
1 Active Directory Operations Masters

2 Overview
- Active Directory updates are generally multimaster: a change can be made on any DC and replicates to the others
- A few operations are single master: where two DCs could make conflicting changes, it is better to prevent the conflict than to resolve it afterwards (e.g. schema updates)
- These exceptions are managed by Operations Masters, also called Flexible Single Master Operations (FSMO) roles

3 Operations Master Roles
- Five roles in total
- Two forest-wide roles (one holder per forest):
  - Schema master
  - Domain naming master
- Three domain-wide roles (one holder per domain):
  - Relative Identifier (RID) master
  - Primary Domain Controller (PDC) emulator
  - Infrastructure master

4 Schema Master
- Responsible for schema updates; the only DC that can process them
- After an update, replicates the change to the other DCs
- If this operations master is unavailable, no schema changes can be made (day-to-day operation is otherwise unaffected)

5 Domain Naming Master
- Responsible for changes to the configuration naming context:
  - Adding and removing domains
  - Adding and removing cross-references to domains in external directories
- After an update, replicates the change to the other DCs
- If unavailable, domains cannot be added or removed
- On Windows 2000 the domain naming master must also be a global catalog server (it checks the GC to confirm a new domain name is unique); this requirement was dropped at the Windows Server 2003 forest functional level
- May be unnecessary in a single-domain forest?

6 RID Master
- Every security principal (user, group, computer) has a unique security identifier (SID), made up of the domain SID plus a relative identifier (RID) that is unique within the domain
- The RID master allocates each DC a pool of RIDs (500 by default)
- When a DC's pool runs low (roughly half used), it requests another pool from the RID master
- The RID master also controls moving objects between domains, so the same object cannot be moved from two DCs at once
- Without a RID master, a DC that exhausts its pool can no longer create security principals (users, groups, computers); DCs that still have RIDs in their pool carry on
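
An added example (not part of the original deck) that makes the SID/RID structure and the per-DC RID pool concrete. It assumes the ActiveDirectory PowerShell module and a reader account in the domain; the DC name `DC1` and the sample SID are placeholders. The attribute encodings it decodes are how the directory stores them: rIDAllocationPool on the DC's RID Set object is one 64-bit value with the first RID of the pool in the low 32 bits and the last in the high 32 bits, and rIDAvailablePool on CN=RID Manager$ holds the next RID the RID master will hand out (low 32 bits) and the domain's RID ceiling (high 32 bits).

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory module
# (RSAT) and read access to the domain. "DC1" and the sample SID are placeholders.

# A SID is the domain SID plus one trailing sub-authority, the RID.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $s.AccountDomainSid.Value   # S-1-5-21-<three sub-authorities>; $null for non-domain SIDs
        Rid       = [uint32]($s.Value.Split('-')[-1])
    }
}

# Constructed sample: an ordinary user (RID 1105) in a made-up domain.
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# The pool a DC was given by the RID master lives on CN=RID Set under the DC's
# computer object. rIDAllocationPool is one 64-bit value: low 32 bits = first RID
# of the pool, high 32 bits = last RID of the pool. rIDNextRID is the DC's own
# allocation cursor inside that pool.
function Get-DcRidPool {
    param([Parameter(Mandatory)][string]$DcName)
    $dc     = Get-ADDomainController -Identity $DcName
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                -Properties rIDAllocationPool, rIDNextRID
    $pool  = [int64]$ridSet.rIDAllocationPool
    $start = [uint32]($pool -band 0xFFFFFFFF)
    $end   = [uint32](($pool -shr 32) -band 0xFFFFFFFF)
    $next  = [uint32]$ridSet.rIDNextRID
    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = $start
        PoolEnd   = $end
        NextRid   = $next
        RidsLeft  = $end - $next   # approximate; the DC asks the RID master for a fresh pool around the halfway point
    }
}

# The RID master's own bookkeeping: rIDAvailablePool on CN=RID Manager$ holds the
# next RID it will allocate (low 32 bits) and the domain's RID ceiling (high 32 bits).
function Get-DomainRidState {
    $dn    = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
    $obj   = Get-ADObject -Identity $dn -Properties rIDAvailablePool, fSMORoleOwner
    $avail = [int64]$obj.rIDAvailablePool
    [pscustomobject]@{
        RidMasterNtdsDn = $obj.fSMORoleOwner     # NTDS Settings DN of the current RID master
        NextRidToIssue  = [uint32]($avail -band 0xFFFFFFFF)
        RidCeiling      = [uint32](($avail -shr 32) -band 0xFFFFFFFF)   # 1073741823 (2^30 - 1) unless the 31st bit has been unlocked
    }
}

Get-DcRidPool -DcName 'DC1'
Get-DomainRidState
```

Two RID masters handing out overlapping pools would produce duplicate SIDs, which is why the seizure rules later in the deck are so strict for this role; comparing `NextRidToIssue` against every DC's `PoolEnd` is a quick way to confirm that no pool has been issued twice.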

7 Infrastructure Master
- An object in one domain that references an object in another domain stores the GUID, SID and DN of the referenced object, e.g. a group in one domain with a member user or group from another domain
- The infrastructure master keeps the SID and DN in these cross-domain references up to date, e.g. when the referenced object is moved or renamed
- In a multiple-domain forest the infrastructure master role must not be held by a global catalog server: a GC already holds a partial replica of every object in the forest, so it never notices a stale reference and never updates anything. The exception is a domain in which every DC is a GC
- Not a problem in a single-domain forest (there are no cross-domain references)

8 PDC Emulator
- Mixed mode
  - Acts as the NT PDC for NT BDCs
  - Supports Netlogon replication
- Native and mixed modes
  - Password changes made at any DC are pushed immediately to the PDC emulator, ahead of normal replication
  - An authentication failure due to a bad password at another DC is forwarded to the PDC emulator before being rejected, so a freshly changed password works before it has replicated everywhere
  - Handles password changes from Windows 95, 98 and NT clients (those without the Active Directory client)

9 PDC Emulator cont.
- Native and mixed modes
  - By default the Group Policy snap-in connects to the PDC emulator when a GPO is edited
  - Reduces the potential for Group Policy replication conflicts between administrators editing the same GPO on different DCs
  - The default can be changed

10 PDC Emulator cont.
- Miscellaneous
  - All DCs synchronise their clocks to the PDC emulator of their domain (and domain members to the DC that authenticated them)
  - The PDC emulator of the forest root domain should be synchronised to an external time source
  - In a multi-domain forest the PDC emulator of each other domain synchronises with the PDC emulator of the forest root domain
  - Kerberos rejects tickets with more than 5 minutes of clock skew by default, so a broken time hierarchy is an authentication outage, not a cosmetic problem
  - Acts as Domain Master Browser
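
An added example (not from the original deck) of setting up and verifying the time hierarchy the slide describes. The deck is Windows 2000-era, where this was done with `net time /setsntp`; this version uses `w32tm` on a current DC and assumes the ActiveDirectory module. The NTP peer names are placeholders.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory module
# and that it is run on a DC. The NTP peers are placeholders.

# Which DC should be the forest's authoritative clock?
function Get-ForestRootPdcEmulator {
    (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
}

# Put this DC in its place in the hierarchy: the forest-root PDC emulator pulls
# from external peers and advertises itself as reliable; every other DC follows
# the domain hierarchy (its own domain's PDC emulator, which in turn follows the root).
function Set-DcTimeSource {
    param([string[]]$ExternalPeers = @('0.pool.ntp.org', '1.pool.ntp.org'))   # placeholders
    $rootPdc = (Get-ForestRootPdcEmulator) -split '\.' | Select-Object -First 1
    if ($rootPdc -ieq $env:COMPUTERNAME) {
        # 0x8 = poll the peer as a client
        $peers = ($ExternalPeers | ForEach-Object { "$_,0x8" }) -join ' '
        w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
    } else {
        w32tm /config /syncfromflags:domhier /update
    }
    w32tm /resync
}

# Verify: on the root PDC emulator the source should be an external peer; on any
# other DC it should be a DC name. A source of "Local CMOS Clock" on a DC means
# the hierarchy is broken and Kerberos skew failures are on their way.
function Get-DcTimeStatus {
    $status = w32tm /query /status
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        RootPdc  = Get-ForestRootPdcEmulator
        Source   = (w32tm /query /source) -join ''
        Stratum  = ($status | Select-String '^Stratum').Line
        Offset   = ($status | Select-String '^Phase Offset').Line
    }
}

Set-DcTimeSource
Get-DcTimeStatus
```

Run `Get-DcTimeStatus` on every DC after the PDC emulator role has been moved: the old holder keeps the `reliable` flag and the manual peer list until reconfigured, so two DCs can end up advertising themselves as the root of the hierarchy.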

11 Default Placement of Roles
- The first DC in a forest holds all five roles
- The first DC in a new domain within an existing forest holds all three domain roles:
  - RID master
  - Infrastructure master
  - PDC emulator

12 Guidelines for the Placement of Roles
- Keep the schema master and domain naming master roles on the same DC, which should also be a global catalog server
- Put the RID master and PDC emulator roles on the same DC
- In a multi-domain forest the infrastructure master must not be a global catalog server, but it should have a good connection to one

13 Guidelines for the Placement of Roles cont.
- Single-domain forest: keep all five roles on the same DC, which should also be a global catalog server
- Multiple-domain forest: move the infrastructure master role to a DC that is not a global catalog server (unless every DC in the domain is a GC)

14 Determining Role Placement
- Replication Monitor (Replmon): easiest; in the Support Tools on the Windows 2000 CD
- Active Directory Users and Computers: PDC emulator, infrastructure master, RID master
- Active Directory Domains and Trusts: domain naming master
- Active Directory Schema snap-in: schema master (NB Schmmgmt.dll must be registered with regsvr32 before first use)
- Dumpfsmos.cmd: Resource Kit
- Ntdsutil: command-line tool included with Windows 2000 Server
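
An added example (not from the original deck) covering slides 12 to 14 together: it finds the five role holders, first with the ActiveDirectory cmdlets and then by reading the fSMORoleOwner attribute that every tool on the slide ultimately consults, and then checks the placement guidelines. It assumes the ActiveDirectory module and a reader account in the domain being checked; the object DNs are the real locations of the role attributes.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory module
# and a reader account in the domain being checked.

# The cmdlet answer (equivalent to "netdom query fsmo").
function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# The same answer read straight from the directory: each role is an fSMORoleOwner
# attribute on the object the role protects, holding the NTDS Settings DN of the owner.
function Get-FsmoRoleHoldersRaw {
    $root = Get-ADRootDSE
    $roleObjects = [ordered]@{
        SchemaMaster         = $root.schemaNamingContext
        DomainNamingMaster   = 'CN=Partitions,' + $root.configurationNamingContext
        PDCEmulator          = $root.defaultNamingContext
        RIDMaster            = 'CN=RID Manager$,CN=System,' + $root.defaultNamingContext
        InfrastructureMaster = 'CN=Infrastructure,' + $root.defaultNamingContext
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = (Get-ADObject -Identity $roleObjects[$role] -Properties fSMORoleOwner).fSMORoleOwner
        # $owner looks like CN=NTDS Settings,CN=DC1,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        # A DN containing "\0ADEL:" points at a deleted server: the holder is gone and the role must be seized.
        [pscustomobject]@{
            Role    = $role
            Holder  = (($owner -split ',')[1] -replace '^CN=')
            Site    = (($owner -split ',')[3] -replace '^CN=')
            Deleted = ($owner -like '*0ADEL:*')
            OwnerDn = $owner
        }
    }
}

# Checks the placement guidelines from slides 12 and 13.
function Test-FsmoPlacement {
    $roles  = Get-FsmoRoleHolders
    $forest = Get-ADForest
    $gcs    = $forest.GlobalCatalogs                       # forest-wide list of GC FQDNs
    $dcs    = Get-ADDomainController -Filter *             # DCs of this domain only
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $multi  = $forest.Domains.Count -gt 1
    $findings = @()

    if ($multi -and -not $allGc -and $gcs -contains $roles.InfrastructureMaster) {
        $findings += "Infrastructure master $($roles.InfrastructureMaster) is a GC while not every DC is; cross-domain references will never be updated."
    }
    if ($gcs -notcontains $roles.DomainNamingMaster) {
        $findings += "Domain naming master $($roles.DomainNamingMaster) is not a GC (required on Windows 2000 forests)."
    }
    if ($roles.RIDMaster -ne $roles.PDCEmulator) {
        $findings += 'RID master and PDC emulator are on different DCs (guideline: co-locate them).'
    }
    if ($roles.SchemaMaster -ne $roles.DomainNamingMaster) {
        $findings += 'Schema master and domain naming master are on different DCs (guideline: co-locate them).'
    }
    if ($findings.Count -eq 0) { 'No placement findings.' } else { $findings }
}

Get-FsmoRoleHolders
Get-FsmoRoleHoldersRaw | Format-Table Role, Holder, Site, Deleted
Test-FsmoPlacement
```

Reading fSMORoleOwner directly is also the way to spot a disagreement between DCs: query the same attribute with `-Server` against each DC and compare, since a failed or half-replicated seizure shows up as two DCs naming different owners.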

15 User Rights to Change Roles
- By default only certain groups have the right to change role holders:
  - Schema Admins: schema master
  - Enterprise Admins: domain naming master
  - Domain Admins: all domain role holders (PDC emulator, RID master, infrastructure master)
- NB By default the Administrator account of the forest root domain is a member of all these groups

16 Modifying Permissions to Change Roles
- The right to change a role holder is an extended right on the object that carries the role (Change Schema Master, Change Domain Master, Change PDC, Change Rid Master, Change Infrastructure Master)
- Adsiedit (Support Tools) allows all of these permissions to be changed
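
An added example (not from the original deck) for slides 15 and 16: it audits who actually holds the extended right to transfer or seize each role, which is the permission Adsiedit edits. It assumes the ActiveDirectory module (for the `AD:` drive) and a reader account; the control-access-right names are the real `cn` values under CN=Extended-Rights.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory module
# (which provides the AD: drive used by Get-Acl) and a reader account.

function Get-FsmoChangeRights {
    $root = Get-ADRootDSE
    # Role -> (object carrying the role, extended right that controls changing it)
    $roles = [ordered]@{
        SchemaMaster         = @($root.schemaNamingContext,                                'Change-Schema-Master')
        DomainNamingMaster   = @('CN=Partitions,' + $root.configurationNamingContext,       'Change-Domain-Master')
        PDCEmulator          = @($root.defaultNamingContext,                               'Change-PDC')
        RIDMaster            = @('CN=RID Manager$,CN=System,' + $root.defaultNamingContext, 'Change-Rid-Master')
        InfrastructureMaster = @('CN=Infrastructure,' + $root.defaultNamingContext,        'Change-Infrastructure-Master')
    }
    # ACEs reference extended rights by rightsGuid, so map names to GUIDs first.
    $rightGuids = @{}
    Get-ADObject -SearchBase ('CN=Extended-Rights,' + $root.configurationNamingContext) `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $rightGuids[$_.Name] = [guid]$_.rightsGuid }

    foreach ($role in $roles.Keys) {
        $dn, $rightName = $roles[$role]
        $guid = $rightGuids[$rightName]
        $acl  = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # An ACE grants this right if it carries the ExtendedRight bit and either names
            # this right's GUID or names no GUID at all (all extended rights). GenericAll
            # includes the ExtendedRight bit, so full-control holders are reported too.
            $hasExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if ($hasExtended -and ($ace.ObjectType -eq $guid -or $ace.ObjectType -eq [guid]::Empty)) {
                [pscustomobject]@{
                    Role              = $role
                    Right             = $rightName
                    Principal         = $ace.IdentityReference.Value
                    Type              = $ace.AccessControlType
                    Inherited         = $ace.IsInherited
                    AllExtendedRights = ($ace.ObjectType -eq [guid]::Empty)
                }
            }
        }
    }
}

# Anything beyond the defaults on slide 15 (Schema Admins, Enterprise Admins,
# Domain Admins, plus SYSTEM and full-control holders) deserves an explanation.
Get-FsmoChangeRights | Sort-Object Role, Principal | Format-Table -AutoSize
```

The `AllExtendedRights` column matters: a principal granted "all extended rights" on the domain head can move the PDC emulator even though no ACE mentions Change PDC by name, which is easy to miss when reading the ACL in the GUI.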

17 Transferring Roles
- Transfer only when both the source and destination DCs are up and running: a transfer is an ordinary replicated write that both DCs take part in
- Domain-specific roles: Active Directory Users and Computers
- Schema master: Schema Manager snap-in
- Domain naming master: Active Directory Domains and Trusts
- Any role: Ntdsutil (roles menu)

18 When to Transfer Roles
- Initial setup of a domain, e.g. in a multi-domain forest, move the infrastructure master off the global catalog server
- Permanently demoting a DC: roles held by the DC are transferred automatically by dcpromo, but a manual transfer beforehand gives control over where they end up
- Temporarily taking down a DC:
  - Probably unnecessary to transfer the schema and domain naming masters (little used); likewise the infrastructure master in a single-domain forest
  - Always transfer the PDC emulator; it may be wise to transfer the RID master, but this is probably unnecessary for a short downtime

19 Seizing Roles
- Generally only seize a role when the original role holder has failed irrecoverably and will never be brought back online or restored from backup: a seizure is a forced change of ownership made without the old holder's agreement, and if that DC returns both DCs will believe they own the role
- For the schema master, domain naming master and RID master the old holder must never come back (two RID masters can issue the same RIDs, i.e. duplicate SIDs); remove its metadata instead
- Exception: the PDC emulator (and the infrastructure master) can fairly safely be seized, and the old holder can be returned to service afterwards
- Strangely, the PDC emulator is also the role that you can least do without
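
An added example (not from the original deck) for slides 17 to 19: a wrapper around `Move-ADDirectoryServerOperationMasterRole` that enforces the rules above, refusing a transfer when the current holder is not answering, refusing a seizure when it still is, and warning when the seized role is one whose old holder must never return. It assumes the ActiveDirectory module and an account with the relevant Change right; the DC names are placeholders, and the `ntdsutil` lines in the comments are the deck's own tool doing the same thing.

```powershell
# Added example, not from the original slides. Assumes the ActiveDirectory module and
# an account holding the extended right for the role. DC names are placeholders.

function Get-CurrentRoleHolder {
    param([string]$Role)
    $f = Get-ADForest; $d = Get-ADDomain
    switch ($Role) {
        'SchemaMaster'         { $f.SchemaMaster }
        'DomainNamingMaster'   { $f.DomainNamingMaster }
        'PDCEmulator'          { $d.PDCEmulator }
        'RIDMaster'            { $d.RIDMaster }
        'InfrastructureMaster' { $d.InfrastructureMaster }
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize
    )
    $holder = Get-CurrentRoleHolder -Role $Role
    if ($holder -ieq $TargetDc) { Write-Verbose "$TargetDc already holds $Role"; return }

    # A transfer is a replicated write agreed between both DCs, so the current holder
    # must answer LDAP. If it does not, the question is whether it is ever coming back.
    $holderUp = $true
    try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop } catch { $holderUp = $false }

    if (-not $Seize) {
        if (-not $holderUp) {
            throw "$Role holder $holder is not responding, so a transfer is impossible. Use -Seize only if it is permanently gone."
        }
        if ($PSCmdlet.ShouldProcess($TargetDc, "Transfer $Role from $holder")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
        }
        return
    }

    if ($holderUp) { throw "$holder is still online; transfer the role instead of seizing it." }
    if ($Role -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
        Write-Warning "After seizing $Role, $holder must never return to the network (duplicate RIDs / conflicting updates). Remove it with ntdsutil 'metadata cleanup'."
    }
    if ($PSCmdlet.ShouldProcess($TargetDc, "SEIZE $Role (old holder $holder unreachable)")) {
        # -Force tries a normal transfer first and seizes only if that fails.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
    }
}

# Usage (placeholders):
#   Move-FsmoRole -TargetDc 'DC2' -Role PDCEmulator            # planned maintenance on DC1
#   Move-FsmoRole -TargetDc 'DC2' -Role PDCEmulator -Seize     # DC1 is dead for good
#
# Same operations in the deck's own tool:
#   ntdsutil "roles" "connections" "connect to server DC2" "quit" "transfer PDC" "quit" "quit"
#   ... with "seize PDC" in place of "transfer PDC" when the old holder is gone.
```

After any seizure, re-read fSMORoleOwner on every remaining DC for that role before trusting the result: a seizure performed on one DC is only safe once it has replicated, and any DC still naming the dead holder will keep trying to contact it.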

20 References — Overview
- Managing Flexible Single-Master Operations (Windows 2000 Resource Kit): http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/default.asp?PP=/windows2000/techinfo/reskit/en/toc/w2rkbook-0-2-1-6.xml&tocPath=w2rkbook-0-2-1-6&URL=/windows2000/techinfo/reskit/en/distrib/dsbl_fsm_djnw.htm
- Windows 2000 Active Directory FSMO Roles (KB 197132): http://support.microsoft.com/support/kb/articles/Q197/1/32.ASP

21 References — Placement
- Windows 2000 Active Directory FSMO Roles (KB 197132): http://support.microsoft.com/support/kb/articles/Q197/1/32.ASP
- FSMO Placement and Optimization on Windows 2000 Domain Controllers (KB 223346): http://support.microsoft.com/support/kb/articles/Q223/3/46.ASP

22 References — User Rights
- Setting User Rights for Designating FSMO Roles in an Enterprise (KB 228776): http://support.microsoft.com/support/kb/articles/Q228/7/76.ASP

23 References — Determining Operations Masters
- How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles (KB 297230): http://support.microsoft.com/support/kb/articles/Q297/2/30.ASP
- How to Find FSMO Role Holders (Servers) (KB 234790): http://support.microsoft.com/support/kb/articles/Q234/7/90.ASP

24 References — Transferring and Seizing Roles
- How to View and Transfer FSMO Roles in the Graphical User Interface (KB 255690): http://support.microsoft.com/support/kb/articles/Q255/6/90.ASP
- Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller (KB 255504): http://support.microsoft.com/support/kb/articles/Q255/5/04.ASP

25 References — Transferring and Seizing Roles cont.
- How to Change the Role Owner of the Operations Master After a Successful Seizure (KB 283595): http://support.microsoft.com/support/kb/articles/Q283/5/95.ASP
