1 / 25

Active Directory

Active Directory. Operations Masters. Overview. Active Directory updates generally multimaster Changes can be made on any DC Some exceptions — single master Sometimes better to prevent conflict than to resolve later E.g. schema updates Exceptions managed by Operations Masters.

daniel_millan
Download Presentation

Active Directory

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Active Directory Operations Masters

  2. Overview • Active Directory updates generally multimaster • Changes can be made on any DC • Some exceptions — single master • Sometimes better to prevent conflict than to resolve later • E.g. schema updates • Exceptions managed by Operations Masters

  3. Operations Master Roles • Five roles in total • Two roles where there is one per forest • Schema master • Domain naming master • Three roles where there is one per domain • Relative Identifier (RID) master • Primary Domain Controller (PDC) Emulator • Infrastructure master

  4. Schema Master • Responsible for schema updates • Only DC that can process schema updates • After update, replicates changes to other DCs • If this Operations master is unavailable, no schema changes can be made

  5. Domain Naming Master • Responsible for changes to configuration naming context • Adding and removing domains • Adding and removing cross references to domains in external directories • After update, replicates to other DCs • If unavailable, cannot add or remove domains • Domain Naming Master must also be a global catalog server • May be unnecessary in single-domain forest?

  6. RID Master • Objects e.g. users and groups, each have a unique security identifier (SID) • Consists of domain SID and unique relative identifier (RID) • RID master allocates each DC a pool of RIDs • When a DC’s RID pool falls too low, it requests additional RIDs from RID master • RID master also controls moving objects between domains • With no RID master, when a DC runs out of RIDs, new security principals (i.e. users, groups etc.) cannot be created on that DC

  7. Infrastructure Master • Object in domain referencing object in another domain uses GUID, SID and DN • E.g. group in one domain referencing user or group in another domain • Infrastructure master updates SID and DN in cross-domain references • E.g. if referenced object moves • Multiple-domain, infrastructure master role must not be held by GC server • Not a problem in single-domain forests (because no external references)

  8. PDC Emulator • Mixed Mode • Acts as NT PDC to NT BDCs • Supports Netlogon replication • Native and Mixed Modes • Password changes replicated preferentially to PDC emulator • Authentication failures due to bad password at another DC forwarded to PDC emulator before failing completely • Manages password changes from 95, 98, NT clients

  9. PDC Emulator cont. • Native and Mixed Modes • By default, Group Policy snap-in runs on PDC emulator • Reduces potential for Group Policy replication conflicts • Can be changed

  10. PDC Emulator cont. • Miscellaneous • All DCs synchronize their clock to that of the PDC emulator • PDC emulator of forest root domain should be synchronized to external time source • In multi-domain forest, PDC emulator for domain synchronizes with PDC emulator of forest root domain • Acts as Domain Master Browser

  11. Default Placement of Roles • First DC in a forest holds all roles • First DC in a new domain within existing forest holds all domain roles • RID master • Infrastructure master • PDC emulator

  12. Guidelines for the Placement of Roles • Keep schema master and domain naming master roles on same DC • DC should also be a global catalog server • Put RID master and PDC emulator roles on the same DC • In multi-domain forest, the infrastructure master must not be a global catalog server • Should have good connection to global catalog server

  13. Guidelines for the Placement of Roles cont. • Single-domain forest • Keep all five roles on same DC which should also be a global catalog server • Multiple-domain forest • Move infrastructure master role to a DC that is not a global catalog server

  14. Determining Role Placement • Replication Monitor • Easiest — Support Tools (2000 CD) • Active Directory Users and Computers • PDC Emulator, Infrastructure master, RID master • Active Directory Domains and Trusts • Domain Naming master • Active Directory Schema Snap-In • Schema master • NB Schmmgmt.dll must be registered before first use • Dumpfsmos • Resource kit • NTDSUTIL • Command line tool included with 2000 server

  15. User Rights to Change Roles • By default, certain groups only have rights to change role holders • Schema Administrators • Schema master • Enterprise Administrators • Domain naming master • Domain Administrators • All domain role holders • NB By default, Administrator of forest root domain is a member of all these groups

  16. Modifying Permissions to Change Roles • Adsiedit (support tools) tool allows all permissions to be changed

  17. Transferring Roles • Transfer only when source and destination DCs are up and running • Domain-specific roles • Active Directory Users and Computers • Schema Master • Schema Manager Snap-In • Domain Naming Master • Active Directory Domains and Trusts

  18. When to Transfer Roles • Initial setup of domain • E.g. in a multi-domain forest, move Infrastructure master off global catalog server • Permanently demoting a DC • Roles held by the DC transferred automatically but manual transfer gives control over location • Temporarily taking down a DC • Probably unnecessary to transfer schema and domain naming masters (little used); also infrastructure master in single-domain forest • Always transfer the PDC emulator; may be wise to transfer RID master, but probably unnecessary for short downtime

  19. Seizing Roles • Generally only seize when originally role holder has failed irrecoverably and will not be restored from backup • Exception — can fairly safely seize PDC emulator role • Strangely, this is also the role that you can least do without

  20. References — Overview • Managing Flexible Single-Master Operations • http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/default.asp?PP=/windows2000/techinfo/reskit/en/toc/w2rkbook-0-2-1-6.xml&tocPath=w2rkbook-0-2-1-6&URL=/windows2000/techinfo/reskit/en/distrib/dsbl_fsm_djnw.htm • Windows 2000 Active Directory FSMO Roles • http://support.microsoft.com/support/kb/articles/Q197/1/32.ASP

  21. References — Placement • Windows 2000 Active Directory FSMO Roles • http://support.microsoft.com/support/kb/articles/Q197/1/32.ASP • FSMO Placement and Optimization on Windows 2000 Domain Controllers • http://support.microsoft.com/support/kb/articles/Q223/3/46.ASP

  22. References — User Rights • Setting User Rights for Designating FSMO Roles in an Enterprise • http://support.microsoft.com/support/kb/articles/Q228/7/76.ASP

  23. References — Determining Operations Masters • How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles • http://support.microsoft.com/support/kb/articles/Q297/2/30.ASP • How to Find FSMO Role Holders (Servers) • http://support.microsoft.com/support/kb/articles/Q234/7/90.ASP

  24. References — Transferring and Seizing Roles • How to View and Transfer FSMO Roles in the Graphical User Interface • http://support.microsoft.com/support/kb/articles/Q255/6/90.ASP • Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller • http://support.microsoft.com/support/kb/articles/Q255/5/04.ASP

  25. References — Transferring and Seizing Roles • How to Change the Role Owner of the Operations Master After a Successful Seizure • http://support.microsoft.com/support/kb/articles/Q283/5/95.ASP

More Related