11 GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES Chapter 4.


UNDERSTANDING THE GLOBAL CATALOG
- Central repository for forest-wide data.
- Holds a subset of the attributes of every object in the forest (a partial replica of each domain in the forest).
- The first domain controller in the forest is automatically configured as a global catalog server.
- Other domain controllers can be made global catalog servers.

FUNCTIONS OF THE GLOBAL CATALOG
- Facilitates searches for objects anywhere in the forest (queried on LDAP port 3268, or 3269 over SSL).
- Resolves user principal names (UPNs), which do not tell you which domain holds the account.
- Provides universal group membership information.
- At Windows 2000 native domain functional level or later, a global catalog must be reachable at logon so that universal group membership can be expanded.

UNIVERSAL GROUP MEMBERSHIP CACHING
- New in Microsoft Windows Server 2003.
- When enabled for a site, domain controllers in that site that are not global catalog servers can process logons without contacting a global catalog server.
- The cache is refreshed from a global catalog on an eight-hour interval.
- Removes the need to place a global catalog server in a remote site just to support logons.
- Gives better logon performance at the remote site.
- Can be used to minimize wide area network (WAN) link usage.

LOGON PROCESS AND THE GLOBAL CATALOG
- Universal group membership is added to the user's access token when the user logs on; that token is what is later compared against the access control lists (ACLs) on resources.
- The global catalog is used to look up universal group membership.
- Users might be denied logon if no global catalog is available and universal group membership caching is not enabled.
- The built-in Administrator account can log on regardless of global catalog availability or the universal group membership caching configuration.

ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS
- A global catalog server generates additional replication traffic, because its partial replicas of every other domain must be kept current.
- Additional hard disk space is required for those partial replicas.
- Consider placing a global catalog server in each site, or configure universal group membership caching for that site.
- Place a global catalog server in each site where applications need to make global catalog queries.

ENABLING A GLOBAL CATALOG SERVER
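The following PowerShell is an added example and is not part of the slide deck. It inventories global catalog servers, reports per site whether universal group membership caching (UGMC) is enabled (so a site with neither a GC nor UGMC stands out), resolves a UPN through the GC port, and then performs the two enable operations the slides show as checkboxes by setting the underlying option bits. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; the names corp.example, alice@corp.example, the site "Branch" and the domain controller DC03 are placeholders.

```powershell
# Added example; not from the slide deck. Placeholders: corp.example, Branch, DC03.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNc = (Get-ADRootDSE).configurationNamingContext
Write-Host "Global catalog servers: $($forest.GlobalCatalogs -join ', ')"

# UGMC is bit 0x20 of the 'options' attribute on each site's NTDS Site Settings
# object; msDS-Preferred-GC-Site names the site whose GC refreshes the cache.
$UgmcBit = 0x20
$dcs = Get-ADDomainController -Filter *        # DCs of the current domain only
$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                             -Properties options, 'msDS-Preferred-GC-Site'
    [pscustomobject]@{
        Site            = $site.Name
        HasGc           = [bool]($dcs | Where-Object { $_.IsGlobalCatalog -and $_.Site -eq $site.Name })
        UgmcEnabled     = (([int]$settings.options) -band $UgmcBit) -ne 0
        PreferredGcSite = $settings.'msDS-Preferred-GC-Site'
    }
}
# A site with HasGc = False and UgmcEnabled = False depends on a WAN link for
# every logon that has to expand universal group membership.
$report | Format-Table -AutoSize

# Resolve a UPN forest-wide: query the GC port (3268) instead of LDAP 389,
# because the UPN suffix does not say which domain holds the account.
$gc = $forest.GlobalCatalogs | Select-Object -First 1
Get-ADUser -Filter "UserPrincipalName -eq 'alice@corp.example'" -Server "${gc}:3268" |
    Select-Object Name, UserPrincipalName, DistinguishedName

# Enable UGMC for the Branch site: set bit 0x20 while keeping any other bits
# (same effect as the checkbox on the site's NTDS Site Settings).
$siteDn = "CN=NTDS Site Settings,CN=Branch,CN=Sites,$configNc"
$opts   = [int](Get-ADObject -Identity $siteDn -Properties options).options
Set-ADObject -Identity $siteDn -Replace @{ options = ($opts -bor $UgmcBit) }

# Make DC03 a GC: bit 0x1 of 'options' on its NTDS Settings object (same effect
# as the "Global Catalog" checkbox). Expect extra replication traffic and disk
# use while the partial replicas of the other domains are built.
$GcBit  = 0x1
$ntdsDn = "CN=NTDS Settings,CN=DC03,CN=Servers,CN=Branch,CN=Sites,$configNc"
$opts   = [int](Get-ADObject -Identity $ntdsDn -Properties options).options
Set-ADObject -Identity $ntdsDn -Replace @{ options = ($opts -bor $GcBit) }
```

The option bits are OR-ed into the existing value rather than written with a bare `options = 1`, because the same attribute carries other flags (for example the bits that disable inbound or outbound replication) that a blind replace would clear. After enabling the GC, `repadmin /options DC03` lists IS_GC once the domain controller advertises itself as a global catalog.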

UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES
- Active Directory replication is multi-master, but a few operations would conflict if two domain controllers performed them at the same time; each of those is assigned to a single domain controller as a Flexible Single Master Operations (FSMO) role.
- The roles are assigned automatically to the first domain controller in a domain (the forest-wide roles go to the first domain controller in the forest).
- Roles can be transferred to other domain controllers.
- Having one master per operation prevents conflicting updates and keeps replication of the results simple.

FIVE FSMO ROLES
- Domain naming master
- Relative identifier (RID) master
- Infrastructure master
- Primary Domain Controller (PDC) emulator
- Schema master

DOMAIN-SPECIFIC ROLES
- RID master: allocates blocks of RIDs to the other domain controllers in the domain.
- Infrastructure master: keeps references to security principals in other domains up to date.
- PDC emulator:
  - Backward compatibility with Microsoft Windows NT Server version 4.0 backup domain controllers and with pre-Windows 2000 client computers (Microsoft Windows 98 and Windows Me).
  - Time synchronization.
  - Preferential replication of user account password changes.

DOMAIN-WIDE OPERATIONS MASTERS

RID MASTER
- Used when security principals (users, groups, computers) are created.
- The RID is the final component of a security identifier (SID); appended to the domain SID, it makes each principal's SID unique within the domain.
- Built-in RIDs are the same in every domain; for example, the built-in Administrator always has RID 500.
- The RID master hands each domain controller a block of RIDs to use when it creates new objects.

WHAT IF THE RID MASTER ISN'T AVAILABLE?
- Existing users are not affected.
- Creating new objects can fail, but only once a domain controller's existing RID pool is depleted.
- Moving objects between domains fails:
  - Movetree.exe must be run against the RID master of the source domain.
  - The RID master of the target domain must also be available.
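The following PowerShell is an added example, not part of the slides, covering the RID master slide and the "RID master isn't available" slide together. Split-Sid splits a SID into the domain SID and the RID and flags the well-known RIDs that are identical in every domain; Get-RidPoolStatus reads the RID block each domain controller holds so you can tell how long object creation would keep working with the RID master down. Split-Sid needs only PowerShell; the pool check assumes the ActiveDirectory module and a domain session. The SIDs below are constructed samples, and the RID-pool attribute layout (low 32 bits = first RID, high 32 bits = last RID) is the documented packing of rIDAllocationPool and rIDAvailablePool.

```powershell
# Added example; not from the slide deck. Sample SIDs are constructed.

# Well-known RIDs are the same in every domain; RIDs issued from a DC's block start at 1000.
$WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 516 = 'Domain Controllers'
    518 = 'Schema Admins (forest root only)'; 519 = 'Enterprise Admins (forest root only)'
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    # SecurityIdentifier validates the syntax; AccountDomainSid is the S-1-5-21-... prefix.
    $sid       = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    $rid       = [int]($SidString -split '-')[-1]
    $domainSid = $null
    if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
    [pscustomobject]@{
        Sid        = $sid.Value
        DomainSid  = $domainSid
        Rid        = $rid
        WellKnown  = $WellKnownRids[$rid]
        PoolIssued = $rid -ge 1000     # allocated by a DC from a block issued by the RID master
    }
}

# Constructed samples: the built-in Administrator (RID 500) and a pool-issued user.
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-500'
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1105'

function ConvertFrom-RidPool {
    # AD packs a RID range into one 64-bit value: low 32 bits = first RID, high 32 bits = last RID.
    param([long]$Packed)
    [pscustomobject]@{ Start = $Packed -band 4294967295; End = $Packed -shr 32 }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    # The domain-wide pool lives on the RID Manager$ object, which the RID master owns.
    $mgr   = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
    $avail = ConvertFrom-RidPool $mgr.rIDAvailablePool
    Write-Host ("RID master {0}: next unallocated RID {1}, ceiling {2}" -f $domain.RIDMaster, $avail.Start, $avail.End)

    # Each DC draws RIDs from its own RID Set: rIDPreviousAllocationPool is the
    # block in use, rIDAllocationPool the block reserved next, rIDNextRID the
    # DC's position inside the current block. With the RID master down, a DC can
    # keep creating principals only until its current block is used up.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $set  = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                             -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $cur  = ConvertFrom-RidPool $set.rIDPreviousAllocationPool
        $next = ConvertFrom-RidPool $set.rIDAllocationPool
        [pscustomobject]@{
            DC                = $dc.HostName
            CurrentBlock      = '{0}-{1}' -f $cur.Start, $cur.End
            NextRid           = $set.rIDNextRID
            RemainingApprox   = $cur.End - [int]$set.rIDNextRID   # approximate: off by one at most
            NextBlockReserved = $next.Start -ne $cur.Start
        }
    }
}
Get-RidPoolStatus | Format-Table -AutoSize
```

A domain controller whose RemainingApprox is small and whose NextBlockReserved is False is the one that will start failing object creation first if the RID master is unreachable; `dcdiag /test:ridmanager /v` reports the same attributes in its own format.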

INFRASTRUCTURE MASTER
- Manages references from objects in its domain to users and groups in other domains (for example, members of a group who belong to another domain).
- Updates those references (distinguished name and SID) when the referenced object is renamed or moved.
- Compares its references with the global catalog to find out which ones are stale.
- The role should not be held by a global catalog server: a global catalog already holds a copy of every object in the forest, so the infrastructure master would never notice a stale reference and would never update it.
  - Exception 1: there is only a single domain in the forest.
  - Exception 2: all domain controllers are also global catalog servers.

PDC EMULATOR
- Provides backward compatibility for pre-Windows 2000 client computers.
- Acts as the PDC at Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network.
- Receives password changes ahead of normal replication and is consulted when a logon fails on another domain controller, which makes it the central point for password changes and account lockouts.
- Handles time synchronization: it is the authoritative time source for its domain, and the forest root PDC emulator is the time source for the whole forest.

FOREST-WIDE ROLES
- Domain naming master
- Schema master
- Each of these roles is held by only one domain controller in the entire forest.
- Usually these roles are held by domain controllers in the forest root domain.

DOMAIN NAMING MASTER
- Controls additions and removals of domains in the forest.
- Ensures domain names are unique in the forest.
- Domains cannot be added or removed if the domain naming master is not available.
- Enterprise Admins membership is required to add and remove domains.

SCHEMA MASTER
- The only domain controller that accepts writes to the schema.
- Ensures schema modifications are replicated to all domain controllers in the forest.
- The schema cannot be modified if the schema master is not available.
- Schema Admins membership is required to modify the schema.

PLACING FSMO SERVERS
- In a multi-domain environment you will likely move some of the FSMO roles away from their default holders.
- Decisions on placement involve:
  - The number of domains in the forest.
  - The physical structure, including sites.
  - The number of domain controllers in each domain.

DEFAULT FSMO ROLE ASSIGNMENTS

ADJUSTING FSMO ROLES IN FOREST ROOT

MANAGING FSMO ROLES
- What happens when a domain controller holding a given FSMO role fails?
- Transferring roles: the current holder is online and hands the role over cooperatively.
- Seizing roles: the current holder is gone and the role is taken without its cooperation.

WHAT ARE THE IMPLICATIONS OF FAILURE?
- Schema master: the schema cannot be modified; everything else keeps working.
- Domain naming master: domains cannot be added or removed.
- PDC emulator: password changes replicate only at normal speed, account lockout handling and time synchronization suffer, and pre-Windows 2000 clients and NT 4.0 BDCs lose their PDC.
- RID master: existing users are unaffected; creating new objects fails once a domain controller's RID pool is depleted.
- Infrastructure master: cross-domain references to renamed or moved objects go stale.

MANAGING ROLES
- Active Directory Users And Computers (Operations Masters dialog): RID master, infrastructure master, PDC emulator
- Active Directory Domains And Trusts: domain naming master
- Microsoft Management Console (MMC) Active Directory Schema snap-in: schema master (register the snap-in first with regsvr32 schmmgmt.dll)
- Repadmin: checks replication health before and after a role move (for example, repadmin /showrepl)
- NTDSUtil: all roles, and the only one of these tools that can seize a role rather than transfer it
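The following PowerShell is an added example, not part of the slides, for the three "managing FSMO roles" slides above. It lists the five role holders, checks the infrastructure master placement rule from earlier in the chapter, transfers roles gracefully, and shows the seize path with the caveat that comes with it. It assumes the ActiveDirectory module and the Move-ADDirectoryServerOperationMasterRole cmdlet (Windows Server 2008 R2 and later); the domain controller names DC01 and DC02 are placeholders.

```powershell
# Added example; not from the slide deck. Placeholders: DC02.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        # Forest-wide roles: one holder in the whole forest, normally in the forest root.
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-wide roles: one holder per domain.
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
$holders = Get-FsmoHolders
$holders | Format-List          # command-line equivalent: netdom query fsmo

# Placement rule from the infrastructure master slide: the role must not be on a
# global catalog unless the forest has one domain or every DC is a GC.
$allDcs      = Get-ADDomainController -Filter *
$imIsGc      = (Get-ADDomainController -Identity $holders.InfrastructureMaster).IsGlobalCatalog
$everyDcIsGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imIsGc -and (Get-ADForest).Domains.Count -gt 1 -and -not $everyDcIsGc) {
    Write-Warning 'Infrastructure master is a GC in a multi-domain forest; cross-domain references will go stale.'
}

# Transfer (current holder online and healthy): both DCs take part, so the old
# holder gives the role up cleanly. Same outcome as the GUI snap-ins or
# ntdsutil:  roles -> connections -> connect to server DC02 -> quit -> transfer pdc
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seize (current holder permanently lost): -Force writes the new owner without
# the old holder's participation (ntdsutil: seize schema master). Do this only
# after deciding the old DC will never return, then remove its metadata
# (ntdsutil "metadata cleanup"). A seized schema, domain naming or RID master
# must never be reconnected, or two DCs will claim the same role.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster -Force -Confirm:$false

# Verify that every DC has replicated the new ownership before relying on it.
foreach ($dc in Get-ADDomainController -Filter *) {
    $view = Get-ADDomain -Server $dc.HostName
    '{0,-30} sees PDC={1} RID={2} IM={3}' -f $dc.HostName, $view.PDCEmulator, $view.RIDMaster, $view.InfrastructureMaster
}
```

The verification loop matters because role ownership is an ordinary replicated attribute (fSMORoleOwner on the relevant container): a domain controller that has not yet replicated the change will keep sending RID requests or password changes to the old holder until it does.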

SUMMARY
- Global catalog function
- Global catalog server placement
- Domain-wide operations masters
- Forest-wide operations masters
- Implications of FSMO failure
- Tools to manage FSMO roles

