GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES (PowerPoint presentation transcript)

1
GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER
OPERATIONS (FSMO) ROLES
  • Chapter 4

2
UNDERSTANDING THE GLOBAL CATALOG
  • Central repository for forest-wide data.
  • Subset of attributes from objects forest-wide.
  • First domain controller in the forest is
    automatically configured as a global catalog
    server.
  • Other domain controllers can become global
    catalog servers.

3
FUNCTIONS OF THE GLOBAL CATALOG
  • Facilitate searches for objects in the forest
  • Resolve User Principal Names (UPNs)
  • Provide universal group membership information
  • If the domain is at the Microsoft Windows 2000 native
    functional level or later, a global catalog server must
    be reachable for users to log on, because the
    authenticating domain controller has to enumerate the
    user's universal group memberships.

4
UNIVERSAL GROUP MEMBERSHIP CACHING
  • New for Microsoft Windows Server 2003.
  • When enabled, non-global catalog domain
    controllers can process logons without contacting
    a global catalog server.
  • Refreshed on an eight-hour interval.
  • Eliminates the need to place a global catalog
    server in a remote site to facilitate logons.
  • Provides better logon performance.
  • Can be used to minimize wide area network (WAN)
    link usage.

5
LOGON PROCESS AND THE GLOBAL CATALOG
  • Universal group membership is added to the user's
    access token when the user logs on.
  • The global catalog is used to verify universal group
    membership; it is the only replica that holds the
    membership of universal groups from every domain in
    the forest.
  • Users might be denied logon if the global catalog
    is not available and universal group membership
    caching is not enabled.
  • The built-in Administrator account can log on
    regardless of global catalog availability or the
    universal group membership caching configuration.

6
ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING
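The slide above is a screenshot of the Sites and Services checkbox. As an added example (not part of the original slides), the same site-level setting can be enabled and verified from the ActiveDirectory PowerShell module, which came after the Windows Server 2003 era this deck covers. The site names Branch01 and HQ are placeholders.

```powershell
# Added example: enable universal group membership caching on one site.
# Assumptions (not from the slides): "Branch01" is the remote site to enable
# caching in, and "HQ" is the site whose global catalogs refresh the cache.
Import-Module ActiveDirectory

$siteName      = 'Branch01'
$preferredSite = 'HQ'
$configNC      = (Get-ADRootDSE).configurationNamingContext

# The setting lives on the site's NTDS Site Settings object, in bit 0x20 (32)
# of the "options" attribute; the checkbox in Sites and Services sets this bit.
$UGMC_FLAG  = 0x20
$settingsDN = "CN=NTDS Site Settings,CN=$siteName,CN=Sites,$configNC"
$settings   = Get-ADObject -Identity $settingsDN -Properties options
$current    = [int]$settings.options    # an unset attribute ($null) becomes 0

if (($current -band $UGMC_FLAG) -eq 0) {
    # OR the bit in rather than overwriting, so any other option bits survive
    Set-ADObject -Identity $settingsDN -Replace @{ options = ($current -bor $UGMC_FLAG) }
    Write-Host "Enabled universal group membership caching for site $siteName"
} else {
    Write-Host "Universal group membership caching is already enabled for site $siteName"
}

# Optionally pin the site whose global catalogs serve the eight-hour refresh;
# when it is left unset the nearest site that has a GC is used.
Set-ADObject -Identity $settingsDN -Replace @{ 'msDS-Preferred-GC-Site' = "CN=$preferredSite,CN=Sites,$configNC" }

# Verify across the forest: one row per site with its caching state
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options |
    ForEach-Object {
        [pscustomobject]@{
            Site        = ($_.DistinguishedName -split ',')[1] -replace '^CN='
            UGMCEnabled = (([int]$_.options) -band $UGMC_FLAG) -ne 0
        }
    }
```

Writing the bit with `-bor` instead of assigning a literal matters: the same `options` attribute carries other flags, and overwriting it would silently clear them.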
7
PLANNING GLOBAL CATALOG SERVER PLACEMENT
CONSIDERATIONS
  • There is additional global catalog replication
    traffic when a global catalog is configured.
  • Additional hard disk space is required.
  • Consider placing a global catalog server in each
    site or configure universal group membership
    caching for that site.
  • Consider placing a global catalog server in each
    site where applications need to make global
    catalog queries.

8
ENABLING A GLOBAL CATALOG SERVER
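The slide above is a screenshot of the Global Catalog checkbox on a server's NTDS Settings. As an added example that is not part of the original deck, the following script sets the same flag from PowerShell and then waits for the promotion to finish, which the checkbox does not show. The server name DC02 is a placeholder.

```powershell
# Added example: make an existing DC a global catalog server and wait until it
# really advertises as one. Assumption (not from the slides): the DC is "DC02".
Import-Module ActiveDirectory

$dcName = 'DC02'
$dc     = Get-ADDomainController -Identity $dcName

# Before: which DCs are already GCs, and in which sites
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog | Format-Table -AutoSize

# The GC flag is bit 0x1 of the "options" attribute on the DC's NTDS Settings
# object (the same bit the Global Catalog checkbox in Sites and Services sets).
$IS_GC = 0x1
$ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$opts  = [int]$ntds.options

if (($opts -band $IS_GC) -eq 0) {
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opts -bor $IS_GC) }
    Write-Host "Requested GC promotion of $dcName; the partial attribute set of every domain now replicates in."
}

# Setting the bit only starts the process. The DC advertises itself as a GC
# (and answers on TCP 3268) only after the read-only partitions have replicated.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $isGC     = (Get-ADDomainController -Identity $dcName).IsGlobalCatalog
    $gcPortUp = Test-NetConnection -ComputerName $dc.HostName -Port 3268 -InformationLevel Quiet
} until (($isGC -and $gcPortUp) -or (Get-Date) -gt $deadline)

if ($isGC -and $gcPortUp) {
    # Directory Service event 1119 is the "now advertising as a global catalog" record
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 } -MaxEvents 1
} else {
    Write-Warning "$dcName has not finished GC promotion; check replication with: repadmin /showrepl $($dc.HostName)"
}
```

The replication wait is the part worth automating: until event 1119 is logged the server holds the flag but does not yet answer GC queries, so clients in that site still fall back across the WAN.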
9
UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS
ROLES
  • Flexible Single Master Operations (FSMO) roles
  • Assigned automatically to the first domain
    controller in a domain
  • Roles can be transferred to other domain
    controllers
  • Used to reduce conflict and facilitate
    communication concerning replication between
    domain controllers

10
FIVE FSMO ROLES
  • Domain naming master
  • Relative identifier (RID) master
  • Infrastructure master
  • Primary Domain Controller (PDC) emulator
  • Schema master

11
DOMAIN-SPECIFIC ROLES
  • RID master: assigns RIDs to other domain
    controllers
  • Infrastructure master: allows security principals
    to be tracked between domains
  • PDC emulator:
    • Backward compatibility with Microsoft Windows NT
      Server version 4.0 backup domain controllers and
      pre-Windows 2000 client computers (for example
      Microsoft Windows 98 and Windows Me)
    • Time synchronization
    • User account password change replication

12
DOMAIN-WIDE OPERATIONS MASTERS
13
RID MASTER
  • Used when security principals are created
  • RID makes the individual security principal
    security identifier (SID) unique within a domain
  • Built-in RIDs are consistent between domains, for
    example, Built-in Administrator has a RID of 500
  • RID master gives other domain controllers RIDs to
    use when new objects are created

14
WHAT IF THE RID MASTER ISN'T AVAILABLE?
  • Doesn't affect existing users
  • Might cause a problem when creating new objects,
    if the existing RID pool on the domain controller
    is depleted (each domain controller holds a local
    block of RIDs and asks the RID master for more
    only when that block runs low)
  • Problems moving objects between domains
  • Movetree.exe must be run on the RID master of the
    source domain.
  • RID master of the target domain must also be
    available.
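Whether a RID master outage stops object creation depends on how much of each domain controller's local RID block is left, which the slide does not show how to measure. As an added example (not from the deck), this script reads the domain-wide pool from the RID master and the local block from every writable domain controller. It assumes the ActiveDirectory module and a writable domain; attribute layouts are as documented by Microsoft.

```powershell
# Added example: report RID headroom for the domain and for each writable DC.
# Nothing here comes from the slides; run it from a DC or a host with RSAT.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ridMaster = $domain.RIDMaster

# Domain-wide pool: rIDAvailablePool on "CN=RID Manager$" is a single 64-bit value,
# high 32 bits = highest RID the domain can ever issue (0x3FFFFFFF by default),
# low 32 bits  = start of the next block the RID master will hand out.
$ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
                       -Server $ridMaster -Properties rIDAvailablePool
$pool      = [int64]$ridMgr.rIDAvailablePool
$maxRid    = [int64]($pool -shr 32)
$nextBlock = [int64]($pool -band [int64]4294967295)
[pscustomobject]@{
    RIDMaster     = $ridMaster
    RIDsIssued    = $nextBlock
    RIDsRemaining = $maxRid - $nextBlock
    PercentUsed   = [math]::Round(100 * $nextBlock / $maxRid, 2)
}

# Per-DC local pools: each writable DC owns a "RID Set" object holding its block.
# rIDAllocationPool packs the block's start (low 32 bits) and end (high 32 bits);
# rIDNextRID is how far the DC has got. A DC keeps creating objects from this
# block while the RID master is down and fails only once the block is exhausted.
Get-ADDomainController -Filter { IsReadOnly -eq $false } | ForEach-Object {
    $comp   = Get-ADComputer -Identity $_.ComputerObjectDN -Properties rIDSetReferences
    $ridSet = Get-ADObject -Identity $comp.rIDSetReferences[0] -Server $_.HostName `
                           -Properties rIDAllocationPool, rIDNextRID
    $alloc  = [int64]$ridSet.rIDAllocationPool
    $end    = [int64]($alloc -shr 32)
    $start  = [int64]($alloc -band [int64]4294967295)
    $next   = [int64]$ridSet.rIDNextRID
    [pscustomobject]@{
        DC         = $_.HostName
        PoolStart  = $start
        PoolEnd    = $end
        NextRID    = $next
        LeftInPool = $end - $next
    }
} | Format-Table -AutoSize

# The built-in check for the same data: dcdiag /test:ridmanager /v
```

A low LeftInPool on a DC whose RID master is unreachable is the concrete warning sign; the domain-wide PercentUsed is the longer-term one, since RIDs are never reused and a domain that burns through its pool cannot create security principals at all.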

15
INFRASTRUCTURE MASTER
  • Manages user and group references for objects
    between domains
  • Updates ACLs and group memberships as required
  • Queries the global catalog to ensure that
    references are current
  • Role should not be assigned to a global catalog
    server: a global catalog holds a partial replica of
    every object in the forest, so the infrastructure
    master would never see a cross-domain reference as
    stale and would stop updating the other domain
    controllers in its domain.
  • Exception 1: There is only a single domain in the
    forest
  • Exception 2: All domain controllers are also
    global catalog servers
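The placement rule and its two exceptions are easy to violate by accident when a global catalog is added later, so as an added example (not from the original slides) here is a forest-wide audit that applies them. It also checks one later exception the deck predates: once the Active Directory Recycle Bin is enabled (Windows Server 2008 R2 and later), every domain controller maintains cross-domain references itself and the infrastructure master's placement no longer matters.

```powershell
# Added example: audit infrastructure master placement against the rule above.
# Not from the slides. Assumes the ActiveDirectory module and Enterprise-wide read.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = @($forest.Domains).Count -gt 1

# Later exception (post-2003): the AD Recycle Bin makes the rule irrelevant
$recycleBin   = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
$recycleBinOn = [bool]($recycleBin -and (@($recycleBin.EnabledScopes).Count -gt 0))

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $allGC  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    # An IM on a GC is a problem only when there are other domains to reference
    # (exception 1) AND some DC in the domain is not a GC (exception 2)
    $misplaced = $multiDomain -and [bool]$im.IsGlobalCatalog -and -not $allGC -and -not $recycleBinOn

    [pscustomobject]@{
        Domain               = $domainName
        InfrastructureMaster = $domain.InfrastructureMaster
        IMIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = $allGC
        RecycleBinEnabled    = $recycleBinOn
        Misplaced            = $misplaced
        Fix                  = $(if ($misplaced) {
            # propose the first non-GC DC in the domain as the new holder
            $target = ($dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -First 1).HostName
            "Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole InfrastructureMaster"
        } else { '' })
    }
}
```

The Fix column only prints the transfer command rather than running it, so the report can be reviewed before anything is moved.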

16
PDC EMULATOR
  • Provides backward compatibility for pre-Windows
    2000 client computers
  • Acts as the PDC in Windows 2000 mixed functional
    level for any Windows NT Server version 4.0
    backup domain controllers (BDCs) that are present
    on the network
  • Acts as a central manager for user password
    changes, replication, and account lockouts
  • Handles time synchronization

17
FOREST-WIDE OPERATIONS MASTERS
  • Domain naming master
  • Schema master
  • These roles are assigned to only one domain
    controller in the entire forest
  • Usually these roles are assigned to domain
    controllers in the forest root domain

18
DOMAIN NAMING MASTER
  • Allows additions or removals of domains.
  • Ensures domain names are unique in the forest.
  • Domains cannot be added or removed if the domain
    naming master is not available.
  • Enterprise Admins level access is required in
    order to add and remove domains.

19
SCHEMA MASTER
  • Controls access to the schema.
  • Ensures modifications are replicated to all
    domain controllers in the forest.
  • The schema cannot be modified if the schema
    master is not available.
  • Schema Admins level access is required to modify
    the schema.

20
PLACING FSMO SERVERS
  • In a multi-domain environment, you'll likely move
    some of the FSMO roles.
  • Decisions on placing domain controllers involve:
    • Number of domains that are a part of the forest
    • Physical structure, including sites
    • Number of domain controllers in each domain

21
DEFAULT FSMO ROLE ASSIGNMENTS
22
ADJUSTING FSMO ROLES IN FOREST ROOT
23
MANAGING FSMO ROLES
  • What happens when a domain controller holding a
    given FSMO role fails?
  • Transferring roles.
  • Seizing roles.

24
WHAT ARE THE IMPLICATIONS OF FAILURE?
  • Schema master: the schema cannot be modified until
    the role is available again.
  • Domain naming master: domains cannot be added to or
    removed from the forest.
  • PDC emulator: password change replication, account
    lockouts, time synchronization and pre-Windows 2000
    clients and BDCs are affected.
  • RID master: new objects can still be created until
    a domain controller's local RID pool is depleted;
    moving objects between domains fails.
  • Infrastructure master: cross-domain group membership
    and ACL references are no longer kept current.

25
MANAGING ROLES
  • Active Directory Users And Computers: RID master,
    infrastructure master, PDC emulator
  • Active Directory Domains And Trusts: domain naming
    master
  • Microsoft Management Console (MMC) Schema
    snap-in: schema master
  • Repadmin
  • NTDSUtil: all roles
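The snap-ins listed above transfer one role each through a dialog. As an added example (not from the original deck), here are the scriptable equivalents: the ActiveDirectory module, which came after this deck, and the NTDSUtil command line the slide names for all roles. The target DC02 is a placeholder. The security point matters more than the syntax: transfer is a cooperative hand-off between two live domain controllers, while seizure tells the directory to ignore the old holder, so a seized role holder must never be brought back online.

```powershell
# Added example: locate, transfer and (only when the old holder is gone for
# good) seize FSMO roles. "DC02" is a placeholder target, not from the slides.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # One row with all five holders: forest roles come from Get-ADForest,
    # domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
Get-FsmoHolder

$target = 'DC02'

# TRANSFER: the current holder is online and hands the role over cleanly.
# Requires Domain Admins for the three domain roles, Enterprise Admins for the
# domain naming master and Schema Admins for the schema master.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# SEIZE (-Force): only when the old holder will never return. The cmdlet tries
# a transfer first and seizes if the holder does not answer. Afterwards the dead
# DC must be removed from the directory (ntdsutil "metadata cleanup") so that two
# DCs can never both believe they own a role; for the RID master that would mean
# duplicate SIDs in the domain.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# Same transfer with NTDSUtil, which the slide lists for all roles
# (substitute "seize pdc" for "transfer pdc" for the forced variant):
ntdsutil "roles" "connections" "connect to server $target" "quit" "transfer pdc" "quit" "quit"

# Verify from any DC, then re-read the holders through the module
netdom query fsmo
Get-FsmoHolder
```

Because the schema master and domain naming master change the whole forest and the PDC emulator is where password changes and lockouts converge, the domain controllers holding them deserve the tightest administrative access and logon auditing of any in the forest.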

26
SUMMARY
  • Global catalog function
  • Global catalog server placement
  • Domain-wide operations masters
  • Forest-wide operations masters
  • Implications of FSMO failure
  • Tools to manage FSMO roles