![Page 1: A Course on Global Catalog And Flexible Single Master ...mahis.yolasite.com/resources/adm/fsmo.pdf · 1 Company Confidential 1 A Course on Global Catalog And Flexible Single Master](https://reader031.vdocuments.mx/reader031/viewer/2022022510/5ae08dca7f8b9afd1a8e1ed0/html5/thumbnails/1.jpg)
Company Confidential
A Course on Global Catalog And Flexible Single Master Operations (FSMO) Roles
Prepared for: *Stars*
New Horizons Certified Professional Course
UNDERSTANDING THE GLOBAL CATALOG
• Central repository for forest-wide data.
• Subset of attributes from objects forest-wide.
• First domain controller in the forest is automatically configured as a global catalog server.
• Other domain controllers can become global catalog servers.
FUNCTIONS OF THE GLOBAL CATALOG
• Facilitate searches for objects in the forest
• Resolve User Principal Names (UPNs)
• Provide universal group membership information
– If the domain is in Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on.
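The two functions above (UPN resolution and universal group membership lookup) can be seen in one forest-wide query. The following PowerShell is an added example, not part of the course material: it searches the global catalog over the GC:// provider (port 3268), which covers the whole forest but returns only the partial attribute set. It assumes a domain-joined machine that can reach a global catalog server; the UPN is a constructed placeholder, and the filter value is escaped so the input cannot alter the LDAP filter.

```powershell
# Added example, not from the course: resolve a UPN through the global catalog
# and return the groups it is a member of as the GC sees them.
# Assumes a domain-joined host that can reach a GC; no RSAT module needed.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping: backslash first, then the other reserved characters,
    # so a supplied UPN cannot inject extra filter terms.
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    return $Value
}

function Resolve-UpnViaGlobalCatalog {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # RootDSE tells us the forest root; GC:// searches the whole forest from there.
    $rootDse    = [adsi]'LDAP://RootDSE'
    $forestRoot = $rootDse.rootDomainNamingContext.Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"GC://$forestRoot"
    $safeUpn = ConvertTo-LdapFilterValue $UserPrincipalName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$safeUpn))"
    $searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'sAMAccountName', 'memberOf'))

    $result = $searcher.FindOne()
    if (-not $result) { return $null }   # UPN not found anywhere in the forest

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        DistinguishedName = $result.Properties['distinguishedname'][0]
        SamAccountName    = $result.Properties['samaccountname'][0]
        # On a GC, memberOf lists universal groups from every domain, but
        # global and domain local groups only from the GC's own domain.
        MemberOf          = @($result.Properties['memberof'])
    }
}

# Constructed placeholder UPN
Resolve-UpnViaGlobalCatalog -UserPrincipalName 'alice@corp.example' | Format-List
```

Because only universal group membership is replicated to every global catalog, the MemberOf list is complete for universal groups but not for global or domain local groups from other domains; that is exactly why a logon in native mode needs a GC (or the cache described on the next slides) to build a full token.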
UNIVERSAL GROUP MEMBERSHIP CACHING
• New for Microsoft Windows Server 2003.
• When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server.
• Refreshed on an eight-hour interval.
• Eliminates the need to place a global catalog server in a remote site to facilitate logons.
• Provides better logon performance.
• Can be used to minimize wide area network (WAN) link usage.
LOGON PROCESS AND THE GLOBAL CATALOG
• Universal group membership is used in creation of the access control list (ACL) when the user logs on.
• Global catalog is used to verify universal group membership.
• Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled.
• Built-in Administrator account can log on, regardless of global catalog availability or the universal group membership caching configuration.
ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING
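The slide's screenshot shows the Active Directory Sites and Services dialog; the same setting is a single bit on the site's "NTDS Site Settings" object. The following PowerShell is an added example, not from the course: it sets bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) on the options attribute and, optionally, the msDS-Preferred-GC-Site attribute that the dialog labels "Refresh cache from". It assumes the ActiveDirectory RSAT module and Enterprise Admins rights; the site names are constructed placeholders.

```powershell
# Added example, not from the course: enable universal group membership
# caching for one site without the GUI. Assumes the ActiveDirectory module.
function Enable-UniversalGroupCaching {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$PreferredGcSite     # site whose GC refreshes the cache; optional
    )
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $settingsDn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"

    $settings = Get-ADObject -Identity $settingsDn -Properties options
    $options  = [int]($settings.options)   # [int]$null is 0 when the attribute is unset

    # Bit 0x20 = NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED; keep the other bits intact.
    if (($options -band 0x20) -ne 0) {
        Write-Verbose "Universal group membership caching is already enabled in site $SiteName"
    } else {
        Set-ADObject -Identity $settingsDn -Replace @{ options = ($options -bor 0x20) }
    }

    if ($PreferredGcSite) {
        # Without this the DC picks the nearest site containing a GC.
        $gcSiteDn = "CN=$PreferredGcSite,CN=Sites,$configNc"
        Set-ADObject -Identity $settingsDn -Replace @{ 'msDS-Preferred-GC-Site' = $gcSiteDn }
    }

    # Read back so the caller can confirm the bit and the preferred site.
    Get-ADObject -Identity $settingsDn -Properties options, 'msDS-Preferred-GC-Site'
}

# Constructed placeholder site names
Enable-UniversalGroupCaching -SiteName 'BranchOffice' -PreferredGcSite 'HQ' -Verbose
```

Reading the attribute back is the practical check: a site where `options` has the 0x20 bit set will have its DCs serve cached universal group membership at logon, refreshed on the eight-hour interval named on the previous slides, so a GC outage in that site becomes a stale-cache problem rather than a denied logon.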
PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS
• There is additional global catalog replication traffic when a global catalog is configured.
• Consider placing a global catalog server in each site or configure universal group membership caching for that site.
• Consider placing a global catalog server in each site where applications need to make global catalog queries.
ENABLING A GLOBAL CATALOG SERVER
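The screenshot on this slide is the "Global Catalog" checkbox on the NTDS Settings object of a domain controller. The following PowerShell is an added example, not from the course: it sets the same bit (0x1, NTDSDSA_OPT_IS_GC) on that object's options attribute and then checks two things that are easy to confuse, whether the bit is set and whether the server has actually started advertising on the GC port. It assumes the ActiveDirectory RSAT module, Enterprise Admins rights and Test-NetConnection; the DC name is a constructed placeholder.

```powershell
# Added example, not from the course: make a DC a global catalog server by
# setting bit 0x1 on its NTDS Settings object, then verify.
function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DomainController)

    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $options = [int]($ntds.options)

    # Bit 0x1 = NTDSDSA_OPT_IS_GC. Other option bits are preserved.
    if (($options -band 0x1) -eq 0) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($options -bor 0x1) }
    }

    # IsGlobalCatalog reflects the option bit immediately, but the server only
    # advertises as a GC (LDAP port 3268) once the read-only copies of the other
    # domains' partitions have replicated in, which adds the GC replication
    # traffic mentioned on the placement slide. Check both.
    $dc = Get-ADDomainController -Identity $DomainController
    [pscustomobject]@{
        Name          = $dc.HostName
        OptionBitSet  = $dc.IsGlobalCatalog
        AdvertisingGc = (Test-NetConnection -ComputerName $dc.HostName -Port 3268 -InformationLevel Quiet)
    }
}

# Constructed placeholder DC name
Enable-GlobalCatalog -DomainController 'DC02'
```

The classic command-line equivalent is `repadmin /options <dc> +IS_GC` (and `-IS_GC` to remove the role); whichever way the bit is set, a DC whose OptionBitSet is true but AdvertisingGc is false is still replicating in the partial attribute set and cannot yet service the logons described earlier.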
UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES
• Flexible Single Master Operations (FSMO) roles
– Assigned automatically to the first domain controller in a domain
– Roles can be transferred to other domain controllers
• Used to reduce conflict and facilitate communication concerning replication between domain controllers
FIVE FSMO ROLES
• Domain naming master
• Relative identifier (RID) master
• Infrastructure master
• Primary Domain Controller (PDC) emulator
• Schema master
DOMAIN-SPECIFIC ROLES
• RID master—Assigns RIDs to other domain controllers
• Infrastructure master—Allows security principals to be tracked between domains
• PDC emulator
– Backward compatibility with Microsoft Windows NT Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me)
– Time synchronization
– User account password change replication
DOMAIN-WIDE OPERATIONS MASTERS
RID MASTER
• Used when security principals are created
– RID makes the individual security principal security identifier (SID) unique within a domain
– Built-in RIDs are consistent between domains, for example, Built-in Administrator has a RID of 500
• RID master gives other domain controllers RIDs to use when new objects are created
WHAT IF THE RID MASTER ISN’T AVAILABLE?
• Doesn’t affect existing users
• Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted
• Problems moving objects between domains
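Whether a RID master outage will bite depends on how much of each DC's current pool is left, and that is visible in the directory. The following PowerShell is an added example, not from the course: it decodes the 64-bit pool attributes (low DWORD = first RID of the range, high DWORD = last RID) from the domain's RID Manager$ object and from each writable DC's RID Set object. It assumes the ActiveDirectory RSAT module and read access to those objects; the domain defaults to the current one.

```powershell
# Added example, not from the course: show the RID master's unallocated range
# and each writable DC's current pool, to judge the impact of a RID master outage.

function ConvertFrom-RidPool {
    # rIDAvailablePool / rIDAllocationPool pack a range into one Int64:
    # low 32 bits = start of the range, high 32 bits = end of the range.
    param([Parameter(Mandatory)][int64]$Pool)
    [pscustomobject]@{
        Start = [int64]($Pool -band 0xFFFFFFFF)
        End   = [int64]($Pool -shr 32)
    }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName

    # Domain-level view: the range the RID master has not yet handed out.
    $ridManager = Get-ADObject -Identity "CN=RID Manager$,CN=System,$domainDn" `
                               -Properties rIDAvailablePool -Server $Domain
    $available = ConvertFrom-RidPool ([int64]$ridManager.rIDAvailablePool)

    # Per-DC view: RODCs create no security principals and have no RID Set.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $Domain
    $perDc = foreach ($dc in $dcs) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences -Server $Domain
        $ridSet   = Get-ADObject -Identity $computer.rIDSetReferences[0] `
                                 -Properties rIDAllocationPool, rIDNextRID -Server $Domain
        $pool = ConvertFrom-RidPool ([int64]$ridSet.rIDAllocationPool)
        # rIDNextRID is unset until the DC has used its pool; treat that as untouched.
        $next = if ($null -eq $ridSet.rIDNextRID) { $pool.Start - 1 } else { [int64]$ridSet.rIDNextRID }
        [pscustomobject]@{
            DC        = $dc.Name
            PoolStart = $pool.Start
            PoolEnd   = $pool.End
            NextRid   = $next
            Remaining = $pool.End - $next   # approximate RIDs left before a new pool is needed
        }
    }

    [pscustomobject]@{
        NextUnallocatedRid = $available.Start
        MaxRid             = $available.End
        DomainControllers  = $perDc
    }
}

Get-RidPoolStatus | Format-List
```

A DC whose Remaining value is near zero will request a new pool from the RID master the next time it creates a principal; if the RID master is down at that moment, the slide's "problem when creating new objects" is exactly what the administrator sees. `dcdiag /test:ridmanager /v` reports the same pools in text form.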
INFRASTRUCTURE MASTER
• Manages user and group references for objects between domains
• Updates ACLs and group memberships as required
• Queries the global catalog to ensure that references are current
• Role should not be assigned to a global catalog server
– Exception 1: There is only a single domain in the forest
– Exception 2: All domain controllers are also global catalog servers
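The placement rule and its two exceptions are easy to check mechanically across a forest. The following PowerShell is an added example, not from the course: for each domain it finds the infrastructure master, tests whether that DC is a global catalog, and reports a misplacement only when neither exception applies. It assumes the ActiveDirectory RSAT module and a reachable DC in every domain.

```powershell
# Added example, not from the course: flag an infrastructure master that sits
# on a global catalog in a multi-domain forest where not every DC is a GC.
function Test-InfrastructureMasterPlacement {
    $forest      = Get-ADForest
    $domainCount = @($forest.Domains).Count

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # InfrastructureMaster is the holder's FQDN; match it against HostName.
        $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $holderIsGc = [bool]($holder.IsGlobalCatalog)
        $allDcsAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

        # Misplaced = on a GC, and neither exception from the slide holds.
        $misplaced = $holderIsGc -and ($domainCount -gt 1) -and (-not $allDcsAreGc)

        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            HolderIsGC           = $holderIsGc
            SingleDomainForest   = ($domainCount -eq 1)   # exception 1
            AllDCsAreGC          = $allDcsAreGc            # exception 2
            Misplaced            = $misplaced
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

The reason behind the rule is in the bullets above: the infrastructure master updates cross-domain references by comparing its own copy with the global catalog, and a GC already holds a current copy of every object, so a GC-hosted infrastructure master never sees a difference and never pushes the updates. When every DC is a GC, or there is only one domain, there are no stale cross-domain references to fix, which is why those two cases are exempt.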
PDC EMULATOR
• Provides backward compatibility for pre–Windows 2000 client computers
• Acts as the PDC in Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network
• Acts as a central manager for user password changes, replication, and account lockouts
• Handles time synchronization
FOREST-WIDE OPERATIONS MASTERS
• Domain naming master
• Schema master
• These roles are assigned to only one domain controller in the entire forest
• Usually these roles are assigned to domain controllers in the forest root domain
DOMAIN NAMING MASTER
• Allows additions or removals of domains.
• Ensures domain names are unique in the forest.
• Domains cannot be added or removed if the domain naming master is not available.
• Enterprise Admins level access is required in order to add and remove domains.
SCHEMA MASTER
• Controls access to the schema.
• Ensures modifications are replicated to all domain controllers in the forest.
• The schema cannot be modified if the schema master is not available.
• Schema Admins level access is required to modify the schema.
PLACING FSMO SERVERS
• In a multi-domain environment, you’ll likely move some of the FSMO roles.
• Decisions on placing domain controllers involve:
– Number of domains that are a part of the forest
– Physical structure, including sites
– Number of domain controllers in each domain
DEFAULT FSMO ROLE ASSIGNMENTS
ADJUSTING FSMO ROLES IN FOREST ROOT
MANAGING FSMO ROLES
• What happens when a domain controller holding a given FSMO role fails?
• Transferring roles.
• Seizing roles.
WHAT ARE THE IMPLICATIONS OF FAILURE?
• Schema master
• Domain naming master
• PDC emulator
• RID master
• Infrastructure master
MANAGING ROLES
• Active Directory Users And Computers
– RID master
– Infrastructure master
– PDC emulator
• Active Directory Domains And Trusts—domain naming master
• Microsoft Management Console (MMC) Schema snap-in—schema master
• Repadmin
• NTDSUtil—All roles
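The three preceding slides (failure of a role holder, transferring, seizing, and the tools for each) come together in one scripted workflow. The following PowerShell is an added example, not from the course: it lists all five role holders, checks whether each still answers on LDAP, and wraps the ActiveDirectory module's transfer cmdlet so that a graceful transfer and a seizure are the same call with one switch. It assumes the ActiveDirectory RSAT module, Test-NetConnection, and appropriate rights (Schema Admins / Enterprise Admins for the forest-wide roles, Domain Admins for the domain-wide ones); DC names are constructed placeholders.

```powershell
# Added example, not from the course: inventory FSMO holders, test reachability,
# and transfer or seize roles with the ActiveDirectory module.

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles are read from the forest object, domain-wide from the domain.
    $holders = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    foreach ($role in $holders.Keys) {
        [pscustomobject]@{
            Role      = $role
            Holder    = $holders[$role]
            # A holder that no longer answers on LDAP is the failure case the slides describe.
            Reachable = Test-NetConnection -ComputerName $holders[$role] -Port 389 -InformationLevel Quiet
        }
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string[]]$Roles,   # PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
        [switch]$Seize                             # only when the current holder is permanently gone
    )
    # Without -Force this is a transfer: the current holder must be online and
    # hands the role over. With -Force it is a seizure: the directory is updated
    # without the old holder's agreement.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
}

Get-FsmoRoleHolders | Format-Table -AutoSize
# Planned move of the domain-wide roles (constructed placeholder DC name):
# Move-FsmoRoles -TargetDC 'DC02' -Roles PDCEmulator, RIDMaster, InfrastructureMaster
# Seizure after a permanent loss of the holder:
# Move-FsmoRoles -TargetDC 'DC02' -Roles SchemaMaster, DomainNamingMaster -Seize
```

Reachable=false on a role whose failure matters immediately (PDC emulator for password changes and lockouts, RID master for a DC with a depleted pool) is the trigger for the "seizing roles" bullet; reachable=false on the schema or domain naming master can usually wait for the holder to return. The same operations are available from NTDSUtil's `roles` context (`transfer <role>` and `seize <role>` after `connections` / `connect to server <dc>`), which is why the slide lists it for all roles. After seizing the schema master, domain naming master or RID master, the old holder must not be brought back onto the network, or two DCs will believe they own the role.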
SUMMARY
• Global catalog function
• Global catalog server placement
• Domain-wide operations masters
• Forest-wide operations masters
• Implications of FSMO failure
• Tools to manage FSMO roles