS server. When you try to change a schema property, you may receive the following error message:
The FSMO role ownership could not be verified because its directory partition has not replicated successfully with at least one replication partner.
Domain naming master
When you try to add a new child domain or a tree to the forest, you may receive the following error message:
02/17 17:02:16 [INFO] Error - The Directory Service failed to create the object CN=UCD,CN=Partitions,CN=Configuration,DC=Domain,DC=loc. Please check the event log for possible system errors. (8610)
For more information about the importance of the domain naming master when you add or remove a domain, click the following article numbers to view the articles in the Microsoft Knowledge Base:
254933 Adding or removing a domain during Dcpromo requires access to the domain naming master FSMO role holder
255229 Dcpromo demotion of last domain controller in child domain does not succeed
The replication partner for an operations master partition resides in a remote Active Directory site
Operations masters on domain controllers that are running Microsoft Windows Server 2003 Service Pack 1 will try to replicate from out-of-site replication partners instead of waiting for the replication schedule to open.
As mentioned, you can use the repadmin /delete command to remove replication links to partner domain controllers that contain partitions that host particular operations master roles. To use the repadmin /delete command, follow these steps:
- From a command prompt, type:
repadmin /showreps /v domain_controller_that_hosts_the_operations_master_role
Note the names of the source domain controllers that the current operations master role owner replicates the operations master partition from.
- For each source domain controller that the operations master role owner replicates the operations master partition from, note the name of the fully qualified CNAME record that has the format:
guid._msdcs.distinguished_name_of_forest_root_domain
For example, a sample CNAME record for a domain controller in the Contoso.com forest might look similar to the following:
f4a9999b-db8b-4568-ad06-8e6cddb0b284._msdcs.Contoso.com
- For each source domain controller that the role owner replicates from, use the repadmin /delete command to delete replication links from all other domain controllers. For example, type:
repadmin /delete naming_context destination_domain_controller GUID-based_DNS_name_of_source_domain_controller /localonly
For example, if the RID operations master resides on DC1.Contoso.com, and you type repadmin /showreps /v, the output shows that:
- DC1.Contoso.com “pulls” the DC=Contoso partition from a second domain controller, DC2.Contoso.com (NTDS-DSA object GUID = d140762d-aa9f-4ebe-b373-2a4d7118a394).
- DC1.Contoso.com “pulls” the DC=Contoso partition from a third domain controller, DC3.Contoso.com (NTDS-DSA object GUID =f4a9999b-db8b-4568-ad06-8e6cddb0b284).
- The forest root domain is Contoso.com.
In this case, to delete the replication links from the DC2 and DC3 domain controllers, type the following commands:
repadmin /delete cn=schema,cn=configuration,dc=contoso,dc=com dc1 d140762d-aa9f-4ebe-b373-2a4d7118a394._msdcs.contoso.com /localonly
repadmin /delete cn=schema,cn=configuration,dc=contoso,dc=com dc1 f4a9999b-db8b-4568-ad06-8e6cddb0b284._msdcs.contoso.com /localonly
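As an added example (not part of the Knowledge Base article), the following Python parses constructed repadmin /showreps /v output to perform the check from the troubleshooting steps above (has each operations master partition pulled successfully from at least one partner, or does it have no partners at all) and, for the repadmin /delete procedure, builds the candidate commands for the failing links from the partition-per-role table. The sample output, the contoso.com forest, the DC names and the fixed output layout are assumptions; the naming context in each generated command is the partition that hosts the role in question, as the table requires.

```python
# Constructed sample of "repadmin /showreps /v" output on DC1 (not captured from a real DC).
# DC1 pulls DC=contoso,DC=com from DC2 (success) and DC3 (failing); its schema partition has DC3 only.
SAMPLE_SHOWREPS = """\
==== INBOUND NEIGHBORS ======================================
DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: d140762d-aa9f-4ebe-b373-2a4d7118a394
        Last attempt @ 2024-05-01 10:00:05 was successful.
    Remote-Site\\DC3 via RPC
        DSA object GUID: f4a9999b-db8b-4568-ad06-8e6cddb0b284
        Last attempt @ 2024-05-01 10:00:07 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
CN=Schema,CN=Configuration,DC=contoso,DC=com
    Remote-Site\\DC3 via RPC
        DSA object GUID: f4a9999b-db8b-4568-ad06-8e6cddb0b284
        Last attempt @ 2024-05-01 10:00:09 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
"""

# Partition each role depends on (from the table above), for the assumed contoso.com forest.
FSMO_PARTITIONS = {
    "Schema": "CN=Schema,CN=Configuration,DC=contoso,DC=com",
    "Domain naming": "CN=Configuration,DC=contoso,DC=com",
    "RID": "DC=contoso,DC=com",
    "Infrastructure": "DC=contoso,DC=com",
}

def parse_showreps(text):
    """Map each naming context to its inbound partners: name, NTDS-DSA GUID, last-attempt result."""
    partners, nc, cur = {}, None, None
    for line in text.splitlines():
        if "OUTBOUND NEIGHBORS" in line:
            break                                  # only inbound links matter for initial sync
        if line[:3].upper() in ("DC=", "CN="):
            nc, cur = line.strip(), None           # an unindented DN starts a new naming context
            partners.setdefault(nc, [])
        elif nc and " via " in line:
            cur = {"partner": line.split(" via ")[0].strip().split("\\")[-1]}
            partners[nc].append(cur)
        elif cur and "DSA object GUID:" in line:
            cur["guid"] = line.split(":", 1)[1].strip()
        elif cur and line.strip().startswith("Last attempt"):
            cur["ok"] = "was successful" in line   # continuation lines (error text) are ignored
    return partners

def initial_sync_status(partners, role, dest="dc1", forest_root="contoso.com"):
    """Return (satisfied, candidate repadmin /delete commands) for one role. The requirement is
    satisfied when the partition pulled from at least one partner, or when it has no partners."""
    nc = FSMO_PARTITIONS[role]
    links = partners.get(nc, [])
    satisfied = not links or any(lk.get("ok") for lk in links)
    cmds = [f"repadmin /delete {nc} {dest} {lk['guid']}._msdcs.{forest_root} /localonly"
            for lk in links if not lk.get("ok")]   # failing links only; review before running
    return satisfied, cmds
```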