Understand Active Directory Infrastructure LESSON 3.2 98-365 Windows Server Administration Fundamentals Understand Active Directory Infrastructure

Lesson Overview In this lesson, you will learn about: Domains Active Directory® Forests The 5 operations masters To determine the Operations Masters Trust relationships The points of what the student will learn must reflect the lesson objective.

Anticipatory Set List the five operations master roles. Schema master Domain naming master RID master PDC Emulator Infrastructure master

What Is a Domain? Domains determine replication boundaries and use hierarchical names. All of the domain controllers within a domain can receive changes and replicate them to other domain controllers in the domain. Domains provide several benefits: Organizing objects Publishing resources and information about domain objects Applying a Group Policy object to the domain consolidates management. Delegating authority reduces the need for a number of administrators. Security policies and settings do not cross domains. Each domain stores only the information about the objects located in that domain.

Active Directory Forests When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest. The top-level Active Directory container is called a forest. A forest consists of one or more domains that share a common schema and global catalog. A forest is the security and administrative boundary for all objects that reside within the forest. An organization can have multiple forests, but that will increase the administrative overhead. In contrast, a domain is the administrative boundary for managing objects, such as users, groups, and computers. Each domain can have individual security policies and trust relationships with other domains. When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest. The top-level Active Directory container is called a forest. A forest consists of one or more domains that share a common schema and global catalog. An organization can have multiple forests. A forest is the security and administrative boundary for all objects that reside within the forest. In contrast, a domain is the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain can have individual security policies and trust relationships with other domains. Multiple domain trees within a single forest do not form a contiguous namespace; that is, they have noncontiguous DNS domain names. Although trees in a forest do not share a namespace, a forest does have a single root domain, called the forest root domain. The forest root domain is, by definition, the first domain created in the forest. The Enterprise Admins and Schema Admins groups are located in this domain. By default, members of these two groups have forest-wide administrative credentials.

Operations Masters The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest . Three domain-level roles are assigned to the first domain controller created in a domain. Forest Wide Roles: Schema master Domain naming master Domain Level Roles: RID master PDC Emulator Infrastructure master

Five Operation Masters Schema Master—Responsible for performing updates to the schema. Domain Naming Master—Manages the addition and removal of all domains and directory partitions, regardless of the domain, in the forest hierarchy. RID Master—The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. PDC Emulator—Receives preferential replication of password changes performed by other domain controllers in the domain. Infrastructure Master—Responsible for updating object references in its domain that point to the object in another domain. Schema Master—The schema master is responsible for performing updates to the AD DS schema. The schema master is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest. Having only one schema master for each forest prevents any conflicts that would result if two or more domain controllers attempt to concurrently update the schema. Domain Naming Master—The domain naming master manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller that has the domain naming master role must be available in order to perform the following actions: Add new domains or application directory partitions to the forest. Remove existing domains or application directory partitions from the forest. Add replicas of existing application directory partitions to additional domain controllers. Add or remove cross-reference objects to or from external directories. Prepare the forest for a domain rename operation. RID Master—The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain. PDC Emulator—PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. Infrastructure Master—The infrastructure operations master is responsible for updating object references in its domain that point to the object in another domain. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. The object reference contains the object’s globally unique identifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within and between domains as well as the deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online.

Operation Master Placement Follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory: Leave the two forest-wide roles on a domain controller in the forest root domain Place the two forest-wide roles on a global catalog server Place the three domain-wide roles on the same domain controller In a forest that contains multiple domains, do not place the domain-wide roles on a global catalog server unless all domain controllers in the domain are also global catalog servers Place the domain-wide roles on a higher performance domain controller Adjust the workload of the operations master role holder, if necessary

How to Determine Operation Roles RID, PDC and Infrastructure Click Start  All Programs  Administrative Tools  Active Directory Users and Computers. Right click on your domain and select Operations Masters. This method will display the owner of the RID, PDC, and Infrastructure roles.

How to Determine Operation Roles Domain Naming Master Click Start  All Programs  Administrative Tools  Active Directory Domains and Trusts. Right click on your domain and select Operations Masters. This method will display the Domain Naming Master.

How to Determine Operation Roles Schema Master Click Start  Run. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. A message states the registration was successful. Click Start  MMC.exe in search programs and files. Click File  Add/Remove Snap-in … and add the Active Directory Schema snap-in and click OK. Right click on your domain and select Operations Masters … The DLL has to be registered in order to be able to add the AD schema snap in.

Trust relationships When there are trust relationships between domains, the authentication mechanism for each domain trusts the authentication mechanism for all other trusted domains. Users in a trusted domain have access to resources in the trusting domain, subject to the access controls that are applied in the trusting domain. Remind students about trust relation direction and transitiveness.

Lesson Review What domain controller maintains all 5 operation roles by default? What operation role is responsible for password management? What are the two forest-wide roles? What Domain Controller maintains all 5 operation roles by default? The first domain controller in the forest maintains all 5. What operation role is responsible for password management? PDC emulator. What are the two forest-wide roles? Domain Naming and Schema