70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 8: Active Directory Operations Masters


Objectives

  • Describe the forest-wide operations master roles and where they should be placed

  • Describe the domain-wide operations master roles and where they should be placed

  • Describe the process of transferring and seizing roles from operations masters

Guide to MCSE 70-294, Enhanced


Forest-wide Roles

  • Certain operations can be performed only by a single domain controller in the entire forest

  • Forest-wide FSMO (Flexible Single Master Operations) roles:

    • Schema master

    • Domain naming master

  • Can be located on different domain controllers

  • Most often located on the same domain controller

    • Easier management

Schema Master

  • The only domain controller allowed to modify the Active Directory schema

  • Holds the only writable copy of the schema naming context for the entire forest

  • Changes replicated to all other domain controllers

    • Using standard, non-urgent replication

    • Schema changes are effectively permanent (classes and attributes can be deactivated but not deleted), so extensions should be tested in a lab forest first

Schema Master - Placement

  • Assigned to first domain controller in forest

  • Additional load is negligible

    • Often left on first domain controller in forest without any issues

    • May be necessary to move

      • If server frequently unavailable

Schema Master - Impact if Unavailable

  • Users do not notice impact

  • Network administrators most likely do not notice loss

    • Unless they are attempting to modify schema

Activity 8-1: Identifying the Schema Master of a Forest

  • Objective: Learn how to use the Active Directory Schema snap-in to identify the schema master of a forest

    • The snap-in is not listed in MMC until it has been registered with regsvr32 schmmgmt.dll

  • Follow instructions to identify the schema master (right-click Active Directory Schema and choose Operations Master)

Identifying the Schema Master of the Forest

Domain Naming Master

  • Every domain in the forest must have a unique name

  • Required when adding a domain to the forest

    • Ensures the new name is unique

  • Required when removing a domain from the forest

Domain Naming Master - Placement

  • Assigned to first domain controller in forest

  • Additional load negligible

  • Forest functional level of Windows 2000:

    • Must be placed on a global catalog server (it uses the global catalog to verify that a domain name is unique)

  • Forest functional level Windows Server 2003:

    • Not necessary to place on global catalog server

Domain Naming Master - Impact if Unavailable

  • Users do not notice any impact

  • Network administrators most likely do not notice loss

    • Unless they are attempting to add or remove domain from forest

Domain-wide Roles

  • Some operations can only be performed by single domain controller in domain

  • Domain-wide FSMO roles:

    • PDC emulator

    • RID master

    • Infrastructure master

Domain-wide Roles – Placement Options

  • All three reside on one domain controller

  • All three reside on different domain controllers

  • Any combination of:

    • Two of the roles are on one domain controller

    • Third role on its own domain controller

  • Domain controller may even hold domain-wide roles and forest-wide roles

PDC Emulator

  • Acts as the Windows NT 4.0 PDC for the domain

    • Replicates password and account changes to any remaining Windows NT 4.0 BDCs in the domain

  • Handles password changes and similar operations for down-level clients that lack the Active Directory client software:

    • Windows NT 4.0 Workstation

    • Windows 98

PDC Emulator (continued)

  • Authoritative time source for the domain

    • The forest root domain's PDC emulator is the top of the time hierarchy and should synchronize from an external source

  • Password changes are replicated urgently to the PDC emulator

    • Other domain controllers retry a failed password validation against the PDC emulator before rejecting the logon, so a password changed seconds ago still works everywhere

  • Account lockouts are processed on the PDC emulator

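The time-source responsibility is the one most often left in its default, broken state (the PDC emulator tracking its own CMOS clock). The following PowerShell is an added example, not code from the textbook; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) on the management host, and `w32tm /query` and `/monitor` need Windows Vista/2008 or later (`/config` and `/resync` exist on Windows Server 2003 as well). `time.example.org` is a placeholder NTP server.

```powershell
# Added example (not from the textbook). Assumes the ActiveDirectory module.
# time.example.org is a placeholder; substitute a real NTP source.
Import-Module ActiveDirectory

function Get-PdcTimeSource {
    # Report where the PDC emulator of a domain gets its time from. In a forest
    # the root domain's PDC emulator is the top of the hierarchy and must sync
    # from an external/hardware source; child-domain PDC emulators sync from a
    # DC in the parent domain automatically.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $pdc    = (Get-ADDomain -Identity $Domain).PDCEmulator
    $source = (w32tm /query /computer:$pdc /source | Out-String).Trim()

    # "Local CMOS Clock" or "Free-running System Clock" means the whole domain
    # is tracking an unsynchronised hardware clock; Kerberos fails once the skew
    # between two hosts exceeds the default 5-minute tolerance.
    $isReliable = $source -notmatch 'Local CMOS Clock|Free-running System Clock'

    [pscustomobject]@{
        Domain      = $Domain
        PDCEmulator = $pdc
        TimeSource  = $source
        IsReliable  = $isReliable
    }
}

function Set-PdcExternalTimeSource {
    # Point the PDC emulator at external NTP servers and mark it reliable so the
    # other DCs accept it as their source. The ",0x8" flag selects client mode.
    param(
        [Parameter(Mandatory)][string]$PdcEmulator,
        [string[]]$NtpServer = @('time.example.org')
    )
    $peers = ($NtpServer | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /computer:$PdcEmulator /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /computer:$PdcEmulator /nowait
}

function Show-DomainClockSkew {
    # Offset of every DC in the domain relative to the PDC emulator.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    w32tm /monitor /domain:$Domain
}

# Usage:
$check = Get-PdcTimeSource
$check | Format-List
if (-not $check.IsReliable) {
    Set-PdcExternalTimeSource -PdcEmulator $check.PDCEmulator
}
Show-DomainClockSkew
```

Run `Show-DomainClockSkew` again after the PDC emulator has been transferred: the other domain controllers rediscover the new holder on their own, but a stale manual configuration on the old holder will keep advertising it as reliable.
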
PDC Emulator - Placement

  • Assigned to first domain controller in every new domain

  • Should be highly available

  • In a large domain, give the PDC emulator additional processing power

    • Or do not also make it a global catalog server

  • Centrally located on network

PDC Emulator - Impact if Unavailable

  • Users may notice impact

    • Validation of recently changed passwords may intermittently fail: a domain controller that has not yet received the new password cannot forward the attempt to the PDC emulator

    • Account lockouts are no longer processed consistently

    • Replication of updates to Windows NT 4.0 BDCs will not occur

    • Domain controllers lose their time source

RID Master

  • Every security principal has its own unique security identifier (SID)

    • Made up of

      • SID of the domain

      • Relative identifier (RID)

  • RID is unique for every security principal in the domain

  • RID master

    • Allocates blocks of RIDs to domain controllers

    • Each domain controller draws from its own block when it creates a user, group or computer, so no two domain controllers can issue the same SID

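The SID structure described above is what makes RID allocation a security boundary: the RID, not the account name, identifies a principal. The following PowerShell is an added example, not code from the textbook; it uses only .NET, so it runs on any Windows host without a domain, and the SIDs in it are constructed for illustration (the domain SIDs are not real).

```powershell
# Added example (not from the textbook). Runs offline with .NET only; all SIDs
# below are constructed sample data.
function Split-Sid {
    # Break an account SID into the domain SID and the relative identifier (RID)
    # that the RID master allocated, in a block, to the DC that created it.
    param([Parameter(Mandatory)][string]$Sid)

    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is $null for SIDs that are not domain account SIDs,
    # e.g. BUILTIN\Administrators S-1-5-32-544 or NT AUTHORITY\SYSTEM S-1-5-18.
    $domainSid = $s.AccountDomainSid
    $rid       = [uint32](($Sid -split '-')[-1])
    # RIDs below 1000 are reserved for well-known principals and are never
    # handed out from the RID pool; pool allocations start at 1000.
    $wellKnown = [bool]($domainSid -and $rid -lt 1000)

    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = $(if ($domainSid) { $domainSid.Value } else { $null })
        Rid       = $(if ($domainSid) { $rid } else { $null })
        WellKnown = $wellKnown
    }
}

# Well-known RIDs an auditor looks for regardless of the account's current name.
$WellKnownRid = @{
    500 = 'Administrator'
    501 = 'Guest'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    513 = 'Domain Users'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

function Find-WellKnownPrincipal {
    # Given (Name, Sid) pairs such as Get-ADUser / Get-ADGroup return, flag the
    # ones whose RID is well-known, even if the account has been renamed.
    param([Parameter(Mandatory)][hashtable[]]$Principal)
    foreach ($p in $Principal) {
        $parts = Split-Sid -Sid $p.Sid
        if ($parts.WellKnown -and $WellKnownRid.ContainsKey([int]$parts.Rid)) {
            $expected = $WellKnownRid[[int]$parts.Rid]
            [pscustomobject]@{
                Name     = $p.Name
                Rid      = $parts.Rid
                Expected = $expected
                Renamed  = ($p.Name -ne $expected)
            }
        }
    }
}

# Constructed sample input: two domains, same RIDs, different SIDs. In the
# second domain the built-in Administrator (RID 500) has been renamed.
$sample = @(
    @{ Name = 'Administrator'; Sid = 'S-1-5-21-1004336348-1177238915-682003330-500' },
    @{ Name = 'svc-backup';    Sid = 'S-1-5-21-1004336348-1177238915-682003330-1105' },
    @{ Name = 'helpdesk-x';    Sid = 'S-1-5-21-3623811015-3361044348-30300820-500' },
    @{ Name = 'Domain Admins'; Sid = 'S-1-5-21-3623811015-3361044348-30300820-512' },
    @{ Name = 'SYSTEM';        Sid = 'S-1-5-18' }
)

$sample | ForEach-Object { Split-Sid -Sid $_.Sid } | Format-Table -AutoSize
Find-WellKnownPrincipal -Principal $sample | Format-Table -AutoSize
```

Because the RID is unique only within a domain, the same RID 500 appears in both domains above with different SIDs; that is exactly why each domain needs its own RID master and why a seized RID master must never come back (it would hand out blocks that overlap the new holder's).
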
RID Master (continued)

  • Responsible for moving objects between domains to prevent object duplication

    • Move object to new domain

    • Then delete it from old domain

RID Master - Placement

  • Assigned to first domain controller in every new domain

  • Additional load negligible

  • Highly available

  • Locate in site where most new security principals are created

RID Master - Impact if Unavailable

  • Users do not notice any impact

  • Network administrators most likely do not notice loss

    • Unless they are attempting to create many security principals

    • A domain controller that exhausts its current block of RIDs cannot obtain a new one and fails to create users, groups or computers

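Whether an outage of the RID master matters depends on how much of its current block each domain controller has left. The following PowerShell is an added example, not code from the textbook; it assumes the ActiveDirectory module and read access to the `RID Manager$` and `RID Set` objects (granted to Authenticated Users by default). On Windows Server 2003 the same values are shown by `dcdiag /test:RidManager /v`.

```powershell
# Added example (not from the textbook). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertFrom-RidPoolValue {
    # rIDAvailablePool and rIDAllocationPool pack two 32-bit numbers into one
    # 64-bit attribute: the low half is the first/next RID, the high half the last.
    param([Parameter(Mandatory)][int64]$Value)
    $high = [int64][math]::Floor($Value / 4294967296)
    $low  = $Value - ($high * 4294967296)
    [pscustomobject]@{ Low = $low; High = $high }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain

    # Domain-wide view, read from the RID master itself so it is not stale.
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                        -Server $dom.RIDMaster -Properties rIDAvailablePool
    $global = ConvertFrom-RidPoolValue -Value ([int64]$mgr.rIDAvailablePool)
    # High = largest RID the domain can ever issue (1,073,741,823 by default),
    # Low  = first RID of the next block the RID master will hand out.
    $domainSummary = [pscustomobject]@{
        Domain        = $Domain
        RIDMaster     = $dom.RIDMaster
        NextBlockRid  = $global.Low
        MaxRid        = $global.High
        PercentIssued = [math]::Round(100 * $global.Low / $global.High, 2)
    }

    # Per-DC view: each DC keeps its current block in its own RID Set object and
    # asks the RID master for a fresh block before the current one is used up.
    # If the RID master is down at that moment, Remaining is what is left.
    $perDc = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $set = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
                                -Properties rIDAllocationPool, rIDNextRID
            $block = ConvertFrom-RidPoolValue -Value ([int64]$set.rIDAllocationPool)
            [pscustomobject]@{
                DC         = $dc.HostName
                BlockStart = $block.Low
                BlockEnd   = $block.High
                LastRid    = $set.rIDNextRID          # most recently issued RID
                Remaining  = $block.High - $set.rIDNextRID
            }
        } catch {
            [pscustomobject]@{
                DC = $dc.HostName; BlockStart = $null; BlockEnd = $null
                LastRid = $null; Remaining = "unreachable: $($_.Exception.Message)"
            }
        }
    }

    [pscustomobject]@{ Domain = $domainSummary; DomainControllers = $perDc }
}

# Usage:
$status = Get-RidPoolStatus
$status.Domain | Format-List
$status.DomainControllers | Format-Table -AutoSize
```

A domain controller whose `Remaining` is near zero while the RID master is unreachable is the one that will start failing account creation first; a domain whose `PercentIssued` keeps climbing unexpectedly is worth investigating, since every failed creation attempt and every seizure of the RID master burns RIDs for good.
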
Infrastructure Master

  • Updates object references in its domain that point to objects located in another domain (for example, group members from other domains)

  • Updates the distinguished name and SID held in those references if the referenced object moves within or between domains

  • Object references contain:

    • GUID of object

    • Distinguished name of object

    • Possibly SID of object if it is a security principal

Infrastructure Master - Placement

  • Forest with multiple domains:

    • Do not place on a global catalog server, unless every domain controller in the domain is a global catalog server

      • A global catalog already holds a copy of every object, so an infrastructure master that is also a global catalog never detects stale references and never updates them

    • Do locate in a site that contains a global catalog server

  • Assigned to first domain controller in every new domain

  • Does not place much additional load

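The two placement rules above are easy to break silently when global catalogs are added later. The following PowerShell check is an added example, not code from the textbook; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT). One caveat outside the book's scope: in a forest where the Active Directory Recycle Bin is enabled, every domain controller updates cross-domain references itself and this placement rule no longer applies.

```powershell
# Added example (not from the textbook). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    # Checks the placement rules from the slide: in a multi-domain forest the
    # infrastructure master must not be a global catalog unless every DC in the
    # domain is one, and there should be a GC (of any domain) in its site.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $im     = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    if (-not $im) {
        throw "Infrastructure master $($dom.InfrastructureMaster) not found among the DCs of $Domain"
    }

    $multiDomain = $forest.Domains.Count -gt 1
    $everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Global catalogs from any domain count; Get-ADForest lists them forest-wide.
    $gcInSite = foreach ($gc in $forest.GlobalCatalogs) {
        $g = Get-ADDomainController -Identity $gc -ErrorAction SilentlyContinue
        if ($g -and $g.Site -eq $im.Site -and $g.HostName -ne $im.HostName) { $g.HostName }
    }

    $findings = @()
    if ($multiDomain -and $im.IsGlobalCatalog -and -not $everyDcIsGc) {
        $findings += 'Infrastructure master is a GC while other DCs are not: cross-domain references will never be updated'
    }
    if ($multiDomain -and -not $im.IsGlobalCatalog -and -not $gcInSite) {
        $findings += "No global catalog in site $($im.Site): reference checks will cross a site link"
    }

    [pscustomobject]@{
        Domain               = $Domain
        InfrastructureMaster = $im.HostName
        Site                 = $im.Site
        IsGlobalCatalog      = $im.IsGlobalCatalog
        EveryDcIsGc          = $everyDcIsGc
        MultiDomainForest    = $multiDomain
        GcInSameSite         = @($gcInSite)
        Findings             = $findings
    }
}

# Usage:
Test-InfrastructureMasterPlacement | Format-List
```

An empty `Findings` list means the placement matches the slide's rules; in a single-domain forest there are no cross-domain references, so the function reports `MultiDomainForest = False` and raises nothing regardless of where the role sits.
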
Infrastructure Master - Impact if Unavailable

  • Users typically do not notice any impact

  • Network administrators may notice that group membership does not appear to be updated

  • User accounts may appear with incorrect names in group’s membership list

Activity 8-3: Identifying the Domain-wide FSMO Role Holders

  • Objective: Learn how to use the Active Directory Users and Computers console to identify the PDC emulator, RID master, and infrastructure master of a domain

  • Follow instructions to view masters

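Activities 8-1 and 8-3 identify the role holders through two separate MMC snap-ins; the following PowerShell is an added example, not code from the textbook, that serves both activities at once and also shows the directory attribute every one of those tools is actually reading. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); a Windows Server 2003 domain controller has no such module, so the period-accurate commands are listed in comments at the end.

```powershell
# Added example (not from the textbook). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Module view: forest-wide roles hang off the forest object, domain-wide
    # roles off the domain object.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Get-FsmoRoleOwnerFromLdap {
    # Directory view: the schema snap-in, AD Users and Computers and netdom all
    # read the fSMORoleOwner attribute on five well-known objects. Pass -Server
    # to see what a particular replica believes, which matters right after a
    # transfer or seizure.
    param([string]$Server)
    $root = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $dn   = $root.defaultNamingContext
    $targets = [ordered]@{
        SchemaMaster         = $root.schemaNamingContext
        DomainNamingMaster   = "CN=Partitions,$($root.configurationNamingContext)"
        PDCEmulator          = $dn
        RIDMaster            = "CN=RID Manager`$,CN=System,$dn"
        InfrastructureMaster = "CN=Infrastructure,$dn"
    }
    foreach ($role in $targets.Keys) {
        $params = @{ Identity = $targets[$role]; Properties = 'fSMORoleOwner' }
        if ($Server) { $params.Server = $Server }
        $owner = (Get-ADObject @params).fSMORoleOwner
        # fSMORoleOwner is the DN of the holder's NTDS Settings object:
        #   CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...
        # A value containing "\0ADEL:" points at a deleted object: the holder
        # is gone and the role must be seized.
        $dc = (($owner -split ',')[1] -replace '^CN=')
        [pscustomobject]@{ Role = $role; Holder = $dc; OwnerDN = $owner }
    }
}

function Compare-FsmoView {
    # Flag roles where the two views disagree or where the holder does not answer.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $module = Get-FsmoRoleHolder -Domain $Domain
    $ldap   = Get-FsmoRoleOwnerFromLdap
    foreach ($entry in $ldap) {
        $fqdn = $module[$entry.Role]
        [pscustomobject]@{
            Role      = $entry.Role
            Holder    = $fqdn
            LdapAgree = ($fqdn -like "$($entry.Holder).*")
            Reachable = (Test-Connection -ComputerName $fqdn -Count 1 -Quiet)
        }
    }
}

# Usage:
Compare-FsmoView | Format-Table -AutoSize

# Windows Server 2003 equivalents:
#   netdom query fsmo                        (Support Tools)
#   dsquery server -hasfsmo schema           (also: name, infr, pdc, rid)
#   dcdiag /test:KnowsOfRoleHolders /v
#   ntdsutil: roles -> connections -> connect to server <dc> -> quit
#             -> select operation target -> list roles for connected server
```

A role whose `Reachable` is false but whose `LdapAgree` is true is the situation the later slides on seizure address: the directory still names a holder that no longer exists.
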
Transferring and Seizing Roles

  • May be necessary to transfer FSMO roles

  • Usually orderly process

  • May be situations where original role holder is permanently unavailable

    • Role will be seized by another domain controller

Transfer Roles

  • Preferred method:

    • Perform transfer operation

  • Both domain controllers must be available

    • Ensures no data loss occurs

  • Administrator needs to be a member of a certain group

    • Depends on the role being moved

      • Schema master: Schema Admins

      • Domain naming master: Enterprise Admins

      • PDC emulator, RID master, infrastructure master: Domain Admins of that domain

Groups Authorized to Move FSMO Roles Between Domain Controllers

Activity 8-4: Transferring Domain-wide FSMO Roles

  • Objective: Learn how to transfer the infrastructure master role to another domain controller

  • Use Active Directory Users and Computers to transfer role

Seizing Roles

  • Forcibly assigns a role to another domain controller when the original role holder is unavailable

  • Should be done only as a last resort, after attempts to restore the original holder have failed

  • Any recent changes on the original holder cannot be replicated

    • May be lost

  • Original role holder cannot be informed that it no longer holds the role

    • If it returns, two domain controllers believe they hold the same role

  • A former schema master, domain naming master or RID master must never be placed back on the network unless it is formatted and Windows is reinstalled (it would issue overlapping RID blocks or conflicting schema and partition changes)

    • A former PDC emulator or infrastructure master can be safely returned and the role transferred back to it

Consequences of Bringing a Domain Controller Back Online After FSMO Role Seizure

Seizing Roles (continued)

  • Methods:

    • Active Directory Users and Computers

      • Can seize only the PDC emulator or infrastructure master (the snap-in offers to force the change when the transfer fails)

    • NTDSUTIL

      • Can seize any of the five roles; required for the schema master, domain naming master and RID master

Activity 8-5: Using NTDSUTIL to Seize a FSMO Role

  • Objective: Learn how to seize the infrastructure master role using NTDSUTIL

  • Use NTDSUTIL to seize role

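Activities 8-4 and 8-5 are the orderly and the forced version of the same operation, and the decisive check is whether the current holder still answers. The following PowerShell is an added example, not code from the textbook; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and that the caller is in the group the earlier slide names for the role. The DC names `DC1` and `DC2` are placeholders, and the Windows Server 2003 `ntdsutil` equivalents are given in comments.

```powershell
# Added example (not from the textbook). Assumes the ActiveDirectory module and
# appropriate group membership (Schema Admins, Enterprise Admins or Domain Admins).
# DC names are placeholders.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        # Seize only when the current holder is gone for good.
        [switch]$Seize
    )
    $dom    = Get-ADDomain
    $forest = Get-ADForest -Identity $dom.Forest

    foreach ($r in $Role) {
        $holder = switch ($r) {
            'SchemaMaster'       { $forest.SchemaMaster }
            'DomainNamingMaster' { $forest.DomainNamingMaster }
            default              { $dom.$r }
        }
        $alive = Test-Connection -ComputerName $holder -Count 1 -Quiet
        if ($Seize -and $alive) {
            # A seizure discards whatever the old holder has not replicated yet;
            # while it still answers, an orderly transfer is always the right choice.
            throw "$holder still answers; transfer $r instead of seizing it"
        }
        if (-not $Seize -and -not $alive) {
            throw "$holder is unreachable; a transfer cannot succeed (use -Seize only if it is permanently gone)"
        }
    }

    # -Force makes the cmdlet fall back to a seizure when the transfer fails.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force:$Seize -Confirm:$false

    # Verify against the new holder's own replica rather than a cached view.
    $newDom    = Get-ADDomain -Server $TargetDC
    $newForest = Get-ADForest -Server $TargetDC
    foreach ($r in $Role) {
        $now = switch ($r) {
            'SchemaMaster'       { $newForest.SchemaMaster }
            'DomainNamingMaster' { $newForest.DomainNamingMaster }
            default              { $newDom.$r }
        }
        [pscustomobject]@{ Role = $r; Holder = $now; Ok = ($now -like "$TargetDC*") }
    }
}

# Orderly transfer (Activity 8-4):
Move-FsmoRole -TargetDC 'DC2' -Role InfrastructureMaster
# Windows Server 2003:
#   ntdsutil roles connections "connect to server DC2" quit "transfer infrastructure master" quit quit

# Seizure after DC1 has died permanently (Activity 8-5):
Move-FsmoRole -TargetDC 'DC2' -Role InfrastructureMaster -Seize
# Windows Server 2003:
#   ntdsutil roles connections "connect to server DC2" quit "seize infrastructure master" quit quit
# After seizing the schema, domain naming or RID master, remove the dead DC's
# metadata (ntdsutil "metadata cleanup") and never reconnect it without a rebuild.
```

The reachability test is deliberately a hard stop rather than a warning: the cost of a needless seizure (lost updates and a DC that must be rebuilt) is far higher than the cost of waiting for the holder to come back.
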
Seizing a FSMO Role Using NTDSUTIL

Summary

  • Forest-wide operations master roles:

    • Schema master

    • Domain naming master

  • Domain-wide operations master roles:

    • PDC emulator

    • RID master

    • Infrastructure master

  • Roles can be transferred/seized and given to another domain controller
