1 / 27

A Course on Global Catalog And Flexible Single Master Operations (Fsmo) Roles

A Course on Global Catalog And Flexible Single Master Operations (Fsmo) Roles. Prepared for: *Stars* New Horizons Certified Professional Course. UNDERSTANDING THE GLOBAL CATALOG. Central repository for forest-wide data. Subset of attributes from objects forest-wide.

gzifa
Download Presentation

A Course on Global Catalog And Flexible Single Master Operations (Fsmo) Roles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Course on Global Catalog And Flexible Single Master Operations (Fsmo) Roles Prepared for: *Stars* New Horizons Certified Professional Course

  2. UNDERSTANDING THE GLOBAL CATALOG • Central repository for forest-wide data. • Subset of attributes from objects forest-wide. • First domain controller in the forest is automatically configured as a global catalog server. • Other domain controllers can become global catalog servers.

  3. FUNCTIONS OF THE GLOBAL CATALOG • Facilitate searches for objects in the forest • Resolve User Principal Names (UPNs) • Provide universal group membership information • If the domain is in Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on.

  4. UNIVERSAL GROUP MEMBERSHIP CACHING • New for Microsoft Windows Server 2003. • When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server. • Refreshed on an eight-hour interval. • Eliminates the need to place a global catalog server in a remote site to facilitate logons. • Provides better logon performance. • Can be used to minimize wide area network (WAN) link usage.

  5. LOGON PROCESS AND THE GLOBAL CATALOG • Universal group membership is used in creation of the access control list (ACL) when the user logs on. • Global catalog is used to verify universal group membership. • Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled. • Built-in Administrator account can logon, regardless of global catalog availability or the universal group membership caching configuration.

  6. ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

  7. PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS • There is additional global catalog replication traffic when a global catalog is configured. • Consider placing a global catalog server in each site or configure universal group membership caching for that site. • Consider placing a global catalog server in each site where applications need to make global catalog queries.

  8. ENABLING A GLOBAL CATALOG SERVER

  9. UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES • Flexible Single Master Operations (FSMO) roles • Assigned automatically to the first domain controller in a domain • Roles can be transferred to other domain controllers • Used to reduce conflict and facilitate communication concerning replication between domain controllers

  10. FIVE FSMO ROLES • Domain naming master • Relative identifier (RID) master • Infrastructure master • Primary Domain Controller (PDC) emulator • Schema master

  11. DOMAIN-SPECIFIC ROLES • RID master—Assigns RIDs to other domain controllers • Infrastructure master—Allows security principals to be tracked between domains • PDC emulator • Backward compatibility with Microsoft Windows NT Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me) • Time synchronization • User account password change replication

  12. DOMAIN-WIDE OPERATIONS MASTERS

  13. RID MASTER • Used when security principals are created • RID makes the individual security principal security identifier (SID) unique within a domain • Built-in RIDs are consistent between domains, for example, Built-in Administrator has a RID of 500 • RID master gives other domain controllers RIDs to use when new objects are created

  14. WHAT IF THE RID MASTER ISN’T AVAILABLE? • Doesn’t affect existing users • Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted • Problems moving objects between domains

  15. INFRASTRUCTURE MASTER • Manages user and group references for objects between domains • Updates ACLs and group memberships as required • Queries the global catalog to ensure that references are current • Role should not be assigned to a global catalog server • Exception 1: There is only a single domain in the forest • Exception 2: All domain controllers are also global catalog servers

  16. PDC EMULATOR • Provides backward compatibility for pre–Windows 2000 client computers • Acts as the PDC in Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network • Acts as a central manager for user password changes, replication, and account lockouts • Handles time synchronization

  17. ALTERNATE TCP/IP ADDRESS CONFIGURATION • Domain naming master • Schema master • These roles are assigned to only one domain controller in the entire forest • Usually these roles are assigned to domain controllers in the forest root domain

  18. DOMAIN NAMING MASTER • Allows additions or removals of domains. • Ensures domain names are unique in the forest. • Domains cannot be added or removed if the domain naming master is not available. • Enterprise Admins level access is required in order to add and remove domains.

  19. SCHEMA MASTER • Controls access to the schema. • Ensures modifications are replicated to all domain controllers in the forest. • The schema cannot be modified if the schema master is not available. • Schema Admins level access is required to modify the schema.

  20. PLACING FSMO SERVERS • In a multi-domain environment, you’ll likely move some of the FSMO roles. • Decisions on placing domain controllers involve. • Number of domains that are a part of the forest • Physical structure, including sites • Number of domain controllers in each domain

  21. DEFAULT FSMO ROLE ASSIGNMENTS

  22. ADJUSTING FSMO ROLES IN FOREST ROOT

  23. MANAGING FSMO ROLES • What happens when a domain controller holding a given FSMO role fails? • Transferring roles. • Seizing roles.

  24. WHAT ARE THE IMPLICATIONS OF FAILURE? • Schema master • Domain naming master • PDC emulator • RID master • Infrastructure master

  25. MANAGING ROLES • Active Directory Users And Computers • RID master • Infrastructure master • PDC emulator • Active Directory Domains And Trusts—domain naming master • Microsoft Management Console (MMC) Schema snap-in—schema master • Repadmin • NTDSUtil—All roles

  26. SUMMARY • Global catalog function • Global catalog server placement • Domain-wide operations masters • Forest-wide operations masters • Implications of FSMO failure • Tools to manage FSMO roles

More Related