
Active Directory

Operations Masters

Overview

- Active Directory updates are generally multimaster: a change can be made on any DC and replicates outward from there.
- Some updates are exceptions and are single-master. For these it is better to prevent a conflict than to resolve it later, e.g. schema updates.
- The exceptions are managed by Operations Masters, also called Flexible Single-Master Operation (FSMO) roles.

Operations Master Roles

Five roles in total.

Two forest-wide roles (one holder per forest):
- Schema master
- Domain naming master

Three domain-wide roles (one holder per domain):
- Relative Identifier (RID) master
- Primary Domain Controller (PDC) Emulator
- Infrastructure master


Schema Master

- Responsible for schema updates: the only DC that can process them.
- After an update, replicates the changes to the other DCs.
- If this operations master is unavailable, no schema changes can be made (normal directory operation is unaffected).

Domain Naming Master

- Responsible for changes to the set of naming contexts, recorded in the Partitions container of the configuration naming context:
  - adding and removing domains
  - adding and removing cross-references to domains in external directories
- After an update, replicates to the other DCs.
- If unavailable, domains cannot be added or removed.
- On Windows 2000 the domain naming master must also be a global catalog server (the requirement was dropped at the Windows Server 2003 forest functional level).
- Rarely exercised in a single-domain forest, since there are no domains to add or remove.

RID Master

- Every security principal (e.g. user, group, computer) has a unique security identifier (SID).
- A SID consists of the domain SID plus a relative identifier (RID) that is unique within the domain.
- The RID master allocates each DC a pool of RIDs; when a DC's pool falls below a threshold it requests additional RIDs from the RID master.
- The RID master also controls moving objects out of this domain into another domain.
- Without a RID master, a DC that exhausts its pool can no longer create new security principals (users, groups, etc.); DCs that still have RIDs left carry on.

Infrastructure Master

- An object in one domain that references an object in another domain stores the referenced object's GUID, SID and DN, e.g. a group in one domain containing a user or group from another domain.
- The infrastructure master updates the SID and DN in such cross-domain references when the referenced object moves or is renamed (the GUID never changes).
- In a multiple-domain forest the role must not be held by a global catalog server, unless every DC in the domain is a global catalog server. A GC already holds a partial replica of every object in the forest, so it never notices a stale reference and never issues the updates.
- Not a problem in a single-domain forest (there are no cross-domain references).

PDC Emulator

Mixed mode (NT 4.0 BDCs still present):
- Acts as the NT PDC to NT BDCs.
- Supports Netlogon replication to the BDCs.

Native and mixed modes:
- Password changes are replicated preferentially (urgent replication) to the PDC emulator.
- An authentication failure due to a bad password at another DC is forwarded to the PDC emulator before the logon fails completely, so a password changed moments ago still works.
- Manages password changes from Windows 95, 98 and NT clients.

PDC Emulator cont.

Native and mixed modes:
- By default, the Group Policy snap-in connects to the PDC emulator when editing a GPO.
- This reduces the potential for Group Policy replication conflicts.
- The default can be changed.

PDC Emulator cont.

Miscellaneous:
- All DCs in a domain synchronize their clocks to the PDC emulator.
- In a multi-domain forest, the PDC emulator of each domain synchronizes with the PDC emulator of the forest root domain.
- The PDC emulator of the forest root domain is therefore the top of the forest's time hierarchy and should be synchronized to an external time source. Time matters for security: Kerberos rejects tickets whose timestamps differ from the DC's clock by more than the skew tolerance (five minutes by default).
- Acts as the Domain Master Browser.
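The time hierarchy described above, as an added example (not from the original slides): only the forest root PDC emulator is pointed at an external source, every other DC follows the domain hierarchy. The w32tm /config syntax is Windows Server 2003 and later (Windows 2000 used net time /setsntp:); the NTP pool hostnames and dc1.corp.example are placeholders.

```powershell
# Added example, not from the original slides. Makes the forest root PDC
# emulator the only DC that talks to an external time source and lets every
# other DC (including child-domain PDC emulators) follow the domain hierarchy.
# w32tm /config is Windows Server 2003+ syntax; hostnames are placeholders.

# --- On the PDC emulator of the forest root domain only. ---
# 0x8 = client mode; /reliable:yes advertises this DC as a reliable time source
# so the rest of the hierarchy will accept it.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync

# --- On every other DC. ---
# domhier = take time from the domain hierarchy, which leads up to the forest
# root PDC emulator. Do not give these DCs an external peer list of their own;
# two independent sources in one forest are how clocks drift apart.
w32tm /config /syncfromflags:domhier /update
w32tm /resync

# --- Checks, run on any DC. ---
# Kerberos rejects tickets more than five minutes (default skew tolerance) away
# from the DC's clock, so an offset anywhere near that is an outage in waiting.
w32tm /query /source                                                 # which peer this DC follows
w32tm /query /status                                                 # stratum, last sync, offset
w32tm /stripchart /computer:dc1.corp.example /samples:3 /dataonly    # offset against another DC
```

If the PDC emulator role is later transferred, repeat the first section on the new root holder and switch the old one back to domhier; the hierarchy is tied to the role, not to the machine.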

Default Placement of Roles

- The first DC in a forest holds all five roles.
- The first DC in a new domain within an existing forest holds all three domain roles:
  - RID master
  - Infrastructure master
  - PDC emulator

Guidelines for the Placement of Roles

- Keep the schema master and domain naming master roles on the same DC; that DC should also be a global catalog server.
- Put the RID master and PDC emulator roles on the same DC.
- In a multi-domain forest, the infrastructure master must not be a global catalog server, but should have a good connection to one.

Guidelines for the Placement of Roles cont.

Single-domain forest:
- Keep all five roles on the same DC, which should also be a global catalog server.

Multiple-domain forest:
- Move the infrastructure master role to a DC that is not a global catalog server.

Determining Role Placement

- Replication Monitor (Support Tools on the Windows 2000 Server CD): easiest, shows all five roles.
- Active Directory Users and Computers: PDC emulator, infrastructure master, RID master.
- Active Directory Domains and Trusts: domain naming master.
- Active Directory Schema snap-in: schema master. NB Schmmgmt.dll must be registered (regsvr32 schmmgmt.dll) before first use.
- Dumpfsmos (Resource Kit).
- NTDSUTIL: command line tool included with Windows 2000 Server.
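The tools listed above are the Windows 2000 ones. As an added example that is not part of the original slides, the following script does the same job with the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT and later): it reads the five role holders from the fSMORoleOwner attribute of the objects that actually record them, compares with what Get-ADForest and Get-ADDomain report, and then tests the placement guidelines from the two preceding slides. The domain naming master GC check reflects the Windows 2000 guidance on the slide; the infrastructure master check applies the "unless every DC in the domain is a GC" exception. It assumes the current user can read the configuration and domain partitions of the domain it is run in.

```powershell
# Added example, not code from the original slides. Needs the ActiveDirectory
# module; run it logged on to the domain whose roles you want to check.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$domain  = Get-ADDomain

# 1. Read the roles where the directory stores them. Each role is recorded as
#    the fSMORoleOwner attribute of one object; its value is the DN of the
#    holder's NTDS Settings object:
#    CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
$roleObjects = [ordered]@{
    'Schema master'         = $rootDse.schemaNamingContext
    'Domain naming master'  = 'CN=Partitions,' + $rootDse.configurationNamingContext
    'PDC emulator'          = $domain.DistinguishedName
    'RID master'            = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    'Infrastructure master' = 'CN=Infrastructure,' + $domain.DistinguishedName
}
foreach ($role in $roleObjects.Keys) {
    $ntds   = (Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
    $server = ($ntds -split ',')[1] -replace '^CN='
    $site   = ($ntds -split ',')[3] -replace '^CN='
    '{0,-22} {1} (site {2})' -f $role, $server, $site
}

# 2. The same answer as FQDNs from the forest and domain objects; used below.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders

# 3. The placement guidelines from the slides, expressed as checks.
$findings = @()
$dcs   = Get-ADDomainController -Filter *                 # DCs of this domain only
$nonGc = $dcs | Where-Object { -not $_.IsGlobalCatalog }
# Forest-wide role holders may live in another domain, so ask the holder itself.
$isGc  = { param($fqdn) (Get-ADDomainController -Identity $fqdn -Server $fqdn).IsGlobalCatalog }

if ($holders.SchemaMaster -ne $holders.DomainNamingMaster) {
    $findings += 'Schema master and domain naming master should be on the same DC'
}
if (-not (& $isGc $holders.DomainNamingMaster)) {
    $findings += 'Domain naming master is not a global catalog server (required on Windows 2000)'
}
if ($holders.RIDMaster -ne $holders.PDCEmulator) {
    $findings += 'RID master and PDC emulator should be on the same DC'
}
if ($forest.Domains.Count -gt 1 -and (& $isGc $holders.InfrastructureMaster) -and $nonGc) {
    # A GC never sees stale cross-domain references, so it never fixes them.
    $findings += "Infrastructure master $($holders.InfrastructureMaster) is a GC while " +
                 "$(@($nonGc).Count) DC(s) in $($domain.DNSRoot) are not: cross-domain references will go stale"
}
if (-not $findings) { 'Placement follows the guidelines' } else { $findings }
```

Step 1 and step 2 should agree; if they do not, a DC you are talking to has not yet received the replication of a recent transfer or seizure, which is worth knowing before you act on either answer.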

User Rights to Change Roles

- By default, only certain groups have the right to change role holders:
  - Schema Admins: schema master
  - Enterprise Admins: domain naming master
  - Domain Admins: all domain role holders (RID master, PDC emulator, infrastructure master)
- NB By default, the Administrator of the forest root domain is a member of all these groups.

Modifying Permissions to Change Roles

- The right to transfer or seize a role is an extended (control access) right on the object that records the role: Change Schema Master on the schema container, Change Domain Master on the Partitions container, and Change PDC, Change RID Master and Change Infrastructure Master in the domain.
- ADSI Edit (Support Tools) allows all of these permissions to be changed.

Transferring Roles

- Transfer only when both the source and destination DCs are up and running.
- Domain-specific roles: Active Directory Users and Computers.
- Domain naming master: Active Directory Domains and Trusts.
- Schema master: Schema Manager (Active Directory Schema) snap-in.
- Any role: NTDSUTIL.

When to Transfer Roles

- Initial setup of a domain, e.g. in a multi-domain forest, move the infrastructure master off the global catalog server.
- Permanently demoting a DC: roles held by the DC are transferred automatically, but a manual transfer beforehand gives control over where they go.
- Temporarily taking down a DC:
  - probably unnecessary to transfer the schema master and domain naming master (little used); likewise the infrastructure master in a single-domain forest
  - always transfer the PDC emulator
  - it may be wise to transfer the RID master, but this is probably unnecessary for a short downtime

Seizing Roles

- Generally only seize when the original role holder has failed irrecoverably and will not be restored from backup.
- A seized schema master, domain naming master or RID master must never be brought back online: the former holder has to be reinstalled, otherwise two DCs claim the same role and, for the RID master, the same RID pools can be handed out twice.
- Exception: the PDC emulator role can fairly safely be seized (as can the infrastructure master); the original holder may later be returned to the network and the role transferred back. Strangely, this is also the role that you can least do without.
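The transfer-or-seize decision from the last three slides, as an added example that is not part of the original deck. It uses Move-ADDirectoryServerOperationMasterRole from the ActiveDirectory module (Windows Server 2008 R2 and later) rather than the Windows 2000 snap-ins; the equivalent NTDSUTIL command sequence is given in the comments. The function transfers when the current holder still answers an LDAP bind and refuses to seize unless the caller opts in, because for three of the five roles a seizure is a one-way door for the old holder. The DC hostnames in the usage lines are placeholders.

```powershell
# Added example, not code from the original slides.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string]$Role,
        [Parameter(Mandatory)][string]$Target,   # DC that should hold the role afterwards
        [switch]$AllowSeize                       # explicit opt-in: seizing is irreversible for some roles
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holder = if ($Role -in 'SchemaMaster', 'DomainNamingMaster') { $forest.$Role } else { $domain.$Role }

    # A transfer needs both DCs up, so try an LDAP bind to the current holder.
    $holderUp = $true
    try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop } catch { $holderUp = $false }

    if ($holderUp) {
        # NTDSUTIL equivalent:
        #   ntdsutil  ->  roles  ->  connections  ->  connect to server <Target>  ->  quit
        #             ->  transfer <role>  ->  quit  ->  quit
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $Target"
    }

    if (-not $AllowSeize) {
        throw "$holder does not answer LDAP, so $Role cannot be transferred. Re-run with -AllowSeize only if $holder will never return."
    }
    if ($Role -in 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster') {
        Write-Warning "After seizing $Role, $holder must never be reconnected without being reinstalled."
    }
    # NTDSUTIL equivalent: same connection steps, then "seize <role>" (ntdsutil
    # itself attempts a transfer first and seizes only when that fails).
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role for $Target (former holder $holder)"
}

# Usage (hostnames are placeholders):
#   Move-FsmoRole -Role PDCEmulator -Target dc2.corp.example               # planned downtime: transfer
#   Move-FsmoRole -Role RIDMaster   -Target dc2.corp.example -AllowSeize   # dc1 is gone for good: seize
```

After a seizure, confirm on a second DC that the new holder has replicated out before trusting it; a DC that has not yet seen the change will still answer with the old holder.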

References: Overview

- Managing Flexible Single-Master Operations (Windows 2000 Server Resource Kit)
  http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/default.asp?PP=/windows2000/techinfo/reskit/en/toc/w2rkbook-0-2-16.xml&tocPath=w2rkbook-0-2-16&URL=/windows2000/techinfo/reskit/en/distrib/dsbl_fsm_djnw.htm
- Windows 2000 Active Directory FSMO Roles (KB Q197132)
  http://support.microsoft.com/support/kb/articles/Q197/1/32.ASP

References: Placement

- Windows 2000 Active Directory FSMO Roles (KB Q197132)
  http://support.microsoft.com/support/kb/articles/Q197/1/32.ASP
- FSMO Placement and Optimization on Windows 2000 Domain Controllers (KB Q223346)
  http://support.microsoft.com/support/kb/articles/Q223/3/46.ASP

References: User Rights

- Setting User Rights for Designating FSMO Roles in an Enterprise (KB Q228776)
  http://support.microsoft.com/support/kb/articles/Q228/7/76.ASP

References: Determining Operations Masters

- How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles (KB Q297230)
  http://support.microsoft.com/support/kb/articles/Q297/2/30.ASP
- How to Find FSMO Role Holders (Servers) (KB Q234790)
  http://support.microsoft.com/support/kb/articles/Q234/7/90.ASP

References: Transferring and Seizing Roles

- How to View and Transfer FSMO Roles in the Graphical User Interface (KB Q255690)
  http://support.microsoft.com/support/kb/articles/Q255/6/90.ASP
- Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller (KB Q255504)
  http://support.microsoft.com/support/kb/articles/Q255/5/04.ASP
- How to Change the Role Owner of the Operations Master After a Successful Seizure (KB Q283595)
  http://support.microsoft.com/support/kb/articles/Q283/5/95.ASP
