MOC PowerPoint slide deck template - Seneca
advertisement
1 Chapter 4 GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 2 UNDERSTANDING THE GLOBAL CATALOG Central repository for forest-wide data. Subset of attributes from objects forest-wide. First domain controller in the forest is automatically configured as a global catalog server. Other domain controllers can become global catalog servers. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES FUNCTIONS OF THE GLOBAL CATALOG Facilitate searches for objects in the forest Resolve User Principal Names (UPNs) Provide universal group membership information If the domain is in Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on. 3 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 4 UNIVERSAL GROUP MEMBERSHIP CACHING New for Microsoft Windows Server 2003. When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server. Refreshed on an eight-hour interval. Eliminates the need to place a global catalog server in a remote site to facilitate logons. Provides better logon performance. Can be used to minimize wide area network (WAN) link usage. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 5 LOGON PROCESS AND THE GLOBAL CATALOG Universal group membership is used in creation of the access control list (ACL) when the user logs on. Global catalog is used to verify universal group membership. Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled. Built-in Administrator account can logon, regardless of global catalog availability or the universal group membership caching configuration. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING 6 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 7 PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS There is additional global catalog replication traffic when a global catalog is configured. Additional hard disk space is required. Consider placing a global catalog server in each site or configure universal group membership caching for that site. Consider placing a global catalog server in each site where applications need to make global catalog queries. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ENABLING A GLOBAL CATALOG SERVER 8 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES Flexible Single Master Operations (FSMO) roles Assigned automatically to the first domain controller in a domain Roles can be transferred to other domain controllers Used to reduce conflict and facilitate communication concerning replication between domain controllers 9 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES FIVE FSMO ROLES Domain naming master Relative identifier (RID) master Infrastructure master Primary Domain Controller (PDC) emulator Schema master 10 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 11 DOMAIN-SPECIFIC ROLES RID master—Assigns RIDs to other domain controllers Infrastructure master—Allows security principals to be tracked between domains PDC emulator Backward compatibility with Microsoft Windows NT Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me) Time synchronization User account password change replication Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES DOMAIN-WIDE OPERATIONS MASTERS 12 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES RID MASTER Used when security principals are created RID makes the individual security principal security identifier (SID) unique within a domain Built-in RIDs are consistent between domains, for example, Built-in Administrator has a RID of 500 RID master gives other domain controllers RIDs to use when new objects are created 13 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 14 WHAT IF THE RID MASTER ISN’T AVAILABLE? Doesn’t affect existing users Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted Problems moving objects between domains Movetree.exe must be run on the RID master of the source domain. RID master of the target domain must also be available. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 15 INFRASTRUCTURE MASTER Manages user and group references for objects between domains Updates ACLs and group memberships as required Queries the global catalog to ensure that references are current Role should not be assigned to a global catalog server Exception 1: There is only a single domain in the forest Exception 2: All domain controllers are also global catalog servers Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 16 PDC EMULATOR Provides backward compatibility for pre–Windows 2000 client computers Acts as the PDC in Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network Acts as a central manager for user password changes, replication, and account lockouts Handles time synchronization Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 17 ALTERNATE TCP/IP ADDRESS CONFIGURATION Domain naming master Schema master These roles are assigned to only one domain controller in the entire forest Usually these roles are assigned to domain controllers in the forest root domain Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 18 DOMAIN NAMING MASTER Allows additions or removals of domains. Ensures domain names are unique in the forest. Domains cannot be added or removed if the domain naming master is not available. Enterprise Admins level access is required in order to add and remove domains. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 19 SCHEMA MASTER Controls access to the schema. Ensures modifications are replicated to all domain controllers in the forest. The schema cannot be modified if the schema master is not available. Schema Admins level access is required to modify the schema. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES PLACING FSMO SERVERS In a multi-domain environment, you’ll likely move some of the FSMO roles. Decisions on placing domain controllers involve. Number of domains that are a part of the forest Physical structure, including sites Number of domain controllers in each domain 20 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES DEFAULT FSMO ROLE ASSIGNMENTS 21 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ADJUSTING FSMO ROLES IN FOREST ROOT 22 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES 23 MANAGING FSMO ROLES What happens when a domain controller holding a given FSMO role fails? Transferring roles. Seizing roles. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES WHAT ARE THE IMPLICATIONS OF FAILURE? Schema master Domain naming master PDC emulator RID master Infrastructure master 24 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES MANAGING ROLES Active Directory Users And Computers RID master Infrastructure master PDC emulator Active Directory Domains And Trusts—domain naming master Microsoft Management Console (MMC) Schema snap-in—schema master Repadmin NTDSUtil—All roles 25 Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES SUMMARY Global catalog function Global catalog server placement Domain-wide operations masters Forest-wide operations masters Implications of FSMO failure Tools to manage FSMO roles 26
