Global Catalog and Flexible Single Master Operations (FSMO) Roles
BAI516

Global Catalog
• Critical component of Active Directory.
• Acts as a central repository by holding:
  – A complete copy of all objects from the host server’s local domain.
  – A partial copy of all objects from other domains within the same forest.
• Used for logon, object searches, and universal group memberships.

Global Catalog
• Global catalog placement considerations include:
  – The speed and reliability of the WAN link.
  – The amount of traffic that will be generated by replication.
  – The size of the global catalog database.
• Global catalogs are identified with DNS through the SRV records (global catalog, or _gc, service).

Global Catalog
• By default, the first domain controller installed in the forest root domain is designated as a global catalog server.
• Any or all domain controllers in a domain can be designated as global catalog servers.

Configuring an Additional Global Catalog Server
• Use Active Directory Sites and Services from the Administrative Tools folder.

Enabling Universal Group Membership Caching
• Use Active Directory Sites and Services.

Flexible Single Master Operations (FSMO) Roles
• To keep a tight control on certain sensitive or special operations, Active Directory uses Flexible Single Master Operations (FSMO) roles.
  – Relative Identifier Master.
  – Infrastructure Master.
  – Primary Domain Controller (PDC) Emulator.
  – Domain Naming Master.
  – Schema Master.

Relative Identifier (RID) Master
• Domain specific (one per domain).
• Responsible for assigning relative identifiers to domain controllers in the domain.
• Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created.

Infrastructure Master
• Domain specific (one per domain).
• Responsible for reference updates from its domain objects to other domains.
  – Assists in tracking which domains own which objects.

Primary Domain Controller (PDC) Emulator
• Domain specific (one per domain).
• Provides backward compatibility with Microsoft Windows NT 4.0 domains and other down-level clients.
• Manages account lockouts.
• Manages time synchronization for the domain.
• Manages password changes.
  – When a password is changed, it provides immediate replication to other domain controllers in the domain.
• Manages edits to Group Policy Objects (GPOs).

Domain Naming Master
• Forest specific (one per forest).
• Has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest.
  – When any of these is created, the Domain Naming Master ensures that the name assigned is unique to the forest.

Schema Master
• Forest specific (one per forest).
• Responsible for managing changes to the Active Directory schema.

Flexible Single Master Operations (FSMO) Roles
• When you install the first domain controller in a new forest, that domain controller holds both of the forest-wide FSMOs as well as the three domain-wide FSMOs for the forest root domain.

Managing FSMO Roles
• Role transfer - Used to move a FSMO role gracefully from one domain controller to another.
• Role seizure - Used only when a domain controller that holds a FSMO role has failed and you must force an ungraceful transfer.

Viewing or Transferring Domain-Wide FSMO Role Holders
• Open the Active Directory Users and Computers MMC snap-in.
• Right-click the Active Directory Users and Computers node, click All Tasks, and select Operations Masters.

Viewing or Transferring the Domain Naming Master FSMO Role Holder
• In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and select Change Operations Master.

Viewing or Transferring the Schema Master FSMO Role Holder
• Open the Active Directory Schema snap-in.
• Right-click Active Directory Schema from the console tree and select Change Operations Master.
• Remember that before you can access the Active Directory Schema snap-in, you need to register the schmmgmt.dll DLL file using the following syntax:
    regsvr32 schmmgmt.dll

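The three snap-ins above each show one part of the picture. As an added example (not part of the original slides), the PowerShell below collects all five role holders in one pass and compares them with a recorded baseline, so an unplanned transfer or seizure shows up as drift. It assumes the ActiveDirectory (RSAT) module for the live query; every host name is a constructed placeholder, and `Get-FsmoHolders` and `Compare-FsmoBaseline` are hypothetical helper names.

```powershell
# Added example: audit FSMO role holders against a recorded baseline.
# Host names are constructed placeholders, not values from the slides.

function Get-FsmoHolders {
    # Live query; assumes the ActiveDirectory (RSAT) module and a domain-joined host.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
    }
}

function Compare-FsmoBaseline {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Current
    )
    foreach ($role in $Baseline.Keys) {
        # A missing role in $Current yields $null and is reported as drift.
        [pscustomobject]@{
            Role     = $role
            Expected = $Baseline[$role]
            Actual   = $Current[$role]
            Drift    = -not ($Baseline[$role] -ieq $Current[$role])
        }
    }
}

# Constructed baseline: the first DC in the forest holds all five roles.
$baseline = [ordered]@{}
foreach ($r in 'SchemaMaster','DomainNamingMaster','RIDMaster','InfrastructureMaster','PDCEmulator') {
    $baseline[$r] = 'dc01.corp.example'
}

# Constructed sample of the current state so the comparison runs offline;
# on a domain-joined host replace this block with: $current = Get-FsmoHolders
$current = [ordered]@{}
foreach ($r in $baseline.Keys) { $current[$r] = $baseline[$r] }
$current['RIDMaster'] = 'dc03.corp.example'   # constructed: role no longer on dc01

Compare-FsmoBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With the constructed sample, only the RIDMaster row reports drift; any such row should map to a documented transfer or seizure.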
Seizing a FSMO Role
• Use the ntdsutil command to access the fsmo maintenance prompt and use the seize command.

Summary
• The global catalog server acts as a central repository for Active Directory by holding a complete copy of all objects within its local domain and a partial copy of all objects from other domains within the same forest.
• The global catalog has three main functions: the facilitation of searches for objects in the forest, resolution of UPN names, and provision of universal group membership information.

Summary
• A global catalog should be placed in each site when possible. As an alternate solution when a site is across an unreliable WAN link, universal group membership caching can be enabled for the site to facilitate logon requests.

Summary
• The Schema Master and Domain Naming Master roles are forest-wide.
  – Every forest must have one and only one of each of these roles.
• The RID Master, PDC Emulator, and Infrastructure Master roles are domain-wide.
  – Every domain must have only one of each of these roles.

Summary
• The default placement of FSMO roles is sufficient for a single-site environment.
  – However, as your network expands, these roles should be divided to increase performance and reliability.

Summary
• FSMO roles can be managed in two ways:
  – Role transfer - Transfer a FSMO role to other domain controllers in the domain or forest to balance the load among domain controllers or to accommodate domain controller maintenance and hardware upgrades.
  – Role seizure - Seize a FSMO role assignment when a server holding the role fails and you do not intend to restore it.
    • Seizing a FSMO role is a drastic step that should be considered only if the current FSMO role holder will never be available again.

Summary
• Use repadmin to check the status of the update sequence numbers (USNs) when seizing the FSMO role from the current role holder.
• Use ntdsutil to actually perform a seizure of the FSMO role.

Questions?

Hands-On
• Lab 7