70-640_Lesson04_PPT_041009.ppt

Jun 02, 2018
  • 8/10/2019 70-640_Lesson04_PPT_041009.ppt

    1/30

    Global Catalog and Flexible Single Master Operations (FSMO) Roles
    Lesson 4

  • 2/30

    Skills Matrix

    Technology Skill                              | Objective Domain              | Objective #
    Configuring Additional Global Catalog Servers | Configure the global catalog  | 2.5
    Placing FSMO Role Holders                     | Configure operations masters  | 2.6

  • 3/30

    Global Catalog

    Critical component of Active Directory. Acts as a central repository by holding:

    A complete copy of all objects from the host server's local domain.

    A partial copy of all objects from other domains within the same forest.

    Used for logon, object searches, and universal group memberships.

  • 4/30

    Global Catalog

    Global catalog placement considerations include:

    The speed and reliability of the WAN link.

    The amount of traffic that will be generated by replication.

    The size of the global catalog database.

    When a user initiates a search for an object in Active Directory, the request is automatically sent to TCP port 3268.

    Global catalogs are identified in DNS through the SRV records for the global catalog (_gc) service.

  • 5/30

    Universal Group Membership Caching

    Available with Windows Server 2003 and Windows Server 2008.

    Used for sites that do not have a global catalog server available.

    Stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server.

    Allows domain controllers to process a logon or resource request without the presence of a global catalog server, assuming the user has previously logged on successfully while a global catalog server was available and universal group membership caching was enabled.

  • 6/30

    Universal Group Membership Caching

    Enabled on a per-site basis.

    By default, the cache is refreshed every eight hours.

  • 7/30

    Universal Group Membership Caching

    It eliminates the need to place a global catalog in a remote location where the link speed is slow or unreliable.

    It provides better logon performance for users with cached information. If the global catalog is located across a WAN link, cached credentials can replace the need to have logon traffic sent across a slow or unreliable link.

    It minimizes WAN usage for replication traffic because the domain controller does not have to hold information about forest-wide objects.

    In addition, these remote domain controllers are not listed in DNS as providers of global catalog services for the forest, further reducing bandwidth constraints.

  • 8/30

    Global Catalog and Universal Group Caching

    If universal group caching is not available to record the user's information into the cache and the global catalog server goes offline, the logon attempt will fail.

  • 9/30

    Global Catalog

    By default, the first domain controller installed in the forest root domain is designated as a global catalog server.

    Any or all domain controllers in a domain can be designated as global catalog servers.

  • 10/30

    Configuring an Additional Global Catalog Server

    Use Active Directory Sites and Services from the Administrative Tools folder.

  • 11/30

    Enabling Universal Group Membership Caching

    Use Active Directory Sites and Services.
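As an added example that is not part of the lesson slides, the checks an administrator would run with the RSAT ActiveDirectory module to verify what slides 3 through 11 describe: which domain controllers advertise as global catalogs, whether DNS publishes the _gc SRV records, whether TCP 3268 actually answers, which sites have universal group membership caching turned on, and the attribute that the Sites and Services checkbox flips when a DC is promoted to a global catalog. The DC name DC2 is an assumed placeholder.

```powershell
# Added example: verify global catalog and universal group membership caching state.
# Assumes the ActiveDirectory module is installed and the session runs as a domain admin.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest: $($forest.Name)  Global catalogs: $($forest.GlobalCatalogs -join ', ')"

# 1. Which domain controllers hold the global catalog (a partial replica of every domain)?
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address |
    Format-Table -AutoSize

# 2. Clients locate a global catalog through the _gc SRV records, so DNS must publish them.
$srv = Resolve-DnsName -Name "_gc._tcp.$($forest.Name)" -Type SRV -ErrorAction Stop |
    Where-Object Type -eq 'SRV'
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 3. A global catalog listed in DNS but not answering on TCP 3268 still breaks logons and
#    forest-wide searches, so test the port on every advertised target.
foreach ($record in $srv) {
    $ok = Test-NetConnection -ComputerName $record.NameTarget -Port 3268 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0,-30} TCP 3268 reachable: {1}" -f $record.NameTarget, $ok
}

# 4. Universal group membership caching is per site: bit 0x20 of the 'options' attribute
#    on each site's NTDS Site Settings object (the setting Sites and Services writes).
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(objectClass=nTDSSiteSettings)" -Properties options |
    ForEach-Object {
        # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so the second RDN is the site.
        $siteName = ($_.DistinguishedName -split ',')[1] -replace '^CN='
        [pscustomobject]@{
            Site         = $siteName
            UGMCachingOn = (([int]$_.options -band 0x20) -ne 0)
        }
    } | Format-Table -AutoSize

# 5. Promoting another DC to a global catalog sets bit 1 of 'options' on its NTDS Settings
#    object. OR the bit in rather than overwriting the attribute, to keep any other flags.
$dc   = Get-ADDomainController -Identity "DC2"          # placeholder name
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
```

Step 5 changes the directory; run steps 1 to 4 first and confirm a second global catalog is actually wanted in that site given the placement considerations on slide 4.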

  • 12/30

    Flexible Single Master Operations (FSMO) Roles

    To keep tight control on certain sensitive or special operations, Active Directory uses Flexible Single Master Operations (FSMO) roles:

    Relative Identifier Master.

    Infrastructure Master.

    Primary Domain Controller (PDC) Emulator.

    Domain Naming Master.

    Schema Master.

  • 13/30

    Relative Identifier (RID) Master

    Domain specific (one per domain).

    Responsible for assigning relative identifiers to domain controllers in the domain.

    Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created.

  • 14/30

    Infrastructure Master

    Domain specific (one per domain).

    Responsible for reference updates from its domain objects to other domains.

    Assists in tracking which domains own which objects.

  • 15/30

    Primary Domain Controller (PDC) Emulator

    Domain specific (one per domain).

    Provides backward compatibility with Microsoft Windows NT 4.0 domains and other down-level clients.

    Manages account lockouts.

    Manages time synchronization for the domain.

    Manages password changes. When a password is changed, it provides immediate replication to other domain controllers in the domain.

    Manages edits to Group Policy Objects (GPOs).

  • 16/30

    Domain Naming Master

    Forest specific (one per forest).

    Has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest.

    When any of these is created, the Domain Naming Master ensures that the name assigned is unique to the forest.

  • 17/30

    Schema Master

    Forest specific (one per forest).

    Responsible for managing changes to the Active Directory schema.

  • 18/30

    Flexible Single Master Operations (FSMO) Roles

    When you install the first domain controller in a new forest, that domain controller holds both of the forest-wide FSMOs as well as the three domain-wide FSMOs for the forest root domain.

  • 19/30

    Managing FSMO Roles

    Role transfer - Used to move a FSMO role gracefully from one domain controller to another.

    Role seizure - Used only when you have experienced a failure of a domain controller that holds a FSMO role and you must force an ungraceful transfer.

  • 20/30

    Viewing or Transferring Domain-Wide FSMO Role Holders

    Open the Active Directory Users and Computers MMC snap-in.

    Right-click the Active Directory Users and Computers node, click All Tasks, and select Operations Masters.

  • 21/30

    Viewing or Transferring the Domain Naming Master FSMO Role Holder

    In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and select Change Operations Master.

  • 22/30

    Viewing or Transferring the Schema Master FSMO Role Holder

    Open the Active Directory Schema snap-in.

    Right-click Active Directory Schema in the console tree and select Change Operations Master.

    Remember that before you can access the Active Directory Schema snap-in, you need to register the schmmgmt.dll DLL file using the following syntax:

    regsvr32 schmmgmt.dll

  • 23/30

    Seizing a FSMO Role

    Use the ntdsutil command to access the fsmo maintenance prompt and use the seize command.

  • 24/30

    Summary

    The global catalog server acts as a central repository for Active Directory by holding a complete copy of all objects within its local domain and a partial copy of all objects from other domains within the same forest.

    The global catalog has three main functions: the facilitation of searches for objects in the forest, resolution of UPN names, and provision of universal group membership information.

  • 26/30

    Summary

    Global catalog placement considerations include the speed and reliability of the WAN link, the amount of traffic that will be generated by replication, the size of the global catalog database, and the applications that might require use of port 3268 for resolution.

    Operations master roles are assigned to domain controllers to perform single-master operations.

  • 27/30

    Summary

    The Schema Master and Domain Naming Master roles are forest-wide. Every forest must have one and only one of each of these roles.

    The RID Master, PDC Emulator, and Infrastructure Master roles are domain-wide. Every domain must have only one of each of these roles.

  • 29/30

    Summary

    FSMO roles can be managed in two ways:

    Role transfer - Transfer a FSMO role to other domain controllers in the domain or forest to balance the load among domain controllers or to accommodate domain controller maintenance and hardware upgrades.

    Role seizure - Seize a FSMO role assignment when a server holding the role fails and you do not intend to restore it.

    Seizing a FSMO role is a drastic step that should be considered only if the current FSMO role holder will never be available again.

  • 30/30

    Summary

    Use repadmin to check the status of the update sequence numbers (USNs) when seizing the FSMO role from the current role holder.

    Use ntdsutil to actually perform the seizure of the FSMO role.
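As an added example, not taken from the lesson, the PowerShell equivalent of the transfer and seizure procedures on slides 19, 23, 29 and 30, including the repadmin check the summary calls for before a seizure and the ntdsutil command sequence slide 23 refers to. The ActiveDirectory module is assumed; DC2 and corp.contoso.com are placeholder names.

```powershell
# Added example: view, transfer and (as a last resort) seize FSMO roles.
# Assumes the ActiveDirectory module; "DC2" and DC=corp,DC=contoso,DC=com are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Forest-wide roles live on the forest object, domain-wide roles on the domain object.
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
"Before:"
Get-FsmoHolder | Format-List

# Graceful transfer (slide 19): both DCs are online and the current holder hands the role over.
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster -Confirm:$false

# Before a seizure (slide 30): check how current the target DC is by reading its
# up-to-dateness vector, the highest USN it has received from every other replica.
repadmin /showutdvec DC2 "DC=corp,DC=contoso,DC=com"

# Seizure (slides 23 and 29): only when the old holder will never return. With -Force the
# cmdlet transfers if the holder still answers and seizes if it does not. The former holder
# must not be brought back online afterwards without metadata cleanup, or two DCs will
# believe they own the role.
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" `
    -OperationMasterRole SchemaMaster -Force -Confirm:$false

# ntdsutil equivalent of the seizure above, entered one command per prompt:
#   ntdsutil
#   roles
#   connections
#   connect to server DC2
#   quit
#   seize schema master
#   quit
#   quit

"After:"
Get-FsmoHolder | Format-List
```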