70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 8: Active Directory Operations Masters

Objectives
• Describe the forest-wide operations master roles and where they should be placed
• Describe the domain-wide operations master roles and where they should be placed
• Describe the process of transferring and seizing roles from operations masters
Guide to MCSE 70-294, Enhanced 2

Forest-wide Roles
• Certain operations can only be performed by a single domain controller in the entire forest
• Forest-wide flexible single master operations (FSMO) roles:
  • Schema master
  • Domain naming master
• The two roles can be located on different domain controllers
  • Most often they are kept on the same domain controller, because that is easier to manage

Schema Master
• The only domain controller allowed to modify the Active Directory schema
• Holds the only writable copy of the schema naming context for the entire forest
• Schema changes are replicated to every other domain controller using standard, non-urgent replication

Schema Master - Placement
• Assigned to the first domain controller promoted in the forest
• The additional load is negligible, so it is often left on the first domain controller without any issues
• It may be necessary to move the role if that server is frequently unavailable

Schema Master - Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice the loss either, unless they are attempting to modify the schema

Activity 8-1: Identifying the Schema Master of a Forest
• Objective: Learn how to use the Active Directory Schema snap-in to identify the schema master of a forest
• Follow the instructions to identify the schema master

[Figure: Identifying the Schema Master of the Forest]

Domain Naming Master
• Every domain in the forest must have a unique name
• The domain naming master is contacted when a domain is added to the forest, to ensure the new name is unique
• It is also contacted when a domain is removed from the forest

Domain Naming Master - Placement
• Assigned to the first domain controller promoted in the forest
• The additional load is negligible
• Forest functional level Windows 2000: the role must be placed on a global catalog server
• Forest functional level Windows Server 2003: it is no longer necessary to place the role on a global catalog server

Domain Naming Master - Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice the loss either, unless they are attempting to add or remove a domain from the forest

Domain-wide Roles
• Some operations can only be performed by a single domain controller in each domain
• Domain-wide FSMO roles:
  • PDC emulator
  • RID master
  • Infrastructure master

Domain-wide Roles - Placement Options
• All three roles reside on one domain controller
• All three roles reside on different domain controllers
• Any combination: two of the roles on one domain controller and the third role on its own domain controller
• A domain controller may hold both domain-wide roles and forest-wide roles

PDC Emulator
• Acts as the Windows NT 4.0 PDC for the domain while the domain still contains Windows NT 4.0 BDCs
• Replicates the appropriate changes to the Windows NT 4.0 BDCs in the domain
• Performs logon and password-change operations for client workstations running pre-Active Directory software:
  • Windows NT 4.0 Workstation
  • Windows 98

PDC Emulator (continued)
• Authoritative time source for the domain; the PDC emulator of the forest root domain sits at the top of the time synchronization hierarchy
• Password changes are preferentially (urgently) replicated to the PDC emulator, so a domain controller that fails to validate a password forwards the request to the PDC emulator before rejecting it

PDC Emulator - Placement
• Assigned to the first domain controller promoted in every new domain
• Should be highly available
• In a large domain, either provide additional processing power for the PDC emulator or do not place it on a global catalog server
• Locate it centrally on the network

PDC Emulator - Impact if Unavailable
• Users may notice the impact
• A recently changed password may fail to validate on some domain controllers until the change replicates normally, so logons can appear to pass or fail at random depending on which domain controller answers
• Replication of updates to Windows NT 4.0 BDCs will not occur
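Activity 8-1 and the domain-wide role descriptions above locate the role holders through the management consoles. The following PowerShell is an added example, not part of the course material: it reads the same information directly from the directory. Each role is recorded in the fSMORoleOwner attribute of one object (the schema partition, CN=Partitions, the domain partition, CN=RID Manager$ and CN=Infrastructure), and the value is the distinguished name of the holder's NTDS Settings object. The second function checks the chapter's infrastructure-master placement rule (in a multi-domain forest it must not be a global catalog server unless every domain controller in the domain is one). Assumed: it runs as a domain user on a domain-joined machine with Windows PowerShell 3.0 or later; it uses only ADSI (System.DirectoryServices), so no ActiveDirectory module is required and it works against Windows Server 2003 domain controllers.

```powershell
# Added example (not from the course text). Reads the fSMORoleOwner attribute from the
# five directory objects that record the operations master roles, using plain ADSI
# (System.DirectoryServices). Assumed: run as a domain user on a domain-joined machine
# with Windows PowerShell 3.0 or later.

function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext

    # Each role is recorded on exactly one object; the value is the DN of the holder's
    # NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    $roleObjects = [ordered]@{
        'Schema master'         = $schemaNC                              # forest-wide
        'Domain naming master'  = "CN=Partitions,$configNC"              # forest-wide
        'PDC emulator'          = $domainNC                              # domain-wide
        'RID master'            = "CN=RID Manager`$,CN=System,$domainNC" # domain-wide
        'Infrastructure master' = "CN=Infrastructure,$domainNC"          # domain-wide
    }

    foreach ($role in $roleObjects.Keys) {
        $owner = [string](([ADSI]"LDAP://$($roleObjects[$role])").fSMORoleOwner)
        # "0ADEL:" inside the DN means the holder's NTDS Settings object has been deleted
        # (the DC was demoted or removed without transferring the role): nobody holds the
        # role any more and it has to be seized.
        $orphaned = $owner -match '0ADEL:'
        # The second DN component (after "CN=NTDS Settings") is the server object's name.
        $server = (($owner -split ',')[1]) -replace '^CN=', ''
        [pscustomobject]@{ Role = $role; Holder = $server; Orphaned = $orphaned; OwnerDN = $owner }
    }
}

function Test-InfrastructureMasterPlacement {
    # Placement rule from the chapter: in a multi-domain forest the infrastructure master
    # must not be a global catalog server, unless every DC in the domain is a GC (then
    # there are no cross-domain phantom references left for it to update).
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $imOwner  = [string](([ADSI]"LDAP://CN=Infrastructure,$domainNC").fSMORoleOwner)

    # Count the domains in the forest: crossRef objects with FLAG_CR_NTDS_DOMAIN (0x2) set.
    $crossRefs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configNC")
    $crossRefs.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    $domainCount = $crossRefs.FindAll().Count

    # Every DC in this domain: server objects in the configuration partition whose
    # serverReference points at a computer object in this domain. The NTDS Settings child
    # carries the 'options' attribute; bit 0x1 (NTDSDSA_OPT_IS_GC) marks a global catalog.
    $servers = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNC")
    $servers.Filter   = '(objectClass=server)'
    $servers.PageSize = 500
    $null = $servers.PropertiesToLoad.Add('distinguishedName')
    $null = $servers.PropertiesToLoad.Add('serverReference')

    $dcs = foreach ($r in $servers.FindAll()) {
        if ($r.Properties['serverreference'].Count -eq 0) { continue }
        if (([string]$r.Properties['serverreference'][0]) -notlike "*,$domainNC") { continue }
        $ntdsDn = "CN=NTDS Settings," + [string]$r.Properties['distinguishedname'][0]
        try {
            $opt = ([ADSI]"LDAP://$ntdsDn").Properties['options'].Value
            [pscustomobject]@{ Dn = $ntdsDn; IsGC = (([int]$opt) -band 1) -eq 1 }
        } catch { continue }   # stale server object without an NTDS Settings child
    }

    $im     = $dcs | Where-Object { $_.Dn -eq $imOwner }
    $imIsGc = if ($im) { [bool]$im.IsGC } else { $false }
    $allGc  = @($dcs | Where-Object { -not $_.IsGC }).Count -eq 0

    [pscustomobject]@{
        InfrastructureMaster = $imOwner
        IsGlobalCatalog      = $imIsGc
        DomainsInForest      = $domainCount
        AllDomainDcsAreGc    = $allGc
        PlacementOk          = ($domainCount -le 1) -or (-not $imIsGc) -or $allGc
    }
}

# Usage:
Get-FsmoRoleHolders | Format-Table Role, Holder, Orphaned
Test-InfrastructureMasterPlacement
```

The Orphaned column is the check worth keeping: a role whose owner DN contains 0ADEL: belongs to a domain controller that no longer exists, and nothing in the consoles makes that obvious until an operation that needs the role fails.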
RID Master
• Every security principal (user, group or computer) has its own unique security identifier (SID)
• The SID is made up of:
  • The SID of the domain
  • A relative identifier (RID)
• The RID is unique for every security principal in the domain
• The RID master allocates blocks of RIDs to each domain controller in the domain, which assigns them to the security principals it creates

RID Master (continued)
• Also responsible for moving objects between domains, to prevent object duplication
  • The object is moved to the new domain, then deleted from the old domain
  • Because a single domain controller coordinates the move, the same object cannot be moved into two domains at once

RID Master - Placement
• Assigned to the first domain controller promoted in every new domain
• The additional load is negligible
• Should be highly available
• Locate it in the site where most new security principals are created

RID Master - Impact if Unavailable
• Users do not notice any impact
• Network administrators most likely do not notice the loss either, unless they are creating many security principals
  • Once a domain controller has used up its block of RIDs and cannot obtain a new one, it can no longer create security principals

Infrastructure Master
• Updates object references in its domain that point to objects located in another domain
• Updates the distinguished name and SID stored in the reference when the referenced object moves within or between domains
• Object references contain:
  • The GUID of the object
  • The distinguished name of the object
  • Possibly the SID of the object, if it is a security principal

Infrastructure Master - Placement
• Forest with multiple domains:
  • Do not place it on a global catalog server (unless every domain controller in the domain is a global catalog server, in which case there are no cross-domain references for it to update)
  • Do locate it in a site that contains a global catalog server
• Assigned to the first domain controller promoted in every new domain
• Does not place much additional load on the server

Infrastructure Master - Impact if Unavailable
• Users typically do not notice any impact
• Network administrators may notice that cross-domain group membership does not appear to be updated
• User accounts from other domains may appear with incorrect (stale) names in a group's membership list

Activity 8-3: Identifying the Domain-wide FSMO Role Holders
• Objective: Learn how to
use the Active Directory Users and Computers console to identify the PDC emulator, RID master, and infrastructure master of a domain
• Follow the instructions to view the role holders

Transferring and Seizing Roles
• It may be necessary to move FSMO roles to another domain controller
• Usually this is an orderly process (a transfer)
• Where the original role holder is permanently unavailable, the role must instead be seized by another domain controller

Transferring Roles
• Preferred method: perform a transfer operation
  • Both domain controllers must be available
  • The current holder replicates its latest role data to the new holder before giving up the role, so no data loss occurs
• The administrator must be a member of the group that controls the role being moved:
  • Schema master: Schema Admins
  • Domain naming master: Enterprise Admins
  • PDC emulator, RID master and infrastructure master: Domain Admins of that domain

[Table: Groups Authorized to Move FSMO Roles Between Domain Controllers]

Activity 8-4: Transferring Domain-wide FSMO Roles
• Objective: Learn how to transfer the infrastructure master role to another domain controller
• Use Active Directory Users and Computers to transfer the role

Seizing Roles
• A forced transfer, used when the original role holder is unavailable
• Should only be done as a last resort, once the original holder is known to be permanently gone
• Any recent changes on the original holder that have not yet replicated cannot be recovered and may be lost
• The original role holder cannot be informed that it no longer holds the role
• After seizing the schema master, domain naming master or RID master, never place the original server back on the network unless it is formatted and Windows is reinstalled; the PDC emulator and infrastructure master roles can simply be transferred back if the original holder returns

[Table: Consequences of Bringing a Domain Controller Back Online After FSMO Role Seizure]

Seizing Roles (continued)
• Methods:
  • Active Directory Users and Computers: use only for the PDC emulator or infrastructure master
  • NTDSUTIL: can seize any of the five roles, and is the tool to use for the schema master, domain naming master and RID master

Activity 8-5: Using NTDSUTIL to Seize a FSMO Role
• Objective: Learn how to seize the infrastructure master role using NTDSUTIL
• Use NTDSUTIL to seize the role

[Figure: Seizing a FSMO Role Using NTDSUTIL]

Summary
• Forest-wide operations master roles:
  • Schema master
  • Domain naming master
• Domain-wide operations master roles:
  • PDC emulator
  • RID master
  • Infrastructure master
• Roles can be transferred or, if the holder is permanently lost, seized and given to another domain controller
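The RID master slides describe a SID as the domain SID plus a RID, and warn that a domain controller which has used up its block of RIDs stops creating security principals. The PowerShell below is an added example, not part of the course material, that makes both points concrete: it splits a SID into its domain SID and RID, and reads a domain controller's current and standby RID blocks from its RID Set object, together with the domain-wide high-water mark kept on CN=RID Manager$. Assumed: the pool attribute layout follows Microsoft's RID-management documentation (a 64-bit value whose low 32 bits are the first RID of the block and whose high 32 bits are the last, with rIDNextRID holding the last RID the DC issued), the DC name DC1 and the sample SID are made up, and the account running it can read the RID Set object (members of Domain Admins can).

```powershell
# Added example (not from the course text). Splits a SID into domain SID and RID, and
# reads a DC's RID pool state via ADSI. The DC name and the SID below are invented.
# Assumed attribute layout (per Microsoft's RID-management documentation): each pool
# attribute is a 64-bit value, low 32 bits = first RID of the block, high 32 bits = last.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # S-1-5-21-<d1>-<d2>-<d3>-<RID>: everything before the final hyphen is the domain SID.
    if ($Sid -notmatch '^S-1-5-21(-\d+){3}-(\d+)$') { throw "Not a domain SID: $Sid" }
    $idx = $Sid.LastIndexOf('-')
    $rid = [uint32]$Sid.Substring($idx + 1)
    [pscustomobject]@{
        DomainSid = $Sid.Substring(0, $idx)
        Rid       = $rid
        WellKnown = $rid -lt 1000   # e.g. 500 = Administrator, 512 = Domain Admins
    }
}

function ConvertFrom-RidPool {
    # ADSI returns the pool attributes as IADsLargeInteger COM objects (HighPart/LowPart).
    param($LargeInteger)
    if ($null -eq $LargeInteger) { return $null }
    [pscustomobject]@{
        First = ([int64]$LargeInteger.LowPart)  -band 0xFFFFFFFF
        Last  = ([int64]$LargeInteger.HighPart) -band 0xFFFFFFFF
    }
}

function Get-RidPoolStatus {
    param([Parameter(Mandatory)][string]$DcName)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNC = [string]$rootDse.defaultNamingContext

    # The RID Set object hangs under the DC's computer account; its DN is stored in the
    # computer object's rIDSetReferences attribute.
    $computer = [ADSI]"LDAP://CN=$DcName,OU=Domain Controllers,$domainNC"
    $ridSet   = [ADSI]("LDAP://" + [string]$computer.rIDSetReferences)

    $current = ConvertFrom-RidPool $ridSet.Properties['rIDPreviousAllocationPool'].Value  # block in use
    $next    = ConvertFrom-RidPool $ridSet.Properties['rIDAllocationPool'].Value          # standby block
    $lastRid = [int64]$ridSet.Properties['rIDNextRID'].Value                              # last RID issued

    # Domain-wide high-water mark maintained by the RID master: First = next RID it will
    # hand out in a block, Last = the ceiling for the whole domain.
    $manager = [ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainNC"
    $avail   = ConvertFrom-RidPool $manager.Properties['rIDAvailablePool'].Value

    # When rIDAllocationPool equals rIDPreviousAllocationPool the DC has not yet obtained
    # its next block; if the RID master is down at that point, the DC will stall once
    # RidsLeftInBlock reaches zero.
    $hasStandby = ($null -ne $next) -and ($next.First -ne $current.First)
    [pscustomobject]@{
        DomainController  = $DcName
        CurrentBlock      = "$($current.First)-$($current.Last)"
        LastRidIssued     = $lastRid
        RidsLeftInBlock   = $current.Last - $lastRid
        StandbyBlock      = if ($hasStandby) { "$($next.First)-$($next.Last)" } else { '(none: must ask the RID master)' }
        DomainNextFreeRid = $avail.First
        DomainRidCeiling  = $avail.Last
    }
}

# Usage (invented SID and DC name):
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1104'
Get-RidPoolStatus -DcName 'DC1'
```

RidsLeftInBlock and StandbyBlock together tell you how long a domain can survive a RID master outage before account creation fails on a given DC, which is the practical form of the "impact if unavailable" slide.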
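Activities 8-4 and 8-5 transfer and seize the infrastructure master through the console and NTDSUTIL. The PowerShell below is an added example, not part of the course material, that drives the NTDSUTIL roles menu non-interactively and enforces the order of operations the chapter describes: a transfer is always the default, a seizure is refused while the current holder still answers LDAP, the fSMORoleOwner attribute is re-read from the new holder afterwards, and a warning is issued for the three roles whose former holder must never return to the network. Assumed: the server names are examples, the account running it belongs to the group that controls the role (Schema Admins, Enterprise Admins or Domain Admins), Windows PowerShell 3.0 or later, and the Windows Server 2003 NTDSUTIL role names (on Windows Server 2008 and later the domain naming master is spelled "naming master"). NTDSUTIL still pops up its Role Transfer/Seizure confirmation dialog, which must be answered Yes.

```powershell
# Added example (not from the course text). Wraps the NTDSUTIL roles menu so that a
# transfer is tried by default and a seizure only when the old holder is unreachable,
# then verifies the result by reading fSMORoleOwner through the new holder.
# Assumed: server names are examples; Windows Server 2003 NTDSUTIL role spellings.

# ntdsutil command tokens for each role (Windows Server 2003; 2008+ uses 'naming master').
$script:RoleTokens = @{
    'Schema master'         = 'schema master'
    'Domain naming master'  = 'domain naming master'
    'PDC emulator'          = 'pdc'
    'RID master'            = 'rid master'
    'Infrastructure master' = 'infrastructure master'
}

function Get-RoleOwnerServer {
    # Returns the server object name (CN under CN=Servers) of the role holder, as seen
    # by the DC named in -ViaServer.
    param([string]$Role, [string]$ViaServer)
    $rootDse  = [ADSI]"LDAP://$ViaServer/RootDSE"
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext
    $dn = switch ($Role) {
        'Schema master'         { $schemaNC }
        'Domain naming master'  { "CN=Partitions,$configNC" }
        'PDC emulator'          { $domainNC }
        'RID master'            { "CN=RID Manager`$,CN=System,$domainNC" }
        'Infrastructure master' { "CN=Infrastructure,$domainNC" }
    }
    $owner = [string](([ADSI]"LDAP://$ViaServer/$dn").fSMORoleOwner)
    (($owner -split ',')[1]) -replace '^CN=', ''
}

function Test-DcReachable {
    # RefreshCache forces an LDAP bind; it throws if the DC is down or not a DC any more.
    param([string]$Server)
    try { ([ADSI]"LDAP://$Server/RootDSE").RefreshCache(); $true } catch { $false }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Schema master','Domain naming master','PDC emulator','RID master','Infrastructure master')]
        [string]$Role,
        [Parameter(Mandatory)][string]$ToServer,
        [switch]$Seize
    )
    $target  = ($ToServer -split '\.')[0]                       # server object names are short names
    $current = Get-RoleOwnerServer -Role $Role -ViaServer $ToServer
    $verb    = 'transfer'
    if ($Seize) {
        # An orphaned owner (DN containing 0ADEL:) yields a name that never binds, so it
        # falls through to the seizure as intended.
        if (Test-DcReachable $current) {
            throw "$current still answers LDAP; transfer the role instead of seizing it."
        }
        $verb = 'seize'
    }

    # Each argument is one ntdsutil command; 'q' leaves one menu level. ntdsutil's seize
    # itself attempts a transfer first and only seizes when that fails.
    $out = & ntdsutil.exe 'roles' 'connections' "connect to server $ToServer" 'q' `
                          "$verb $($script:RoleTokens[$Role])" 'q' 'q' 2>&1

    $newOwner = Get-RoleOwnerServer -Role $Role -ViaServer $ToServer
    if ($newOwner -ne $target) {
        throw "$Role still shows $newOwner as holder. ntdsutil output:`n$($out -join "`n")"
    }
    if ($Seize -and ($Role -in @('Schema master','Domain naming master','RID master'))) {
        Write-Warning ("$Role was seized from $current. Never reconnect $current to the network " +
                       "unless it is reformatted and Windows is reinstalled.")
    }
    [pscustomobject]@{ Role = $Role; Action = $verb; PreviousHolder = $current; NewHolder = $newOwner }
}

# Usage (example server names):
Move-FsmoRole -Role 'Infrastructure master' -ToServer 'DC2'           # orderly transfer
Move-FsmoRole -Role 'Infrastructure master' -ToServer 'DC2' -Seize    # only if DC1 is gone for good
```

Reading the owner back through the target DC rather than through whichever DC the workstation happens to use is deliberate: after a seizure the old holder's view is unreachable anyway, and the new holder's copy of fSMORoleOwner is the one that other domain controllers will replicate from.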