
A Course on

Global Catalog And Flexible Single Master Operations (FSMO) Roles

Prepared for: *Stars*


New Horizons Certified Professional Course

Company Confidential

UNDERSTANDING THE GLOBAL CATALOG
Central repository for forest-wide data.
Subset of attributes from objects forest-wide.
The first domain controller in the forest is automatically configured as a global catalog server.
Other domain controllers can become global catalog servers.

FUNCTIONS OF THE GLOBAL CATALOG
Facilitate searches for objects in the forest.
Resolve user principal names (UPNs).
Provide universal group membership information.
If the domain is at Microsoft Windows 2000 native functional level or later, global catalog information is required for users to log on.

UNIVERSAL GROUP MEMBERSHIP CACHING
New in Microsoft Windows Server 2003.
When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server.
The cached membership is refreshed on an eight-hour interval.
Eliminates the need to place a global catalog server in a remote site to facilitate logons.
Provides better logon performance.
Can be used to minimize wide area network (WAN) link usage.

LOGON PROCESS AND THE GLOBAL CATALOG
Universal group membership is used in the creation of the access control list (ACL) when the user logs on.
The global catalog is used to verify universal group membership.
Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled.
The built-in Administrator account can log on regardless of global catalog availability or the universal group membership caching configuration.

ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS
There is additional global catalog replication traffic when a global catalog is configured.
Consider placing a global catalog server in each site, or configure universal group membership caching for that site.
Consider placing a global catalog server in each site where applications need to make global catalog queries.
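The two slides above (universal group membership caching and global catalog placement) describe a per-site decision; the following is an added PowerShell audit, not part of the course material, that reports for every site whether logons can be served locally (a global catalog in the site, or caching enabled on the site's NTDS Site Settings object). It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the configuration partition, and the documented 0x20 bit of the options attribute as the caching flag.

```powershell
Import-Module ActiveDirectory

# Bit 0x20 of the 'options' attribute on a site's 'NTDS Site Settings'
# object is the "universal group membership caching enabled" flag.
$UgmcFlag = 0x20

# DCs of the current domain grouped by site name. In a multi-domain forest
# run this once per domain (or pass -Server to Get-ADDomainController).
$dcsBySite = Get-ADDomainController -Filter * |
    Group-Object -Property Site -AsHashTable -AsString

foreach ($site in Get-ADReplicationSite -Filter * | Sort-Object Name) {
    $dcs = if ($dcsBySite -and $dcsBySite.ContainsKey($site.Name)) { @($dcsBySite[$site.Name]) } else { @() }
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
        -Properties options, 'msDS-Preferred-GC-Site'
    $ugmc = (([int]$settings.options) -band $UgmcFlag) -ne 0

    # Logons are served locally only if the site has a GC, or caches
    # universal group membership (refreshed from a GC every eight hours).
    $status = if ($gcs.Count -gt 0)     { 'OK: global catalog in site' }
              elseif ($ugmc)            { 'OK: universal group membership caching enabled' }
              elseif ($dcs.Count -gt 0) { 'WARNING: logons depend on a GC across the WAN' }
              else                      { 'no DCs of this domain in site' }

    [pscustomobject]@{
        Site              = $site.Name
        DomainControllers = $dcs.Count
        GlobalCatalogs    = $gcs.Count
        UgmcEnabled       = $ugmc
        UgmcRefreshSite   = $settings.'msDS-Preferred-GC-Site'   # GC site used for the 8-hour refresh, if set
        Status            = $status
    }
}
```

Sites flagged WARNING are the ones where a WAN outage turns into a logon outage; fix them by adding a GC or enabling caching, as the slides recommend.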

ENABLING A GLOBAL CATALOG SERVER

UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES
Flexible Single Master Operations (FSMO) roles:
Assigned automatically to the first domain controller in a domain.
Roles can be transferred to other domain controllers.
Used to reduce conflict and facilitate communication concerning replication between domain controllers.

FIVE FSMO ROLES
Domain naming master
Relative identifier (RID) master
Infrastructure master
Primary Domain Controller (PDC) emulator
Schema master


DOMAIN-SPECIFIC ROLES
RID master: assigns RIDs to other domain controllers.
Infrastructure master: allows security principals to be tracked between domains.
PDC emulator:
Backward compatibility with Microsoft Windows NT Server version 4.0 domains and pre-Windows 2000 client computers (Microsoft Windows 98 and Windows Me)
Time synchronization
User account password change replication


DOMAIN-WIDE OPERATIONS MASTERS


RID MASTER
Used when security principals are created.
The RID makes each security principal's security identifier (SID) unique within a domain.
Built-in RIDs are consistent between domains; for example, the built-in Administrator has a RID of 500.
The RID master gives other domain controllers RIDs to use when new objects are created.


WHAT IF THE RID MASTER ISN'T AVAILABLE?
Doesn't affect existing users.
Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted.
Problems moving objects between domains.
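To see how close a domain is to the failure described above, an added PowerShell check (not from the course) reads the RID pool attributes: the domain-wide pool on the RID Manager$ object and each DC's own RID Set, whose rIDNextRID is not replicated and so must be read from that DC. It assumes the RSAT ActiveDirectory module and read access to the System container; the 50-RID low-water mark is a constructed threshold.

```powershell
Import-Module ActiveDirectory

# Pool attributes pack two 32-bit values into one 64-bit integer:
# low half = first RID of the range, high half = last RID of the range.
function Split-RidPool([long]$Packed) {
    [pscustomobject]@{
        Start = $Packed -band 0xFFFFFFFF
        End   = ($Packed -shr 32) -band 0xFFFFFFFF
    }
}

$domain = Get-ADDomain

# Domain-wide pool owned by the RID master: what is still left to hand out.
$manager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
    -Server $domain.RIDMaster -Properties rIDAvailablePool
$global = Split-RidPool $manager.rIDAvailablePool
"RID master {0}: next block starts at RID {1}, ceiling {2}, {3:N0} RIDs unissued" -f $domain.RIDMaster, $global.Start, $global.End, ($global.End - $global.Start)

# Per-DC pools: rIDNextRID is not replicated, so ask each writable DC directly.
$lowWater = 50   # constructed threshold; a DC normally receives blocks of 500
foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
        -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID -ErrorAction SilentlyContinue
    if (-not $ridSet) { "{0}: RID Set not readable (DC offline?)" -f $dc.HostName; continue }

    $inUse    = Split-RidPool $ridSet.rIDPreviousAllocationPool   # block being consumed now
    $standby  = Split-RidPool $ridSet.rIDAllocationPool           # next block, if already granted
    $left     = $inUse.End - [long]$ridSet.rIDNextRID             # roughly what remains in the current block
    $hasSpare = $standby.Start -ne $inUse.Start                   # a fresh block is already waiting

    [pscustomobject]@{
        DC         = $dc.HostName
        PoolStart  = $inUse.Start
        PoolEnd    = $inUse.End
        NextRid    = $ridSet.rIDNextRID
        Remaining  = $left
        SpareBlock = $hasSpare
        Status     = if ($left -le $lowWater -and -not $hasSpare) { 'WARNING: new objects will fail once this block is used up while the RID master is down' } else { 'OK' }
    }
}
```

A DC with no spare block and a nearly exhausted pool is exactly the case the slide warns about: it keeps serving existing users but cannot create new security principals until the RID master answers.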


INFRASTRUCTURE MASTER
Manages user and group references for objects between domains.
Updates ACLs and group memberships as required.
Queries the global catalog to ensure that references are current.
The role should not be assigned to a global catalog server.
Exception 1: there is only a single domain in the forest.
Exception 2: all domain controllers are also global catalog servers.


PDC EMULATOR
Provides backward compatibility for pre-Windows 2000 client computers.
Acts as the PDC at Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) present on the network.
Acts as a central manager for user password changes, replication, and account lockouts.
Handles time synchronization.


ALTERNATE TCP/IP ADDRESS CONFIGURATION
Domain naming master
Schema master
These roles are assigned to only one domain controller in the entire forest.
Usually these roles are assigned to domain controllers in the forest root domain.


DOMAIN NAMING MASTER
Allows additions or removals of domains.
Ensures domain names are unique in the forest.
Domains cannot be added or removed if the domain naming master is not available.
Enterprise Admins level access is required in order to add and remove domains.


SCHEMA MASTER
Controls access to the schema.
Ensures modifications are replicated to all domain controllers in the forest.
The schema cannot be modified if the schema master is not available.
Schema Admins level access is required to modify the schema.


PLACING FSMO SERVERS
In a multi-domain environment, you'll likely move some of the FSMO roles.
Decisions on placing domain controllers involve:
Number of domains that are a part of the forest
Physical structure, including sites
Number of domain controllers in each domain


DEFAULT FSMO ROLE ASSIGNMENTS


ADJUSTING FSMO ROLES IN FOREST ROOT


MANAGING FSMO ROLES
What happens when a domain controller holding a given FSMO role fails?
Transferring roles.
Seizing roles.


WHAT ARE THE IMPLICATIONS OF FAILURE?
Schema master
Domain naming master
PDC emulator
RID master
Infrastructure master
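Before any of those failures are felt, it helps to know who holds each role and whether the holder is up. The following is an added PowerShell inventory, not course material: it lists all five FSMO holders across the forest, probes each one on LDAP port 389, and flags the infrastructure-master-on-a-global-catalog placement unless one of the two exceptions from the infrastructure master slide applies. It assumes the RSAT ActiveDirectory module, Test-NetConnection (Windows 8 / Server 2012 or later), and a session that can read every domain in the forest.

```powershell
Import-Module ActiveDirectory

function Get-FsmoStatus {
    $forest = Get-ADForest
    $singleDomain = $forest.Domains.Count -eq 1   # exception 1 on the infrastructure master slide

    # Forest-wide roles come from the forest object, domain-wide roles from each domain.
    $roles = @(
        [pscustomobject]@{ Scope = 'forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Scope = $name; Role = $role; Holder = $d.$role }
        }
    }

    foreach ($r in $roles) {
        # LDAP answering on 389 is a cheap liveness probe for the role holder.
        $up = Test-NetConnection -ComputerName $r.Holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        $note = if ($up) { '' } else { 'UNREACHABLE: role is effectively down until transferred or seized' }

        if ($up -and $r.Role -eq 'InfrastructureMaster') {
            $holder = Get-ADDomainController -Identity $r.Holder -Server $r.Holder
            $allDcs = @(Get-ADDomainController -Filter * -Server $r.Scope)
            $allGc  = @($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0   # exception 2
            if ($holder.IsGlobalCatalog -and -not $singleDomain -and -not $allGc) {
                $note = 'WARNING: infrastructure master is a GC; cross-domain references will not be updated'
            }
        }
        [pscustomobject]@{ Scope = $r.Scope; Role = $r.Role; Holder = $r.Holder; Reachable = $up; Note = $note }
    }
}

Get-FsmoStatus | Format-Table -AutoSize
```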


MANAGING ROLES
Active Directory Users And Computers: RID master, infrastructure master, PDC emulator
Active Directory Domains And Trusts: domain naming master
Microsoft Management Console (MMC) Schema snap-in: schema master
Repadmin
NTDSUtil: all roles
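The same transfer-or-seize decision from the MANAGING FSMO ROLES slide can be driven from PowerShell with Move-ADDirectoryServerOperationMasterRole, which handles all five roles like NTDSUtil does. The function below is an added example, not from the course: it attempts a clean transfer while the current holder is reachable and only seizes (the -Force switch) when the holder is confirmed down, then reads the role back from the directory to verify. It assumes the RSAT ActiveDirectory module and the rights the slides list (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest).

```powershell
Import-Module ActiveDirectory

function Get-FsmoHolder([string]$Role) {
    # Forest roles live on the forest object, domain roles on the domain object.
    switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string] $Role
    )
    $current = Get-FsmoHolder $Role
    if ($current -like "$TargetDC*") { return "$Role is already held by $current" }

    $holderUp = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($holderUp) {
        # Transfer: both DCs cooperate and the old holder replicates its final state first.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        $how = 'transferred'
    } else {
        # Seize: the role is taken without the old holder's knowledge. The old holder
        # must not return to the network still believing it owns the role (two RID
        # masters would hand out overlapping SIDs), so rebuild it before reconnecting.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
        $how = 'SEIZED'
    }

    # Verify against the directory rather than trusting the cmdlet's silence.
    $now = Get-FsmoHolder $Role
    if ($now -notlike "$TargetDC*") { throw "$Role still reports holder $now after attempting to move it" }
    "$Role $how from $current to $now"
}

# Usage (DC names are placeholders): Move-FsmoRole -TargetDC 'DC02' -Role 'PDCEmulator'
```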


SUMMARY
Global catalog function
Global catalog server placement
Domain-wide operations masters
Forest-wide operations masters
Implications of FSMO failure
Tools to manage FSMO roles
