70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 8: Active Directory Operations Masters. Objectives. Describe the forest-wide operations master roles and where they should be placed

Presentation Transcript


  1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
     Chapter 8: Active Directory Operations Masters

  2. Objectives
  • Describe the forest-wide operations master roles and where they should be placed
  • Describe the domain-wide operations master roles and where they should be placed
  • Describe the process of transferring and seizing roles from operations masters
  Guide to MCSE 70-294, Enhanced

  3. Forest-wide Roles
  • Certain operations can only be performed by single domain controller in entire forest
  • Forest-wide FSMO roles:
    • Schema master
    • Domain naming master
  • Can be located on different domain controllers
  • Most often located on same domain controller
    • Easier management

  4. Schema Master
  • Allowed to make modifications to Active Directory schema
  • Has writable copy of schema naming context for entire forest
  • Changes replicated to other domain controllers
    • Using standard, non-urgent replication

  5. Schema Master - Placement
  • Assigned to first domain controller in forest
  • Additional load is negligible
  • Often left on first domain controller in forest without any issues
  • May be necessary to move
    • If server frequently unavailable

  6. Schema Master - Impact if Unavailable
  • Users do not notice impact
  • Network administrators most likely do not notice loss
    • Unless they are attempting to modify schema

  7. Activity 8-1: Identifying the Schema Master of a Forest
  • Objective: Learn how to use the Active Directory Schema snap-in to identify the schema master of a forest
  • Follow instructions to identify schema master

  8. Identifying the Schema Master of the Forest

  9. Domain Naming Master
  • Every domain must have unique name
  • Adds domains to forest
    • Ensure name is unique
  • Removing domains from forest

  10. Domain Naming Master - Placement
  • Assigned to first domain controller in forest
  • Additional load negligible
  • Forest functional level of Windows 2000:
    • Only place on global catalog server
  • Forest functional level Windows Server 2003:
    • Not necessary to place on global catalog server

  11. Domain Naming Master - Impact if Unavailable
  • Users do not notice any impact
  • Network administrators most likely do not notice loss
    • Unless they are attempting to add or remove domain from forest

  12. Domain-wide Roles
  • Some operations can only be performed by single domain controller in domain
  • Domain-wide FSMO roles:
    • PDC emulator
    • RID master
    • Infrastructure master

  13. Domain-wide Roles – Placement Options
  • All three reside on one domain controller
  • All three reside on different domain controllers
  • Any combination of:
    • Two of the roles are on one domain controller
    • Third role on its own domain controller
  • Domain controller may even hold domain-wide roles and forest-wide roles

  14. PDC Emulator
  • Acts as Windows NT 4.0 PDC for domain
    • Replicates appropriate change(s) to Windows NT 4.0 BDCs in domain
  • Responsible for performing operations for client workstations running:
    • Windows NT 4.0 Workstation
    • Windows 98

  15. PDC Emulator (continued)
  • Used for synchronizing system clock
  • Password updates preferentially replicated to PDC emulator

  16. PDC Emulator - Placement
  • Assigned to first domain controller in every new domain
  • Should be highly available
  • Need additional processing power for PDC emulator in a large domain
    • Or do not place on global catalog server
  • Centrally located on network

  17. PDC Emulator - Impact if Unavailable
  • Users may notice impact
    • Validation of user passwords may randomly pass or fail
  • Replication of updates to Windows NT 4.0 BDCs will not occur

  18. RID Master
  • Security principal has own unique security identifier (SID)
  • Made up of:
    • SID of domain
    • Relative identifier (RID)
  • RID is unique for every security principal in domain
  • RID master
    • Allocates blocks of RIDs to domain controllers

  19. RID Master (continued)
  • Responsible for moving objects between domains to prevent object duplication
    • Move object to new domain
    • Then delete it from old domain

  20. RID Master - Placement
  • Assigned to first domain controller in every new domain
  • Additional load negligible
  • Highly available
  • Locate in site where most new security principals are created

  21. RID Master - Impact if Unavailable
  • Users do not notice any impact
  • Network administrators most likely do not notice loss
    • Unless they are attempting to create many security principals
    • Domain controller runs out of RIDs
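Slides 18 and 21 can be made concrete with a short check. The PowerShell below is an added example, not part of the course slides or of Microsoft's tooling: it splits an account SID into the domain SID and RID described on slide 18, then reads the RID counters that a domain controller keeps in its "RID Set" object and the domain-wide pool on the RID Manager$ object, so an administrator can see how many RIDs a DC can still hand out while the RID master is unavailable (slide 21). It assumes the .NET Framework's System.DirectoryServices classes, a domain-joined machine, and the attribute layout documented for Active Directory (rIDAllocationPool and rIDAvailablePool packing two 32-bit bounds into one 64-bit value); the SID in the usage line is a constructed sample.

```powershell
# Added example, not from the course slides: decompose a SID into domain SID and
# RID, and read the RID pool counters of one DC and of the whole domain.
Add-Type -AssemblyName System.DirectoryServices

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A domain account SID is the domain SID (S-1-5-21-x-y-z) plus one more
    # sub-authority, the RID. Well-known RIDs include 500 (Administrator) and
    # 512 (Domain Admins); RIDs for new principals come from the DC's allocated block.
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 8) { throw "Not a domain account SID: $Sid" }
    [pscustomobject]@{
        DomainSid = $parts[0..($parts.Count - 2)] -join '-'
        Rid       = [uint32]$parts[-1]
    }
}

function Get-RidPoolStatus {
    # NetBIOS name of the DC to inspect; defaults to the local machine, so run it
    # on a domain controller or pass a DC name. LDAP access as a domain user suffices.
    param([string]$DcName = $env:COMPUTERNAME)
    $rootDse  = [ADSI]"LDAP://$DcName/RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext

    # The DC's computer object carries rIDSetReferences, the DN of its "RID Set"
    # object, which records the block the RID master handed to this DC.
    $cs = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$DcName/$domainDn",
        "(&(objectClass=computer)(sAMAccountName=$DcName`$))",
        [string[]]@('rIDSetReferences'))
    $ridSetDn = [string]$cs.FindOne().Properties['ridsetreferences'][0]

    # rIDAllocationPool is one 64-bit value: low 32 bits = first RID of the block,
    # high 32 bits = last RID of the block. rIDNextRID tracks the DC's position in it.
    $rs = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$DcName/$ridSetDn", '(objectClass=rIDSet)',
        [string[]]@('rIDAllocationPool', 'rIDNextRID'))
    $rs.SearchScope = 'Base'
    $r = $rs.FindOne()
    $pool       = [int64]$r.Properties['ridallocationpool'][0]
    $next       = [int64]$r.Properties['ridnextrid'][0]
    $blockStart = $pool -band 0xFFFFFFFF
    $blockEnd   = ($pool -shr 32) -band 0xFFFFFFFF

    # Domain-wide pool on CN=RID Manager$: low 32 bits = next RID the RID master
    # will allocate to a DC, high 32 bits = highest RID the domain can ever issue.
    $mgr = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$DcName/CN=RID Manager`$,CN=System,$domainDn", '(objectClass=*)',
        [string[]]@('rIDAvailablePool'))
    $mgr.SearchScope = 'Base'
    $avail = [int64]$mgr.FindOne().Properties['ridavailablepool'][0]

    [pscustomobject]@{
        DomainController = $DcName
        BlockStart       = $blockStart
        BlockEnd         = $blockEnd
        NextRid          = $next
        RidsLeftInBlock  = $blockEnd - $next          # approximate; a DC asks for a new block before it is empty
        DomainRidsLeft   = (($avail -shr 32) -band 0xFFFFFFFF) - ($avail -band 0xFFFFFFFF)
    }
}

# Constructed sample SID (not a real domain): splits into S-1-5-21-1004336348-1177238915-682003330 and RID 1105.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
Get-RidPoolStatus
```

RidsLeftInBlock is the number that matters when the RID master is down: once a DC exhausts its block it can no longer create users, groups or computers, which is the "domain controller runs out of RIDs" case on slide 21. The built-in `dcdiag /test:RidManager /v` reports the same allocation pool for a DC and is the quicker check on a server that has the Support Tools installed.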

  22. Infrastructure Master
  • Updates object references in its domain that point to objects located in another domain
  • Updates distinguished name and SID if object moves within or between domains
  • Object references contain:
    • GUID of object
    • Distinguished name of object
    • Possibly SID of object if it is a security principal

  23. Infrastructure Master - Placement
  • Forest with multiple domains:
    • Do not place on global catalog server
    • Do locate in site that contains global catalog server
  • Assigned to first domain controller in every new domain
  • Does not place much additional load

  24. Infrastructure Master - Impact if Unavailable
  • Users typically do not notice any impact
  • Network administrators may notice that group membership does not appear to be updated
    • User accounts may appear with incorrect names in group’s membership list

  25. Activity 8-3: Identifying the Domain-wide FSMO Role Holders
  • Objective: Learn how to use the Active Directory Users and Computers console to identify the PDC emulator, RID master, and infrastructure master of a domain
  • Follow instructions to view masters
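Activities 8-1 and 8-3 locate the role holders through the Schema snap-in and Active Directory Users and Computers. As an added example that is not part of the course slides, the PowerShell below reads all five holders from any domain-joined machine through the .NET System.DirectoryServices.ActiveDirectory classes and then applies the two placement rules from slides 10 and 23 as warnings, which is the check an administrator wants after a role has been moved. It assumes a domain-joined machine with the .NET Framework; the function names are the example's own and no extra modules are needed.

```powershell
# Added example, not from the course slides: list the FSMO role holders and
# warn about two placement rules from this chapter. Runs as an ordinary domain user.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

function Get-FsmoRoleHolders {
    # Forest-wide roles hang off the Forest object, domain-wide roles off the Domain object
    # (slides 3 and 12); each owner is a DomainController with a Name property.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Test-FsmoPlacement {
    $warnings = @()

    # Slide 23: in a multi-domain forest the infrastructure master must not be a
    # global catalog server. A GC already holds a partial copy of every object in
    # the forest, so it never sees a stale cross-domain reference to repair. The
    # accepted exception is a domain where every DC is a GC; then nothing is stale.
    $infra    = $domain.InfrastructureRoleOwner
    $nonGcDcs = @($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() })
    if ($forest.Domains.Count -gt 1 -and $infra.IsGlobalCatalog() -and $nonGcDcs.Count -gt 0) {
        $warnings += "Infrastructure master $($infra.Name) is a global catalog server; cross-domain group members may show stale names (slide 24)."
    }

    # Slide 10: at the Windows 2000 forest functional level the domain naming
    # master must be placed on a global catalog server.
    $naming = $forest.NamingRoleOwner
    if ($forest.ForestMode -eq 'Windows2000Forest' -and -not $naming.IsGlobalCatalog()) {
        $warnings += "Domain naming master $($naming.Name) is not a global catalog server, which the Windows 2000 forest functional level requires."
    }
    $warnings
}

Get-FsmoRoleHolders | Format-List
Test-FsmoPlacement | ForEach-Object { Write-Warning $_ }
```

On a Windows Server 2003 domain controller with the Support Tools installed, `netdom query fsmo` prints the same five holders, and `dsquery server -hasfsmo pdc` (or `schema`, `name`, `rid`, `infr`) answers for a single role; the script above adds the placement checks those commands do not perform.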

  26. Transferring and Seizing Roles
  • May be necessary to transfer FSMO roles
    • Usually orderly process
  • May be situations where original role holder is permanently unavailable
    • Role will be seized by another domain controller

  27. Transfer Roles
  • Preferred method:
    • Perform transfer operation
    • Both domain controllers must be available
    • Ensures no data loss occurs
  • Administrator needs to be member of certain group
    • Depends on role being moved

  28. Groups Authorized to Move FSMO Roles Between Domain Controllers

  29. Activity 8-4: Transferring Domain-wide FSMO Roles
  • Objective: Learn how to transfer the infrastructure master role to another domain controller
  • Use Active Directory Users and Computers to transfer role

  30. Seizing Roles
  • Transfer when original role holder is unavailable
  • Should only be done as last step
  • Any recent changes cannot be replicated
    • May be lost
  • Original role holder cannot be informed that it no longer holds the role
    • Never place server back on network unless it is formatted and Windows is reinstalled

  31. Consequences of Bringing a Domain Controller Back Online After FSMO Role Seizure

  32. Seizing Roles
  • Methods:
    • Active Directory Users and Computers
      • Use only for PDC emulator or infrastructure master
    • NTDSUTIL

  33. Activity 8-5: Using NTDSUTIL to Seize a FSMO Role
  • Objective: Learn how to seize the infrastructure master role using NTDSUTIL
  • Use NTDSUTIL to seize role

  34. Seizing a FSMO Role Using NTDSUTIL
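Slides 26 through 34 describe one procedure with two outcomes: an orderly transfer when both domain controllers are online, and a seizure only when the holder is permanently gone. As an added example that is not part of the course slides, the PowerShell below moves the infrastructure master through the .NET DomainController class, which exposes both operations. It first binds to the current holder over LDAP and transfers if that succeeds; it seizes only if the bind fails and the caller has opted in with a switch, so the "last step" discipline of slide 30 is enforced by the tooling, and it re-reads the target afterwards to confirm the role moved. The DC names are placeholders; the account must be a member of Domain Admins, the group authorized to move the three domain-wide roles.

```powershell
# Added example, not from the course slides: transfer the infrastructure master
# when both DCs are online, seize only as an explicit last resort, then verify.
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapReachable {
    param([Parameter(Mandatory)][string]$Server)
    # Force a real LDAP bind to RootDSE; a DC that is down or unreachable throws here.
    try {
        $de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
        $null = $de.NativeObject
        $true
    } catch { $false }
}

function Move-InfrastructureMaster {
    param(
        [Parameter(Mandatory)][string]$TargetDc,  # DC that should receive the role
        [switch]$AllowSeize                       # explicit opt-in to the destructive path
    )
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ctx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxType, $TargetDc
    $target  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    $role    = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]::InfrastructureRole
    $holder  = $target.Domain.InfrastructureRoleOwner

    if ($holder.Name -eq $target.Name) {
        return "$($target.Name) already holds the infrastructure master role."
    }

    if (Test-LdapReachable $holder.Name) {
        # Slide 27: a transfer needs both DCs online. The old holder is told it no
        # longer has the role, so nothing is lost and it can stay in service.
        $target.TransferRoleOwnership($role)
        $outcome = "Transferred infrastructure master from $($holder.Name) to $($target.Name)."
    } elseif ($AllowSeize) {
        # Slide 30: the old holder is never informed. If it ever comes back it will
        # still believe it is the infrastructure master, so it must be formatted and
        # reinstalled before it is reconnected to the network (slide 31).
        $target.SeizeRoleOwnership($role)
        $outcome = "Seized infrastructure master on $($target.Name); do NOT return $($holder.Name) to the network without rebuilding it."
    } else {
        throw "Current holder $($holder.Name) is unreachable. Restore it or, if it is permanently gone, rerun with -AllowSeize."
    }

    # Verify with a fresh DomainController object; the Roles collection is cached per object.
    $check = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if (-not $check.Roles.Contains($role)) {
        throw "The operation returned but $($target.Name) does not list the infrastructure master role."
    }
    $outcome
}

# The interactive NTDSUTIL sequence of Activity 8-5 that this function replaces
# (server name is a placeholder):
#   ntdsutil
#   roles
#   connections
#   connect to server DC02
#   quit
#   seize infrastructure master
#   quit
#   quit

Move-InfrastructureMaster -TargetDc 'DC02.example.local'   # placeholder; add -AllowSeize only for a lost holder
```

NTDSUTIL's `seize` command itself first attempts a transfer and seizes only when the transfer fails, which is the same ordering the function above makes explicit. Changing the role in `$role` to `SchemaRole`, `NamingRole`, `PdcRole` or `RidRole` moves the other masters, subject to the group membership in slide 28 (Schema Admins and Enterprise Admins for the two forest-wide roles). On Windows Server 2008 R2 and later the Active Directory module offers `Move-ADDirectoryServerOperationMasterRole`, whose `-Force` switch performs the seizure.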

  35. Summary
  • Forest-wide operations master roles:
    • Schema master
    • Domain naming master
  • Domain-wide operations master roles:
    • PDC emulator
    • RID master
    • Infrastructure master
  • Roles can be transferred/seized and given to another domain controller