Active Directory Operations Masters

Overview
 Active Directory updates are generally multimaster: a change can be made on any DC and replicates to the others
 Some exceptions are single master
  - Sometimes it is better to prevent a conflict than to resolve it later, e.g. schema updates
  - These exceptions are managed by Operations Masters (also known as Flexible Single Master Operations, or FSMO, roles)

Operations Master Roles
 Five roles in total
 Two forest-wide roles, one holder per forest
  - Schema master
  - Domain naming master
 Three domain-wide roles, one holder per domain
  - Relative Identifier (RID) master
  - Primary Domain Controller (PDC) emulator
  - Infrastructure master

Schema Master
 Responsible for schema updates
 Only DC that can process schema updates; after the update it replicates the changes to the other DCs
 If this operations master is unavailable, no schema changes can be made
 Schema changes are forest-wide and cannot be rolled back (a class or attribute can be deactivated but never deleted), which is why they are serialized through a single DC

Domain Naming Master
 Responsible for changes to the Partitions container of the configuration naming context
  - Adding and removing domains
  - Adding and removing cross-references to domains in external directories
  - After the update, replicates to other DCs
 If unavailable, domains cannot be added or removed
 In Windows 2000 the domain naming master must also be a global catalog server (this requirement was dropped at the Windows Server 2003 forest functional level)
 Still needed in a single-domain forest, but only at the moment a second domain is added

RID Master
 Objects such as users, groups and computers each have a unique security identifier (SID)
  - Consists of the domain SID plus a relative identifier (RID) that is unique within the domain
 The RID master allocates each DC a pool of RIDs (500 at a time by default)
 When a DC's RID pool falls too low, it requests additional RIDs from the RID master
 The RID master also controls moving objects between domains, so that an object cannot be moved to two places at once
 With no RID master, a DC that runs out of RIDs can no longer create security principals (users, groups, computers); the other DCs keep creating them until their own pools are exhausted

Infrastructure Master
 An object in one domain that references an object in another domain stores the referenced object's GUID, SID and DN locally (a "phantom" record)
  - E.g. a group in one domain with a member user or group from another domain
 The infrastructure master updates the SID and DN in these cross-domain references, e.g. when the referenced object moves or is renamed
 In a multi-domain forest the infrastructure master role must not be held by a global catalog server, unless every DC in the domain is a GC
  - A GC holds a partial replica of every domain, so it never creates phantoms and would never notice stale references to update
 Not a problem in a single-domain forest (there are no cross-domain references)

PDC Emulator
 Mixed mode (Windows NT 4.0 BDCs still present)
  - Acts as the NT PDC towards NT BDCs
  - Supports Netlogon replication to them
 Native and mixed modes
  - Password changes are replicated preferentially (urgently) to the PDC emulator
  - An authentication failure due to a bad password at another DC is forwarded to the PDC emulator before failing completely, so a just-changed password is honoured before normal replication catches up
  - Processes password changes from Windows 95, 98 and NT 4.0 clients

PDC Emulator (cont.)
 Native and mixed modes
  - By default the Group Policy snap-in connects to, and edits GPOs on, the PDC emulator
  - Reduces the potential for Group Policy replication conflicts (two admins editing the same GPO on different DCs)
  - Can be changed

PDC Emulator (cont.)
 Miscellaneous
  - All DCs in a domain synchronize their clock to that of their domain's PDC emulator
  - In a multi-domain forest, the PDC emulator of each child domain synchronizes with the PDC emulator of the forest root domain
  - The PDC emulator of the forest root domain is the top of the forest's time hierarchy and should be synchronized to an external time source
  - Kerberos rejects tickets whose timestamps are more than 5 minutes off by default, so a wrong clock at the top of the hierarchy breaks authentication forest-wide
  - Acts as Domain Master Browser
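
As an added example (not part of the original slides), the following PowerShell checks the time hierarchy described above from an admin workstation, then shows the w32tm configuration that makes the forest-root PDC emulator a reliable source synchronized externally. It assumes the RSAT ActiveDirectory module, permission to query w32tm on each DC remotely, and that the NTP peer names are placeholders to replace with your own.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module (RSAT) and rights to run "w32tm /query /computer:<dc>" remotely.
Import-Module ActiveDirectory

function Test-DcTimeHierarchy {
    # One record per DC: its configured time source and whether that matches
    # the hierarchy DC -> domain PDC emulator -> forest-root PDC emulator -> external NTP.
    $forestRootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter *) {
        $domainPdc = (Get-ADDomain -Identity $dc.Domain).PDCEmulator
        # "w32tm /query /source" prints only the source, e.g. "dc1.corp.example"
        # or "Local CMOS Clock" (which means the DC is not syncing at all).
        $source = (& w32tm /query /computer:$($dc.HostName) /source) -join ' '
        $isForestRootPdc = $dc.HostName -ieq $forestRootPdc
        $isDomainPdc     = $dc.HostName -ieq $domainPdc

        if ($isForestRootPdc) {
            $expected = 'external NTP source'
            # Anything that is not the local clock counts as external here.
            $ok = $source -notmatch 'Local CMOS Clock|Free-running System Clock'
        } elseif ($isDomainPdc) {
            $expected = "forest-root PDC emulator ($forestRootPdc)"
            $ok = $source -like "*$($forestRootPdc.Split('.')[0])*"
        } else {
            $expected = "domain PDC emulator ($domainPdc)"
            $ok = $source -like "*$($domainPdc.Split('.')[0])*"
        }
        [pscustomobject]@{ DC = $dc.HostName; Source = $source; Expected = $expected; Ok = $ok }
    }
}

Test-DcTimeHierarchy | Format-Table -AutoSize

# Run ON the forest-root PDC emulator to make it the reliable top of the
# hierarchy, syncing from external NTP servers (placeholder names below).
# ",0x8" = client mode (send requests only), the usual flag for manual peers.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
w32tm /query /source     # should now name one of the external peers
```

Re-run the check after every transfer or seizure of the PDC emulator role: the external-source configuration lives on the old holder, not on the role, so the new forest-root PDC emulator must be reconfigured the same way or it will fall back to syncing from a DC below it.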

Default Placement of Roles
 The first DC in a forest holds all five roles
 The first DC in a new domain within an existing forest holds all three domain roles
  - RID master
  - Infrastructure master
  - PDC emulator

Guidelines for the Placement of Roles
 Keep the schema master and domain naming master roles on the same DC, which should also be a global catalog server
 Put the RID master and PDC emulator roles on the same DC
 In a multi-domain forest, the infrastructure master must not be a global catalog server (unless every DC in the domain is a GC)
  - It should have a good connection to a global catalog server

Guidelines for the Placement of Roles (cont.)
 Single-domain forest: keep all five roles on the same DC, which should also be a global catalog server
 Multi-domain forest: move the infrastructure master role to a DC that is not a global catalog server
 Role holders are the highest-value DCs in the forest: restrict who can log on to them, keep them in a well-connected site, and audit who is allowed to change role ownership (see User Rights to Change Roles)

Determining Role Placement
 Replication Monitor (Replmon): easiest; Support Tools on the Windows 2000 CD
 Active Directory Users and Computers: PDC emulator, infrastructure master, RID master
 Active Directory Domains and Trusts: domain naming master
 Active Directory Schema snap-in: schema master
  - NB Schmmgmt.dll must be registered (regsvr32 schmmgmt.dll) before first use
 Dumpfsmos.cmd: Resource Kit
 Ntdsutil: command-line tool included with Windows 2000 Server (roles, select operation target, list roles for connected server)
 Netdom query fsmo: Support Tools; lists all five holders in one command
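
All of the tools above read the same thing: the fSMORoleOwner attribute of five well-known objects. The PowerShell below, added here and not part of the original slides, reads those attributes directly over LDAP with ADSI so it works without RSAT or the ActiveDirectory module. It assumes a domain-joined machine that can reach a DC over LDAP; every naming context comes from RootDSE rather than being hard-coded.

```powershell
# Added example, not from the original slides. Reads fSMORoleOwner with plain
# ADSI/LDAP; assumes a domain-joined machine with LDAP access to a DC.
function Get-FsmoRoleHolder {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext

    # Each role is recorded in the fSMORoleOwner attribute of one well-known object.
    $roleObjects = [ordered]@{
        'Schema master'         = "LDAP://$schemaNC"
        'Domain naming master'  = "LDAP://CN=Partitions,$configNC"
        'PDC emulator'          = "LDAP://$domainNC"
        'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNC"
        'Infrastructure master' = "LDAP://CN=Infrastructure,$domainNC"
    }

    foreach ($role in $roleObjects.Keys) {
        $ownerDn = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
        # The value is the DN of the holder's NTDS Settings object:
        #   CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...
        # If the holder was deleted without transferring the role first, the DN
        # is a tombstone reference containing "0ADEL:" and the role must be seized.
        $deleted = $ownerDn -match '0ADEL:'
        $parts   = $ownerDn -split ','
        $holder  = if ($deleted) { 'DELETED (seize required)' }
                   else { [string]([ADSI]"LDAP://$($parts[1..($parts.Count - 1)] -join ',')").dNSHostName }
        [pscustomobject]@{
            Role    = $role
            Holder  = $holder
            Site    = if ($deleted) { $null } else { $parts[3] -replace '^CN=', '' }
            OwnerDn = $ownerDn
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

Because fSMORoleOwner is an ordinary replicated attribute, the answer can differ between DCs for a while after a transfer or seizure. To ask a specific DC, put its name in the path (for example `[ADSI]"LDAP://dc2.corp.example/$domainNC"`); disagreement between DCs that persists beyond a replication cycle is the first sign of a seizure that has not converged. Cross-check against `netdom query fsmo` or, with the ActiveDirectory module, `Get-ADForest` and `Get-ADDomain`.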

User Rights to Change Roles
 By default only certain groups have the right to change role holders
  - Schema Admins: schema master
  - Enterprise Admins: domain naming master
  - Domain Admins: all domain role holders (PDC emulator, RID master, infrastructure master)
 The rights are control access rights ("Change Schema Master", "Change Domain Master", "Change PDC", "Change Rid Master", "Change Infrastructure Master") in the ACL of the object that records each role
 NB By default the Administrator of the forest root domain is a member of all these groups
 Membership of these groups is what to audit; Schema Admins in particular should normally be kept empty and populated only for the duration of a schema change

Modifying Permissions to Change Roles
 ADSI Edit (Adsiedit.msc, Support Tools) allows all of these permissions to be changed, by editing the security descriptor of the object that records the role (domain head, CN=RID Manager$, CN=Infrastructure, CN=Partitions or the Schema container)
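
Since these permissions can be edited, the group list above is only the default; the ACLs are what actually count. The PowerShell below, added here and not part of the original slides, lists every trustee allowed to change each operations master, whether through the specific "Change ..." control access right or through a blanket grant of all extended rights or Full Control. It uses ADSI only, resolves each right's GUID from the Extended-Rights container rather than hard-coding it, and assumes a domain-joined machine with LDAP access to a DC; the displayName values are assumed to match those shown in the ACL editor, and a warning is printed for any that are not found.

```powershell
# Added example, not from the original slides. ADSI only; assumes a
# domain-joined machine with LDAP access to a DC.
function Get-FsmoChangeRight {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$rootDse.defaultNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext

    # Control access right (displayName) -> object whose ACL it is evaluated on.
    $rights = [ordered]@{
        'Change Schema Master'         = "LDAP://$schemaNC"
        'Change Domain Master'         = "LDAP://CN=Partitions,$configNC"
        'Change PDC'                   = "LDAP://$domainNC"
        'Change Rid Master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNC"
        'Change Infrastructure Master' = "LDAP://CN=Infrastructure,$domainNC"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($rightName in $rights.Keys) {
        $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$rightName))"
        $hit = $searcher.FindOne()
        if (-not $hit) { Write-Warning "Control access right '$rightName' not found"; continue }
        $rightGuid = [guid]$hit.Properties['rightsguid'][0]

        $target = [ADSI]$rights[$rightName]
        foreach ($ace in $target.ObjectSecurity.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # ExtendedRight is one bit of GenericAll, so this also catches Full Control.
            if ((([int]$ace.ActiveDirectoryRights) -band $extendedRight) -eq 0) { continue }
            if     ($ace.ObjectType -eq $rightGuid)   { $scope = 'this right only' }
            elseif ($ace.ObjectType -eq [guid]::Empty) { $scope = 'all extended rights / Full Control' }
            else                                       { continue }   # ACE for a different control access right
            [pscustomobject]@{
                Right     = $rightName
                Trustee   = $ace.IdentityReference.Value
                Scope     = $scope
                Inherited = $ace.IsInherited
                Object    = $rights[$rightName] -replace '^LDAP://', ''
            }
        }
    }
}

Get-FsmoChangeRight | Sort-Object Right, Trustee | Format-Table -AutoSize
```

Anything in the output beyond the default groups (and SYSTEM, which appears with Full Control) is a delegation that should be explained or removed: a principal with "Change PDC" on the domain head can move the PDC emulator, and with it password-change forwarding and default Group Policy editing, to a DC of its choosing.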

Transferring Roles
 Transfer only when both the source and the destination DC are up and running: a transfer is a cooperative hand-over in which the current holder replicates its latest changes to the new holder before giving up the role
 Domain-specific roles: Active Directory Users and Computers
 Schema master: Active Directory Schema snap-in
 Domain naming master: Active Directory Domains and Trusts
 All five roles: Ntdsutil (roles, connect to the destination server, transfer <role>)

When to Transfer Roles
 Initial setup of a domain, e.g. in a multi-domain forest, moving the infrastructure master off the global catalog server
 Permanently demoting a DC: roles held by the DC are transferred automatically by dcpromo, but a manual transfer beforehand gives control over where they go
 Temporarily taking down a DC
  - Probably unnecessary to transfer the schema and domain naming masters (little used); likewise the infrastructure master in a single-domain forest
  - Always transfer the PDC emulator; it may be wise to transfer the RID master, but that is probably unnecessary for a short downtime

Seizing Roles
 Generally only seize when the original role holder has failed irrecoverably and will not be restored from backup
  - A seizure is unilateral: the new holder simply declares itself owner, so the old holder must never be brought back onto the network afterwards; for the schema, domain naming and RID masters a returning holder would produce conflicting schema or domain changes or duplicate RIDs
  - Remove the dead DC's metadata from the directory instead of reviving it
 Exception: the PDC emulator (and the infrastructure master) can fairly safely be seized and transferred back if the old holder returns
 Strangely, the PDC emulator is also the role that you can least do without
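
The following PowerShell, added here and not part of the original slides, wraps the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole with the checks the two preceding slides call for: the target DC is resolvable, an infrastructure master is not placed on a GC in a multi-domain forest unless every DC is a GC, a transfer is only attempted while the current holder still answers LDAP, and a seizure of the schema, domain naming or RID master is flagged as one-way. Server names in the usage lines are placeholders.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory
# module (RSAT) and an account holding the relevant "Change ..." rights.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]] $Role,
        [switch] $Seize     # seize instead of transfer: the old holder is gone for good
    )
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $target.Domain

    # Where each role lives today, as recorded in the directory.
    $current = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Placement rule from the slides: no infrastructure master on a GC in a
    # multi-domain forest, unless all DCs in the domain are GCs anyway.
    if ($Role -contains 'InfrastructureMaster' -and $target.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
        $nonGc = Get-ADDomainController -Filter * -Server $domain.DNSRoot | Where-Object { -not $_.IsGlobalCatalog }
        if ($nonGc) {
            throw "$TargetDC is a GC in a multi-domain forest; put the infrastructure master on a non-GC such as $($nonGc[0].HostName)"
        }
    }

    foreach ($r in $Role) {
        $holder = $current[$r]
        if ($holder -ieq $target.HostName) { Write-Warning "$TargetDC already holds $r"; continue }
        if ($Seize) {
            if ($r -in 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster') {
                Write-Warning "Seizing $r from $holder is one-way: never return $holder to the network; remove its metadata instead"
            }
        } else {
            # A transfer needs the current holder online: an LDAP bind to its RootDSE proves it.
            try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop }
            catch { throw "Current $r holder $holder is not answering LDAP; repair it or use -Seize" }
        }
    }

    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

# Transfer (both DCs up), e.g. before taking dc1 down for maintenance:
#   Move-FsmoRole -TargetDC dc2 -Role PDCEmulator, RIDMaster
# Seize (dc1 dead and not coming back):
#   Move-FsmoRole -TargetDC dc2 -Role SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Seize
```

Without the module the same operations are the Ntdsutil commands the slides refer to: under `roles`, connect to the destination server, then `transfer pdc` (or `seize pdc`) and the equivalents for the other four roles. Ntdsutil's seize first attempts a transfer and only seizes if the current holder does not respond, which is why it is safe to prefer `seize` over `transfer` only when you have already decided the old holder will not return.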

References: Overview
 Managing Flexible Single-Master Operations. Windows 2000 Server Resource Kit, Distributed Systems Guide (distrib/dsbl_fsm_djnw.htm)
 Windows 2000 Active Directory FSMO Roles. Microsoft KB Q197132

References: Placement
 Windows 2000 Active Directory FSMO Roles. Microsoft KB Q197132
 FSMO Placement and Optimization on Windows 2000 Domain Controllers. Microsoft KB Q223346

References: User Rights
 Setting User Rights for Designating FSMO Roles in an Enterprise. Microsoft KB Q228776

References: Determining Operations Masters
 How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles. Microsoft KB Q297230
 How to Find FSMO Role Holders (Servers). Microsoft KB Q234790

References: Transferring and Seizing Roles
 How to View and Transfer FSMO Roles in the Graphical User Interface. Microsoft KB Q255690
 Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller. Microsoft KB Q255504
 How to Change the Role Owner of the Operations Master After a Successful Seizure. Microsoft KB Q283595