Add to collection(s) Add to saved
  1. Business
  2. Management

Global Catalog and FSMO

advertisement 
A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
UNIT 3
Global Catalog & Flexible Single M t O
Master Operations (FSMO)
ti
(FSMO)
DPW
DPW
© Donna Warren
© 2005-2010
A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Topics for this Unit
• Functions
Functions of the Global Catalog of the Global Catalog
• Functions of Universal Group Membership Caching
Caching • The Five FSMO roles • Management of FSMO roles • Transfer and seizing of FSMO roles g
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Global Catalog
• Critical component of Active Directory
Acts as a central repository by holding
• Acts as a central repository by holding
– A complete copy of objects from the host server’s local domain
– A partial copy of objects from other domains within the same forest
• U
Used for logon, object searches, and universal group df l
bj t
h
d i
l
memberships
• By default, the first domain controller installed in the By default the first domain controller installed in the
forest root domain is designated as a global catalog server • Any or all domain controllers in a domain can be DPW
DPW
designated as global catalog server © Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Global Catalog
• Where you put the global catalog depends on
– The speed and reliability of the WAN link
h
d d li bili
f h
li k
– The amount of traffic that will be generated by replication
li ti
– The size of the global catalog database
• Active Directory searches are automatically sent h
ll
to TCP port 3268 • Global catalogs are identified by DNS through Gl b l t l
id tifi d b DNS th
h
SRV records (global catalog, or _gc, service)
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Universal Group Membership Caching
p
p
g
• Server 2003 and Windows Server 2008
• Used for sites that do not have a global catalog Used for sites that do not have a global catalog
server available
g p
p
• Stores universal group memberships on a local domain controller so no global catalog is needed provided – The user successfully logged on at some point
– Universal group caching was turned on
• Enabled on a per‐site basis
• By default, cache is refreshed every eight hours
• If caching not available and link down, can’t login
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Adding a Global Catalog Server
• Use Active Directory Sites and Services from the Administrative Tools folder
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Enabling Univ Group Membership Caching
• Use Active Directory Sites and Services
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
FSMO Roles
• First domain controller in a new forest h ld b th f th f
holds both of the forest‐wide FSMOs and t id FSMO
d
the three domain‐wide FSMOs
• Flexible Single Master Operations (FSMO) roles
– Relative Identifier Master – Infrastructure Master
– Primary Domain Controller (PDC) Emulator
– Domain Naming Master
Domain Naming Master
– Schema Master
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
FSMO Roles
• Relative Identifier (RID) Master
– One per domain
p
– Responsible for assigning relative identifiers to domain controllers in the domain
– Relative identifiers are variable‐length numbers assigned by a domain controller when a new object is created
object is created
• Infrastructure Master
–O
One per domain
d
i
– Responsible for reference updates to other domains
domains – Assists in tracking which domains own which objects
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
FSMO Roles
• PDC Emulator
– one per domain
one per domain
– Provides backward compatibility with Microsoft Windows NT 4.0 domains and other down‐level clients
– Manages account lockouts
– Manages time synchronization for the domain
– Managers password changes and replicates Managers password changes and replicates
immediately
– Managing edits to Group Policy Objects (GPO)
• Schema Master
– One per forest
– Responsible for managing changes to the Active Directory schema
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
FSMO Roles
• Domain Naming Master
– One per forest
O
f
t
– Has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest
– When any of these is created, the Domain Naming Master ensures that the name assigned is unique to the forest
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
MANAGING FSMO ROLES
• Active Directory Users And Computers
– RID master
– Infrastructure master
– PDC emulator
• Active
Active Directory Domains And Trusts
Directory Domains And Trusts—domain
domain naming master
• Microsoft
Microsoft Management Console (MMC) Schema Management Console (MMC) Schema
snap‐in—schema master
• Repadmin
• NTDSUtil—All roles
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Managing FSMO Roles
• Role seizure ‐ Used only when you have experienced a failure of a domain
experienced a failure of a domain controller that holds a FSMO role and you forced an ungraceful transfer
forced an ungraceful transfer
– Use the ntdsutil command to access the fmso maintenance prompt and use the seize
maintenance prompt and use the seize command
• Role
Role transfer ‐
transfer Used to move a FSMO role Used to move a FSMO role
gracefully from one domain controller to another
another DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Transferring Schema Master FSMO Role
• Open the Active Directory Schema snap‐in
• Right‐click Active Directory Schema from the console tree and select Change Operations Master
• Remember that before you can access the y
Active Directory Schema snap‐in, you need g
g
g
to register the schmmgmt.dll DLL file using the following syntax
regsvr32 schmmgmt.dll
regsvr32 schmmgmt.dll
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
FAILURE
• Schema master – can’t change the schema but has no effect on users
but has no effect on users
• Domain naming master – can’t add or delete domains
• PDC emulator – users that logon through the PDC emulator will not be able to log on
• RID master – can’t move objects from one domain to another and if all the RIDs are used up you can’tt create new objects
used up you can
create new objects
• Infrastructure master – the active directory database can become corrupted
directory database can become corrupted
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Summary
• The global catalog server acts as a central repository for Active Directory by holding
repository for Active Directory by holding – Complete copy of all objects within its local domain
domain – Copy of all objects from other domains within the same forest
• The global catalog has three main functions
– Do searches for objects in the forest
– Resolve UPN names
– Provide universal group membership information
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Summary
• A global catalog should be placed in each site when possible
site when possible. • If not possible, universal group membership caching can be enabled for b h
h
b
bl d f
the site to facilitate logon requests
• Global catalog placement
– Speed and reliability of the WAN link
– Amount of traffic that will be generated by replication
– Size of the global catalog database
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Summary
• Operations master roles are assigned to domain controllers to perform single‐master
domain controllers to perform single
master operations
• The Schema Master and Domain Naming The Schema Master and Domain Naming
Master roles are forest‐wide.
– Every forest must have one and only one of Every forest must have one and only one of
each of these roles
• The RID Master, PDC Emulator, and The RID Master PDC Emulator and
Infrastructure Master roles are domain‐wide
– Every domain must have only one of each Every domain must have only one of each
of these roles
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Summary
• FSMO roles can be managed in two ways: – Role transfer Role transfer ‐ Transfer a FSMO role to other Transfer a FSMO role to other
domain controllers in the domain or forest to
• balance the load among domain controllers balance the load among domain controllers
• accommodate domain controller maintenance and hardware upgrades – Role seizure ‐ Seize a FSMO role assignment when a server holding the role fails and you do not intend to restore it • Seizing a FSMO role is a drastic step that should be considered only if the current FSMO h ld b
id d l if th
t FSMO
role holder will never be available again
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Summary
• Use repadmin to check the status of the update sequence numbers (USNs) when d
b (USN ) h
seizing the FSMO role from the current role holder
l h ld
• Use ntdsutil to actually perform a seizure of the FSMO role
DPW
DPW
© Donna Warren © 2005‐2010 A
C
T
I
V
E
D
I
R
E
C
T
O
R
Y
Lab 4
• Create a Global Catalog Failure
• Enable Universal Group Membership Caching
• Transfer FSMO Roles DPW
DPW
© Donna Warren © 2005‐2010
Related documents
AUTOMATIC WATER BILL PAYMENT REQUEST
AUTOMATIC WATER BILL PAYMENT REQUEST
1. pa state police criminal check
1. pa state police criminal check
The Village of Corinth DPW, along with Eastside Recycling, will be
The Village of Corinth DPW, along with Eastside Recycling, will be
Capital Works Management Framework compliance checklist
Capital Works Management Framework compliance checklist
1. pa state police criminal check
1. pa state police criminal check
How to resolve DPW liens
How to resolve DPW liens
Electronics Recycling 2014
Electronics Recycling 2014
OCYF Policy Day Presentation
OCYF Policy Day Presentation
Seizing FSMO Roles http://www.petri.co.il/seizing_fsmo_roles.htm 1
Seizing FSMO Roles http://www.petri.co.il/seizing_fsmo_roles.htm 1
Download
advertisement