Active Directory 2008 : Managing Operations Masters (part 1) - Domain-Wide Operations Master Roles

9/19/2013 1:11:58 AM

1. Understanding Single Master Operations

In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion. Active Directory is no exception. A limited number of operations are not permitted to occur at different places at the same time and must be the responsibility of only one domain controller in a domain or forest. These operations, and the domain controllers that perform them, are referred to by a variety of terms:

  • Operations masters

  • Operations master roles

  • Single master roles

  • Operations tokens

  • Flexible Single Master Operations (FSMOs)

Regardless of the term used, the idea is the same. One domain controller performs a function, and while it does, no other domain controller performs that function.

Not Déjà Vu

If you were an administrator in the days of Microsoft Windows NT 4.0, the concept of operations masters might sound similar to Windows NT primary domain controllers (PDCs). However, single master operations are characteristic of any replicated database, and Active Directory single master operations are strikingly different from Windows NT 4.0 PDCs in several ways:

  • All Active Directory domain controllers are capable of performing single master operations. The domain controller that actually does perform an operation is the domain controller that currently holds the operation’s token.

  • An operation token, and thus the role, can be transferred easily to another domain controller without a reboot.

  • To reduce the risk of single points of failure, the operations tokens can be distributed among multiple DCs.

AD DS contains five operations master roles. Two roles are performed for the entire forest:

  • Domain naming

  • Schema

Three roles are performed in each domain:

  • Relative identifier (RID)

  • Infrastructure

  • PDC Emulator

Each of these roles is detailed in the following sections. In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain master roles are implemented separately in each of the two domains.

Tip

EXAM TIP

Commit to memory the list of forest-wide and domain single master operations. You are likely to encounter questions that test your knowledge of which roles apply to the entire forest and which are domain specific. Exam questions are cast in scenarios and, often, the scenarios provide so much detail that you can lose sight of what is really being asked. When you read items on the certification exam, always ask yourself, “What is really being tested?” Sometimes what is being tested is different from, and simpler than, what the scenario in the question would lead you to believe.

2. Forest-Wide Operations Master Roles

The schema master and the domain naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.

Domain Naming Master Role

The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible or the operation will fail.

Schema Master Role

The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.

3. Domain-Wide Operations Master Roles

Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator. Each role is performed by only one domain controller in the domain.

RID Master Role

The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts and, therefore, SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by assigning a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Thus, each domain controller can be confident that the SIDs it generates are unique.

Note

THE RID MASTER ROLE IS LIKE DHCP FOR SIDS

If you are familiar with the concept that you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.

Infrastructure Master Role

In a multidomain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the group’s member attribute accordingly.

Note

THE INFRASTRUCTURE MASTER

You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.

Phantoms of the Directory

Although you are not expected to understand the internals of the infrastructure master role for the certification exam, such understanding can be helpful in the production environment. When you add a member from another domain into a group in your domain, the group’s member attribute is appended with the distinguished name of the new member. However, your domain might not always have access to a domain controller from the member’s domain, so Active Directory creates a phantom object to represent the member. The phantom object includes only the member’s SID, distinguished name (DN), and globally unique identifier (GUID). If the member is moved or renamed in its domain, its GUID does not change, but its DN changes. If the object is moved between domains, its SID also changes. The infrastructure master periodically—every two days by default—contacts a GC or a DC in the member domain. At that time, the infrastructure master looks for each phantom object, using the GUID of the phantom object. It updates the DN of the phantom objects with the current DN of the object. Any change is then propagated to the member attribute of groups.

After a member is moved or renamed in another domain, and until the infrastructure master has updated DNs, you might look at the membership of a group using the Active Directory Users And Computers snap-in, for example, and the group might appear not to include that member. However, the member continues to belong to the group. The member’s memberOf attribute still refers to the group, so the memberOf attribute and the tokenGroups constructed attribute are unchanged. There is no compromise to security; only an administrator looking at that particular group membership would notice the temporary inconsistency.

PDC Emulator Role

The PDC Emulator role performs multiple, crucial functions for a domain:

  • Emulates a PDC for backward compatibility In the days of Windows NT 4.0 domains, only the PDC could make changes to the directory. Earlier tools, utilities, and clients written to support Windows NT 4.0 are unaware that all Active Directory domain controllers can write to the directory, so such tools request a connection to the PDC. The domain controller with the PDC Emulator role registers itself as a PDC so that down-level applications can locate a writable domain controller. Such applications are less common now that Active Directory is nearly 10 years old, and if your enterprise includes such applications, work to upgrade them for full Active Directory compatibility.

  • Participates in special password update handling for the domain When a user’s password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible. If a user attempts to log on immediately after changing passwords, the domain controller responding to the user’s logon request might not know about the new password. Before it rejects the logon attempt, that domain controller forwards the authentication request to the PDC emulator, which verifies that the new password is correct and instructs the domain controller to accept the logon request. This function means that anytime a user enters an incorrect password, the authentication is forwarded to the PDC emulator for a second opinion. The PDC emulator, therefore, should be highly accessible to all clients in the domain. It should be a well-connected, high-performance DC.

  • Manages Group Policy updates within a domain If a Group Policy object (GPO) is modified on two DCs at approximately the same time, there could be conflicts between the two versions that cannot be reconciled as the GPO replicates. To prevent this situation, the PDC emulator acts as the focal point for all Group Policy changes. When you open a GPO in Group Policy Management Editor (GPME), GPME binds to the domain controller performing the PDC emulator role. Therefore, all changes to GPOs are made on the PDC emulator by default.

  • Provides a master time source for the domain Active Directory, Kerberos, File Replication Service (FRS), and Distributed File System Replication (DFS-R) each rely on timestamps, so synchronizing the time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Windows Time (W32Time) service, ensures consistency of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer.

    Note

    MORE INFO CHANGE THE TIME SERVICE ONLY ONE WAY

    It is highly recommended to allow Windows to maintain its native, default time synchronization mechanisms. The only change you should make is to configure the PDC emulator of the forest root domain to synchronize with an extra time source. If you do not specify a time source for the PDC emulator, the System event log will contain errors reminding you to do so.

  • Acts as the domain master browser When you open Network in Windows, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. These two lists, called browse lists, are created by the Browser service. In each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists of each master browser so that browse clients can retrieve a comprehensive browse list.
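The following PowerShell script is an added example, not code from the original article. It puts two points from this article into a check an administrator can run: the count of operations masters (two forest-wide roles plus three per domain, so five in a single-domain forest and eight with two domains) and the note that the forest root PDC emulator should synchronize with an external time source. It assumes the ActiveDirectory module from RSAT and an account that can read the forest; the function name Get-FsmoInventory is the example's own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# PowerShell module (RSAT) and a domain-joined account that can read the forest.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # Forest-wide roles: exactly one holder each, recorded on the forest object.
    $forest = Get-ADForest
    $roles = @(
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    # Domain-wide roles: RID, Infrastructure and PDC Emulator, once per domain.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        foreach ($r in 'RIDMaster', 'InfrastructureMaster', 'PDCEmulator') {
            $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = $r; Holder = $d.$r }
        }
    }
    return $roles
}

$forest    = Get-ADForest
$inventory = Get-FsmoInventory
$expected  = 2 + 3 * $forest.Domains.Count     # 5 for one domain, 8 for two, ...
$inventory | Format-Table Scope, Domain, Role, Holder -AutoSize

if ($inventory.Count -ne $expected) {
    Write-Warning "Expected $expected operations masters, found $($inventory.Count)."
}
# An empty holder means the role token has no reachable owner (for example a
# failed or improperly demoted DC); that is the condition to investigate.
$inventory | Where-Object { -not $_.Holder } |
    ForEach-Object { Write-Warning "$($_.Domain): $($_.Role) has no holder." }

# Time hierarchy check: the forest root PDC emulator should report an external
# source, not the local clock, otherwise the whole forest is syncing to one CMOS clock.
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$source  = & w32tm.exe /query /source /computer:$rootPdc
"Forest root PDC emulator $rootPdc time source: $source"
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "Forest root PDC emulator is not synchronized with an external time source."
}
```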
