A Course on Global Catalog And Flexible Single Master Operations (FSMO) Roles
Prepared for: New Horizons Certified Professional Course
Chapter 4: GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES
UNDERSTANDING THE GLOBAL CATALOG
• Central repository of forest-wide data.
• Holds a subset of the attributes of every object in the forest.
• The first domain controller in the forest is automatically configured as a global catalog server.
• Other domain controllers can also be made global catalog servers.
FUNCTIONS OF THE GLOBAL CATALOG
• Facilitates searches for objects across the forest.
• Resolves User Principal Names (UPNs).
• Provides universal group membership information.
  – If the domain is at the Microsoft Windows 2000 native functional level or later, global catalog information is required in order for users to log on.
UNIVERSAL GROUP MEMBERSHIP CACHING
• New in Microsoft Windows Server 2003.
• When enabled, domain controllers that are not global catalog servers can process logons without contacting a global catalog server.
• The cache is refreshed on an eight-hour interval.
• Eliminates the need to place a global catalog server in a remote site to facilitate logons.
• Provides better logon performance.
• Can be used to minimize wide area network (WAN) link usage.
LOGON PROCESS AND THE GLOBAL CATALOG
• Universal group membership is used in the creation of the access control list (ACL) when the user logs on.
• The global catalog is used to verify universal group membership.
• Users might be denied logon if the global catalog is not available and universal group membership caching is not enabled.
• The built-in Administrator account can log on regardless of global catalog availability or the universal group membership caching configuration.
ENABLE UNIVERSAL GROUP MEMBERSHIP CACHING
PLANNING GLOBAL CATALOG SERVER PLACEMENT CONSIDERATIONS
• Configuring a global catalog server adds global catalog replication traffic.
• Consider placing a global catalog server in each site, or configure universal group membership caching for that site.
• Consider placing a global catalog server in each site where applications need to make global catalog queries.
ENABLING A GLOBAL CATALOG SERVER
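The three slides above (universal group membership caching, the logon dependency on a global catalog, and placement planning) describe settings that live in the Configuration partition. The following PowerShell is an added example, not code from the course or from Microsoft: it audits each site and flags the combination that blocks logons (no local global catalog and no universal group membership caching), and provides two helpers that set the relevant bits. It assumes the ActiveDirectory module (RSAT), read access to the Configuration partition, and rights to modify NTDS Settings objects for the helpers; the site and server names passed to the helpers are placeholders.

```powershell
# Added example; not part of the course slides. Audits every Active Directory site for
# logon readiness: a site with no global catalog server and no universal group membership
# caching (UGMC) depends on a WAN link to a remote global catalog for every logon.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition;
# site and server names passed to the helper functions are placeholders.
Import-Module ActiveDirectory

function Get-SiteLogonReadiness {
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Map site name -> host names of the DCs (from every domain) that advertise as global catalogs.
    $gcBySite = @{}
    foreach ($domainName in (Get-ADForest).Domains) {
        foreach ($gc in Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $domainName) {
            if (-not $gcBySite.ContainsKey($gc.Site)) { $gcBySite[$gc.Site] = @() }
            $gcBySite[$gc.Site] += $gc.HostName
        }
    }

    foreach ($site in Get-ADReplicationSite -Filter *) {
        # UGMC is bit 0x20 of the 'options' attribute on the site's NTDS Site Settings object.
        $settingsDN = "CN=NTDS Site Settings,CN=$($site.Name),CN=Sites,$configNC"
        $settings   = Get-ADObject -Identity $settingsDN -Properties options, 'msDS-Preferred-GC-Site'
        $ugmcOn     = (([int]$settings.options) -band 0x20) -ne 0
        $gcs        = if ($gcBySite.ContainsKey($site.Name)) { $gcBySite[$site.Name] } else { @() }

        [pscustomobject]@{
            Site            = $site.Name
            GlobalCatalogs  = ($gcs -join ', ')
            UgmcEnabled     = $ugmcOn
            PreferredGcSite = $settings.'msDS-Preferred-GC-Site'
            LogonAtRisk     = ($gcs.Count -eq 0) -and (-not $ugmcOn)   # neither a local GC nor a cache
        }
    }
}

function Enable-UgmcForSite {
    # Turns on universal group membership caching for one site (placeholder site names).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$PreferredGcSiteName   # optional: site whose global catalog refreshes the cache
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $settingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $settings   = Get-ADObject -Identity $settingsDN -Properties options
    $replace    = @{ options = ([int]$settings.options -bor 0x20) }   # keep other bits intact
    if ($PreferredGcSiteName) {
        $replace['msDS-Preferred-GC-Site'] = "CN=$PreferredGcSiteName,CN=Sites,$configNC"
    }
    if ($PSCmdlet.ShouldProcess($SiteName, 'Enable universal group membership caching')) {
        Set-ADObject -Identity $settingsDN -Replace $replace
    }
}

function Enable-GlobalCatalogOnDC {
    # Makes a domain controller a global catalog server (placeholder DC name).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    # Bit 0x1 of 'options' on the DC's NTDS Settings object marks it as a global catalog.
    if ($PSCmdlet.ShouldProcess($dc.HostName, 'Enable global catalog')) {
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ([int]$ntds.options -bor 0x1) }
    }
}

# Usage (placeholder names): review first, then change with -WhatIf before committing.
Get-SiteLogonReadiness | Format-Table -AutoSize
Enable-UgmcForSite -SiteName 'Branch01' -PreferredGcSiteName 'HQ' -WhatIf
Enable-GlobalCatalogOnDC -DcName 'DC02' -WhatIf
```

Both helpers OR the new flag into the existing value rather than overwriting `options`, because the same attribute carries other settings; the audit treats a site as at risk only when it has neither a local global catalog nor the cache, which is exactly the case the logon slide warns about.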
UNDERSTANDING FLEXIBLE SINGLE MASTER OPERATIONS ROLES
• Flexible Single Master Operations (FSMO) roles
  – Assigned automatically to the first domain controller in a domain
  – Roles can be transferred to other domain controllers
• Used to reduce conflicts and facilitate communication concerning replication between domain controllers
FIVE FSMO ROLES
• Domain naming master
• Relative identifier (RID) master
• Infrastructure master
• Primary Domain Controller (PDC) emulator
• Schema master
DOMAIN-SPECIFIC ROLES
• RID master—Assigns RIDs to other domain controllers
• Infrastructure master—Allows security principals to be tracked between domains
• PDC emulator
  – Backward compatibility with Microsoft Windows NT Server version 4.0 domains and with client computers running Microsoft Windows 98 or Windows Me
  – Time synchronization
  – User account password change replication
DOMAIN-WIDE OPERATIONS MASTERS
RID MASTER
• Used when security principals are created
  – The RID makes each security principal's security identifier (SID) unique within a domain
  – Built-in RIDs are consistent between domains; for example, the built-in Administrator account has a RID of 500
• The RID master gives other domain controllers RIDs to use when new objects are created
WHAT IF THE RID MASTER ISN’T AVAILABLE?
• Does not affect existing users
• Might cause a problem when creating new objects, if the existing RID pool on the domain controller is depleted
• Problems moving objects between domains
INFRASTRUCTURE MASTER
• Manages user and group references for objects between domains
• Updates ACLs and group memberships as required
• Queries the global catalog to ensure that references are current
• The role should not be assigned to a global catalog server
  – Exception 1: There is only a single domain in the forest
  – Exception 2: All domain controllers are also global catalog servers
PDC EMULATOR
• Provides backward compatibility for pre-Windows 2000 client computers
• Acts as the PDC at the Windows 2000 mixed functional level for any Windows NT Server version 4.0 backup domain controllers (BDCs) present on the network
• Acts as a central manager for user password changes, replication, and account lockouts
• Handles time synchronization
FOREST-WIDE OPERATIONS MASTERS
• Domain naming master
• Schema master
• These roles are assigned to only one domain controller in the entire forest
• Usually these roles are assigned to domain controllers in the forest root domain
DOMAIN NAMING MASTER
• Allows additions or removals of domains.
• Ensures domain names are unique in the forest.
• Domains cannot be added or removed if the domain naming master is not available.
• Enterprise Admins level access is required in order to add and remove domains.
SCHEMA MASTER
• Controls access to the schema.
• Ensures modifications are replicated to all domain controllers in the forest.
• The schema cannot be modified if the schema master is not available.
• Schema Admins level access is required to modify the schema.
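The role slides above describe which holder each role lives on, the placement rule for the infrastructure master, and the RID pool that determines whether new objects can still be created when the RID master is down. The PowerShell below is an added example, not the course's or Microsoft's code: it reports all five role holders for a domain, checks the infrastructure master placement rule with both stated exceptions, and decodes the domain's remaining RID pool. It assumes the ActiveDirectory module (RSAT) and an authenticated domain-joined session; the packing of `rIDAvailablePool` (high 32 bits = pool maximum, low 32 bits = next available RID) is how Active Directory stores that attribute.

```powershell
# Added example; not part of the course slides. Reports FSMO role holders, checks the
# infrastructure-master placement rule, and decodes the domain-wide RID pool.
# Assumes the ActiveDirectory module (RSAT) and an authenticated, domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the current domain

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs    = @($dcs | Where-Object IsGlobalCatalog)

    # Two forest-wide roles come from the forest object, three domain-specific ones from the domain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # Rule from the slide: the infrastructure master should not be a global catalog server,
    # except in a single-domain forest or when every DC in the domain is also a GC.
    $imIsGc       = ($gcs.HostName -contains $dom.InfrastructureMaster)
    $singleDomain = ($forest.Domains.Count -eq 1)
    $allDcsAreGc  = ($gcs.Count -eq $dcs.Count)
    $imMisplaced  = $imIsGc -and -not ($singleDomain -or $allDcsAreGc)

    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        Roles                = $roles
        InfraMasterIsGC      = $imIsGc
        InfraMasterMisplaced = $imMisplaced
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = $gcs.Count
    }
}

function Get-RidPoolStatus {
    # rIDAvailablePool on the RID Manager$ object packs two 32-bit values into one 64-bit integer:
    # the high half is the pool maximum, the low half is the next RID the RID master will hand out.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)" `
                        -Server $Domain -Properties rIDAvailablePool
    $pool    = [int64]$mgr.rIDAvailablePool
    $nextRid = $pool -band 0xFFFFFFFF
    $maxRid  = $pool -shr 32
    [pscustomobject]@{
        Domain    = $dom.DNSRoot
        NextRid   = $nextRid
        MaxRid    = $maxRid
        Remaining = $maxRid - $nextRid   # RIDs the RID master can still allocate domain-wide
    }
}

# Usage: run both for the current domain.
Get-FsmoReport | Format-List
Get-RidPoolStatus
```

`Get-FsmoReport` evaluates the placement rule exactly as the slide states it, so a misplaced infrastructure master in a multi-domain forest where only some DCs are global catalogs is the one case it flags; `Get-RidPoolStatus` shows how close the domain is to exhausting RIDs, which is the condition under which an unavailable RID master stops object creation.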
PLACING FSMO SERVERS
• In a multi-domain environment, you’ll likely move some of the FSMO roles.
• Decisions on placing domain controllers involve:
  – The number of domains that are part of the forest
  – The physical structure, including sites
  – The number of domain controllers in each domain
DEFAULT FSMO ROLE ASSIGNMENTS
ADJUSTING FSMO ROLES IN FOREST ROOT
MANAGING FSMO ROLES
• What happens when a domain controller holding a given FSMO role fails?
• Transferring roles
• Seizing roles
WHAT ARE THE IMPLICATIONS OF FAILURE?
• Schema master
• Domain naming master
• PDC emulator
• RID master
• Infrastructure master
MANAGING ROLES
• Active Directory Users And Computers
  – RID master
  – Infrastructure master
  – PDC emulator
• Active Directory Domains And Trusts—domain naming master
• Microsoft Management Console (MMC) Active Directory Schema snap-in—schema master
• Repadmin
• NTDSUtil—all roles
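The three management slides above distinguish transferring a role (the current holder is online and cooperates) from seizing it (the holder is gone). As an added example that is not part of the course, the PowerShell below wraps the ActiveDirectory module's `Move-ADDirectoryServerOperationMasterRole` so that a seizure is refused while the current holder still answers, and shows the equivalent NTDSUtil session in comments. It assumes the ActiveDirectory module (RSAT) and membership in the group the role requires (Enterprise Admins or Schema Admins for the forest-wide roles); `Test-Connection` reachability is a simple liveness proxy chosen for this example, and the server names are placeholders.

```powershell
# Added example; not part of the course slides. Transfers FSMO roles, and seizes them only
# when the current holder is unreachable. Server names are placeholders.
# Assumes the ActiveDirectory module (RSAT) and the rights each role requires.
Import-Module ActiveDirectory

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize   # only when the current holder is permanently gone
    )

    if ($Seize) {
        # Guard: refuse to seize a role whose holder still responds; a transfer is the safe path.
        $forest = Get-ADForest
        $dom    = Get-ADDomain
        foreach ($r in $Role) {
            $holder = switch ($r) {
                'SchemaMaster'       { $forest.SchemaMaster }
                'DomainNamingMaster' { $forest.DomainNamingMaster }
                default              { $dom.$r }   # PDCEmulator, RIDMaster, InfrastructureMaster
            }
            if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
                throw "Current $r holder $holder is reachable; transfer the role instead of seizing it."
            }
        }
    }

    $action = if ($Seize) { 'Seize' } else { 'Transfer' }
    if ($PSCmdlet.ShouldProcess($TargetDC, "$action $($Role -join ', ')")) {
        # -Force makes the cmdlet seize when a graceful transfer is not possible.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
            -Force:$Seize -Confirm:$false
    }
}

# Equivalent NTDSUtil session (the slide lists NTDSUtil as the tool that covers all roles):
#   ntdsutil: roles
#   fsmo maintenance: connections
#   server connections: connect to server <target-dc>
#   server connections: quit
#   fsmo maintenance: transfer schema master        (or: seize schema master)
#   fsmo maintenance: quit

# Usage (placeholder names): rehearse with -WhatIf, then run without it.
Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator, RIDMaster -WhatIf
Move-FsmoRole -TargetDC 'DC02' -Role SchemaMaster -Seize -WhatIf
```

A seized role is a recovery action, not a routine move: once a role has been seized, the former holder must not be returned to the network with its old directory database, because two domain controllers would then both believe they own the role.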
SUMMARY
• Global catalog function
• Global catalog server placement
• Domain-wide operations masters
• Forest-wide operations masters
• Implications of FSMO failure
• Tools to manage FSMO roles