
Management Tips for Microsoft Active Directory – Part I

One of the most useful features of Microsoft Windows Server 2003 (and the upcoming Windows Server 2008) is Active Directory. Often misunderstood and rarely managed correctly, Active Directory (AD) lets organizations large and small manage both resources and user accounts from a single directory. This brief guide walks you through the most important aspects of getting AD set up and working correctly for a typical small to medium company. Several of the issues addressed here will also be of interest to those managing a widely distributed AD deployment.

Active Directory Core Services (Operations Masters)

The first thing to understand about Microsoft Active Directory is that it is not simply a newer version of the Windows NT 4.0 domain model, even though it replaces it. Many people assume AD is just the NT 4.0 account and domain management services with a fresh coat of paint. In fact Active Directory introduces a completely new management model (an LDAP directory replicated between all domain controllers rather than a single writable primary) and keeps only superficial ties to the older NT domain way of doing things.

Making up the foundation of Active Directory are several services that perform essential housekeeping functions; Microsoft calls them the operations master roles (also known as FSMO roles, for Flexible Single Master Operations). Each role is held by exactly one domain controller at a time, which makes these roles the one exception to AD's otherwise multi-master design. All of them are critical to the long-term operation of AD, but some you can live without for short periods while you fix the problem. Although AD depends on these roles, most problems with them result from poor monitoring or human error rather than from the roles themselves. In daily use only a few (noted below) will cause you significant grief, depending on your network setup, and even basic periodic checkups tend to keep things running smoothly.

1. Schema Master – By far the most important role for the long-term health of your forest, the Schema Master is the single domain controller allowed to write changes to the schema: the definitions of object classes and attributes that every object in the forest must conform to. It does not control ordinary writes to the directory (any DC can create or modify users, groups and computers); it controls changes to the definitions themselves, and those changes are then replicated from the Schema Master to every other DC in the forest. There is exactly one Schema Master per forest. Keeping it healthy keeps future software installations that extend the schema (such as Exchange 2003 or 2007, or the adprep /forestprep step of upgrading to Server 2003 R2 or Server 2008) from failing. Unfortunately the role is exercised so rarely that problems tend to surface long after the Schema Master has run into trouble, making recovery difficult and sometimes impossible. I highly recommend regular checks with the command-line Active Directory tools Microsoft provides: netdom query fsmo to list the role holders, dcdiag to verify that every DC agrees on them and can reach them, and ntdsutil to transfer or seize the role if a holder is gone. Do this long before you see the dreaded "attempted schema modification failed" message.

2. Domain Naming Master – This forest-wide role controls the addition and removal of domains (and application directory partitions) in the AD forest, so it must be available whenever you run dcpromo to create or remove a domain. Like the Schema Master it works behind the scenes only when needed and is often neglected until it is too late. Most of the time you will never interact with it directly, but it is still a good idea to run periodic checks so that a broken Domain Naming Master does not surprise you on the day you finally need it. The same command-line tools (netdom query fsmo, dcdiag and ntdsutil) cover this role as well.

3. RID (Relative Identifier) Master – Every security principal in Active Directory (user, group or computer) is identified by a SID made up of the domain's SID plus a relative identifier (RID) that must be unique within the domain. Because any DC can create objects, there has to be one central authority handing out RIDs so they stay unique across the enterprise; that authority is the RID Master, one per domain. It gives each DC a pool of RIDs (500 by default) and tops the pool up when the DC asks for more. This is why the role can be offline for quite a while without anyone noticing: DCs keep creating accounts from the pools they already hold, and only when a pool runs dry and cannot be refilled does account creation come to a complete halt. Problems with the RID Master are therefore often found long after the damage has been done, so it is very important to check on this service periodically. Several years ago I had a friend call me about an error message that we tracked back to an AD controller that had failed several weeks before his call. As it turned out, that controller was his RID Master, and by the time he discovered what was causing the error "The directory service has exhausted the pool of relative identifiers" it was too late to restore from his last backup. In that case the only solution was to rebuild his entire domain, which thankfully was very small and did not contain many objects.

4. Primary Domain Controller Emulator (PDC) – Those who have had the pleasure of managing a Windows NT 4.0 domain will remember the PDC vs. BDC (Backup Domain Controller) arrangement that used to drive system administrators nuts back in the day. Not surprisingly, Microsoft kept some of this functionality to provide backwards compatibility with older Windows systems: the PDC Emulator (one per domain) acts as the PDC toward NT 4.0 BDCs and down-level clients. What is less often discussed is that this role also provides much of what older (non-AD) Samba installations on Linux or other Unix systems need. It is not only a legacy shim, either: password changes are replicated to the PDC Emulator first and other DCs consult it before rejecting a logon with a bad password, it processes account lockouts, it is the DC that Group Policy edits are written to by default, and it is the authoritative time source for the domain (and, in the forest root domain, for the whole forest). Newer versions of Samba shipped with current Linux distributions are less affected by a missing PDC Emulator, but my experience has been that it is better to make sure those systems can reach this service regardless of what their documentation says is required. The most common problem when the role is unavailable is an inability to change passwords from older clients, with the error "Unable to change password on this account. Please contact your system administrator." Thankfully troubleshooting the PDC Emulator is easy: it is either running or it isn't, and you can transfer the role to another DC, or seize it if the old holder is gone for good (more on this later).

5. Infrastructure Master – This per-domain role keeps cross-domain references up to date. When an object in another domain is renamed or moved, the Infrastructure Master of your domain updates the local placeholder records that refer to it, such as the membership entries of a local group that contains users from another domain, and those corrections then replicate to the other DCs in the domain. Losing this role does not break replication; the symptom is stale references, for example users from other domains showing up in group memberships under an old name or as a raw SID. In a single-domain forest, or when every DC is also a global catalog, the role has nothing to do. The one caveat that bites people: in a multi-domain forest the Infrastructure Master must not be placed on a global catalog server unless all DCs in the domain are global catalogs, otherwise it never notices the stale references it is supposed to fix. Basic monitoring will catch this, since the role holder logs a warning about the condition in its Directory Service event log, and dcdiag will tell you whether every DC agrees on who holds the role.
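Putting the checks from the five roles above into one script, here is an added PowerShell health check (example code, not part of the original article). It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, PowerShell 3.0 or later), a domain-joined machine with Domain Admin rights, and that dcdiag.exe and repadmin.exe are on the path (Support Tools on Server 2003, built in from Server 2008). The 90% RID-space threshold is an arbitrary choice for the example.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module (Windows Server 2008 R2 / RSAT or later, PowerShell 3.0+), run from a
# domain-joined machine as a Domain Admin, with dcdiag.exe and repadmin.exe on the
# path (Server 2003 Support Tools, or built in from Server 2008).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (one holder per forest); three are per-domain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# 1. Is every role holder a DC that still answers? A holder that has been dead
#    for weeks is exactly the RID Master scenario described above.
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $alive  = Test-Connection -ComputerName $holder -Count 1 -Quiet
    '{0,-22} {1,-35} reachable={2}' -f $role, $holder, $alive
    if (-not $alive) { Write-Warning "$role holder $holder is not responding" }
}

# 2. Does every DC agree on who holds the roles, and can it reach them?
#    KnowsOfRoleHolders/FsmoCheck catch the stale-role-holder case; RidManager
#    confirms this DC can obtain a fresh RID pool from the RID Master.
dcdiag /test:KnowsOfRoleHolders /test:FsmoCheck /test:RidManager

# 3. Replication health across all DCs (the Infrastructure Master depends on
#    replication to distribute its fixes, not the other way round).
repadmin /replsummary

# 4. How much of the domain's RID space is left? rIDAvailablePool on the
#    RID Manager object packs two 32-bit numbers: the high half is the top of
#    the RID space (0x3FFFFFFF by default), the low half is the next RID that
#    will be handed out to a DC's pool.
$ridMgr = Get-ADObject "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                       -Properties rIDAvailablePool
$pool   = [int64]$ridMgr.rIDAvailablePool
$max    = [int64][math]::Floor($pool / [math]::Pow(2, 32))
$issued = [int64]($pool % [math]::Pow(2, 32))
'RIDs issued: {0} of {1} ({2:P1} of the space remaining)' -f $issued, $max, (($max - $issued) / $max)
if ($issued -gt 0.9 * $max) {   # 90% is an arbitrary threshold chosen for this example
    Write-Warning 'RID space nearly exhausted; expect "exhausted the pool of relative identifiers"'
}

# 5. Infrastructure Master placement: in a multi-domain forest it must not sit
#    on a global catalog unless every DC in the domain is a GC, or it silently
#    stops updating cross-domain references.
$imDc  = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGc = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($forest.Domains.Count -gt 1 -and $imDc.IsGlobalCatalog -and $nonGc) {
    Write-Warning ('Infrastructure Master {0} is a GC while {1} DC(s) are not; move the role to a non-GC DC' `
        -f $imDc.HostName, @($nonGc).Count)
}
```

Run it from a scheduled task or as part of your weekly checks; the two Write-Warning conditions (an unreachable role holder, RID space nearly gone) are the ones that turn into the errors quoted in the sections above if they are left alone. Transferring or seizing a role when a holder turns out to be dead is done with ntdsutil, as the article covers later.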
