Compiled by David Brewster Networking Diploma Orange Group S Class Presentation: Operations Master Roles Lesson: Operations Master Roles2 In Active Directory, all domain controllers are equivalent All DCs perform tasks such as: Multimaster replication system Lesson: Operations Master Roles3 Operations Master Roles however, some tasks must be performed individually Are individual roles performed by specific Domain Controllers Also known as: Flexible Single Master Operations (FSMOs) Operations Masters Single Master Roles Lesson: Operations Master Roles4 Five roles in total Domain Roles Forest Roles PDC Emulator Schema Master Domain Naming RID Master Infrastructure Lesson: Operations Master Roles5 Forest-wide Roles Domain Naming Role : Used when requests are made for adding or removing domains in the forest it updates the namespaces. Must be placed on a Global Catalog server Lesson: Operations Master Roles6 Steps for changing/viewing Domain Naming Role : Lesson: Operations Master Roles7 Steps continued Lesson: Operations Master Roles8 Steps continued Lesson: Operations Master Roles9 Schema Master Role The Domain Controller performing this role also holds the forests schema. All other DCs only have a read-only copy of the Schema The Schema is very advanced, and rarely are changes made to it Special steps are required to view this role (demonstration) Lesson: Operations Master Roles10 Domain-wide Roles Steps for changing/viewing all three Domain-wide roles : Lesson: Operations Master Roles11 Steps continued Successful transfer: Failed transfer: Lesson: Operations Master Roles12 Relative Identifier (RID) Role This role is crucial for the creation of Security Identifiers (SIDs) for users, computers and groups RIDs are like stamps for SIDs to make sure that all SIDs are unique The server holding the RID role distributes unique RIDs across the entire domain. Lesson: Operations Master Roles13 Infrastructure Master Role In multi-domain environments, there are often users that are members of groups in other domains Each group has an attribute which contains each users distinguished name. Queries the closest Global Catalog server to make sure references are correct Lesson: Operations Master Roles14 PDC Emulator Role Emulates a Windows NT Primary Domain Controller for backwards compatibility Performs special password updates for the domain Manages Group Policy updates for the domain Provides a time source for the domain Acts as the domain master browser This role performs many important tasks: Lesson: Operations Master Roles15 Good Role Placement Practices Co-locate the Schema and Domain Naming roles Place the Infrastructure master on a DC that is not a GC Keep the RID Master and PDC Emulator roles close By default all roles are performed on the first DC created, which is undesirable for anything other than very small networks. Good practices include: Lesson: Operations Master Roles16 Worse case scenario Seizing Roles When disaster strikes and DCs holding one or more of the five roles go offline and are unable to be recovered, the only option is to seize the role from another domain controller. Seizing a role is a forceful action and should only be done when there is no other choice. Lesson: Operations Master Roles17 The End