Global Catalog and Flexible Single Master Operations (Fsmo) Roles

1
Chapter 4
GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES
Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES
UNDERSTANDING THE GLOBAL CATALOG

Central repository for forest-wide data.
Subset of attributes from objects forest-wide. First domain controller in the forest is automatically
configured as a global catalog server.

servers.
Other domain controllers can become global catalog
FUNCTIONS OF THE GLOBAL CATALOG

Facilitate searches for objects in the forest
Resolve User Principal Names (UPNs) Provide universal group membership information
If the domain is in Microsoft Windows 2000 native
functional level or later, global catalog information is required in order for users to log on.
UNIVERSAL GROUP MEMBERSHIP CACHING

New for Microsoft Windows Server 2003.
When enabled, non-global catalog domain
controllers can process logons without contacting a global catalog server.
Refreshed on an eight-hour interval. Eliminates the need to place a global catalog server
in a remote site to facilitate logons.
Provides better logon performance. Can be used to minimize wide area network (WAN)
link usage.
LOGON PROCESS AND THE GLOBAL CATALOG

Universal group membership is used in creation of
Global catalog is used to verify universal group
the access control list (ACL) when the user logs on. membership.
Users might be denied logon if the global catalog is
not available and universal group membership caching is not enabled.
Built-in Administrator account can logon, regardless
of global catalog availability or the universal group membership caching configuration.
ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING
PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS

There is additional global catalog replication traffic
when a global catalog is configured.
Additional hard disk space is required.
Consider placing a global catalog server in each site
or configure universal group membership caching for that site. where applications need to make global catalog queries.
Consider placing a global catalog server in each site
ENABLING A GLOBAL CATALOG SERVER
UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES

Flexible Single Master Operations (FSMO) roles
Assigned automatically to the first domain controller
in a domain
Roles can be transferred to other domain controllers
Used to reduce conflict and facilitate
communication concerning replication between domain controllers
10
FIVE FSMO ROLES

Domain naming master
Relative identifier (RID) master Infrastructure master Primary Domain Controller (PDC) emulator Schema master
11
DOMAIN-SPECIFIC ROLES
RID masterAssigns RIDs to other domain
controllers
Infrastructure masterAllows security principals to
be tracked between domains
PDC emulator
Backward compatibility with Microsoft Windows NT
Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me)
Time synchronization User account password change replication
12
DOMAIN-WIDE OPERATIONS MASTERS
13
RID MASTER
Used when security principals are created
RID makes the individual security principal security
identifier (SID) unique within a domain
Built-in RIDs are consistent between domains, for
example, Built-in Administrator has a RID of 500
RID master gives other domain controllers RIDs to
use when new objects are created
14
WHAT IF THE RID MASTER ISNT AVAILABLE?

Doesnt affect existing users
Might cause a problem when creating new objects,
if the existing RID pool on the domain controller is depleted

Movetree.exe must be run on the RID master of the
Problems moving objects between domains
source domain.
available.
RID master of the target domain must also be
15
INFRASTRUCTURE MASTER
Manages user and group references for objects
between domains
Updates ACLs and group memberships as required Queries the global catalog to ensure that references
are current server
Role should not be assigned to a global catalog

Exception 1: There is only a single domain in the
forest
Exception 2: All domain controllers are also global
catalog servers
16
PDC EMULATOR
Provides backward compatibility for preWindows
2000 client computers
Acts as the PDC in Windows 2000 mixed functional
level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network
Acts as a central manager for user password
changes, replication, and account lockouts
Handles time synchronization
17
ALTERNATE TCP/IP ADDRESS CONFIGURATION

Domain naming master
Schema master These roles are assigned to only one domain
controller in the entire forest
Usually these roles are assigned to domain
controllers in the forest root domain
18
DOMAIN NAMING MASTER

Allows additions or removals of domains.
Ensures domain names are unique in the forest. Domains cannot be added or removed if the domain
naming master is not available.

to add and remove domains.
Enterprise Admins level access is required in order
19
SCHEMA MASTER
Controls access to the schema.
Ensures modifications are replicated to all domain
controllers in the forest. master is not available.
The schema cannot be modified if the schema

Schema Admins level access is required to modify
the schema.
20
PLACING FSMO SERVERS

In a multi-domain environment, youll likely move
some of the FSMO roles.
Decisions on placing domain controllers involve.

Number of domains that are a part of the forest
Physical structure, including sites Number of domain controllers in each domain
21
DEFAULT FSMO ROLE ASSIGNMENTS
22
ADJUSTING FSMO ROLES IN FOREST ROOT
23
MANAGING FSMO ROLES

What happens when a domain controller holding a
given FSMO role fails?
Transferring roles.
Seizing roles.
24
WHAT ARE THE IMPLICATIONS OF FAILURE?

Schema master
Domain naming master PDC emulator RID master Infrastructure master
25
MANAGING ROLES
Active Directory Users And Computers
RID master
Infrastructure master
PDC emulator
Active Directory Domains And Trustsdomain
naming master
Microsoft Management Console (MMC) Schema
snap-inschema master
Repadmin
NTDSUtilAll roles
26
SUMMARY
Global catalog function
Global catalog server placement Domain-wide operations masters Forest-wide operations masters Implications of FSMO failure
Tools to manage FSMO roles

Global Catalog and Flexible Single Master Operations (Fsmo) Roles

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Global Catalog and Flexible Single Master Operations (Fsmo) Roles

Caricato da

Copyright:

Formati disponibili

1

GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

UNDERSTANDING THE GLOBAL CATALOG

configured as a global catalog server.

Other domain controllers can become global catalog

FUNCTIONS OF THE GLOBAL CATALOG

UNIVERSAL GROUP MEMBERSHIP CACHING

controllers can process logons without contacting a global catalog server.

in a remote site to facilitate logons.

LOGON PROCESS AND THE GLOBAL CATALOG

Users might be denied logon if the global catalog is

not available and universal group membership caching is not enabled.

Built-in Administrator account can logon, regardless

of global catalog availability or the universal group membership caching configuration.

ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS

when a global catalog is configured.

Additional hard disk space is required.

Consider placing a global catalog server in each site

Consider placing a global catalog server in each site

ENABLING A GLOBAL CATALOG SERVER

UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES

Roles can be transferred to other domain controllers

Used to reduce conflict and facilitate

communication concerning replication between domain controllers

FIVE FSMO ROLES

Infrastructure masterAllows security principals to

be tracked between domains

Time synchronization User account password change replication

DOMAIN-WIDE OPERATIONS MASTERS

identifier (SID) unique within a domain

Built-in RIDs are consistent between domains, for

example, Built-in Administrator has a RID of 500

RID master gives other domain controllers RIDs to

use when new objects are created

WHAT IF THE RID MASTER ISNT AVAILABLE?

if the existing RID pool on the domain controller is depleted

Problems moving objects between domains

RID master of the target domain must also be

are current server

Role should not be assigned to a global catalog

Exception 2: All domain controllers are also global

2000 client computers

Acts as the PDC in Windows 2000 mixed functional

Acts as a central manager for user password

changes, replication, and account lockouts

Handles time synchronization

ALTERNATE TCP/IP ADDRESS CONFIGURATION

controller in the entire forest

Usually these roles are assigned to domain

controllers in the forest root domain

DOMAIN NAMING MASTER

naming master is not available.

Enterprise Admins level access is required in order

controllers in the forest. master is not available.

The schema cannot be modified if the schema

PLACING FSMO SERVERS

some of the FSMO roles.

Decisions on placing domain controllers involve.

DEFAULT FSMO ROLE ASSIGNMENTS

ADJUSTING FSMO ROLES IN FOREST ROOT

MANAGING FSMO ROLES

given FSMO role fails?