GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES - PowerPoint PPT Presentation

Presentation Transcript

  1. Chapter 4 GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

  2. UNDERSTANDING THE GLOBAL CATALOG
     • Central repository for forest-wide data.
     • Subset of attributes from objects forest-wide.
     • First domain controller in the forest is automatically configured as a global catalog server.
     • Other domain controllers can become global catalog servers.

  3. FUNCTIONS OF THE GLOBAL CATALOG
     • Facilitate searches for objects in the forest
     • Resolve User Principal Names (UPNs)
     • Provide universal group membership information
     • If the domain is at the Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on.

  4. UNIVERSAL GROUP MEMBERSHIP CACHING
     • New for Microsoft Windows Server 2003.
     • When enabled, non-global catalog domain controllers can process logons without contacting a global catalog server.
     • Refreshed on an eight-hour interval.
     • Eliminates the need to place a global catalog server in a remote site to facilitate logons.
     • Provides better logon performance.
     • Can be used to minimize wide area network (WAN) link usage.

  5. LOGON PROCESS AND THE GLOBAL CATALOG
     • Universal group membership is used in creation of the access control list (ACL) when the user logs on.
     • Global catalog is used to verify universal group membership.
     • Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled.
     • Built-in Administrator account can log on, regardless of global catalog availability or the universal group membership caching configuration.

  6. ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

  7. PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS
     • There is additional global catalog replication traffic when a global catalog is configured.
     • Additional hard disk space is required.
     • Consider placing a global catalog server in each site or configure universal group membership caching for that site.
     • Consider placing a global catalog server in each site where applications need to make global catalog queries.

  8. ENABLING A GLOBAL CATALOG SERVER
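Slides 4 through 8 describe the choice each site faces (a local global catalog server, universal group membership caching, or neither) and the two settings that implement it. The following PowerShell is an added example, not part of the original slides: it reports per-site coverage so that sites with domain controllers but no GC and no caching stand out, and wraps the two changes the screenshot slides perform. It assumes the RSAT ActiveDirectory module; the constant names `$OPT_IS_GC` and `$OPT_UGMC_ENABLED` are this script's own names for the documented bit values of the `options` attribute, and the host and site names in the usage lines are placeholders.

```powershell
# Added example, not part of the original slides. Assumes the RSAT
# ActiveDirectory module and read access to the Configuration partition;
# the two Enable-* functions need Enterprise Admins rights.
Import-Module ActiveDirectory

# Bit values of the 'options' attribute (the variable names are this script's own):
$OPT_IS_GC        = 0x01   # on "CN=NTDS Settings" of a DC: the DC is a global catalog
$OPT_UGMC_ENABLED = 0x20   # on "CN=NTDS Site Settings" of a site: caching is enabled

function Get-SiteCatalogCoverage {
    # One row per site: DC count, GC count, caching state, and a LogonRisk flag
    # for sites that host DCs but have neither a local GC nor caching (slide 5:
    # logons that need universal group membership fail if the WAN link to a GC is down).
    $dcs = Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                 -Properties options, 'msDS-Preferred-GC-Site'
        $ugmc    = (([int]$settings.options) -band $OPT_UGMC_ENABLED) -ne 0
        $siteDCs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcCount = @($siteDCs | Where-Object { $_.IsGlobalCatalog }).Count
        [pscustomobject]@{
            Site            = $site.Name
            DCs             = $siteDCs.Count
            GCs             = $gcCount
            UGMCEnabled     = $ugmc
            PreferredGCSite = $settings.'msDS-Preferred-GC-Site'
            LogonRisk       = ($siteDCs.Count -gt 0 -and $gcCount -eq 0 -and -not $ugmc)
        }
    }
}

function Enable-GlobalCatalogServer {
    # Same effect as ticking "Global Catalog" on the NTDS Settings object (slide 8).
    param([Parameter(Mandatory)][string]$DomainController)
    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $new  = ([int]$ntds.options) -bor $OPT_IS_GC
    Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $new }
}

function Enable-UniversalGroupCaching {
    # Same effect as "Enable Universal Group Membership Caching" on the site (slide 6).
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$RefreshFromSite   # optional: site whose GC the cache is refreshed from
    )
    $site     = Get-ADReplicationSite -Identity $SiteName
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
    $replace  = @{ options = (([int]$settings.options) -bor $OPT_UGMC_ENABLED) }
    if ($RefreshFromSite) {
        $replace['msDS-Preferred-GC-Site'] = (Get-ADReplicationSite -Identity $RefreshFromSite).DistinguishedName
    }
    Set-ADObject -Identity $settings.DistinguishedName -Replace $replace
}

# Usage: report first, then close each risky site one way or the other.
Get-SiteCatalogCoverage | Format-Table -AutoSize
# Enable-GlobalCatalogServer -DomainController 'BRANCH-DC1'        # placeholder name
# Enable-UniversalGroupCaching -SiteName 'Branch' -RefreshFromSite 'HQ'   # placeholder names
```

Run the report before changing anything: a row with `LogonRisk` true is a site whose users depend on a WAN link to authenticate, which is the condition slide 5 warns about. Promoting a DC to a GC brings the extra replication traffic and disk usage from slide 7, so caching is the lighter fix for small sites with no GC-dependent applications.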

  9. UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES
     • Flexible Single Master Operations (FSMO) roles
     • Assigned automatically to the first domain controller in a domain
     • Roles can be transferred to other domain controllers
     • Used to reduce conflict and facilitate communication concerning replication between domain controllers

  10. FIVE FSMO ROLES
     • Domain naming master
     • Relative identifier (RID) master
     • Infrastructure master
     • Primary Domain Controller (PDC) emulator
     • Schema master

  11. DOMAIN-SPECIFIC ROLES
     • RID master—Assigns RIDs to other domain controllers
     • Infrastructure master—Allows security principals to be tracked between domains
     • PDC emulator
        • Backward compatibility with Microsoft Windows NT Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me)
        • Time synchronization
        • User account password change replication

  12. DOMAIN-WIDE OPERATIONS MASTERS

  13. RID MASTER
     • Used when security principals are created
     • RID makes the individual security principal security identifier (SID) unique within a domain
     • Built-in RIDs are consistent between domains, for example, Built-in Administrator has a RID of 500
     • RID master gives other domain controllers RIDs to use when new objects are created

  14. WHAT IF THE RID MASTER ISN’T AVAILABLE?
     • Doesn’t affect existing users
     • Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted
     • Problems moving objects between domains
        • Movetree.exe must be run on the RID master of the source domain.
        • RID master of the target domain must also be available.
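Slide 13 explains that a SID is the domain SID with a RID appended and that RID 500 is always the built-in Administrator; slide 14 adds that a domain controller keeps working without the RID master only until its local RID pool is used up. The following PowerShell is an added example, not part of the original slides. It decodes the RID from a SID and reads the two pool attributes that tell you how close a domain and one DC are to that failure point. It assumes the RSAT ActiveDirectory module; the sample SID is constructed, and the DC name in the usage line is a placeholder.

```powershell
# Added example, not from the original slides. Decodes the RID out of a SID
# (slide 13) and measures how much RID space is left at the domain level and on
# one DC (slide 14). Assumes the ActiveDirectory module; the sample SID below
# is constructed for illustration.
Import-Module ActiveDirectory

function Get-SidParts {
    # A SID is the domain SID plus a trailing RID; RID 500 is always the
    # built-in Administrator, whatever the domain SID is.
    param([Parameter(Mandatory)][string]$Sid)
    $parsed = [System.Security.Principal.SecurityIdentifier]$Sid
    $rid    = [int]($Sid.Split('-')[-1])
    [pscustomobject]@{
        Sid            = $Sid
        DomainSid      = $parsed.AccountDomainSid.Value
        Rid            = $rid
        IsBuiltinAdmin = ($rid -eq 500)
    }
}

function Get-DomainRidPoolStatus {
    # rIDAvailablePool on "CN=RID Manager$": high 32 bits = highest RID the domain
    # may ever issue, low 32 bits = start of the next block the RID master hands out.
    $domain  = Get-ADDomain
    $manager = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                            -Properties rIDAvailablePool
    $pool    = [int64]$manager.rIDAvailablePool
    $maxRid  = $pool -shr 32
    $nextRid = $pool -band [int64][uint32]::MaxValue
    [pscustomobject]@{
        RidMaster      = $domain.RIDMaster
        NextRidToIssue = $nextRid
        MaxRid         = $maxRid
        RidsRemaining  = $maxRid - $nextRid
    }
}

function Get-DcRidAllocation {
    # Each DC holds a local block (rIDAllocationPool: low 32 bits = start,
    # high 32 bits = end) and rIDNextRID marks where it is inside that block.
    # When Remaining reaches zero and the RID master is unreachable, creating
    # users, groups or computers on that DC fails (slide 14).
    param([Parameter(Mandatory)][string]$DomainController)
    $dc       = Get-ADDomainController -Identity $DomainController
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $ridSet   = Get-ADObject -Identity (@($computer.rIDSetReferences)[0]) `
                             -Properties rIDAllocationPool, rIDNextRID
    $alloc    = [int64]$ridSet.rIDAllocationPool
    $start    = $alloc -band [int64][uint32]::MaxValue
    $end      = $alloc -shr 32
    $next     = [int64]$ridSet.rIDNextRID
    [pscustomobject]@{
        DomainController = $dc.HostName
        PoolStart        = $start
        PoolEnd          = $end
        NextRid          = $next
        Remaining        = $end - $next
    }
}

# Usage: the SID decode runs offline; the pool queries need a live domain.
Get-SidParts 'S-1-5-21-1111111111-2222222222-3333333333-500'   # constructed sample SID
# Get-DomainRidPoolStatus
# Get-DcRidAllocation -DomainController 'DC1'   # placeholder name
```

The constructed SID decodes to the domain SID `S-1-5-21-1111111111-2222222222-3333333333` with RID 500, which is what slide 13 means by built-in RIDs being consistent between domains. Checking `Remaining` on each DC while the RID master is down tells you how much provisioning headroom you have before the outage starts to hurt.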

  15. INFRASTRUCTURE MASTER
     • Manages user and group references for objects between domains
     • Updates ACLs and group memberships as required
     • Queries the global catalog to ensure that references are current
     • Role should not be assigned to a global catalog server
        • Exception 1: There is only a single domain in the forest
        • Exception 2: All domain controllers are also global catalog servers

  16. PDC EMULATOR
     • Provides backward compatibility for pre–Windows 2000 client computers
     • Acts as the PDC in Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network
     • Acts as a central manager for user password changes, replication, and account lockouts
     • Handles time synchronization

  17. FOREST-WIDE OPERATIONS MASTERS
     • Domain naming master
     • Schema master
     • These roles are assigned to only one domain controller in the entire forest
     • Usually these roles are assigned to domain controllers in the forest root domain

  18. DOMAIN NAMING MASTER
     • Allows additions or removals of domains.
     • Ensures domain names are unique in the forest.
     • Domains cannot be added or removed if the domain naming master is not available.
     • Enterprise Admins level access is required in order to add and remove domains.

  19. SCHEMA MASTER
     • Controls access to the schema.
     • Ensures modifications are replicated to all domain controllers in the forest.
     • The schema cannot be modified if the schema master is not available.
     • Schema Admins level access is required to modify the schema.

  20. PLACING FSMO SERVERS
     • In a multi-domain environment, you’ll likely move some of the FSMO roles.
     • Decisions on placing domain controllers involve:
        • Number of domains that are a part of the forest
        • Physical structure, including sites
        • Number of domain controllers in each domain

  21. DEFAULT FSMO ROLE ASSIGNMENTS

  22. ADJUSTING FSMO ROLES IN FOREST ROOT

  23. MANAGING FSMO ROLES
     • What happens when a domain controller holding a given FSMO role fails?
     • Transferring roles.
     • Seizing roles.

  24. WHAT ARE THE IMPLICATIONS OF FAILURE?
     • Schema master
     • Domain naming master
     • PDC emulator
     • RID master
     • Infrastructure master

  25. MANAGING ROLES
     • Active Directory Users And Computers
        • RID master
        • Infrastructure master
        • PDC emulator
     • Active Directory Domains And Trusts—domain naming master
     • Microsoft Management Console (MMC) Schema snap-in—schema master
     • Repadmin
     • NTDSUtil—All roles
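Slides 23 through 25 cover finding out who holds each role, deciding between a transfer and a seizure when a holder fails, and the tools that do it; slide 15 gives the placement rule for the infrastructure master. The following PowerShell is an added example, not part of the original slides, and uses the ActiveDirectory module cmdlets rather than the MMC snap-ins or NTDSUtil the slides list. It inventories all five role holders across the forest with a reachability check, tests the infrastructure-master rule including both exceptions, and shows the one cmdlet behind both transfer and seize. It assumes the RSAT ActiveDirectory module; the DC name in the usage lines is a placeholder.

```powershell
# Added example, not part of the original slides. Inventories the five role
# holders, checks each is reachable, applies the infrastructure-master rule from
# slide 15, and shows the transfer/seize cmdlet behind slide 23. Assumes the
# ActiveDirectory module; the DC names in the usage lines are placeholders.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
    # (slides 12 and 17). Reachable = $false is the trigger for the
    # transfer-versus-seize decision on slide 23.
    $forest = Get-ADForest
    $rows = @(
        [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $rows += [pscustomobject]@{ Scope = $name; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $rows += [pscustomobject]@{ Scope = $name; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $rows += [pscustomobject]@{ Scope = $name; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName Reachable `
                        -NotePropertyValue (Test-Connection -ComputerName $r.Holder -Count 1 -Quiet) `
                        -PassThru
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule from slide 15: the infrastructure master should not be a GC, unless
    # the forest has a single domain (exception 1) or every DC in the domain is
    # a GC (exception 2). A GC never holds stale cross-domain references, so on
    # a GC the role silently stops updating them in a multi-domain forest.
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        $d      = Get-ADDomain -Identity $name
        $holder = Get-ADDomainController -Identity $d.InfrastructureMaster
        $dcs    = @(Get-ADDomainController -Filter * -Server $name)
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $exempt = ($forest.Domains.Count -eq 1) -or $allGc
        [pscustomobject]@{
            Domain               = $name
            InfrastructureMaster = $holder.HostName
            HolderIsGC           = $holder.IsGlobalCatalog
            AllDCsAreGC          = $allGc
            Ok                   = (-not $holder.IsGlobalCatalog) -or $exempt
        }
    }
}

Get-FsmoInventory | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize

# Transfer (current holder online, roles handed over cleanly) versus seize
# (holder permanently gone; -Force skips contacting it). A seized holder must
# never be brought back onto the network without being demoted first.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster, DomainNamingMaster
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force
```

Transferring forest-wide roles requires Enterprise Admins (slide 18) and, for the schema master, Schema Admins (slide 19); domain-wide roles require Domain Admins in that domain. The same cmdlet covers every role the slides split across three MMC snap-ins and NTDSUtil, which makes it the natural thing to script into a scheduled health check.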

  26. SUMMARY
     • Global catalog function
     • Global catalog server placement
     • Domain-wide operations masters
     • Forest-wide operations masters
     • Implications of FSMO failure
     • Tools to manage FSMO roles