A Course on Global Catalog And Flexible Single Master Operations (FSMO) Roles

Prepared for: *Stars*
New Horizons Certified Professional Course
Company Confidential
UNDERSTANDING THE
GLOBAL CATALOG
• Central repository for forest-wide data: a partial replica of every object in every domain of the forest (writable for the server's own domain, read-only for the others).
• Holds only a subset of each object's attributes, the partial attribute set, chosen for the attributes most often searched on.
• The first domain controller in the forest is automatically configured as a global catalog server.
• Other domain controllers can be made global catalog servers.
FUNCTIONS OF THE
GLOBAL CATALOG
• Facilitate searches for objects anywhere in the forest (queried over LDAP on TCP port 3268, or 3269 for LDAP over SSL/TLS)
• Resolve User Principal Names (UPNs) to the domain that holds the account at logon
• Provide universal group membership information
– Universal group membership is stored only in the global catalog, so if the domain is in Windows 2000 native functional level or later (the levels at which universal security groups exist), a domain controller needs global catalog information to complete a user logon.
UNIVERSAL GROUP
MEMBERSHIP CACHING
• New for Microsoft Windows Server 2003.
• When enabled for a site, domain controllers in that site that are not global catalog servers can process logons without contacting a global catalog server.
• The cache for a user is populated at that user's first logon, which still requires a reachable global catalog; after that it is refreshed on an eight-hour interval by default.
• Eliminates the need to place a global catalog server in a remote site just to support logons.
• Provides better logon performance.
• Can be used to minimize wide area network (WAN) link usage.
LOGON PROCESS AND
THE GLOBAL CATALOG
• Universal group membership is needed to build the user's access token (the list of SIDs that is later compared against access control lists) when the user logs on.
• The authenticating domain controller queries a global catalog to obtain the user's universal group memberships, because they are not stored in the domain partition.
• Users might be denied logon if no global catalog is available and universal group membership caching is not enabled.
• The built-in Administrator account can log on regardless of global catalog availability or the universal group membership caching configuration.
ENABLE UNIVERSAL GROUP
MEMBERSHIP CACHING
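The procedure behind the slide above, as an added example that is not part of the original course: enabling universal group membership caching for a site from PowerShell and reading the setting back. It assumes the ActiveDirectory module (RSAT) is installed and the account is an Enterprise Admin; the site names "Branch01" and "HQ" are illustrative, and the 0x20 bit of the nTDSSiteSettings options attribute is the documented caching flag (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) that the GUI check box sets.

```powershell
# Added example, not from the original course. Assumes the ActiveDirectory
# module; site names "Branch01" (remote site) and "HQ" (site whose global
# catalog seeds the cache) are illustrative.
Import-Module ActiveDirectory

function Enable-SiteUgmc {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [string] $RefreshFromSite   # site with a reachable GC; omit to let the DC pick the nearest site
    )
    $params = @{ Identity = $SiteName; UniversalGroupCachingEnabled = $true }
    if ($RefreshFromSite) { $params.UniversalGroupCachingRefreshSite = $RefreshFromSite }
    Set-ADReplicationSite @params
}

function Get-SiteUgmcStatus {
    # Reads the setting two ways: the cmdlet view and the raw "options" bit on the
    # site's NTDS Site Settings object (0x20, assumed to be the caching flag), so the
    # result can be cross-checked on older domain controllers without the site cmdlets.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
    foreach ($site in $sites) {
        $settingsDn = "CN=NTDS Site Settings,CN=$($site.Name),CN=Sites,$configNC"
        $settings = Get-ADObject -Identity $settingsDn -Properties options, 'msDS-Preferred-GC-Site'
        [pscustomobject]@{
            Site           = $site.Name
            CachingEnabled = [bool]$site.UniversalGroupCachingEnabled
            OptionsBitSet  = (([int]$settings.options) -band 0x20) -ne 0
            RefreshSite    = $site.UniversalGroupCachingRefreshSite
            RefreshSiteDn  = $settings.'msDS-Preferred-GC-Site'
        }
    }
}

Enable-SiteUgmc -SiteName 'Branch01' -RefreshFromSite 'HQ'
Get-SiteUgmcStatus | Format-Table -AutoSize
```

Setting a refresh site is worth doing explicitly: without it the domain controller refreshes the cache from whichever site it judges nearest by site link cost, which may not be the site whose WAN link you intended to use.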
PLANNING GLOBAL CATALOG
SERVER PLACEMENT CONSIDERATIONS
• Configuring a global catalog adds replication traffic, because the server must receive the partial attribute set of every object in every other domain of the forest.
• Place a global catalog server in each site, or configure universal group membership caching for the sites that do not get one, so that logons do not depend on a WAN link.
• Place a global catalog server in each site where applications need to make global catalog queries (applications that search the whole forest rather than a single domain).
ENABLING A GLOBAL
CATALOG SERVER
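The same operation as the slide above, added here as an example that is not part of the original course: making a domain controller a global catalog server from PowerShell and waiting until it actually advertises as one. It assumes the ActiveDirectory module and Enterprise Admin rights; "DC02" is an illustrative domain controller name, and the 0x1 bit of the NTDS Settings options attribute is the documented "is a global catalog" flag (NTDSDSA_OPT_IS_GC).

```powershell
# Added example, not from the original course. Assumes the ActiveDirectory
# module; "DC02" is an illustrative domain controller name.
Import-Module ActiveDirectory

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)] [string] $DcName)
    $dc = Get-ADDomainController -Identity $DcName
    # The GC flag is bit 0x1 of the "options" attribute on the DC's NTDS Settings
    # object; this is the attribute the Sites and Services check box writes.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options
    if (($current -band 1) -eq 0) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($current -bor 1) }
    }
}

function Test-GlobalCatalogReady {
    # A DC advertises as a GC only after it has replicated in the partial
    # partition of every domain; rootDSE exposes that as isGlobalCatalogReady.
    # Until then clients still get the old set of GCs from DNS.
    param([Parameter(Mandatory)] [string] $DcName, [int] $TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $root = Get-ADRootDSE -Server $DcName -Properties isGlobalCatalogReady
        if ("$($root.isGlobalCatalogReady)" -eq 'TRUE') { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

Enable-GlobalCatalog -DcName 'DC02'
if (Test-GlobalCatalogReady -DcName 'DC02') {
    # Port 3268 is the GC listener (3269 over SSL/TLS). A forest-wide query against
    # it proves the server answers with partial-attribute-set results.
    Get-ADUser -Filter 'userPrincipalName -like "*"' -Server 'DC02:3268' -ResultSetSize 5 |
        Select-Object UserPrincipalName, DistinguishedName
} else {
    Write-Warning 'DC02 has not finished replicating the partial partitions yet'
}
```

The command-line equivalent of Enable-GlobalCatalog is `repadmin /options DC02 +IS_GC`; the readiness check is the part people skip, and it matters because a server that has the flag set but is still replicating is not yet usable for the logon and UPN resolution functions listed earlier.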
UNDERSTANDING
FLEXIBLE SINGLE MASTER
OPERATIONS ROLES
• Flexible Single Master Operations (FSMO) roles
– Assigned automatically: the forest-wide roles go to the first domain controller in the forest, and the domain-wide roles go to the first domain controller promoted in each domain
– Roles can be transferred to other domain controllers
• Active Directory replication is multi-master, so a small number of operations in which two domain controllers making conflicting changes at the same time could not be reconciled afterwards (schema changes, adding domains, handing out RID pools, and so on) are instead performed by a single designated domain controller, the role holder
FIVE FSMO ROLES
• Domain naming master
• Relative identifier (RID) master
• Infrastructure master
• Primary Domain Controller (PDC) emulator
• Schema master
DOMAIN-SPECIFIC ROLES
• RID master—Allocates pools of RIDs to the other domain controllers in the domain
• Infrastructure master—Keeps references to security principals in other domains (for example, cross-domain group members) up to date
• PDC emulator
– Backward compatibility with Microsoft Windows NT Server 4.0 backup domain controllers and with pre–Windows 2000 client computers (Microsoft Windows 98 and Windows Me)
– Time synchronization
– Preferential replication of user account password changes
DOMAIN-WIDE
OPERATIONS MASTERS
RID MASTER
• Used when security principals are created
– The RID makes each security principal's security identifier (SID) unique within a domain: the SID is the domain SID followed by the RID
– Built-in RIDs are consistent between domains, for example, the built-in Administrator account always has a RID of 500
• The RID master allocates each domain controller a pool of RIDs (500 by default) to use when it creates new objects; a domain controller asks the RID master for a new pool when its current pool is about half used
WHAT IF THE RID MASTER
ISN’T AVAILABLE?
• Doesn’t affect existing users
• Might cause a problem when creating new objects (users, groups, computers) once the existing RID pool on the domain controller is depleted; domain controllers that still have RIDs keep working, so the failure shows up one domain controller at a time
• Problems moving objects between domains, because the RID master must be contacted to coordinate the move
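The check a practitioner wants at this point, added here as an example that is not part of the original course: reading each domain controller's remaining RID pool and the RID master's global pool, so a RID master outage is noticed before object creation starts failing. It assumes the ActiveDirectory module and the decoding documented for these attributes (rIDAllocationPool: low 32 bits = first RID of the pool, high 32 bits = last RID; rIDAvailablePool on the RID Manager$ object: high 32 bits = start of the next pool to hand out, low 32 bits = the RID ceiling). The "Remaining" figure is approximate because rIDNextRID records the most recently issued RID and is not replicated, which is why each DC is queried directly.

```powershell
# Added example, not from the original course. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    # Each DC keeps its pool in CN=RID Set under its own computer object.
    # rIDNextRID lives only on that DC (not replicated), so query each DC itself.
    param([string[]] $DcName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name))
    foreach ($name in $DcName) {
        $dc = Get-ADDomainController -Identity $name
        $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $name `
                               -Properties rIDAllocationPool, rIDNextRID
        $pool  = [int64]$ridSet.rIDAllocationPool
        $start = $pool -band 0xFFFFFFFF      # assumed: low 32 bits = first RID in the pool
        $end   = $pool -shr 32               # assumed: high 32 bits = last RID in the pool
        $last  = [int64]$ridSet.rIDNextRID   # most recently issued RID (name is misleading)
        $remaining = if ($last -ge $start -and $last -le $end) { $end - $last } else { $end - $start + 1 }
        [pscustomobject]@{
            DC        = $name
            PoolStart = $start
            PoolEnd   = $end
            LastRid   = $last
            Remaining = $remaining           # approximate; see lead-in
        }
    }
}

function Get-RidMasterStatus {
    $domain = Get-ADDomain
    $master = Get-ADDomainController -Identity $domain.RIDMaster
    $mgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
                        -Properties rIDAvailablePool
    $avail = [int64]$mgr.rIDAvailablePool
    [pscustomobject]@{
        RidMaster     = $master.HostName
        Reachable     = Test-Connection -ComputerName $master.HostName -Count 1 -Quiet
        NextPoolStart = $avail -shr 32            # assumed: high 32 bits
        RidCeiling    = $avail -band 0xFFFFFFFF   # assumed: low 32 bits
    }
}

Get-RidMasterStatus
Get-RidPoolStatus | Sort-Object Remaining | Format-Table -AutoSize
```

`dcdiag /test:RidManager /v` reports the same attributes in text form and is the quicker check on a single domain controller; the script is useful when you want to see which domain controllers will run out first while the RID master is down.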
INFRASTRUCTURE MASTER
• Manages references from objects in its domain to users and groups in other domains (stored locally as phantom records)
• Updates the name and SID held in those references, such as the member lists of domain local groups, when the referenced object in the other domain is renamed or moved
• Compares its references against the global catalog to ensure that they are current
• The role should not be assigned to a global catalog server: a global catalog already holds a copy of every object in the forest, so it never creates the phantom records the infrastructure master works from, and cross-domain references on the other domain controllers in the domain are then never updated
– Exception 1: There is only a single domain in the forest (no cross-domain references exist)
– Exception 2: All domain controllers in the domain are also global catalog servers (no phantom records exist anywhere)
PDC EMULATOR
• Provides backward compatibility for pre–Windows 2000 client computers
• Acts as the PDC at the Windows 2000 mixed functional level for any Windows NT Server 4.0 backup domain controllers (BDCs) that are present on the network
• Acts as the central point for password changes: a password change made on any domain controller is replicated to the PDC emulator immediately, and a domain controller that rejects a password retries it against the PDC emulator before failing the logon, so a user whose change has not replicated yet can still log on
• Acts as the central point for account lockouts: bad-password counts are forwarded to the PDC emulator so that lockout is evaluated domain-wide
• Handles time synchronization: the PDC emulator of each domain is the authoritative time source for that domain, and the forest root PDC emulator is the authoritative source for the forest (and the one to synchronize with an external time source)
FOREST-WIDE
OPERATIONS MASTERS
• Domain naming master
• Schema master
• These two roles are assigned to only one domain controller in the entire forest
• Usually these roles are assigned to domain controllers in the forest root domain
DOMAIN NAMING MASTER
• Allows additions or removals of domains.
• Ensures domain names are unique in the
forest.
• Domains cannot be added or removed if
the domain naming master is not
available.
• Enterprise Admins level access is required
in order to add and remove domains.
SCHEMA MASTER
• Controls access to the schema.
• Ensures modifications are replicated to all
domain controllers in the forest.
• The schema cannot be modified if the
schema master is not available.
• Schema Admins level access is required
to modify the schema.
PLACING FSMO SERVERS
• In a multi-domain environment, you’ll likely move some of the FSMO roles.
• Decisions on placing domain controllers involve:
– Number of domains that are a part of the forest
– Physical structure, including sites
– Number of domain controllers in each domain
DEFAULT FSMO ROLE
ASSIGNMENTS
ADJUSTING FSMO ROLES
IN FOREST ROOT
MANAGING FSMO ROLES
• What happens when a domain controller holding a given FSMO role fails?
• Transferring roles: done while both domain controllers are online; the role moves cleanly and the old holder knows it no longer has it.
• Seizing roles: done when the holder is permanently lost; the role is taken without the old holder's cooperation, so that domain controller must never be reconnected to the network unless it is first removed from Active Directory and rebuilt, otherwise two domain controllers believe they hold the same role.
WHAT ARE THE
IMPLICATIONS OF FAILURE?
• Schema master: the schema cannot be modified; no effect on users, so a short outage is normally harmless
• Domain naming master: domains cannot be added to or removed from the forest; no effect on users
• PDC emulator: the most visible failure; password changes propagate only by normal replication, the retry of rejected passwords against the PDC emulator stops, account lockout handling and time synchronization are affected, and any Windows NT 4.0 BDCs lose their PDC
• RID master: new security principals can still be created until each domain controller exhausts its local RID pool; moving objects between domains fails
• Infrastructure master: cross-domain group membership references show stale names after objects in other domains are renamed or moved; no effect in a single-domain forest
MANAGING ROLES
• Active Directory Users And Computers
– RID master
– Infrastructure master
– PDC emulator
• Active Directory Domains And Trusts—domain naming master
• Microsoft Management Console (MMC) Active Directory Schema snap-in—schema master (the snap-in must first be registered with regsvr32 schmmgmt.dll)
• Repadmin—verify replication health before and after moving a role
• NTDSUtil—transfer or seize all roles from the command line
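The tools above have a PowerShell counterpart, shown here as an added example that is not part of the original course: listing the current role holders, checking the infrastructure master placement rule from the earlier slide, and transferring or seizing roles. It assumes the ActiveDirectory module and the rights noted on the earlier slides (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest); "DC02" is an illustrative domain controller name.

```powershell
# Added example, not from the original course. Assumes the ActiveDirectory
# module; "DC02" is an illustrative domain controller name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule from the course: the infrastructure master must not be a global catalog
    # unless the forest has a single domain or every DC in the domain is a GC.
    # Returns $true when the placement is acceptable.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot
    $im  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if (-not $im.IsGlobalCatalog)       { return $true }   # normal case
    if ($forest.Domains.Count -eq 1)    { return $true }   # exception 1
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    return $allGc                                          # exception 2
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]] $Role,
        [switch] $Seize   # only when the current holder is permanently gone
    )
    # Without -Force the cmdlet transfers (both DCs must be online). With -Force it
    # tries a transfer first and seizes if that fails; after a seizure the old holder
    # must never be reconnected without being rebuilt.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

Get-FsmoRoleHolder
if (-not (Test-InfrastructureMasterPlacement)) {
    Write-Warning 'Infrastructure master is on a global catalog server in a multi-domain forest'
}
# Planned move of the domain-wide roles:
# Move-FsmoRole -TargetDc 'DC02' -Role PDCEmulator, RIDMaster, InfrastructureMaster
# Recovery after the schema master is lost for good:
# Move-FsmoRole -TargetDc 'DC02' -Role SchemaMaster -Seize
```

`netdom query fsmo` gives the same role list as Get-FsmoRoleHolder from the command line, and the NTDSUtil "roles" menu ("transfer schema master", "seize schema master", and so on) is the equivalent of Move-FsmoRole on a server without the PowerShell module.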
SUMMARY
• Global catalog function
• Global catalog server placement
• Domain-wide operations masters
• Forest-wide operations masters
• Implications of FSMO failure
• Tools to manage FSMO roles