Active Directory Operations Masters - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

Active Directory Operations Masters

Description:

PDC Emulator (continued) Used for synchronizing system clock ... Need additional processing power for PDC emulator in a large domain ... – PowerPoint PPT presentation

Number of Views:68
Avg rating:3.0/5.0
Slides: 36
Provided by: pbcc
Category:

less

Transcript and Presenter's Notes

Title: Active Directory Operations Masters


1
Active Directory Operations Masters
  • Chapter Eight

2
Operations Masters
  • Schema master
  • Domain naming master
  • Relative ID master
  • Primary Domain Controller (PDC) emulator
  • Infrastructure master

3
Forest-wide Roles
  • Certain operations can only be performed by
    single domain controller in entire forest
  • Forest-wide FSMO roles
  • Schema master
  • Domain naming master
  • Can be located on different domain controllers
  • Most often located on same domain controller

4
Schema Master
  • Schema master controls all updates and
    modifications to the schema
  • To change it, use the AD Schema Manager
  • Has writable copy of schema naming context for
    entire forest
  • Changes replicated to other domain controllers
  • Using standard, non-urgent replication

5
Schema Master - Placement
  • Assigned to first domain controller in forest
  • Additional load is negligible
  • Often left on first domain controller in forest
    without any issues
  • May be necessary to move
  • If server frequently unavailable

6
Schema Master - Impact if Unavailable
  • Users do not notice impact
  • Network administrators most likely do not notice
    loss
  • Unless they are attempting to modify schema

7
Operations Masters
  • AD Schema Manager mmc

8
Operations Masters
9
Identifying the Schema Master of the Forest
10
Domain Naming Master
  • Every domain must have unique name
  • Adds domains to forest
  • Ensure name is unique
  • Removing domains from forest
  • To modify, use AD Domains and Trusts

11
Domain Naming Master - Placement
  • Assigned to first domain controller in forest
  • Additional load negligible
  • Forest functional level of Windows 2000
  • Only place on global catalog server
  • Forest functional level Windows Server 2003
  • Not necessary to place on global catalog server

12
Domain Naming Master - Impact if Unavailable
  • Users do not notice any impact
  • Network administrators most likely do not notice
    loss
  • Unless they are attempting to add or remove
    domain from forest

13
Domain-wide Roles
  • Some operations can only be performed by single
    domain controller in domain
  • Domain-wide FSMO roles
  • PDC emulator
  • RID master
  • Infrastructure master

14
Domain-wide Roles
  • To modify, use AD Users and Computers

15
Domain-wide Roles Placement Options
  • All three reside on one domain controller
  • All three reside on different domain controllers
  • Any combination of
  • Two of the roles are on one domain controller
  • Third role on its own domain controller
  • Domain controller may even hold domain-wide roles
    and forest-wide roles

16
PDC Emulator
  • Acts as Windows NT 4.0 PDC for domain
  • Replicate appropriate change(s) to Windows NT 4.0
    BDCs in domain
  • Responsible for performing operations for client
    workstations running
  • Windows NT 4.0 Workstation
  • Windows 98

17
PDC Emulator (continued)
  • Used for synchronizing system clock
  • Password updates preferentially replicated to PDC
    emulator

18
PDC Emulator - Placement
  • Assigned to first domain controller in every new
    domain
  • Should be highly available
  • Need additional processing power for PDC emulator
    in a large domain
  • Or do not place on global catalog server
  • Centrally located on network

19
PDC Emulator - Impact if Unavailable
  • Users may notice impact
  • Validation of user passwords may randomly pass or
    fail
  • Replication of updates to Windows NT 4.0 BDCs
    will not occur

20
RID Master
  • Security principle has own unique security
    identifier (SID)
  • Made up of
  • SID of domain
  • Relative identifier (RID)
  • RID is unique for every security principle in
    domain
  • RID master
  • Allocates blocks of RIDs to domain controllers

21
RID Master (continued)
  • Responsible for moving objects between domains to
    prevent object duplication
  • Move object to new domain
  • Then delete it from old domain

22
RID Master - Placement
  • Assigned to first domain controller in every new
    domain
  • Additional load negligible
  • Highly available
  • Locate in site where most new security principles
    are created

23
RID Master - Impact if Unavailable
  • Users do not notice any impact
  • Network administrators most likely do not notice
    loss
  • Unless they are attempting to create many
    security principles (users, groups, or computers)
  • Since domain controller will run out of RIDs

24
Infrastructure Master
  • Update object references in its domain that point
    to objects located in another domain (groups that
    have members in other domains) and all other
    inter-domain object references
  • Updates distinguished name and SID if object
    moves within or between domains
  • Object references contain
  • GUID of object
  • Distinguished name of object
  • Possibly SID of object if it is security principle

25
Infrastructure Master - Placement
  • Forest with multiple domains
  • Do not place on global catalog server
  • Do locate in site that contains global catalog
    server
  • Assigned to first domain controller in every new
    domain
  • Does not place much additional load

26
Infrastructure Master - Impact if Unavailable
  • Users typically do not notice any impact
  • Network administrators may notice that group
    membership does not appear to be updated
  • User accounts may appear with incorrect names in
    groups membership list

27
Transferring and Seizing Roles
  • May be necessary to transfer FSMO roles
  • Usually orderly process
  • May be situations where original role holder is
    permanently unavailable
  • Role will be seized by another domain controller

28
Transfer Roles
  • Preferred method
  • Perform transfer operation
  • Both domain controllers must be available
  • Ensures no data loss occurs
  • Administrator needs to be member of certain group
  • Depends on role being moved

29
Groups Authorized to Move FSMO Roles Between
Domain Controllers
30
Viewing Roles
  • Dcdiag /testKnowsofroleholders /v
  • ntdsutil
  • domain management
  • connections
  • connect to tcpip1.central.pbcc.edu
  • quit
  • select operation target
  • list roles for connected server

31
Seizing Roles
  • Transfer when original role holder is unavailable
  • Should only be done as last step
  • Any recent changes cannot be replicated
  • May be lost
  • Original role holder cannot be informed that it
    no longer holds the role
  • Never place server back on network unless it is
    formatted and Windows is reinstalled

32
Consequences of Bringing a Domain Controller
Back Online After FSMO Role Seizure
33
Seizing Roles
  • Methods
  • Active Directory Users and Computers
  • Use only for PDC emulator or infrastructure
    master
  • NTDSUTIL

34
Seizing a FSMO Role Using NTDSUTIL
35
Seizing a FSMO Role Using NTDSUTIL
  • ntdsutil
  • roles
  • connections
  • connect to tcpip1.central.pbcc.edu
  • quit
  • seize RID master
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Active Directory Operations Masters" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!