Active Directory

Operations Masters

Overview
Active Directory updates generally multimaster Changes can be made on any DC
Some exceptions single master Sometimes better to prevent conflict than to resolve later E.g. schema updates Exceptions managed by Operations Masters

Operations Master Roles

Five roles in total
Two roles where there is one per forest

Schema master Domain naming master Relative Identifier (RID) master Primary Domain Controller (PDC) Emulator Infrastructure master

Three roles where there is one per domain

Schema Master
Responsible for schema updates
Only DC that can process schema

updates

After update, replicates changes to other DCs

If this Operations master is unavailable,

no schema changes can be made

Domain Naming Master

Responsible for changes to configuration

naming context

Adding and removing domains Adding and removing cross references to domains in external directories After update, replicates to other DCs

If unavailable, cannot add or remove domains Domain Naming Master must also be a global

catalog server

May be unnecessary in single-domain forest?

RID Master
Objects e.g. users and groups, each have a

unique security identifier (SID)

Consists of domain SID and unique relative identifier (RID)

RID master allocates each DC a pool of RIDs When a DCs RID pool falls too low, it requests

additional RIDs from RID master RID master also controls moving objects between domains With no RID master, when a DC runs out of RIDs, new security principals (i.e. users, groups etc.) cannot be created on that DC

Infrastructure Master
Object in domain referencing object in another

domain uses GUID, SID and DN

E.g. group in one domain referencing user or group in another domain

Infrastructure master updates SID and DN in

cross-domain references

E.g. if referenced object moves

Multiple-domain, infrastructure master role must

not be held by GC server

Not a problem in single-domain forests (because no external references)

PDC Emulator
Mixed Mode

Acts as NT PDC to NT BDCs Supports Netlogon replication

Native and Mixed Modes

Password changes replicated preferentially to PDC emulator Authentication failures due to bad password at another DC forwarded to PDC emulator before failing completely Manages password changes from 95, 98, NT clients

PDC Emulator cont.

Native and Mixed Modes

By default, Group Policy snap-in runs on PDC emulator

Reduces

potential for Group Policy replication

conflicts Can be changed

PDC Emulator cont.

Miscellaneous

All DCs synchronize their clock to that of the PDC emulator

PDC

emulator of forest root domain should be synchronized to external time source In multi-domain forest, PDC emulator for domain synchronizes with PDC emulator of forest root domain

Acts as Domain Master Browser

Default Placement of Roles

First DC in a forest holds all roles
First DC in a new domain within existing

forest holds all domain roles

RID master Infrastructure master PDC emulator

Guidelines for the Placement of Roles

Keep schema master and domain naming

master roles on same DC

DC should also be a global catalog server

Put RID master and PDC emulator roles on the

same DC In multi-domain forest, the infrastructure master must not be a global catalog server

Should have good connection to global catalog server

Guidelines for the Placement of Roles cont.

Single-domain forest

Keep all five roles on same DC which should also be a global catalog server Move infrastructure master role to a DC that is not a global catalog server

Multiple-domain forest

Determining Role Placement

Replication Monitor

Easiest Support Tools (2000 CD) PDC Emulator, Infrastructure master, RID master

Active Directory Users and Computers Active Directory Domains and Trusts

Domain Naming master

Schema master NB Schmmgmt.dll must be registered before first use

Active Directory Schema Snap-In

Dumpfsmos

Resource kit
Command line tool included with 2000 server

NTDSUTIL

User Rights to Change Roles

By default, certain groups only have rights to

change role holders Schema Administrators

Schema master Domain naming master All domain role holders

Enterprise Administrators

Domain Administrators

NB By default, Administrator of forest root

domain is a member of all these groups

Modifying Permissions to Change Roles

Adsiedit (support tools) tool allows all

permissions to be changed

Transferring Roles
Transfer only when source and

destination DCs are up and running Domain-specific roles

Active Directory Users and Computers

Schema Manager Snap-In Active Directory Domains and Trusts

Schema Master

Domain Naming Master

When to Transfer Roles

Initial setup of domain E.g. in a multi-domain forest, move Infrastructure master off global catalog server Permanently demoting a DC Roles held by the DC transferred automatically but manual transfer gives control over location Temporarily taking down a DC Probably unnecessary to transfer schema and domain naming masters (little used); also infrastructure master in single-domain forest Always transfer the PDC emulator; may be wise to transfer RID master, but probably unnecessary for short downtime

Seizing Roles
Generally only seize when originally role

holder has failed irrecoverably and will not be restored from backup

Exception can fairly safely seize PDC emulator role Strangely, this is also the role that you can least do without

References Overview
Managing Flexible Single-Master Operations http://www.microsoft.com/WINDOWS2000/techinfo/ reskit/en/default.asp?PP=/windows2000/techinfo/re skit/en/toc/w2rkbook-0-2-16.xml&tocPath=w2rkbook-0-2-16&URL=/windows2000/techinfo/reskit/en/distrib/dsb l_fsm_djnw.htm
Windows 2000 Active Directory FSMO Roles

http://support.microsoft.com/support/kb/article s/Q197/1/32.ASP

References Placement
Windows 2000 Active Directory FSMO

Roles

http://support.microsoft.com/support/kb /articles/Q197/1/32.ASP

FSMO Placement and Optimization on

Windows 2000 Domain Controllers

http://support.microsoft.com/support/kb/arti cles/Q223/3/46.ASP

References User Rights

Setting User Rights for Designating

FSMO Roles in an Enterprise

http://support.microsoft.com/support/kb/arti cles/Q228/7/76.ASP

References Determining Operations Masters

How to Use the Replication Monitor to

Determine the Operations Master and Global Catalog Roles

http://support.microsoft.com/support/kb/arti cles/Q297/2/30.ASP

How to Find FSMO Role Holders

(Servers)

http://support.microsoft.com/support/kb/arti cles/Q234/7/90.ASP

References Transferring and Seizing Roles

How to View and Transfer FSMO

Roles in the Graphical User Interface

http://support.microsoft.com/support/kb/arti cles/Q255/6/90.ASP

Using Ntdsutil.exe to Seize or

Transfer FSMO Roles to a Domain Controller

http://support.microsoft.com/support/kb/arti cles/Q255/5/04.ASP

References Transferring and Seizing Roles

How to Change the Role Owner of the

Operations Master After a Successful Seizure

http://support.microsoft.com/support/kb/arti cles/Q283/5/95.ASP