1 / 26

Maximizing Global Catalog and FSMO Roles

Understand the importance, functions, and benefits of the global catalog server and the flexible single master operations (FSMO) roles in an Active Directory environment. Learn about universal group membership caching, logon processes, and planning server placement for optimal performance.

emily
Download Presentation

Maximizing Global Catalog and FSMO Roles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 4 GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

  2. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES UNDERSTANDING THE GLOBAL CATALOG • Central repository for forest-wide data. • Subset of attributes from objects forest-wide. • First domain controller in the forest is automatically configured as a global catalog server. • Other domain controllers can become global catalog servers.

  3. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES FUNCTIONS OF THE GLOBAL CATALOG • Facilitate searches for objects in the forest • Resolve User Principal Names (UPNs) • Provide universal group membership information • If the domain is in Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on.

  4. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES UNIVERSAL GROUP MEMBERSHIP CACHING • New for Microsoft Windows Server 2003. • When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server. • Refreshed on an eight-hour interval. • Eliminates the need to place a global catalog server in a remote site to facilitate logons. • Provides better logon performance. • Can be used to minimize wide area network (WAN) link usage.

  5. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES LOGON PROCESS AND THE GLOBAL CATALOG • Universal group membership is used in creation of the access control list (ACL) when the user logs on. • Global catalog is used to verify universal group membership. • Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled. • Built-in Administrator account can logon, regardless of global catalog availability or the universal group membership caching configuration.

  6. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

  7. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS • There is additional global catalog replication traffic when a global catalog is configured. • Additional hard disk space is required. • Consider placing a global catalog server in each site or configure universal group membership caching for that site. • Consider placing a global catalog server in each site where applications need to make global catalog queries.

  8. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ENABLING A GLOBAL CATALOG SERVER

  9. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES • Flexible Single Master Operations (FSMO) roles • Assigned automatically to the first domain controller in a domain • Roles can be transferred to other domain controllers • Used to reduce conflict and facilitate communication concerning replication between domain controllers

  10. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES FIVE FSMO ROLES • Domain naming master • Relative identifier (RID) master • Infrastructure master • Primary Domain Controller (PDC) emulator • Schema master

  11. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES DOMAIN-SPECIFIC ROLES • RID master—Assigns RIDs to other domain controllers • Infrastructure master—Allows security principals to be tracked between domains • PDC emulator • Backward compatibility with Microsoft Windows NT Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me) • Time synchronization • User account password change replication

  12. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES DOMAIN-WIDE OPERATIONS MASTERS

  13. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES RID MASTER • Used when security principals are created • RID makes the individual security principal security identifier (SID) unique within a domain • Built-in RIDs are consistent between domains, for example, Built-in Administrator has a RID of 500 • RID master gives other domain controllers RIDs to use when new objects are created

  14. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES WHAT IF THE RID MASTER ISN’T AVAILABLE? • Doesn’t affect existing users • Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted • Problems moving objects between domains • Movetree.exe must be run on the RID master of the source domain. • RID master of the target domain must also be available.

  15. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES INFRASTRUCTURE MASTER • Manages user and group references for objects between domains • Updates ACLs and group memberships as required • Queries the global catalog to ensure that references are current • Role should not be assigned to a global catalog server • Exception 1: There is only a single domain in the forest • Exception 2: All domain controllers are also global catalog servers

  16. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES PDC EMULATOR • Provides backward compatibility for pre–Windows 2000 client computers • Acts as the PDC in Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network • Acts as a central manager for user password changes, replication, and account lockouts • Handles time synchronization

  17. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ALTERNATE TCP/IP ADDRESS CONFIGURATION • Domain naming master • Schema master • These roles are assigned to only one domain controller in the entire forest • Usually these roles are assigned to domain controllers in the forest root domain

  18. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES DOMAIN NAMING MASTER • Allows additions or removals of domains. • Ensures domain names are unique in the forest. • Domains cannot be added or removed if the domain naming master is not available. • Enterprise Admins level access is required in order to add and remove domains.

  19. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES SCHEMA MASTER • Controls access to the schema. • Ensures modifications are replicated to all domain controllers in the forest. • The schema cannot be modified if the schema master is not available. • Schema Admins level access is required to modify the schema.

  20. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES PLACING FSMO SERVERS • In a multi-domain environment, you’ll likely move some of the FSMO roles. • Decisions on placing domain controllers involve. • Number of domains that are a part of the forest • Physical structure, including sites • Number of domain controllers in each domain

  21. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES DEFAULT FSMO ROLE ASSIGNMENTS

  22. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES ADJUSTING FSMO ROLES IN FOREST ROOT

  23. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES MANAGING FSMO ROLES • What happens when a domain controller holding a given FSMO role fails? • Transferring roles. • Seizing roles.

  24. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES WHAT ARE THE IMPLICATIONS OF FAILURE? • Schema master • Domain naming master • PDC emulator • RID master • Infrastructure master

  25. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES MANAGING ROLES • Active Directory Users And Computers • RID master • Infrastructure master • PDC emulator • Active Directory Domains And Trusts—domain naming master • Microsoft Management Console (MMC) Schema snap-in—schema master • Repadmin • NTDSUtil—All roles

  26. Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES SUMMARY • Global catalog function • Global catalog server placement • Domain-wide operations masters • Forest-wide operations masters • Implications of FSMO failure • Tools to manage FSMO roles

More Related