Presentation is loading. Please wait.

Presentation is loading. Please wait.

Global Catalog and Flexible Single Master Operations (FSMO) Roles

Published bySilas Jenkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Global Catalog and Flexible Single Master Operations (FSMO) Roles"— Presentation transcript:

1 Global Catalog and Flexible Single Master Operations (FSMO) Roles
Lesson 4

2 Understanding the Functions of the Global Catalog
Facilitating searches for objects in the forest. When a user initiates a search for an object in Active Directory, the request is automatically sent to TCP port 3268. Resolving User Principal Names. Allow user to login using UPN. ITMT 1371 – Window 7 Configuration

3 Understanding the Functions of the Global Catalog
Maintaining universal group membership information. Contains users, groups and computers from any domain in the forest. Maintaining a copy of all objects in the domain A complete copy of all objects from the host server’s local domain. A partial copy of all objects (partial attribute set) from other domains within the same forest.

4 Global Catalog By default, the first domain controller installed in the forest root domain is designated as a global catalog server. Any or all domain controllers in a domain can be designated as global catalog server. The disadvantage of having all domain controllers as global catalogs is the increased traffic since forest information is replicated to all global catalogs.

5 Global Catalog Global catalog placement considerations include:
The speed and reliability of the WAN link. The amount of traffic that will be generated by replication. The size of the global catalog database. Global catalogs are identified with DNS through the SRV records (global catalog, or _gc, service).

6 Universal Group Membership Caching
Used for sites that do not have a global catalog server available. Available with Windows Server 2003 and Windows Server 2008. Stores universal group memberships on a local domain controller that can be used for logon to the domain, eliminating the need for frequent access to a global catalog server.

7 Universal Group Membership Caching
Allows domain controllers to process a logon or resource request without the presence of a global catalog server. Assuming a user has successfully logged on when a global catalog server was available and universal group membership caching was enabled. Enabled on a per-site basis. By default, cache is refreshed every eight hours.

8 Universal Group Membership Caching
It eliminates the need to place a global catalog in a remote location where the link speed is slow or unreliable. It provides better logon performance for users with cached information. It minimizes WAN usage for replication traffic because the domain controller does not have to hold information about forest-wide objects. In addition, these remote domain controllers are not listed in DNS as providers of global catalog services for the forest, further reducing bandwidth constraints.

9 Global Catalog and Universal Group Caching
If universal group caching is not available to record the user’s information into cache and the global catalog server goes offline, the logon attempt will fail. Administrators will be the only ones able to log on.

10 Configuring an Additional Global Catalog Server
Use Active Directory Sites and Services from the Administrative Tools folder. Demonstrate this.

11 Enabling Universal Group Membership Caching
Use Active Directory Sites and Services. Demonstrate this also.

12 Flexible Single Master Operations (FSMO) Roles
To keep a tight control on certain sensitive or special operations, Active Directory uses Flexible Single Master Operations (FSMO) roles. Relative Identifier Master. Infrastructure Master. Primary Domain Controller (PDC) Emulator. Domain Naming Master. Schema Master.

13 Relative Identifier (RID) Master
Domain specific (one per domain). Responsible for assigning relative identifiers (RID) to domain controllers in the domain. Relative identifiers are variable-length numbers assigned by a domain controller when a new object is created.

14 Infrastructure Master
Domain specific (one per domain). Responsible for replicating changes to an object’s security identifier (SID) or distinguished name (DN). Infrastructure Master and Global Catalog works closely together. For best practice, you should place Infrastructure Master and Global Catalog in separate domain controllers.

15 Primary Domain Controller (PDC) Emulator
Domain specific (one per domain). Manages account lockouts. Manages time synchronization for the domain. Manages password changes. When a password is changed, it provides immediate replication to other domain controllers in the domain. Managing edits to Group Policy Objects (GPOs)

16 Domain Naming Master Forest specific (one per forest).
Has the authority to manage the creation and deletion of domains, domain trees, and application data partitions in the forest. When any of these is created, the Domain Naming Master ensures that the name assigned is unique to the forest.

17 Schema Master Forest specific (one per forest).
Responsible for managing changes to the Active Directory schema.

18 Flexible Single Master Operations (FSMO) Roles
When you install the first domain controller in a new forest, that domain controller holds both of the forest-wide FSMOs as well as the three domain-wide FSMOs for the forest root domain. Review all 5 again and emphasize which ones are one per domain and one per forest. The two that are forest have a function that direct for the entire forest. Domain naming and schema.

19 Managing FSMO Roles Role transfer - Used to move a FSMO role gracefully from one domain controller to another. Role seizure - Used only when you have experienced a failure of a domain controller that holds a FSMO role and you forced an ungraceful transfer.

20 Viewing or transferring Domain-Wide FSMO Role Holders
Open the Active Directory Users and Computers MMC snap-in. Right-click the Active Directory Users and Computers node, click All Tasks, and select Operations Masters. Demonstrate this.

21 Viewing or Transferring the Domain Naming Master FSMO Role Holder
In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and select Change Operations Master. Demonstrate this.

22 Viewing or Transferring the Schema Master FSMO Role Holder
Open the Active Directory Schema snap-in. Right-click Active Directory Schema from the console tree and select Change Operations Master. Remember that before you can access the Active Directory Schema snap-in, you need to register the schmmgmt.dll DLL file using the following syntax: regsvr32 schmmgmt.dll Reemphasize this. This will be on the exam.

23 Seizing a FSMO Role Use the ntdsutil command to access the fmso maintenance prompt and use the seize command. Demonstrate ntdsutil command.

24 Summary The global catalog server acts as a central repository for Active Directory by holding a complete copy of all objects within its local domain and a partial copy of all objects from other domains within the same forest. The global catalog has three main functions: the facilitation of searches for objects in the forest, resolution of UPN names, and provision of universal group membership information.

25 Summary A global catalog should be placed in each site when possible. As an alternate solution when a site is across an unreliable WAN link, universal group membership caching can be enabled for the site to facilitate logon requests.

26 Summary Global catalog placement considerations include the speed and reliability of the WAN link, the amount of traffic that will be generated by replication, the size of the global catalog database, and the applications that might require use of port 3268 for resolution. Operations master roles are assigned to domain controllers to perform single-master operations.

27 Summary The Schema Master and Domain Naming Master roles are forest-wide. Every forest must have one and only one of each of these roles. The RID Master, PDC Emulator, and Infrastructure Master roles are domain-wide. Every domain must have only one of each of these roles.

28 Summary The default placement of FSMO roles is sufficient for a single-site environment. However, as your network expands, these roles should be divided to increase performance and reliability.

29 Summary FSMO roles can be managed in two ways:
Role transfer - Transfer a FSMO role to other domain controllers in the domain or forest to balance the load among domain controllers or to accommodate domain controller maintenance and hardware upgrades. Role seizure - Seize a FSMO role assignment when a server holding the role fails and you do not intend to restore it. Seizing a FSMO role is a drastic step that should be considered only if the current FSMO role holder will never be available again.

Download ppt "Global Catalog and Flexible Single Master Operations (FSMO) Roles"

Similar presentations

Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.

Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
Lesson 16: Configuring Domain Controllers

Lesson 16: Configuring Domain Controllers
Chapter 6 Introducing Active Directory

Chapter 6 Introducing Active Directory
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS

ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS
Module 1: Installing Active Directory Domain Services

Module 1: Installing Active Directory Domain Services
(ITI310) SESSIONS 9-10-11-12: Active Directory By Eng. BASSEM ALSAID.

(ITI310) SESSIONS : Active Directory By Eng. BASSEM ALSAID.
11 REVIEWING MICROSOFT ACTIVE DIRECTORY CONCEPTS Chapter 1.

11 REVIEWING MICROSOFT ACTIVE DIRECTORY CONCEPTS Chapter 1.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
Module 7: Implementing Sites to Manage Active Directory Replication.

Module 7: Implementing Sites to Manage Active Directory Replication.
Understand Active Directory Infrastructure

Understand Active Directory Infrastructure

Similar presentations

Ads by Google