![Page 1: Company Confidential 1 A Course on Global Catalog And Flexible Single Master Operations (Fsmo) Roles Prepared for: *Stars* New Horizons Certified Professional.](https://reader036.fdocuments.in/reader036/viewer/2022062408/56649ee15503460f94bf25a9/html5/thumbnails/1.jpg)
Company Confidential
A Course on Global Catalog And Flexible Single Master Operations (FSMO) Roles
Prepared for: *Stars* New Horizons Certified Professional Course
UNDERSTANDING THE GLOBAL CATALOG
• Central repository for forest-wide data.
• Subset of attributes from objects forest-wide.
• First domain controller in the forest is automatically configured as a global catalog server.
• Other domain controllers can become global catalog servers.
FUNCTIONS OF THE GLOBAL CATALOG
• Facilitate searches for objects in the forest
• Resolve User Principal Names (UPNs)
• Provide universal group membership information
– If the domain is in Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on.
UNIVERSAL GROUP MEMBERSHIP CACHING
• New for Microsoft Windows Server 2003.
• When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server.
• Refreshed on an eight-hour interval.
• Eliminates the need to place a global catalog server in a remote site to facilitate logons.
• Provides better logon performance.
• Can be used to minimize wide area network (WAN) link usage.
LOGON PROCESS AND THE GLOBAL CATALOG
• Universal group membership is used in creation of the access control list (ACL) when the user logs on.
• Global catalog is used to verify universal group membership.
• Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled.
• Built-in Administrator account can log on, regardless of global catalog availability or the universal group membership caching configuration.
ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING
PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS
• There is additional global catalog replication traffic when a global catalog is configured.
• Consider placing a global catalog server in each site or configure universal group membership caching for that site.
• Consider placing a global catalog server in each site where applications need to make global catalog queries.
ENABLING A GLOBAL CATALOG SERVER
UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES
• Flexible Single Master Operations (FSMO) roles
– Assigned automatically to the first domain controller in a domain
– Roles can be transferred to other domain controllers
• Used to reduce conflict and facilitate communication concerning replication between domain controllers
FIVE FSMO ROLES
• Domain naming master
• Relative identifier (RID) master
• Infrastructure master
• Primary Domain Controller (PDC) emulator
• Schema master
DOMAIN-SPECIFIC ROLES
• RID master—Assigns RIDs to other domain controllers
• Infrastructure master—Allows security principals to be tracked between domains
• PDC emulator
– Backward compatibility with Microsoft Windows NT Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me)
– Time synchronization
– User account password change replication
DOMAIN-WIDE OPERATIONS MASTERS
RID MASTER
• Used when security principals are created
– RID makes the individual security principal security identifier (SID) unique within a domain
– Built-in RIDs are consistent between domains, for example, Built-in Administrator has a RID of 500
• RID master gives other domain controllers RIDs to use when new objects are created
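The SID structure the slide describes, as an added example that is not part of the course: a Python decoder for the binary SID format that separates the domain prefix from the RID the RID master's pool supplied, and flags well-known RIDs such as 500 whatever the account has been renamed to. The domain sub-authorities in the sample are constructed.

```python
import struct

# Well-known RIDs that are identical in every domain, as the slide notes for the
# built-in Administrator (RID 500); the others are standard NT values.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def parse_sid(blob: bytes) -> tuple:
    """Decode a binary SID into (revision, identifier authority, sub-authorities)."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = list(struct.unpack(f"<{count}I", blob[8:]))   # 32-bit each, little-endian
    return revision, authority, subs


def sid_to_string(blob: bytes) -> str:
    """Render a binary SID in the familiar S-1-5-21-...-RID form."""
    revision, authority, subs = parse_sid(blob)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_domain_rid(sid: str) -> tuple:
    """Split an account SID into its domain prefix and RID.

    The RID is always the last sub-authority; everything before it identifies the
    domain, so two principals in one domain differ only in the RID handed out of
    the pool the RID master allocated to the creating domain controller.
    """
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def describe_account(blob: bytes) -> dict:
    """Flag well-known RIDs regardless of the account's current display name."""
    sid = sid_to_string(blob)
    domain, rid = split_domain_rid(sid)
    return {"sid": sid, "domain": domain, "rid": rid, "well_known": WELL_KNOWN_RIDS.get(rid)}


# Constructed sample: revision 1, five sub-authorities, NT authority (5), a made-up
# domain S-1-5-21-1000-2000-3000 and RID 500 (built-in Administrator).
SAMPLE_ADMIN_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1000, 2000, 3000, 500)
```

Matching on the RID rather than the name is how a defender recognises the built-in Administrator in event data after the account has been renamed.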
WHAT IF THE RID MASTER ISN’T AVAILABLE?
• Doesn’t affect existing users
• Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted
• Problems moving objects between domains
INFRASTRUCTURE MASTER
• Manages user and group references for objects between domains
• Updates ACLs and group memberships as required
• Queries the global catalog to ensure that references are current
• Role should not be assigned to a global catalog server
– Exception 1: There is only a single domain in the forest
– Exception 2: All domain controllers are also global catalog servers
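The two placement rules on the global catalog planning slide and this infrastructure master slide, as an added example that is not from the course: a Python audit over a constructed forest topology that reports sites lacking both a global catalog server and universal group membership caching, and infrastructure masters that sit on a global catalog server outside the two exceptions. All site, domain and domain controller names are made up, and the "all domain controllers are global catalog servers" exception is evaluated per domain as an assumption.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    ugmc_enabled: bool = False  # universal group membership caching

@dataclass
class DomainController:
    name: str
    domain: str
    site: str
    is_gc: bool = False  # holds the global catalog partial replica

def audit_placement(sites, dcs, infra_masters):
    """Return one finding per violated rule; infra_masters maps domain -> holder name."""
    findings = []
    # Rule 1: a site with domain controllers but neither a global catalog server nor
    # universal group membership caching can deny logons when the WAN link is down.
    for site in sites:
        local = [dc for dc in dcs if dc.site == site.name]
        if local and not site.ugmc_enabled and not any(dc.is_gc for dc in local):
            findings.append(f"site {site.name}: no global catalog server and "
                            "universal group membership caching is disabled")
    # Rule 2: the infrastructure master must not be a global catalog server unless the
    # forest has a single domain or every domain controller in its domain is a global
    # catalog server (the second exception applied per domain, an assumption here).
    by_name = {dc.name: dc for dc in dcs}
    single_domain = len({dc.domain for dc in dcs}) == 1
    for domain, holder in infra_masters.items():
        all_gc = all(dc.is_gc for dc in dcs if dc.domain == domain)
        if by_name[holder].is_gc and not (single_domain or all_gc):
            findings.append(f"domain {domain}: infrastructure master {holder} is a "
                            "global catalog server; cross-domain references will go stale")
    return findings

def sample_forest():
    """Constructed two-domain forest with three sites; all names are made up."""
    sites = [Site("HQ"), Site("Branch", ugmc_enabled=True), Site("Remote")]
    dcs = [DomainController("DC1", "corp", "HQ", is_gc=True),
           DomainController("DC2", "corp", "HQ"),
           DomainController("DC3", "sales", "Branch"),
           DomainController("DC4", "sales", "Remote")]
    infra_masters = {"corp": "DC1", "sales": "DC3"}
    return sites, dcs, infra_masters
```

Running `audit_placement(*sample_forest())` reports the Remote site and the corp infrastructure master; moving that role to DC2, which is not a global catalog server, clears the second finding.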
PDC EMULATOR
• Provides backward compatibility for pre–Windows 2000 client computers
• Acts as the PDC in Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network
• Acts as a central manager for user password changes, replication, and account lockouts
• Handles time synchronization
FOREST-WIDE OPERATIONS MASTERS
• Domain naming master
• Schema master
• These roles are assigned to only one domain controller in the entire forest
• Usually these roles are assigned to domain controllers in the forest root domain
DOMAIN NAMING MASTER
• Allows additions or removals of domains.
• Ensures domain names are unique in the forest.
• Domains cannot be added or removed if the domain naming master is not available.
• Enterprise Admins level access is required in order to add and remove domains.
SCHEMA MASTER
• Controls access to the schema.
• Ensures modifications are replicated to all domain controllers in the forest.
• The schema cannot be modified if the schema master is not available.
• Schema Admins level access is required to modify the schema.
PLACING FSMO SERVERS
• In a multi-domain environment, you’ll likely move some of the FSMO roles.
• Decisions on placing domain controllers involve:
– Number of domains that are a part of the forest
– Physical structure, including sites
– Number of domain controllers in each domain
DEFAULT FSMO ROLE ASSIGNMENTS
ADJUSTING FSMO ROLES IN FOREST ROOT
MANAGING FSMO ROLES
• What happens when a domain controller holding a given FSMO role fails?
• Transferring roles.
• Seizing roles.
WHAT ARE THE IMPLICATIONS OF FAILURE?
• Schema master
• Domain naming master
• PDC emulator
• RID master
• Infrastructure master
MANAGING ROLES
• Active Directory Users And Computers
– RID master
– Infrastructure master
– PDC emulator
• Active Directory Domains And Trusts—domain naming master
• Microsoft Management Console (MMC) Schema snap-in—schema master
• Repadmin
• NTDSUtil—All roles
SUMMARY
• Global catalog function
• Global catalog server placement
• Domain-wide operations masters
• Forest-wide operations masters
• Implications of FSMO failure
• Tools to manage FSMO roles