Published by: kktamang09 on Apr 30, 2010
Copyright: Attribution Non-commercial

A Primary Domain Controller (PDC) is a server computer in a pre-Windows 2000 Windows NT Server domain. A domain is a concept used in Windows NT Server operating systems whereby a user may be granted access to a number of computer resources with a single username and password combination.

NT4: actual PDCs
Such domains have at least a Primary Domain Controller, and will often have one or more Backup Domain Controllers (BDCs). The PDC has the master copy of the user accounts database, which it can access and modify. The BDC computers have a copy of this database, but these copies are read-only. The PDC replicates its account database to the BDCs on a regular basis. The BDCs exist in order to provide a backup to the PDC, and can also be used to authenticate users logging on to the network. If a PDC should fail, one of the BDCs can then be promoted to take its place. The PDC will usually be the first domain controller that was created, unless it was replaced by a promoted BDC.

Windows 2000: PDC emulation
In later releases of Windows, such as Windows 2000, NT 4 type domains have been superseded by Active Directory. In Active Directory domains, the concept of Primary and Backup Domain Controllers doesn't exist. Instead, the domain controllers in these domains are all considered to be equal, in that all controllers have full access to the accounts databases stored on their machines.

However, in these later releases of Windows, an Active Directory FSMO role named PDC emulator master does exist in each domain.[1] This PDC emulator master does not have the same special role in replication as the Primary Domain Controller in pre-Windows 2000 systems, but it does have certain additional responsibilities:

The PDC emulator master acts in place of the Primary Domain Controller if there are Windows NT 4.0 domain controllers (BDCs) remaining within the domain, acting as a source for them to replicate from.

The PDC emulator master receives preferential replication of password changes within the domain. As password changes take time to replicate across all the domain controllers in an Active Directory domain, the PDC emulator master receives notification of password changes immediately, and if a logon attempt fails at another domain controller, that domain controller will forward the logon request to the PDC emulator master before rejecting it.

The PDC emulator master also serves as the machine to which all domain controllers in the domain synchronise their clocks. It, in turn, should be configured to synchronise to an external NTP time source.

The PDC role has also been faithfully recreated in Samba, the open-source implementation of Microsoft's SMB client/server system. Samba can emulate an NT 4.0 domain controller running on a Linux machine.
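The time hierarchy described above (every DC follows the domain hierarchy back to the PDC emulator, and only the PDC emulator syncs externally) is easy to get wrong after a role transfer. The following is an added example, not code from the original page: it configures the Windows Time service according to which DC it is run on and then shows the source actually in use. It assumes an elevated PowerShell on a DC with the ActiveDirectory module; the NTP host names are placeholders to replace with your approved sources.

```powershell
# Added example: align w32time with the PDC emulator-rooted time hierarchy.
# Assumed placeholder peers; 0x8 = client mode (request, never accept symmetric peering).
$ExternalNtp = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName

if ($me -ieq $pdc) {
    # The PDC emulator is the root of the domain time hierarchy, so it must
    # take time from outside the domain and advertise itself as reliable.
    w32tm /config /manualpeerlist:"$ExternalNtp" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy, which leads back to the
    # PDC emulator; a stale manual peer list here would bypass that chain.
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time
w32tm /resync

# Verify: the source shown should be an external peer on the PDC emulator and
# a domain controller on every other DC. Kerberos tolerates only a few minutes
# of skew, so an offset measured against the PDC emulator is the value to watch.
w32tm /query /source
w32tm /query /status
w32tm /stripchart /computer:$pdc /samples:3 /dataonly
```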

In Windows NT 4 server domains, the Backup Domain Controller (BDC) is a computer that has a copy of the user accounts database. Unlike the accounts database on the Primary Domain Controller (PDC), the BDC database is a read-only copy. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDCs.

Most domains will have at least one BDC, and often there are several BDCs in a domain. These domains exist to provide fault tolerance. If the PDC fails, then it can be replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new PDC. BDCs can also authenticate user logon requests and take some of the authentication load off the PDC.

When Windows 2000 was released, the NT domain as found in NT 4 and prior versions was replaced by Active Directory. In Active Directory domains running in native mode the concept of primary and backup domain controllers does not exist. In these domains, all domain controllers are considered to be equal. A side-effect of this change is the loss of the ability to create a "read-only" domain controller. Windows Server 2008 reintroduces this capability.

Flexible Single Master Operation (FSMO; the F is sometimes expanded as "floating"; pronounced "fiz-mo"), or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD).[1] As of 2005, the term FSMO has been deprecated in favor of operations masters.

FSMOs are specialized domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication, and are viable only with a single-master database, are the FSMOs.
Description of FSMO Roles
Once per domain
The Relative ID Master allocates pools of relative identifiers (RIDs) to DCs, which use them to build the security identifiers (SIDs) of new AD security principals (users, groups or computer objects). It also manages objects moving between domains.

The Infrastructure Master maintains the security identifiers (SIDs), GUIDs, and distinguished names (DNs) of objects referenced across domains. Most commonly it updates user and group links. This is another domain-specific role, and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess, however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed. Because of this, the hardware requirements for machines holding this role are relatively small.


The PDC Emulator operations master role processes all password changes in the domain. Failed authentication attempts due to a bad password at other domain controllers are forwarded to the PDC Emulator before rejection. This ensures that a user can log on immediately following a password change from any domain controller, without having to wait several minutes for the change to be replicated. The PDC Emulator operations master role must be carefully sited in a location that can best handle all password reset and failed-authentication forwarding traffic for the domain. The PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

For backward compatibility, the PDC emulator performs all of the functionality that a Windows NT 4.0 Server-based PDC (or earlier) performs for Windows NT 4.0-based or earlier clients.

Once per forest
The Schema Master maintains all modifications to the schema of the forest. The schema determines the types of objects permitted in the forest and the attributes of those objects.

The Domain Naming Master tracks the names of all domains in the forest and is required to add new domains to the forest or delete existing domains from the forest. It is also responsible for group

Moving FSMO Roles Between Domain Controllers

By default AD assigns all operations master roles to the first DC created in a forest. If new domains are created in the forest, the first DC in a new domain holds all of the domain-wide FSMO roles. This is not a satisfactory position. Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. When a FSMO role is transferred to a different DC, the original FSMO holder and the new FSMO holder communicate to ensure no data is lost during the transfer. If the original FSMO holder experienced an unrecoverable failure, you can force another DC to seize the lost roles; however, there is a risk of data loss because of the lack of communication. If you seize an FSMO role instead of transferring the role, that domain controller can never be allowed to host that FSMO role again, except for the PDC Emulator and Infrastructure Master operations; otherwise, corruption can occur within Active Directory. FSMO roles can be easily moved between DCs using the AD snap-ins to the MMC or using ntdsutil, which is a command-line tool.[3]
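The transfer-versus-seize distinction above maps directly onto one cmdlet switch in the ActiveDirectory module. As an added example (not from the original page), the function below moves a single role and refuses to seize unless the operator says so explicitly, because a seize skips the handshake with the old holder. "DC02" and the function name are assumptions; the cmdlet and role names are the real ones.

```powershell
# Added example: transfer a FSMO role, seizing only on explicit request.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet("PDCEmulator","RIDMaster","InfrastructureMaster","SchemaMaster","DomainNamingMaster")]
        [string]$Role,
        [switch]$Seize     # only for a holder that is permanently lost
    )
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # Current holder: domain-wide roles come from Get-ADDomain, forest-wide from Get-ADForest.
    $holder = switch ($Role) {
        "SchemaMaster"       { $forest.SchemaMaster }
        "DomainNamingMaster" { $forest.DomainNamingMaster }
        default              { $domain.$Role }
    }
    $targetFqdn = (Get-ADDomainController -Identity $Target).HostName
    if ($holder -ieq $targetFqdn) { return "$Role is already held by $targetFqdn" }

    if (-not $Seize) {
        # Transfer: both DCs communicate, so the role state is handed over intact.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
        return "$Role transferred from $holder to $targetFqdn"
    }
    # Seize: no handshake with the old holder. For Schema, Domain Naming and RID
    # the old holder must be rebuilt rather than reconnected, or two DCs may
    # believe they own the same role and the directory can be corrupted.
    Write-Warning "Seizing $Role on $targetFqdn; old holder $holder must not host it again"
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    return "$Role seized by $targetFqdn"
}

# Usage with assumed names:  Move-FsmoRole -Target DC02 -Role PDCEmulator
# Confirm the new holders afterwards with:  netdom query fsmo
```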

Certain FSMO roles depend on the DC also being a Global Catalog (GC) server. For example, the Infrastructure Master role must not be housed on a domain controller which also houses a copy of the global catalog in a multi-domain forest (unless all domain controllers in the domain are also global catalog servers), while the Domain Naming Master role should be housed on a DC which is also a GC. When a forest is initially created, the first domain controller is a Global Catalog server by default. The Global Catalog provides several functions: it stores object data, answers queries about these objects and their attributes, and provides the data needed for network logon.

The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Naming Master should also be on the same DC. To provide fault tolerance, there should be at least 2 domain controllers available within each domain of the forest. Furthermore, the Infrastructure Master role holder should not also be a Global Catalog server, as the combination of these two roles on the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain environment.[4]
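The placement rules in the last two paragraphs (Schema Master with Domain Naming Master, Domain Naming Master on a GC, PDC emulator with RID master, at least two DCs per domain, Infrastructure Master off the GC unless every DC in the domain is a GC) can be checked read-only from any domain-joined machine with the ActiveDirectory module. The audit below is an added example, not code from the original page; it queries the live forest and reports each deviation as a warning.

```powershell
# Added example: read-only audit of FSMO placement against the guidance above.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $gcs      = @($forest.GlobalCatalogs)          # FQDNs of every GC in the forest
    $findings = @()

    # Forest-wide roles: keep Schema and Domain Naming together, and Domain Naming on a GC.
    if ($forest.SchemaMaster -ine $forest.DomainNamingMaster) {
        $findings += "Schema Master ($($forest.SchemaMaster)) and Domain Naming Master ($($forest.DomainNamingMaster)) are on different DCs"
    }
    if ($gcs -notcontains $forest.DomainNamingMaster) {
        $findings += "Domain Naming Master $($forest.DomainNamingMaster) is not a Global Catalog"
    }

    $multiDomain = @($forest.Domains).Count -gt 1
    foreach ($name in $forest.Domains) {
        $d   = Get-ADDomain -Identity $name
        $dcs = @(Get-ADDomainController -Filter * -Server $name)

        if ($dcs.Count -lt 2) {
            $findings += "${name}: only $($dcs.Count) DC(s); no fault tolerance for domain roles"
        }
        if ($d.PDCEmulator -ine $d.RIDMaster) {
            $findings += "${name}: PDC Emulator ($($d.PDCEmulator)) and RID Master ($($d.RIDMaster)) are on different DCs"
        }
        # Infrastructure Master on a GC is only harmless when every DC in the
        # domain is a GC (it then has no phantom records to clean up) or in a
        # single-domain forest, where the role does no work at all.
        $allGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($multiDomain -and ($gcs -contains $d.InfrastructureMaster) -and -not $allGc) {
            $findings += "${name}: Infrastructure Master $($d.InfrastructureMaster) is a GC while other DCs are not"
        }
    }
    return $findings
}

$result = Test-FsmoPlacement
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { "FSMO placement matches the guidance" }
```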
