Scribd
Upload
66 views

Global Catalog and Flexible Single Master Operations (Fsmo) Roles

The document discusses the global catalog and flexible single master operations (FSMO) roles in Active Directory. The global catalog stores forest-wide data and facilitates searches across domains. FSMO roles like schema master and domain naming master are assigned to manage operations across domains. The roles can be transferred between domain controllers using tools like NTDSUtil and repadmin.

Uploaded by

Alok Sharma
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
66 views

Global Catalog and Flexible Single Master Operations (Fsmo) Roles

The document discusses the global catalog and flexible single master operations (FSMO) roles in Active Directory. The global catalog stores forest-wide data and facilitates searches across domains. FSMO roles like schema master and domain naming master are assigned to manage operations across domains. The roles can be transferred between domain controllers using tools like NTDSUtil and repadmin.

Uploaded by

Alok Sharma
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 26

1

Chapter 4

GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

UNDERSTANDING THE GLOBAL CATALOG


Central repository for forest-wide data.
Subset of attributes from objects forest-wide. First domain controller in the forest is automatically

configured as a global catalog server.


servers.

Other domain controllers can become global catalog

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

FUNCTIONS OF THE GLOBAL CATALOG


Facilitate searches for objects in the forest
Resolve User Principal Names (UPNs) Provide universal group membership information
If the domain is in Microsoft Windows 2000 native

functional level or later, global catalog information is required in order for users to log on.

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

UNIVERSAL GROUP MEMBERSHIP CACHING


New for Microsoft Windows Server 2003.
When enabled, non-global catalog domain

controllers can process logons without contacting a global catalog server.

Refreshed on an eight-hour interval. Eliminates the need to place a global catalog server

in a remote site to facilitate logons.

Provides better logon performance. Can be used to minimize wide area network (WAN)

link usage.

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

LOGON PROCESS AND THE GLOBAL CATALOG


Universal group membership is used in creation of
Global catalog is used to verify universal group

the access control list (ACL) when the user logs on. membership.

Users might be denied logon if the global catalog is

not available and universal group membership caching is not enabled.

Built-in Administrator account can logon, regardless

of global catalog availability or the universal group membership caching configuration.

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS


There is additional global catalog replication traffic

when a global catalog is configured.

Additional hard disk space is required.

Consider placing a global catalog server in each site

or configure universal group membership caching for that site. where applications need to make global catalog queries.

Consider placing a global catalog server in each site

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

ENABLING A GLOBAL CATALOG SERVER

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES


Flexible Single Master Operations (FSMO) roles
Assigned automatically to the first domain controller

in a domain

Roles can be transferred to other domain controllers

Used to reduce conflict and facilitate

communication concerning replication between domain controllers

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

10

FIVE FSMO ROLES


Domain naming master
Relative identifier (RID) master Infrastructure master Primary Domain Controller (PDC) emulator Schema master

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

11

DOMAIN-SPECIFIC ROLES
RID masterAssigns RIDs to other domain

controllers

Infrastructure masterAllows security principals to

be tracked between domains

PDC emulator
Backward compatibility with Microsoft Windows NT

Server version 4.0 domains and later client computers (Microsoft Windows 98 and Windows Me)

Time synchronization User account password change replication

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

12

DOMAIN-WIDE OPERATIONS MASTERS

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

13

RID MASTER
Used when security principals are created
RID makes the individual security principal security

identifier (SID) unique within a domain

Built-in RIDs are consistent between domains, for

example, Built-in Administrator has a RID of 500

RID master gives other domain controllers RIDs to

use when new objects are created

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

14

WHAT IF THE RID MASTER ISNT AVAILABLE?


Doesnt affect existing users
Might cause a problem when creating new objects,

if the existing RID pool on the domain controller is depleted


Movetree.exe must be run on the RID master of the

Problems moving objects between domains

source domain.
available.

RID master of the target domain must also be

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

15

INFRASTRUCTURE MASTER
Manages user and group references for objects

between domains

Updates ACLs and group memberships as required Queries the global catalog to ensure that references

are current server

Role should not be assigned to a global catalog


Exception 1: There is only a single domain in the

forest

Exception 2: All domain controllers are also global

catalog servers

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

16

PDC EMULATOR
Provides backward compatibility for preWindows

2000 client computers

Acts as the PDC in Windows 2000 mixed functional

level for any Windows NT Server version 4.0 backup domain controllers (BDCs) that are present on the network

Acts as a central manager for user password

changes, replication, and account lockouts

Handles time synchronization

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

17

ALTERNATE TCP/IP ADDRESS CONFIGURATION


Domain naming master
Schema master These roles are assigned to only one domain

controller in the entire forest

Usually these roles are assigned to domain

controllers in the forest root domain

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

18

DOMAIN NAMING MASTER


Allows additions or removals of domains.
Ensures domain names are unique in the forest. Domains cannot be added or removed if the domain

naming master is not available.


to add and remove domains.

Enterprise Admins level access is required in order

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

19

SCHEMA MASTER
Controls access to the schema.
Ensures modifications are replicated to all domain

controllers in the forest. master is not available.

The schema cannot be modified if the schema


Schema Admins level access is required to modify

the schema.

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

20

PLACING FSMO SERVERS


In a multi-domain environment, youll likely move

some of the FSMO roles.

Decisions on placing domain controllers involve.


Number of domains that are a part of the forest
Physical structure, including sites Number of domain controllers in each domain

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

21

DEFAULT FSMO ROLE ASSIGNMENTS

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

22

ADJUSTING FSMO ROLES IN FOREST ROOT

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

23

MANAGING FSMO ROLES


What happens when a domain controller holding a

given FSMO role fails?

Transferring roles.

Seizing roles.

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

24

WHAT ARE THE IMPLICATIONS OF FAILURE?


Schema master
Domain naming master PDC emulator RID master Infrastructure master

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

25

MANAGING ROLES
Active Directory Users And Computers
RID master

Infrastructure master
PDC emulator

Active Directory Domains And Trustsdomain

naming master

Microsoft Management Console (MMC) Schema

snap-inschema master

Repadmin
NTDSUtilAll roles

Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES

26

SUMMARY
Global catalog function
Global catalog server placement Domain-wide operations masters Forest-wide operations masters Implications of FSMO failure

Tools to manage FSMO roles

You might also like