FSMO Roles

1
A Course on
Global Catalog and Flexible Single Master Operations (FSMO) Roles
Prepared for: *Stars*
New Horizons Certified Professional Course

2
UNDERSTANDING THE
GLOBAL CATALOG
• Central repository for forest-wide data.
• Subset of attributes from objects forest-wide.
• First domain controller in the forest is
automatically configured as a global
catalog server.
• Other domain controllers can become
global catalog servers.

3
FUNCTIONS OF THE
GLOBAL CATALOG
• Facilitate searches for objects in the forest
• Resolve User Principal Names (UPNs)
• Provide universal group membership
information
– If the domain is in Microsoft Windows 2000
native functional level or later, global catalog
information is required in order for users to log
on.

4
UNIVERSAL GROUP
MEMBERSHIP CACHING
• New for Microsoft Windows Server 2003.
• When enabled, non-global catalog domain
controllers can process logons without contacting
a global catalog server.
• Refreshed on an eight-hour interval.
• Eliminates the need to place a global catalog
server in a remote site to facilitate logons.
• Provides better logon performance.
• Can be used to minimize wide area network
(WAN) link usage.

5
LOGON PROCESS AND
THE GLOBAL CATALOG
• Universal group membership is used in creation of
the access control list (ACL) when the user logs on.
• Global catalog is used to verify universal group
membership.
• Users might be denied logon if the global catalog is
not available and universal group membership
caching is not enabled.
• Built-in Administrator account can log on, regardless
of global catalog availability or the universal group
membership caching configuration.

6
ENABLE UNIVERSAL GROUP
MEMBERSHIP CACHING

7
PLANNING GLOBAL CATALOG
SERVER PLACEMENT CONSIDERATIONS
• There is additional global catalog replication traffic when a global catalog is configured.
• Consider placing a global catalog server in each site or configure universal group membership caching for that site.
• Consider placing a global catalog server in each site where applications need to make global catalog queries.

8
ENABLING A GLOBAL
CATALOG SERVER
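Both of the image-only slides above (enabling universal group membership caching for a site, and enabling a global catalog server) come down to setting one bit in an `options` attribute: bit 0x1 on a DC's NTDS Settings object makes it a global catalog, and bit 0x20 on a site's NTDS Site Settings object turns on universal group membership caching. The following PowerShell is an added example, not course material; it assumes the ActiveDirectory module and uses placeholder DC and site names.

```powershell
# Added example: flip the NTDS "options" bits behind the two GUI checkboxes.
# 'DC2', 'BranchOffice' and 'HubSite' are placeholder names.
Import-Module ActiveDirectory

$NTDSDSA_OPT_IS_GC                 = 0x1    # NTDS Settings: this DC hosts the global catalog
$NTDSSETTINGS_OPT_IS_GROUP_CACHING = 0x20   # NTDS Site Settings: universal group membership caching

function Set-OptionsBit {
    param([string]$Dn, [int]$Bit, [switch]$Clear)
    $obj = Get-ADObject -Identity $Dn -Properties options
    $cur = if ($null -eq $obj.options) { 0 } else { [int]$obj.options }   # attribute may be absent
    $new = if ($Clear) { $cur -band (-bnot $Bit) } else { $cur -bor $Bit }
    if ($new -ne $cur) {
        Set-ADObject -Identity $Dn -Replace @{ options = $new }
    }
    [pscustomobject]@{ Object = $Dn; OldOptions = $cur; NewOptions = $new }
}

# 1. Make DC2 a global catalog server. It only advertises as a GC once the
#    partial attribute set of every other domain has replicated in, so expect
#    extra replication traffic first (slide 7).
$dc = Get-ADDomainController -Identity 'DC2'
Set-OptionsBit -Dn $dc.NTDSSettingsObjectDN -Bit $NTDSDSA_OPT_IS_GC

# 2. Enable universal group membership caching for a site that has no GC, and
#    point it at the site whose GC should refresh the cache (msDS-Preferred-GC-Site).
$cfg          = (Get-ADRootDSE).configurationNamingContext
$siteSettings = "CN=NTDS Site Settings,CN=BranchOffice,CN=Sites,$cfg"
$hubSiteDn    = "CN=HubSite,CN=Sites,$cfg"
Set-OptionsBit -Dn $siteSettings -Bit $NTDSSETTINGS_OPT_IS_GROUP_CACHING
Set-ADObject -Identity $siteSettings -Replace @{ 'msDS-Preferred-GC-Site' = $hubSiteDn }

# Verify both changes. IsGlobalCatalog becomes $true only after the DC advertises.
Get-ADDomainController -Identity 'DC2' | Select-Object Name, IsGlobalCatalog
Get-ADObject -Identity $siteSettings -Properties options, 'msDS-Preferred-GC-Site' |
    Select-Object options, 'msDS-Preferred-GC-Site'
```

Run it from an account with rights to the Configuration partition (Enterprise Admins by default); the same function with `-Clear` undoes either change.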

9
UNDERSTANDING
FLEXIBLE SINGLE MASTER
OPERATIONS ROLES
• Flexible Single Master Operations (FSMO)
roles
– Assigned automatically to the first domain
controller in a domain
– Roles can be transferred to other domain
controllers
• Used to reduce conflict and facilitate
communication concerning replication
between domain controllers

10
FIVE FSMO ROLES
• Domain naming master
• Relative identifier (RID) master
• Infrastructure master
• Primary Domain Controller (PDC)
emulator
• Schema master

11
DOMAIN-SPECIFIC ROLES
• RID master—Assigns RIDs to other domain
controllers
• Infrastructure master—Allows security principals
to be tracked between domains
• PDC emulator
– Backward compatibility with Microsoft Windows NT
Server version 4.0 domains and later client computers
(Microsoft Windows 98 and Windows Me)
– Time synchronization
– User account password change replication

12
DOMAIN-WIDE
OPERATIONS MASTERS

13
RID MASTER
• Used when security principals are created
– RID makes the individual security principal
security identifier (SID) unique within a
domain
– Built-in RIDs are consistent between domains,
for example, Built-in Administrator has a RID
of 500
• RID master gives other domain controllers
RIDs to use when new objects are created

14
WHAT IF THE RID MASTER
ISN’T AVAILABLE?
• Doesn’t affect existing users
• Might cause a problem when creating new
objects, if the existing RID pool on the
domain controller is depleted
• Problems moving objects between
domains
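Whether a RID master outage actually blocks object creation depends on how much of each DC's local RID pool is left, and how much of the domain-wide pool the RID master still has to hand out. The following PowerShell is an added example (not from the course) that reads those values from the directory; it assumes the ActiveDirectory module and is run against a single domain.

```powershell
# Added example: per-DC and domain-wide RID pool status.
# The rID*Pool attributes pack two 32-bit values into one 64-bit integer:
# low 32 bits = first RID in the range, high 32 bits = last RID in the range.
Import-Module ActiveDirectory

function Split-RidPool ([int64]$Packed) {
    # 4294967295 is used instead of 0xFFFFFFFF, which PowerShell parses as Int32 -1.
    [pscustomobject]@{ Start = $Packed -band 4294967295; End = $Packed -shr 32 }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    # The domain-wide pool lives on the RID Manager$ object, updated only by the RID master.
    $mgr   = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                          -Properties rIDAvailablePool
    $avail = Split-RidPool $mgr.rIDAvailablePool
    $domainLeft = $avail.End - $avail.Start

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Each DC's "RID Set" child object is referenced from its computer account.
        $comp = Get-ADComputer -Identity $dc.Name -Properties rIDSetReferences
        $set  = Get-ADObject -Identity $comp.rIDSetReferences[0] `
                             -Properties rIDAllocationPool, rIDNextRID
        $pool = Split-RidPool $set.rIDAllocationPool
        [pscustomobject]@{
            DC             = $dc.HostName
            IsRidMaster    = ($dc.HostName -eq $domain.RIDMaster)
            PoolStart      = $pool.Start
            PoolEnd        = $pool.End
            NextRid        = $set.rIDNextRID
            LocalRidsLeft  = $pool.End - $set.rIDNextRID   # approx. objects this DC can still create alone
            DomainRidsLeft = $domainLeft                   # RIDs the RID master can still allocate
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
```

A DC with a small LocalRidsLeft will fail object creation soon after the RID master goes away, because it cannot request its next pool; a small DomainRidsLeft is a problem even with the RID master healthy.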

15
INFRASTRUCTURE MASTER
• Manages user and group references for objects between
domains
• Updates ACLs and group memberships as required
• Queries the global catalog to ensure that references are
current
• Role should not be assigned to a global catalog server
– Exception 1: There is only a single domain in the forest
– Exception 2: All domain controllers are also global catalog
servers
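The placement rule above (infrastructure master not on a global catalog server, unless the forest has one domain or every DC is a GC) is easy to get wrong after promotions and GC changes. The following PowerShell is an added example, not part of the course, that evaluates the rule for every domain in the forest; it assumes the ActiveDirectory module and query rights in each domain.

```powershell
# Added example: audit infrastructure master placement across the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    $singleDomain = ($forest.Domains.Count -eq 1)          # Exception 1

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $imHost = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })   # Exception 2

        # Holder on a GC is fine only under one of the two exceptions; otherwise
        # the GC never sees stale cross-domain references and stops updating them.
        $ok = (-not $imHost.IsGlobalCatalog) -or $singleDomain -or $allGc

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $imHost.HostName
            HolderIsGC           = $imHost.IsGlobalCatalog
            SingleDomainForest   = $singleDomain
            AllDCsAreGC          = $allGc
            PlacementOK          = $ok
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

A row with PlacementOK set to $false means the role should be transferred to a non-GC DC in that domain, or every DC in the domain made a GC.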

16
PDC EMULATOR
• Provides backward compatibility for pre–Windows 2000 client computers
• Acts as the PDC in Windows 2000 mixed
functional level for any Windows NT Server
version 4.0 backup domain controllers
(BDCs) that are present on the network
• Acts as a central manager for user password
changes, replication, and account lockouts
• Handles time synchronization

17
FOREST-WIDE
OPERATIONS MASTERS
• Domain naming master
• Schema master
• These roles are assigned to only one
domain controller in the entire forest
• Usually these roles are assigned to
domain controllers in the forest root
domain

18
DOMAIN NAMING MASTER
• Allows additions or removals of domains.
• Ensures domain names are unique in the
forest.
• Domains cannot be added or removed if
the domain naming master is not
available.
• Enterprise Admins level access is required
in order to add and remove domains.

19
SCHEMA MASTER
• Controls access to the schema.
• Ensures modifications are replicated to all
domain controllers in the forest.
• The schema cannot be modified if the
schema master is not available.
• Schema Admins level access is required
to modify the schema.

20
PLACING FSMO SERVERS
• In a multi-domain environment, you’ll likely
move some of the FSMO roles.
• Decisions on placing domain controllers
involve:
– Number of domains that are a part of the
forest
– Physical structure, including sites
– Number of domain controllers in each domain

21
DEFAULT FSMO ROLE
ASSIGNMENTS

22
ADJUSTING FSMO ROLES
IN FOREST ROOT

23
MANAGING FSMO ROLES
• What happens when a domain controller
holding a given FSMO role fails?
• Transferring roles.
• Seizing roles.

24
WHAT ARE THE
IMPLICATIONS OF FAILURE?
• Schema master
• Domain naming master
• PDC emulator
• RID master
• Infrastructure master

25
MANAGING ROLES
• Active Directory Users And Computers
– RID master
– Infrastructure master
– PDC emulator
• Active Directory Domains And Trusts—domain naming
master
• Microsoft Management Console (MMC) Schema snap-in—schema master
• Repadmin
• NTDSUtil—All roles
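The transfer-versus-seize distinction from the "Managing FSMO roles" slide, and the role holder lookup the tools above provide, can be done from PowerShell with one cmdlet. The following is an added example, not part of the course; it assumes the ActiveDirectory module, and 'DC2' is a placeholder for the DC receiving the roles.

```powershell
# Added example: list FSMO holders, then transfer or seize roles.
# Move-ADDirectoryServerOperationMasterRole without -Force is a graceful
# transfer (current holder must be online); with -Force it seizes the role.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster         # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide
        PDCEmulator          = $domain.PDCEmulator          # domain-wide
        RIDMaster            = $domain.RIDMaster            # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster # domain-wide
    }
}

Get-FsmoHolders | Format-List
# The classic equivalent is:  netdom query fsmo

# Planned maintenance: transfer the three domain-wide roles to DC2.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Current holder permanently lost: seize the forest-wide roles on DC2.
# The old holder must not be brought back online without first being
# demoted or removed with NTDSUtil metadata cleanup, or two DCs will
# claim the same role.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# Equivalent interactive NTDSUtil sequence, for reference:
#   ntdsutil
#   roles
#   connections
#   connect to server DC2
#   quit
#   transfer pdc              (or, for a dead holder: seize rid master)
#   quit
#   quit
```

Re-run Get-FsmoHolders afterwards and confirm the change has replicated to other DCs before relying on the new holder.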

26
SUMMARY
• Global catalog function
• Global catalog server placement
• Domain-wide operations masters
• Forest-wide operations masters
• Implications of FSMO failure
• Tools to manage FSMO roles
