70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 8: Active Directory Operations Masters
Guide to MCSE 70-294, Enhanced 2
Objectives
• Describe the forest-wide operations master roles and where they should be placed
• Describe the domain-wide operations master roles and where they should be placed
• Describe the process of transferring and seizing roles from operations masters
Forest-wide Roles
• Certain operations can only be performed by a single domain controller in the entire forest
• Forest-wide FSMO roles:
  • Schema master
  • Domain naming master
• Can be located on different domain controllers
  • Most often located on the same domain controller
  • Easier management
Schema Master
• Allowed to make modifications to Active Directory schema
• Has writable copy of schema naming context for entire forest
• Changes replicated to other domain controllers
  • Using standard, non-urgent replication
Schema Master - Placement
• Assigned to first domain controller in forest
  • Additional load is negligible
• Often left on first domain controller in forest without any issues
• May be necessary to move
  • If server is frequently unavailable
Schema Master - Impact if Unavailable
• Users do not notice impact
• Network administrators most likely do not notice loss
  • Unless they are attempting to modify schema
Activity 8-1: Identifying the Schema Master of a Forest
• Objective: Learn how to use the Active Directory Schema snap-in to identify the schema master of a forest
• Follow instructions to identify schema master
Identifying the Schema Master of the Forest
Domain Naming Master
• Every domain must have a unique name
• Adds domains to forest
  • Ensures name is unique
• Removes domains from forest
Domain Naming Master - Placement
• Assigned to first domain controller in forest
  • Additional load negligible
• Forest functional level of Windows 2000:
  • Only place on global catalog server
• Forest functional level of Windows Server 2003:
  • Not necessary to place on global catalog server
Domain Naming Master - Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice loss
  • Unless they are attempting to add or remove a domain from the forest
Domain-wide Roles
• Some operations can only be performed by a single domain controller in the domain
• Domain-wide FSMO roles:
  • PDC emulator
  • RID master
  • Infrastructure master
Domain-wide Roles – Placement Options
• All three reside on one domain controller
• All three reside on different domain controllers
• Any combination of:
  • Two of the roles on one domain controller
  • Third role on its own domain controller
• A domain controller may even hold both domain-wide roles and forest-wide roles
PDC Emulator
• Acts as Windows NT 4.0 PDC for domain
  • Replicates appropriate change(s) to Windows NT 4.0 BDCs in domain
• Responsible for performing operations for client workstations running:
  • Windows NT 4.0 Workstation
  • Windows 98
PDC Emulator (continued)
• Used for synchronizing system clock
• Password updates preferentially replicated to PDC emulator
PDC Emulator - Placement
• Assigned to first domain controller in every new domain
• Should be highly available
  • Needs additional processing power for PDC emulator in a large domain
  • Or do not place on global catalog server
• Centrally located on network
PDC Emulator - Impact if Unavailable
• Users may notice impact
  • Validation of user passwords may randomly pass or fail
• Replication of updates to Windows NT 4.0 BDCs will not occur
RID Master
• Each security principal has its own unique security identifier (SID)
  • Made up of:
    • SID of domain
    • Relative identifier (RID)
• RID is unique for every security principal in domain
• RID master
  • Allocates blocks of RIDs to domain controllers
RID Master (continued)
• Responsible for moving objects between domains to prevent object duplication
  • Move object to new domain
  • Then delete it from old domain
RID Master - Placement
• Assigned to first domain controller in every new domain
• Additional load negligible
• Highly available
• Locate in site where most new security principals are created
RID Master - Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice loss
  • Unless they are attempting to create many security principals
  • Domain controller runs out of RIDs
Infrastructure Master
• Updates object references in its domain that point to objects located in another domain
• Updates distinguished name and SID if object moves within or between domains
• Object references contain:
  • GUID of object
  • Distinguished name of object
  • Possibly SID of object if it is a security principal
Infrastructure Master - Placement
• Forest with multiple domains:
  • Do not place on global catalog server
  • Do locate in site that contains a global catalog server
• Assigned to first domain controller in every new domain
• Does not place much additional load
Infrastructure Master - Impact if Unavailable
• Users typically do not notice any impact
• Network administrators may notice that group membership does not appear to be updated
  • User accounts may appear with incorrect names in group's membership list
Activity 8-3: Identifying the Domain-wide FSMO Role Holders
• Objective: Learn how to use the Active Directory Users and Computers console to identify the PDC emulator, RID master, and infrastructure master of a domain
• Follow instructions to view masters
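The same identification done from the command line, as an added example that is not part of the textbook: it lists all five role holders and flags the placement the chapter warns against (infrastructure master on a global catalog server in a multi-domain forest). It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later RSAT, not with the Windows Server 2003 tools the activities use.

```powershell
# Added example (not from the textbook): list FSMO role holders and check placement.
# Assumes the ActiveDirectory module; on Windows Server 2003 the equivalent
# listing is "netdom query fsmo".
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from the forest object, domain-wide roles from the domain object.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}

foreach ($role in $roles.Keys) {
    $dc = Get-ADDomainController -Identity $roles[$role]
    '{0,-22} {1,-30} GC={2,-5} Site={3}' -f $role, $dc.HostName, $dc.IsGlobalCatalog, $dc.Site
}

# Placement check from the chapter: in a forest with multiple domains the
# infrastructure master must not be a global catalog server, or cross-domain
# references in this domain are never updated. The one exception is a domain in
# which every DC is a GC, since then no DC holds stale references.
$infra    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGcDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($forest.Domains.Count -gt 1 -and $infra.IsGlobalCatalog -and $nonGcDcs) {
    Write-Warning "Infrastructure master $($infra.HostName) is a global catalog server; move the role to a non-GC DC."
}
```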
Transferring and Seizing Roles
• May be necessary to transfer FSMO roles
  • Usually an orderly process
• May be situations where original role holder is permanently unavailable
  • Role will be seized by another domain controller
Transfer Roles
• Preferred method:
  • Perform transfer operation
• Both domain controllers must be available
  • Ensures no data loss occurs
• Administrator needs to be member of certain group
  • Depends on role being moved
Groups Authorized to Move FSMO Roles Between Domain Controllers
Activity 8-4: Transferring Domain-wide FSMO Roles
• Objective: Learn how to transfer the infrastructure master role to another domain controller
• Use Active Directory Users and Computers to transfer role
Seizing Roles
• Transfer when original role holder is unavailable
• Should only be done as a last step
• Any recent changes cannot be replicated
  • May be lost
• Original role holder cannot be informed that it no longer holds the role
• Never place server back on network unless it is formatted and Windows is reinstalled
Consequences of Bringing a Domain Controller Back Online After FSMO Role Seizure
Seizing Roles
• Methods:
  • Active Directory Users and Computers
    • Use only for PDC emulator or infrastructure master
  • NTDSUTIL
Activity 8-5: Using NTDSUTIL to Seize a FSMO Role
• Objective: Learn how to seize the infrastructure master role using NTDSUTIL
• Use NTDSUTIL to seize role
Seizing a FSMO Role Using NTDSUTIL
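Activities 8-4 and 8-5 carried out in one script, as an added example that is not part of the textbook: it transfers the infrastructure master role when the current holder still answers directory queries, and seizes it only when the holder is unreachable and the operator has explicitly allowed seizure, since the chapter lists seizure as a last step. The ActiveDirectory module, the server name and the switch name are assumptions; the NTDSUTIL line in the comment is the Activity 8-5 command sequence.

```powershell
# Added example (not from the textbook): transfer the infrastructure master,
# falling back to seizure only when the holder is unreachable AND -AllowSeize
# was given. Requires the ActiveDirectory module; $NewHolder is a placeholder.
param(
    [string]$NewHolder = 'DC2.example.local',
    [switch]$AllowSeize
)
Import-Module ActiveDirectory

$role          = 'InfrastructureMaster'
$currentHolder = (Get-ADDomain).InfrastructureMaster

# Reachability test is a directory query against the holder itself, not a ping:
# a DC that answers ICMP but not LDAP still cannot take part in a transfer.
try {
    $null = Get-ADDomain -Server $currentHolder -ErrorAction Stop
    $holderReachable = $true
} catch {
    $holderReachable = $false
}

if ($holderReachable) {
    # Orderly transfer: both DCs online, the role is handed over with no data loss.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
        -OperationMasterRole $role -Confirm:$false
    "Transferred $role from $currentHolder to $NewHolder"
}
elseif ($AllowSeize) {
    # Last resort: the old holder is never told it lost the role, so it must be
    # formatted and reinstalled before it returns to the network.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
        -OperationMasterRole $role -Force -Confirm:$false
    "Seized $role on $NewHolder; rebuild $currentHolder before reconnecting it"
}
else {
    throw "$currentHolder is unreachable; rerun with -AllowSeize to seize $role"
}

# NTDSUTIL equivalent of the seizure (Activity 8-5), passed as arguments so it
# runs unattended; NTDSUTIL itself attempts a transfer before it seizes:
#   ntdsutil roles connections "connect to server DC2" quit `
#       "seize infrastructure master" quit quit

# Confirm the holder the domain now reports.
(Get-ADDomain).InfrastructureMaster
```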
Summary
• Forest-wide operations master roles:
  • Schema master
  • Domain naming master
• Domain-wide operations master roles:
  • PDC emulator
  • RID master
  • Infrastructure master
• Roles can be transferred/seized and given to another domain controller