Domain-wide Roles

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 8: Active Directory Operations Masters
Objectives
• Describe the forest-wide operations master roles and where they should be placed
• Describe the domain-wide operations master roles and where they should be placed
• Describe the process of transferring and seizing roles from operations masters
Guide to MCSE 70-294, Enhanced
2
Forest-wide Roles
• Certain operations can only be performed by a single domain controller in the entire forest
• Forest-wide FSMO (flexible single master operations) roles:
  • Schema master
  • Domain naming master
• Can be located on different domain controllers
• Most often located on the same domain controller
  • Easier management
Schema Master
• Allowed to make modifications to the Active Directory schema
• Has the writable copy of the schema naming context for the entire forest
• Changes replicated to other domain controllers
  • Using standard, non-urgent replication
Schema Master - Placement
• Assigned to the first domain controller in the forest
• Additional load is negligible
  • Often left on the first domain controller in the forest without any issues
• May be necessary to move
  • If the server is frequently unavailable
Schema Master - Impact if Unavailable
• Users do not notice impact
• Network administrators most likely do not notice loss
  • Unless they are attempting to modify the schema
Activity 8-1: Identifying the Schema Master of a Forest
• Objective: Learn how to use the Active Directory Schema snap-in to identify the schema master of a forest
• Follow instructions to identify the schema master
Identifying the Schema Master of the Forest
(Figure slide; the image is not included in this text.)
Domain Naming Master
• Every domain must have a unique name
• Adds domains to the forest
  • Ensures the name is unique
• Removes domains from the forest
Domain Naming Master Placement
• Assigned to the first domain controller in the forest
• Additional load negligible
• Forest functional level Windows 2000:
  • Place only on a global catalog server
• Forest functional level Windows Server 2003:
  • Not necessary to place on a global catalog server
Domain Naming Master Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice loss
  • Unless they are attempting to add or remove a domain from the forest
Domain-wide Roles
• Some operations can only be performed by a single domain controller in the domain
• Domain-wide FSMO roles:
  • PDC emulator
  • RID master
  • Infrastructure master
Domain-wide Roles – Placement Options
• All three reside on one domain controller
• All three reside on different domain controllers
• Any combination of:
  • Two of the roles on one domain controller
  • Third role on its own domain controller
• A domain controller may even hold domain-wide roles and forest-wide roles
PDC Emulator
• Acts as the Windows NT 4.0 PDC for the domain
  • Replicates appropriate changes to Windows NT 4.0 BDCs in the domain
• Responsible for performing operations for client workstations running:
  • Windows NT 4.0 Workstation
  • Windows 98
PDC Emulator (continued)
• Used for synchronizing system clocks
• Password updates preferentially replicated to the PDC emulator
PDC Emulator - Placement
• Assigned to the first domain controller in every new domain
• Should be highly available
• In a large domain, the PDC emulator needs additional processing power
  • Or do not place it on a global catalog server
• Centrally located on the network
PDC Emulator - Impact if Unavailable
• Users may notice impact
  • Validation of user passwords may randomly pass or fail
• Replication of updates to Windows NT 4.0 BDCs will not occur
RID Master
• Each security principal has its own unique security identifier (SID)
  • Made up of:
    • SID of the domain
    • Relative identifier (RID)
• RID is unique for every security principal in the domain
• RID master
  • Allocates blocks of RIDs to domain controllers
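A worked look at the SID layout this slide describes, added here as an example that is not part of the textbook: it uses the .NET SecurityIdentifier class to split a SID into the domain SID and the RID, and to check whether two SIDs belong to the same domain. Every SID value below is constructed for illustration and does not belong to any real domain.

```powershell
# Added example, not from the textbook. Splits a SID into the domain SID and
# the RID, and compares the domain parts of two SIDs. SID values are constructed.

function Split-Sid {
    param([Parameter(Mandatory = $true)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # AccountDomainSid is the S-1-5-21-... prefix shared by every principal in
    # the domain; it is $null for SIDs that are not domain account SIDs (BUILTIN etc.)
    $domainSid = $null
    if ($sid.AccountDomainSid -ne $null) { $domainSid = $sid.AccountDomainSid.Value }

    # The last sub-authority is the RID, taken from a block the RID master
    # allocated to the domain controller that created the object
    $rid = [int64]($SidString.Split('-')[-1])

    $obj = New-Object PSObject
    $obj | Add-Member -MemberType NoteProperty -Name Sid       -Value $sid.Value
    $obj | Add-Member -MemberType NoteProperty -Name DomainSid -Value $domainSid
    $obj | Add-Member -MemberType NoteProperty -Name Rid       -Value $rid
    # RIDs below 1000 are reserved for well-known principals (500 = Administrator,
    # 512 = Domain Admins); the RID master hands out blocks from 1000 upward
    $obj | Add-Member -MemberType NoteProperty -Name IsWellKnown -Value ($rid -lt 1000)
    $obj
}

function Test-SameDomain {
    param([string]$SidA, [string]$SidB)
    $a = New-Object System.Security.Principal.SecurityIdentifier($SidA)
    $b = New-Object System.Security.Principal.SecurityIdentifier($SidB)
    # IsEqualDomainSid compares only the domain portion and ignores the RID
    $a.IsEqualDomainSid($b)
}

# Constructed sample SIDs (not real domains)
$userInDomainA   = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
$adminsInDomainA = 'S-1-5-21-1111111111-2222222222-3333333333-512'
$userInDomainB   = 'S-1-5-21-1444444444-1555555555-1666666666-1106'
$builtinAdmins   = 'S-1-5-32-544'

foreach ($s in $userInDomainA, $adminsInDomainA, $userInDomainB, $builtinAdmins) {
    Split-Sid $s | Format-List Sid, DomainSid, Rid, IsWellKnown
}

# Same domain SID, different RID: two principals of one domain
Test-SameDomain $userInDomainA $adminsInDomainA
# Same RID (1106) under a different domain SID: two unrelated principals,
# which is why a RID only has to be unique within its own domain
Test-SameDomain $userInDomainA $userInDomainB
```

The same RID value appearing in two domains is exactly the case the slide's "unique within the domain" wording covers; the domain SID, not the RID alone, is what makes the full SID unique across the forest.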
RID Master (continued)
• Responsible for moving objects between domains to prevent object duplication
  • Moves the object to the new domain
  • Then deletes it from the old domain
RID Master - Placement
• Assigned to the first domain controller in every new domain
• Additional load negligible
• Highly available
• Locate in the site where most new security principals are created
RID Master - Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice loss
  • Unless they are attempting to create many security principals and a domain controller runs out of RIDs
Infrastructure Master
• Updates object references in its domain that point to objects located in another domain
• Updates the distinguished name and SID if an object moves within or between domains
• Object references contain:
  • GUID of the object
  • Distinguished name of the object
  • Possibly the SID of the object, if it is a security principal
Infrastructure Master Placement
• Forest with multiple domains:
  • Do not place on a global catalog server
  • Do locate in a site that contains a global catalog server
• Assigned to the first domain controller in every new domain
• Does not place much additional load
Infrastructure Master - Impact if Unavailable
• Users typically do not notice any impact
• Network administrators may notice that group membership does not appear to be updated
  • User accounts may appear with incorrect names in a group's membership list
Activity 8-3: Identifying the Domain-wide FSMO Role Holders
• Objective: Learn how to use the Active Directory Users and Computers console to identify the PDC emulator, RID master, and infrastructure master of a domain
• Follow instructions to view masters
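Activities 8-1 and 8-3 use the MMC snap-ins. As an added example that is not from the textbook, the PowerShell script below reads all five role holders through the System.DirectoryServices.ActiveDirectory classes in .NET 2.0 and then checks the placement rules from the slides above: the domain naming master must sit on a global catalog at the Windows 2000 forest functional level, and the infrastructure master should stay off a global catalog in a multi-domain forest. It assumes it runs on a domain-joined computer as a user who can read the directory.

```powershell
# Added example, not from the textbook: list the operations master role holders
# and flag placements that break the rules given in the slides.
# Assumes a domain-joined machine and read access to Active Directory.

Add-Type -AssemblyName System.DirectoryServices

function Get-OperationsMasterReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Forest-wide roles come from the Forest object, domain-wide roles from the Domain object
    $roles = @(
        @{ Scope = 'Forest'; Role = 'Schema master';         Holder = $forest.SchemaRoleOwner },
        @{ Scope = 'Forest'; Role = 'Domain naming master';  Holder = $forest.NamingRoleOwner },
        @{ Scope = 'Domain'; Role = 'PDC emulator';          Holder = $domain.PdcRoleOwner },
        @{ Scope = 'Domain'; Role = 'RID master';            Holder = $domain.RidRoleOwner },
        @{ Scope = 'Domain'; Role = 'Infrastructure master'; Holder = $domain.InfrastructureRoleOwner }
    )

    foreach ($r in $roles) {
        $holder = $r.Holder
        $gcFlag = 'not a GC'
        if ($holder.IsGlobalCatalog()) { $gcFlag = 'GC' }
        '{0,-7} {1,-22} {2} ({3}, site {4})' -f $r.Scope, $r.Role, $holder.Name, $gcFlag, $holder.SiteName
    }

    $warnings = @()

    # Rule from the slides: at the Windows 2000 forest functional level the
    # domain naming master must be on a global catalog server
    $w2k = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2000Forest
    if ($forest.ForestMode -eq $w2k -and -not $forest.NamingRoleOwner.IsGlobalCatalog()) {
        $warnings += 'Domain naming master is not a global catalog, but the forest is at the Windows 2000 functional level'
    }

    # Rule from the slides: in a multi-domain forest keep the infrastructure master
    # off a global catalog. A GC holds a partial copy of every object in the forest,
    # so it never sees a stale cross-domain reference and stops updating them.
    if ($forest.Domains.Count -gt 1 -and $domain.InfrastructureRoleOwner.IsGlobalCatalog()) {
        $warnings += 'Infrastructure master is on a global catalog in a multi-domain forest; cross-domain references will not be updated'
    }

    if ($warnings.Count -eq 0) {
        'Placement checks: no issues found'
    } else {
        foreach ($w in $warnings) { "WARNING: $w" }
    }
}

Get-OperationsMasterReport
```

On Windows Server 2003 the Support Tools command `netdom query fsmo` prints the same five holders; the script above adds the global catalog and functional level checks so a misplaced role shows up before its symptoms (stale group membership names, failed domain additions) do.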
Transferring and Seizing Roles
• May be necessary to transfer FSMO roles
  • Usually an orderly process
• May be situations where the original role holder is permanently unavailable
  • Role will be seized by another domain controller
Transfer Roles
• Preferred method:
  • Perform a transfer operation
  • Both domain controllers must be available
  • Ensures no data loss occurs
• Administrator needs to be a member of a certain group
  • Depends on the role being moved
Groups Authorized to Move FSMO Roles Between Domain Controllers
(Table slide; the table is not included in this text.)
Activity 8-4: Transferring Domain-wide FSMO Roles
• Objective: Learn how to transfer the infrastructure master role to another domain controller
• Use Active Directory Users and Computers to transfer the role
Seizing Roles
• Forced transfer when the original role holder is unavailable
• Should only be done as a last resort
  • Any recent changes on the old holder cannot be replicated
    • May be lost
  • Original role holder cannot be informed that it no longer holds the role
• Never place the server back on the network unless it is formatted and Windows is reinstalled
Consequences of Bringing a Domain Controller Back Online After FSMO Role Seizure
(Table slide; the table is not included in this text.)
Seizing Roles
• Methods:
  • Active Directory Users and Computers
    • Use only for PDC emulator or infrastructure master
  • NTDSUTIL
Activity 8-5: Using NTDSUTIL to Seize a FSMO Role
• Objective: Learn how to seize the infrastructure master role using NTDSUTIL
• Use NTDSUTIL to seize the role
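Activities 8-4 and 8-5 perform a transfer through Active Directory Users and Computers and a seizure through NTDSUTIL. As an added example that is not from the textbook, the PowerShell function below does the same through the .NET DomainController class and encodes the decision the slides describe: transfer when both domain controllers are available, seize only when the current holder does not respond and the caller has explicitly asked for it with -Force. The server name is a placeholder, the reachability test is a plain ICMP ping (an assumption; adapt it if ping is filtered on your network), and running it requires membership in the group authorized for the role (Domain Admins for the three domain-wide roles).

```powershell
# Added example, not from the textbook. Moves a domain-wide operations master
# role to the named domain controller: orderly transfer if the current holder
# answers, seizure only as a last resort and only when -Force is given.
# The target server name used at the bottom is a placeholder.

Add-Type -AssemblyName System.DirectoryServices

function Get-RoleOwner($Domain, $Role) {
    # Map the ActiveDirectoryRole name onto the matching Domain property
    switch ($Role) {
        'PdcRole'            { return $Domain.PdcRoleOwner }
        'RidRole'            { return $Domain.RidRoleOwner }
        'InfrastructureRole' { return $Domain.InfrastructureRoleOwner }
    }
}

function Move-OperationsMasterRole {
    param(
        [Parameter(Mandatory = $true)][string]$NewHolder,   # FQDN of the DC that should take the role
        [ValidateSet('PdcRole', 'RidRole', 'InfrastructureRole')]
        [string]$Role = 'InfrastructureRole',
        [switch]$Force                                      # required before a seizure is attempted
    )

    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $NewHolder)
    $target = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    $adRole = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$Role

    $current = Get-RoleOwner $target.Domain $Role
    if ($current.Name -ieq $target.Name) {
        "$($target.Name) already holds $Role; nothing to do"
        return
    }

    # Reachability heuristic: a holder that answers a ping is treated as available
    $holderUp = Test-Connection -ComputerName $current.Name -Count 2 -Quiet -ErrorAction SilentlyContinue

    if ($holderUp) {
        # Preferred path from the slides: both DCs online, role moves with no data loss
        $target.TransferRoleOwnership($adRole)
        "Transferred $Role from $($current.Name) to $($target.Name)"
    } elseif ($Force) {
        # Last resort: the old holder is down. Its unreplicated changes are lost and it
        # cannot be told it no longer holds the role, so it must never return to the
        # network without being formatted and reinstalled.
        $target.SeizeRoleOwnership($adRole)
        "Seized $Role on $($target.Name); former holder $($current.Name) must not return to the network unrebuilt"
    } else {
        "Current holder $($current.Name) is not responding; rerun with -Force only if it is permanently gone"
        return
    }

    # Verify by re-reading the role owner through a fresh DomainController object
    $fresh = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx).Domain
    $owner = Get-RoleOwner $fresh $Role
    "Role $Role is now held by $($owner.Name)"
}

# Usage with a placeholder server name
Move-OperationsMasterRole -NewHolder 'dc2.example.internal' -Role InfrastructureRole
```

The NTDSUTIL path used in Activity 8-5 reaches the same outcome interactively: `ntdsutil`, then `roles`, `connections`, `connect to server dc2`, `quit`, `seize infrastructure master`, and `quit` twice. NTDSUTIL's seize command first attempts a normal transfer and only seizes when that fails, which is the same ordering the function above makes explicit.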
Seizing a FSMO Role Using NTDSUTIL
(Figure slide; the image is not included in this text.)
Summary
• Forest-wide operations master roles:
  • Schema master
  • Domain naming master
• Domain-wide operations master roles:
  • PDC emulator
  • RID master
  • Infrastructure master
• Roles can be transferred or seized and given to another domain controller