8/10/2019 70-640_Lesson04_PPT_041009.ppt
1/30
Lesson 4: Global Catalog and Flexible Single Master Operations (FSMO) Roles
Skills Matrix

Technology Skill                               | Objective Domain              | Objective #
Configuring Additional Global Catalog Servers  | Configure the global catalog  | 2.5
Placing FSMO Role Holders                      | Configure operations masters  | 2.6
Global Catalog
Critical component of Active Directory. Acts as a central repository by holding:
A complete copy of all objects from the host server's local domain.
A partial copy of all objects from other domains within the same forest.
Used for logon, object searches, and universal group memberships.
Global Catalog
Global catalog placement considerations include:
The speed and reliability of the WAN link.
The amount of traffic that will be generated by replication.
The size of the global catalog database.
When a user initiates a search for an object in Active Directory, the request is automatically sent to TCP port 3268.
Global catalogs are identified in DNS through SRV records for the global catalog (_gc) service.
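Added example, not part of the lesson: a PowerShell check that locates the forest's global catalog servers both ways the slide describes (the _gc SRV record and the directory's own GC flag) and confirms each one answers on TCP 3268. It assumes the ActiveDirectory RSAT module on a domain-joined host; the forest name is whatever Get-ADForest returns.

```powershell
# Added example (not from the lesson). Assumes the ActiveDirectory RSAT module
# and a domain-joined management host.
Import-Module ActiveDirectory

$forest = (Get-ADForest).RootDomain

# 1. Global catalogs advertise themselves with the _gc SRV record in the
#    forest root DNS zone.
$srv = Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction Stop
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 2. Cross-check the directory's own view of which DCs hold the GC role.
$gcs = Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' |
       Select-Object HostName, Site, IPv4Address

# A stale SRV record pointing at a host that is no longer a GC sends
# logon and search traffic to the wrong place; report any such target.
$stale = $srv.NameTarget | Where-Object { $_ -notin $gcs.HostName }
if ($stale) { Write-Warning "SRV targets not flagged as GC: $($stale -join ', ')" }

# 3. A DC flagged as GC but not listening on 3268 cannot serve forest-wide
#    searches or universal group lookups; surface that before users notice.
foreach ($gc in $gcs) {
    $ok = (Test-NetConnection -ComputerName $gc.HostName -Port 3268 `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ GlobalCatalog = $gc.HostName; Site = $gc.Site; Port3268 = $ok }
}
```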
Universal Group Membership Caching
Available with Windows Server 2003 and Windows Server 2008. Used for sites that do not have a global catalog server available.
Stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server.
Allows domain controllers to process a logon or resource request without the presence of a global catalog server, assuming the user successfully logged on once while a global catalog server was available and universal group membership caching was enabled.
Universal Group Membership Caching
Enabled on a per-site basis. By default, the cache is refreshed every eight hours.
Universal Group Membership Caching
It eliminates the need to place a global catalog in a remote location where the link speed is slow or unreliable.
It provides better logon performance for users with cached information. If the global catalog is located across a WAN link, cached credentials can replace the need to send logon traffic across a slow or unreliable link.
It minimizes WAN usage for replication traffic because the domain controller does not have to hold information about forest-wide objects.
In addition, these remote domain controllers are not listed in DNS as providers of global catalog services for the forest, further reducing bandwidth constraints.
Global Catalog and Universal Group Caching
If universal group caching is not available to record the user's information into the cache and the global catalog server goes offline, the logon attempt will fail.
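Added example, not part of the lesson: a site audit that flags the failure mode this slide describes, sites with no global catalog of their own and no universal group membership caching to fall back on. It assumes the ActiveDirectory RSAT module; the caching flag is read from the 0x20 bit of the options attribute on each site's NTDS Site Settings object, which is the bit the Sites and Services checkbox sets.

```powershell
# Added example (not from the lesson). Assumes the ActiveDirectory RSAT module.
# The 0x20 bit of "options" on CN=NTDS Site Settings is the universal group
# membership caching flag (the checkbox in Active Directory Sites and Services).
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$UGMC_ENABLED = 0x20

# Sites that host at least one global catalog server of their own.
$sitesWithGc = Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' |
               Select-Object -ExpandProperty Site -Unique

# Every site has one NTDS Site Settings object carrying the caching flag.
$siteSettings = Get-ADObject -Filter 'objectClass -eq "nTDSSiteSettings"' `
                             -SearchBase "CN=Sites,$configNC" `
                             -Properties options, 'msDS-Preferred-GC-Site'

foreach ($s in $siteSettings) {
    # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,...; the second RDN is the site.
    $siteName = ($s.DistinguishedName -split ',')[1] -replace '^CN='
    $cached   = ([int]$s.options -band $UGMC_ENABLED) -ne 0   # null options -> 0
    $hasGc    = $siteName -in $sitesWithGc
    [pscustomobject]@{
        Site             = $siteName
        HasGlobalCatalog = $hasGc
        UGMCEnabled      = $cached
        PreferredGCSite  = $s.'msDS-Preferred-GC-Site'
        # No local GC and no cache: logons in this site fail whenever the WAN
        # link or the remote global catalog is unavailable.
        LogonAtRisk      = (-not $hasGc) -and (-not $cached)
    }
}
```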
Global Catalog
By default, the first domain controller installed in the forest root domain is designated as a global catalog server.
Any or all domain controllers in a domain can be designated as global catalog servers.
Configuring an Additional Global Catalog Server
Use Active Directory Sites and Services from the Administrative Tools folder.
Enabling Universal Group Membership Caching
Use Active Directory Sites and Services.
Flexible Single Master Operations (FSMO) Roles
To keep tight control over certain sensitive or special operations, Active Directory uses Flexible Single Master Operations (FSMO) roles:
Relative Identifier Master.
Infrastructure Master.
Primary Domain Controller (PDC) Emulator.
Domain Naming Master.
Schema Master.
Relative Identifier (RID) Master
Domain specific (one per domain). Responsible for assigning relative identifiers to domain controllers in the domain.
Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created.
Infrastructure Master
Domain specific (one per domain). Responsible for reference updates from its domain objects to other domains. Assists in tracking which domains own which objects.
Primary Domain Controller (PDC) Emulator
Domain specific (one per domain). Provides backward compatibility with Microsoft Windows NT 4.0 domains and other down-level clients.
Manages account lockouts. Manages time synchronization for the domain. Manages password changes.
When a password is changed, it provides immediate replication to other domain controllers in the domain.
Manages edits to Group Policy Objects (GPOs).
Domain Naming Master
Forest specific (one per forest). Has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. When any of these is created, the Domain Naming Master ensures that the name assigned is unique to the forest.
Schema Master
Forest specific (one per forest). Responsible for managing changes to the Active Directory schema.
Flexible Single Master Operations (FSMO) Roles
When you install the first domain controller in a new forest, that domain controller holds both of the forest-wide FSMO roles as well as the three domain-wide FSMO roles for the forest root domain.
Managing FSMO Roles
Role transfer - Used to move a FSMO role gracefully from one domain controller to another.
Role seizure - Used only when a domain controller that holds a FSMO role has failed and you must force an ungraceful transfer.
Viewing or Transferring Domain-Wide FSMO Role Holders
Open the Active Directory Users and Computers MMC snap-in.
Right-click the Active Directory Users and Computers node, click All Tasks, and select Operations Masters.
Viewing or Transferring the Domain Naming Master FSMO Role Holder
In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and select Change Operations Master.
Viewing or Transferring the Schema Master FSMO Role Holder
Open the Active Directory Schema snap-in.
Right-click Active Directory Schema in the console tree and select Change Operations Master.
Remember that before you can access the Active Directory Schema snap-in, you need to register the schmmgmt.dll DLL file using the following syntax:
regsvr32 schmmgmt.dll
Seizing a FSMO Role
Use the ntdsutil command to access the fsmo maintenance prompt and use the seize command.
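Added example, not part of the lesson: the same view, transfer and seize operations the preceding slides perform through the MMC snap-ins and ntdsutil, done with the ActiveDirectory PowerShell module, with the reachability and USN checks a careful administrator runs before a seizure. It assumes the RSAT module; DC02 and the role choices are placeholders.

```powershell
# Added example (not from the lesson). Assumes the ActiveDirectory RSAT module;
# 'DC02' is a placeholder for the domain controller receiving the role.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Two forest-wide roles come from the forest object, three domain-wide
    # roles from the domain object (one set per domain).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
Get-FsmoHolders | Format-List

# Graceful transfer: both DCs are online and agree on the new owner.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster

# Seizure: only when the current holder will never return. -Force writes the new
# owner without the old holder's cooperation, so first confirm the old holder is
# really unreachable and inspect the target's up-to-dateness vector (the USN
# check the lesson summary calls for) to see how current its replica is.
$oldHolder = (Get-ADDomain).PDCEmulator
$domainDn  = (Get-ADDomain).DistinguishedName
if (-not (Test-Connection -ComputerName $oldHolder -Count 2 -Quiet)) {
    repadmin /showutdvec DC02 $domainDn
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
        -OperationMasterRole PDCEmulator -Force
    # If the old holder is ever recovered, do not reconnect it as-is: a second
    # RID, Schema or Domain Naming Master on the network corrupts the directory.
    # Microsoft's guidance is to rebuild such a server rather than restore it.
}
```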
Summary
The global catalog server acts as a central repository for Active Directory by holding a complete copy of all objects within its local domain and a partial copy of all objects from other domains within the same forest.
The global catalog has three main functions: facilitating searches for objects in the forest, resolving UPN names, and providing universal group membership information.
Summary
Global catalog placement considerations include the speed and reliability of the WAN link, the amount of traffic that will be generated by replication, the size of the global catalog database, and the applications that might require use of port 3268 for resolution.
Operations master roles are assigned to domain controllers to perform single-master operations.
Summary
The Schema Master and Domain Naming Master roles are forest-wide. Every forest must have one and only one of each of these roles.
The RID Master, PDC Emulator, and Infrastructure Master roles are domain-wide. Every domain must have only one of each of these roles.
Summary
FSMO roles can be managed in two ways:
Role transfer - Transfer a FSMO role to other domain controllers in the domain or forest to balance the load among domain controllers or to accommodate domain controller maintenance and hardware upgrades.
Role seizure - Seize a FSMO role assignment when a server holding the role fails and you do not intend to restore it.
Seizing a FSMO role is a drastic step that should be considered only if the current FSMO role holder will never be available again.
Summary
Use repadmin to check the status of the update sequence numbers (USNs) when seizing the FSMO role from the current role holder.
Use ntdsutil to actually perform a seizure of the FSMO role.