Active Directory

Page 1: Active Directory

Netmetric Solutions

( Meer Shahanawaz ) ( Abdullah

Topics for FSMO

PDC Emulator
Infrastructure Master
RID Master
Schema Master
Domain Naming Master
Troubleshooting FSMO (Transfer FSMO Roles - Another page)

PDC Emulator

Of the 5 roles, this is the role that you will miss the soonest.  Not only will NT 4.0 BDCs complain, but there will also be no time synchronization.  Another problem is that you will probably not be able to change or troubleshoot group policies, as by default the PDC emulator is also the group policy master.

Implications for Duplicates

If the old PDC emulator returns, it is not as serious as duplicates of some of the other roles.  Quickly seize the PDC role from another machine.

RID Master

One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique numbers so that no two new objects have the same GUID (Globally Unique Identifier). 

If you lose the RID master, the chances are good that the existing Domain Controllers will have enough unused RIDs to last a week or so, so do not be in a hurry to seize.

Implications for Duplicates

You must not allow two RID masters, as the possibility of two objects with the same RID would be disastrous.   So if the original is found it must be reformatted and reinstalled before re-joining the forest.

Infrastructure Master

The consequence of a missing Infrastructure Master is that group memberships may be incomplete.  If you only have one domain, there will be no impact, as the Infrastructure Master is responsible for updating your users' membership in other domains in the forest.

Implications for Duplicates

No damage occurs if the old Infrastructure Master returns; just check the roles and decide which machine should hold it.

Forest Wide Roles

Schema Master

If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or extend the schema.  However, short term no-one will notice a missing Schema Master, so try and repair the old one rather than seize the role.

Implications for Duplicates

You must not allow two Schema Masters, so if the original is found or repaired, it must be completely rebuilt rather than allowed into the forest.

Domain Naming Master

This is a forest wide role that is responsible for adding child domains and new trees.   Unless you are going to run DCPROMO, then you will not miss this FSMO role, so wait rather than seize the role.

Implications for Duplicates

You must not allow the original Domain Naming Master to return; rebuild it before you let the machine back into the forest.
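The five-role inventory and the duplicate warnings above turn naturally into a repeatable check. The following PowerShell is an added example, not code from the Netmetric page: it lists the role holders, reports any role that more than one Domain Controller still claims to hold, and reads how many RIDs the RID Master's pool has left. It assumes the RSAT ActiveDirectory module, a session joined to the domain being audited, and the standard location of the RID pool object (`CN=RID Manager$,CN=System,<domain DN>`); no host names are hard-coded.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and a session joined to the domain being audited.
Import-Module ActiveDirectory

# The five roles: three per domain (Get-ADDomain), two per forest (Get-ADForest).
function Get-FsmoRoleHolders {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: the current domain
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    [ordered]@{
        'PDC Emulator'          = $d.PDCEmulator
        'RID Master'            = $d.RIDMaster
        'Infrastructure Master' = $d.InfrastructureMaster
        'Schema Master'         = $f.SchemaMaster
        'Domain Naming Master'  = $f.DomainNamingMaster
    }
}

# Every DC advertises the roles it believes it holds (OperationMasterRoles).
# After a seizure, a returning original may still claim the same role; the page
# says that is disastrous for RID, Schema and Domain Naming, so report any role
# claimed by more than one DC in the domain.
function Find-DuplicateFsmoClaims {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $claims = @{}
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        foreach ($role in $dc.OperationMasterRoles) {
            $key = [string]$role
            if ($claims.ContainsKey($key)) { $claims[$key] += @($dc.HostName) }
            else                           { $claims[$key]  = @($dc.HostName) }
        }
    }
    $claims.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holders = ($_.Value -join ', ') } }
}

# rIDAvailablePool is a 64-bit value: high 32 bits = highest RID the domain may
# issue, low 32 bits = next RID to hand out. The difference is how many RIDs are
# left before a missing RID Master starts to hurt.
function Get-RidPoolStatus {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $d = Get-ADDomain -Identity $Domain
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($d.DistinguishedName)" `
                           -Properties rIDAvailablePool -Server $d.RIDMaster
    $pool = [int64]$ridMgr.rIDAvailablePool
    $max  = $pool -shr 32
    $next = $pool -band 4294967295   # decimal on purpose: 0xFFFFFFFF parses as -1 in Windows PowerShell
    [pscustomobject]@{ RidMaster = $d.RIDMaster; NextRid = $next; MaxRid = $max; Remaining = $max - $next }
}

Get-FsmoRoleHolders
Find-DuplicateFsmoClaims
Get-RidPoolStatus
```

Run it from any domain-joined machine with RSAT; an empty result from Find-DuplicateFsmoClaims is the healthy case, and a Remaining value in the low hundreds is the signal that the RID Master question can no longer wait.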

Windows Server 2003 - Global Catalog Server

Windows Server 2003 - Global Catalog

Mastering Global Catalog will not only give your users a better network experience, but also teach you about Windows Server 2003's Active Directory.  Global Catalogs are deceptive.  The bigger your Active Directory forest the more important it is to configure Global Catalogs.  If you have Exchange 2003, then there are extra reasons to position Global Catalogs close to the users.

Topics for Windows Server 2003 Global Catalog

Global Catalog - From a Users Perspective
Global Catalog - Key Concepts
Configuring Global Catalog
No worries if you only have one Domain
Global Catalog Servers Summary

Global Catalog - From a Users Perspective

Your average user wants answers to questions such as 'Where is my Domain Controller?' or 'Find this email address in the GAL'.  Naturally people don't normally vocalise these requests; however, they log on to the domain, and they attempt to send email with Outlook.  The role of the Global Catalog Server is to answer requests for network resources, for example, LDAP queries to find a Domain Controller or an Exchange 2003 Server.

Global Catalog - Key Concepts

Now we come to the key Global Catalog concepts.  Surprisingly, not every domain controller is a global catalog server.  The reason is that by default there is only one global catalog server.  Microsoft's thinking is that you may not want the extra overhead of being a global catalog server, and the more global catalog servers, the more replication traffic on your network.

Every Domain Controller knows about its own domain, after all, managing directory services is what a Domain Controller does.  However, Domain Controllers that are also Global Catalog Servers know about other domains (key point).  Microsoft's paranoia is that there may be restrictions on a Universal Group in another domain, therefore, before a user logs on the Domain Controller must be able to enumerate Universal Group membership, just in case a Universal Group and hence a user, has been denied access. 

Incidentally, you may have seen Universal Group Caching which neatly solves this latency.   Universal Group Caching is one of the new features of Windows Server 2003.

Configuring Global Catalog

Configuring a Domain Controller as a Global Catalog is a knack.  Once you have drilled down and checked the Global Catalog box, you always remember that tortuous path.

Let us begin at the Active Directory Sites and Services snap-in.  Expand Sites, Default-First-Site-Name, Servers.  Select your server and seek the NTDS Settings, right click and choose Properties.  All that remains is to tick the Global Catalog box. (See Diagrams Opposite)

With a Windows 2000 Server you have to reboot; eccentrically, the interface does not tell you to reboot.  All this nonsense is cured in Windows Server 2003: you do not have to reboot when you enable or disable Global Catalog.

The only variation on these instructions is that your servers may be in different sites and not in the strangely named, Default-First-Site-Name. 

If you have firewall restrictions, LDAP uses port 389 for read and write operations and port 3268 for global catalog search operations.

No worries if you only have one Domain.

To be honest, if you have only one domain then nothing bad will happen if you don't have a local Global Catalog server.  However, if you have a forest then delays can be a problem - unless you place Global Catalog servers judiciously.  The root of the problem is enumerating Universal Group membership.  In a single domain it's pointless using Universal Groups, and even if you did, they will only be users in your domain.  There are no other domains to check.

Global Catalog Servers Summary

The key point with Active Directory is that Domain Controllers which are not also Global Catalog Servers cannot deduce Universal Groups in other domains.  For security, until they contact a Global Catalog server, a Domain Controller cannot proceed with the logon request.  With this knowledge you can plan extra Global Catalog servers.  However, if you only have one domain, there is no need for any more Global Catalog servers.
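The click path through Sites and Services is what the page describes; as an added example (not the page's own), here is the PowerShell equivalent for Windows Server 2008 R2 or later with the ActiveDirectory module. It reports Global Catalog coverage per site across the forest, tests the GC LDAP port 3268 the page mentions, and toggles the Global Catalog setting by setting bit 1 of the NTDS Settings object's `options` attribute, which is the attribute the checkbox writes. Host names are whatever your forest contains; the ones in the usage note are placeholders.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module on Windows Server 2008 R2 or later, forest-wide read access, and (for
# Enable-GlobalCatalog) rights to write the server's NTDS Settings object.
Import-Module ActiveDirectory

# One row per site, across every domain in the forest, with the DCs that are
# also Global Catalogs. A site with DCs but no GC is where logon latency comes
# from, because Universal Group membership has to be fetched from elsewhere.
function Get-GcCoverageBySite {
    $dcs = foreach ($dom in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $dom
    }
    $dcs | Group-Object -Property Site | ForEach-Object {
        $gcs = @($_.Group | Where-Object { $_.IsGlobalCatalog })
        [pscustomobject]@{
            Site       = $_.Name
            DCs        = $_.Count
            GCs        = $gcs.Count
            GcHosts    = (@($gcs | ForEach-Object { $_.HostName }) -join ', ')
            HasLocalGc = ($gcs.Count -gt 0)
        }
    }
}

# The page notes LDAP uses 389 for read/write and 3268 for GC searches. A DC
# that has the GC box ticked but is unreachable on 3268 through a firewall is
# useless to clients in that site, so check the port as well as the flag.
function Test-GcListener {
    param([Parameter(Mandatory)][string]$HostName)
    $tcp = Test-NetConnection -ComputerName $HostName -Port 3268 -WarningAction SilentlyContinue
    [pscustomobject]@{ HostName = $HostName; GcPortOpen = $tcp.TcpTestSucceeded }
}

# The Sites and Services checkbox sets bit 1 (NTDSDSA_OPT_IS_GC) of the 'options'
# attribute on the server's NTDS Settings object. Supports -WhatIf.
function Enable-GlobalCatalog {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HostName)
    $dc   = Get-ADDomainController -Identity $HostName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options -Server $HostName
    $opts = [int]$ntds.options
    if ($opts -band 1) { return "$HostName is already a Global Catalog" }
    if ($PSCmdlet.ShouldProcess($HostName, 'Set Global Catalog bit on NTDS Settings')) {
        Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) } -Server $HostName
        "$HostName marked as Global Catalog; it advertises once the partial attribute set has replicated"
    }
}

Get-GcCoverageBySite | Format-Table -AutoSize
```

Typical use, with placeholder host names: `Test-GcListener -HostName dc01.corp.example` to confirm a site's GC actually answers on 3268, and `Enable-GlobalCatalog -HostName dc02.corp.example -WhatIf` to see what would change before committing it. On Windows Server 2003 and later no reboot follows, as the text says; on Windows 2000 the bit is set the same way but the server still needs its restart.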

Windows Server 2003 - Schema

Introduction to Windows 2003's Schema

The Windows Server 2003 Schema Snap-in is not available by default.  There lies a clue that ordinary administrators are not meant to change the Schema.  However, to complete your understanding of Active Directory take time to appreciate the object model that underpins Windows Server 2003.

Topics for Windows Server 2003 Schema

What you need to know about the Schema
Major changes compared with Windows 2000
Getting Started
Recommendations

What you need to know about the Schema.

Object based Nature

It is useful to understand the nature of the Schema.  Active Directory is an object-based system.  The schema keeps a list of the definitions for each object, such as Computer or User.  The list is divided into Classes and Attributes, and the Schema recycles attributes like location and applies an instance to the site, printer or computer object.

Flexible Master

The Schema is one of the five single master operations; this means that only one domain controller has a read / write copy of the schema.  Take the time to find out which machine holds the Schema Master role.  Right-click the Schema Snap-in and select Operations Master from the shortcut menu.

Modification by Exchange 2003 and Schema Admins

Exchange 2003 relies on Active Directory for the definitions of the users' mailboxes.  When you install Exchange 2003, firstly you have to be a member of the Schema Admins global group; secondly, Exchange extends the schema to include extra attributes like mailbox server.  While it is possible to add attributes and classes yourself - resist.  Modifying the schema affects the entire forest and in my opinion should only be done by a developer when there is a clear business need.

Role of the Global Catalog

The Global Catalog server keeps track of a subset of the most important attributes, and the Global Catalog replicates this information to other Global Catalog servers.  Be aware that you can add extra attributes to the list, for example, information on department could be replicated.  The benefit is you could search on department or any other attribute that you added.

Major changes compared with Windows 2000

Deactivating attributes

Active Directory will not allow you to delete classes or attributes but you can deactivate them if you are sure they will not be needed.

Improved replication

In Windows Server 2003, only changes in attributes are replicated; the benefit is less replication traffic and less chance of a conflict.
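The Flexible Master, Schema Admins, Global Catalog attribute and deactivation points above can all be inspected from the schema partition itself. The PowerShell below is an added example, not from the page: it shows who holds the Schema Master and who sits in Schema Admins, lists deactivated (defunct) schema objects, lists the attributes the Global Catalog replicates (the partial attribute set), and adds one, using `department` as the text suggests. It assumes the RSAT ActiveDirectory module; the write needs Schema Admins membership and goes to the Schema Master, the only DC with a writable schema copy. `isDefunct`, `isMemberOfPartialAttributeSet` and `schemaNamingContext` are the real attribute names; everything else is local to the script.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module; schema writes additionally need Schema Admins membership and are sent
# to the Schema Master, the only DC with a writable schema copy.
Import-Module ActiveDirectory

$SchemaNc     = (Get-ADRootDSE).schemaNamingContext
$SchemaMaster = (Get-ADForest).SchemaMaster

# Who can change the schema. Schema Admins lives in the forest root domain and,
# outside an installation such as Exchange, should normally be empty.
function Get-SchemaControl {
    $root = (Get-ADForest).RootDomain
    [pscustomobject]@{
        SchemaMaster = $SchemaMaster
        SchemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $root |
                         ForEach-Object { $_.SamAccountName })
    }
}

# Classes and attributes cannot be deleted, only deactivated; the page lists this
# as a Windows Server 2003 change. Deactivated objects carry isDefunct=TRUE.
function Get-DefunctSchemaObjects {
    Get-ADObject -SearchBase $SchemaNc -LDAPFilter '(isDefunct=TRUE)' `
                 -Properties lDAPDisplayName, objectClass |
        Select-Object lDAPDisplayName, objectClass
}

# The subset of attributes the Global Catalog replicates is the partial attribute
# set, marked on each attributeSchema object by isMemberOfPartialAttributeSet.
function Get-GcReplicatedAttributes {
    Get-ADObject -SearchBase $SchemaNc -Properties lDAPDisplayName `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' |
        ForEach-Object { $_.lDAPDisplayName } | Sort-Object
}

# Add an attribute (the page's example is department) to the partial attribute
# set so GC searches can use it. Forest-wide change, so supports -WhatIf.
function Add-AttributeToGlobalCatalog {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $SchemaNc -Server $SchemaMaster `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "attribute '$LdapDisplayName' is not in the schema" }
    if ($PSCmdlet.ShouldProcess($LdapDisplayName, 'Replicate to Global Catalog')) {
        Set-ADObject -Identity $attr -Server $SchemaMaster `
            -Replace @{ isMemberOfPartialAttributeSet = $true }
    }
}

Get-SchemaControl
Get-DefunctSchemaObjects
"$(@(Get-GcReplicatedAttributes).Count) attributes replicate to the Global Catalog"
```

`Add-AttributeToGlobalCatalog -LdapDisplayName department -WhatIf` shows the intended write without making it; drop `-WhatIf` only from an account that is temporarily in Schema Admins, and take it out again afterwards, which is the practical form of the text's advice to resist schema changes without a clear business need.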

WINS Servers in Windows 2003 - The Basics

WINS - The Basics of Name Resolution

It goes without saying that you have to implement DNS, but that's another story.  In this section I want to concentrate on WINS for those few occasions where NetBIOS name resolution is vital.  While both WINS and DNS map computer names to IP addresses, there are two important differences: DNS is hierarchical and can support names of up to 254 characters, whereas WINS is a flat database limited to 15 characters.  One of the few advantages that WINS formerly had over DNS was that WINS is dynamic.  Well, starting with Windows 2000, DNS is also dynamic, so the only point of WINS in the 21st century is specifically NetBIOS name resolution.

Keep in mind, especially when troubleshooting, the reason why we need databases such as WINS or DNS. The answer is name resolution.  We humans prefer to remember friendly names like BigServer, whereas computers prefer IP addresses in dot decimal notation for example, 192.168.0.23.

Name resolution started with two files called 'hosts' and LMHosts files.  The hosts file evolved into DNS and WINS took over the name resolution provided by LMHosts.  Every Microsoft machine is born with these files in the folder: %systemroot%\system32\drivers\etc\. Here is a typical entry for LMHosts.

10.54.94.13   bigserver
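The entry above is the whole LMHosts grammar: an address, a NetBIOS name and, optionally, the `#PRE` and `#DOM:` keywords that LMHosts uses after the name. The PowerShell below is an added example, not from the page: it parses entries in that form and flags the things that break name resolution in practice, namely unparsable addresses, names over the 15-character NetBIOS limit the text gives, and the same name listed twice in different case. The sample file content is constructed for the demonstration (the page's own `bigserver` line is kept as its first entry); the default path in `Test-LmhostsFile` is the folder the text names.

```powershell
# Added example (not from the original page): parse LMHosts-style entries and
# check them against the limits the text describes. The sample is constructed.
$SampleLmhosts = @'
# constructed sample, not a real file
10.54.94.13   bigserver
10.54.94.14   fileserver01   #PRE
10.54.94.15   pdc01          #PRE #DOM:corp
10.54.94.13   BIGSERVER
999.1.1.1     badaddress
10.54.94.16   thisnameistoolongfornetbios
'@

function ConvertFrom-LmhostsText {
    param([Parameter(Mandatory)][string]$Text)
    $entries = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        # A line whose first token starts with '#' is a comment. The keywords
        # #PRE and #DOM: also start with '#', but they come after the name.
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $tokens = $line -split '\s+'
        $ip   = $tokens[0]
        $name = if ($tokens.Count -gt 1) { $tokens[1] } else { $null }
        $tags = @($tokens | Select-Object -Skip 2)
        $problems = @()

        $parsed = $null
        $isIPv4 = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -and ($parsed.AddressFamily -eq 'InterNetwork')
        if (-not $isIPv4) { $problems += "invalid IPv4 address '$ip'" }
        if (-not $name) { $problems += 'missing NetBIOS name' }
        elseif ($name.Length -gt 15) { $problems += "name is $($name.Length) characters; NetBIOS allows 15" }

        # NetBIOS names are case-insensitive, so normalise before comparing.
        $upperName = if ($name) { $name.ToUpperInvariant() } else { $null }
        $domainTag = $tags | Where-Object { $_ -like '#DOM:*' } | Select-Object -First 1
        $domain    = if ($domainTag) { $domainTag.Substring(5) } else { $null }

        $entries += [pscustomobject]@{
            Address  = $ip
            Name     = $upperName
            Preload  = ($tags -contains '#PRE')
            Domain   = $domain
            Problems = $problems
        }
    }
    # Two lines for one name leave resolution order-dependent; flag both of them.
    foreach ($g in ($entries | Where-Object Name | Group-Object Name | Where-Object Count -gt 1)) {
        foreach ($e in $g.Group) { $e.Problems += "duplicate name $($g.Name)" }
    }
    $entries
}

# Check the live file. Windows ships only lmhosts.sam (a sample) until an
# administrator creates lmhosts, so a missing file is a normal finding.
function Test-LmhostsFile {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\lmhosts")
    if (-not (Test-Path -Path $Path)) { return "no $Path (only lmhosts.sam ships by default)" }
    ConvertFrom-LmhostsText -Text (Get-Content -Raw -Path $Path) |
        Where-Object { $_.Problems.Count -gt 0 }
}

ConvertFrom-LmhostsText -Text $SampleLmhosts |
    Format-Table Address, Name, Preload, Domain, Problems -AutoSize
```

Against the constructed sample the parser keeps all six entries and attaches problems to four of them: both `BIGSERVER` lines (duplicate), `badaddress` (octet out of range) and the 27-character name. `Test-LmhostsFile` applies the same checks to the real file in `%systemroot%\system32\drivers\etc\`, which is where to look when a NetBIOS name resolves to the wrong host.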