ch21
Published by: api-27605687 on Oct 16, 2008
CHAPTER 21

Managing and Maintaining an Active Directory Infrastructure

In this chapter, you will learn how to

• Implement server roles
• Restore Active Directory
• Manage an Active Directory forest and domain structure
• Manage Active Directory database replication
• Troubleshoot Active Directory using Microsoft utilities

Throughout this book, you've learned about the components of the Active Directory infrastructure. We've examined the objects Active Directory stores and manages, and we've built our enterprise using the various physical and logical Active Directory components.

In this chapter, we'll expand on some of these concepts as we manage, monitor, and optimize Active Directory performance. For example, in Chapter 18, we defined the Active Directory schema and its role in the forest. Now we'll look at the instances where that schema might be extended beyond its default settings and learn about the procedures involved.

We'll also cover how to back up and restore your Active Directory database, one of the most critical tasks you will ever face. Hopefully, you won't need to perform a restore operation very often. But if Active Directory information is lost, it can cost your business lots of money, and it could cost you your job. You can be certain that Microsoft expects you to know how to get Active Directory up and running again in the event of a failure.

Implementing Server Roles

As mentioned earlier, all Active Directory domain controllers are peers, and each of those peers sends Active Directory updates using the multi-master replication model. With multi-master replication, changes can be made to any domain controller, and eventually those changes—using the replication topology discussed in Chapter 19—are known by all other domain controllers in the domain.

But certain changes to Active Directory information are impractical to replicate using the multi-master replication model. Therefore, some domain controllers in the network perform single-master roles, where certain types of changes are made at only one server using the Windows NT 4.0–style single-master model of replication. That is, a change of information is made in only one location, and these changes are then pushed to other servers participating in replication. All domain controllers are made aware of the changes made at these single-master servers, but only one server manages the changes. These vital domain controllers are known as the Flexible Single Master Operations (FSMO; pronounced "fizz-mo") servers.

You can think of the single-master operations roles as the workers in most small companies (and several big ones as well). At times, employees at small companies have to wear different hats, one minute working in sales, the next in marketing, the next in customer service or repair. Similarly, a Windows Server 2003 machine can wear several of these Active Directory hats at once when providing these single-master roles in the Active Directory enterprise. It's like a server being both a DNS and a DHCP server at the same time.

Planning Flexible Operations Master Role Placement

In every forest, five FSMO roles are assigned to one or more domain controllers. Two of these operations masters are forest-wide: there is only one such server in the forest. Three are domain-wide roles: in every forest, certain single-master roles will be held on only one server per domain. Let's take a look at these roles.

Forest-Wide Operations Master Roles
Every Active Directory forest must have the following single operations master roles in place: the schema master and the domain naming master.

These two roles must be unique throughout the forest. For every forest, there will be only one domain controller that's the schema master and one that's the domain naming master, even though both of these roles can be located at the same machine.

TIP These two roles are created on the first domain controller installed at the forest root domain. In other words, the first computer in the forest holds these two forest-wide roles by default.

The responsibilities of each role are as follows:

• Schema master: The schema master controls all updates and alterations to the schema. Whenever you are extending the schema or are installing an application that does so, such as Exchange Server, the schema master must be available.

• Domain naming master: The domain controller acting as domain naming master is contacted when you are adding or removing domains in the Active Directory enterprise.

MCSE Windows Server 2003 All-in-One Exam Guide, Part IV
TIP A domain naming master in a forest set to the Windows 2000 functional level must also be enabled as a Global Catalog server. This is not the case when the domain is set to the Windows Server 2003 functionality level.
Domain-Wide Operations Master Roles

For a domain to function as it should, every domain must have servers providing these single-master roles:

• Relative ID (RID) master
• Primary Domain Controller (PDC) emulator master
• Infrastructure master

Just as the forest-wide operations masters are unique within the forest, these roles must be unique within each domain. Let's take a look at the importance of each of these roles now.

RID Master

The RID master distributes relative IDs (RIDs) to each of the domain controllers installed for a particular domain. Whenever a domain controller creates an Active Directory user, group, or computer, it assigns a security identifier (SID). This SID is made up of a domain SID, which is the same for all objects within a domain, and a RID, which is unique within that domain. The domain controllers get their RID numbers from the RID master. This ensures that the objects created in a domain all have unique SIDs throughout the forest.

Further, when you want to move Active Directory objects from one domain to another, you do so at the computer currently acting as the source domain's RID master. The object then gets a new SID assigned to reflect the membership in the new domain. There is only one RID master per domain.

PDC Emulator Master

In the Windows NT 4.0 domain model, directory information was replicated using a single-master model. All changes to the directory database—such as a change of password—were made at the PDC and then replicated to Backup Domain Controllers (BDCs). In a Windows Server 2003 domain, it's still possible to have Windows NT 4.0 domain controllers, but they must be BDCs. (A PDC would indicate the presence of a Windows NT 4.0 domain, not a Windows Server 2003 domain.)

The PDC emulator exists to "fool" Windows NT 4.0 backup domain controllers into thinking they're communicating with a PDC. The PDC emulator is also the first domain controller notified whenever password changes are performed by other domain controllers in the domain. If a password is recently changed, it can take some time for all domain controllers to be notified of the change. If a user submits a logon to a domain controller that does not have the updated password, the logon request is forwarded to the PDC emulator before rejecting the logon attempt.

The PDC emulator also provides other services not readily apparent from its name. By default, this FSMO server is responsible for synchronizing the time on all domain controllers throughout the domain. It's often advisable for the server with the PDC emulator role to be configured to synchronize with an external time server. You can
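To put the role descriptions in this section into practice, the following PowerShell script is an added example (not from the book) that lists the five FSMO role holders for the current forest and domain and applies two of the checks described above: the Global Catalog requirement for the domain naming master at the Windows 2000 forest level, and whether the PDC emulator is actually taking time from an external source. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, not the Windows Server 2003-era tools the book covers) and an account with read access to the forest and domain objects; every hostname it prints comes from the live environment.

```powershell
# Added example: audit FSMO role placement against two rules from this chapter.
# Assumes the ActiveDirectory module (Windows Server 2008 R2+ RSAT) and rights to
# read the forest and domain objects; w32tm is part of Windows itself.
Import-Module ActiveDirectory

$forest = Get-ADForest    # exposes SchemaMaster, DomainNamingMaster, ForestMode
$domain = Get-ADDomain    # exposes RIDMaster, PDCEmulator, InfrastructureMaster

# Two forest-wide roles (one holder per forest) and three domain-wide roles
# (one holder per domain), in the order the chapter introduces them.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
"FSMO role holders for $($domain.DNSRoot) (forest $($forest.Name)):"
$roles.GetEnumerator() | ForEach-Object { '  {0,-22} {1}' -f $_.Key, $_.Value }

# Check 1: at the Windows 2000 forest functional level the domain naming master
# must also be a Global Catalog server (the TIP earlier in this section).
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if ($forest.ForestMode -eq 'Windows2000Forest' -and -not $dnm.IsGlobalCatalog) {
    Write-Warning ("Domain naming master {0} is not a Global Catalog; " +
                   "this is required at the Windows 2000 forest level.") -f $dnm.HostName
} else {
    "Domain naming master GC check: OK (forest mode $($forest.ForestMode))"
}

# Check 2: the PDC emulator is the domain's default time authority, so it should
# synchronize from an external server rather than free-running on its own clock.
$timeSource = (w32tm /query /computer:$($domain.PDCEmulator) /source | Out-String).Trim()
if ($timeSource -match 'Local CMOS Clock|Free-running') {
    Write-Warning ("PDC emulator {0} reports time source '{1}'; " +
                   "configure an external NTP source.") -f $domain.PDCEmulator, $timeSource
} else {
    "PDC emulator $($domain.PDCEmulator) time source: $timeSource"
}
```

Run it from a domain-joined management workstation; a warning from either check points at the role holder that needs attention, and the role list itself is what you would compare against your placement plan after any domain controller is promoted or demoted.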
