Managing and Maintaining an Active Directory
• Implement server roles
• Restore Active Directory
• Manage an Active Directory forest and domain structure
• Manage Active Directory database replication
• Troubleshoot Active Directory using Microsoft utilities
Throughout this book, you’ve learned about the components of the Active Directory infrastructure. We’ve examined the objects Active Directory stores and manages, and we’ve built our enterprise using the various physical and logical Active Directory components.
In this chapter, we’ll expand on some of these concepts as we manage, monitor, and optimize Active Directory performance. For example, in Chapter 18, we defined the Active Directory schema and its role in the forest. Now we’ll look at the situations in which that schema might be extended beyond its default settings and learn about the procedures involved.
We’ll also cover how to back up and restore your Active Directory database, one of the most critical tasks you will ever face. Hopefully, you won’t need to perform a restore operation very often. But if Active Directory information is lost, it can cost your business a great deal of money, and it could cost you your job. You can be certain that Microsoft expects you to know how to get Active Directory up and running again in the event of a failure.
As mentioned earlier, all Active Directory domain controllers are peers, and each of those peers sends Active Directory updates using the multi-master replication model. With multi-master replication, changes can be made at any domain controller, and
But certain changes to Active Directory information are impractical to replicate using the multi-master model, because two domain controllers accepting the same kind of change at once could produce conflicting results. Therefore, some domain controllers in the network perform single-master roles, where certain types of changes are made at only one server, using the Windows NT 4.0–style single-master model of replication: a change is made in only one location and is then pushed to the other servers participating in replication. All domain controllers are made aware of the changes made at these single-master servers, but only one server accepts them. The domain controllers holding these roles are known as Flexible Single Master Operations (FSMO; pronounced “fizz-mo”) role holders, or operations masters.
You can think of the single-master operations roles as the workers in most small companies (and several big ones as well). At times, employees at small companies have to wear different hats, one minute working in sales, the next in marketing, the next in customer service or repair. Similarly, a Windows Server 2003 machine can wear several of these Active Directory hats at once when providing single-master roles in the Active Directory enterprise. It’s like a server being both a DNS and a DHCP server at the same time.
There are five FSMO roles. Two of them are forest-wide: exactly one domain controller in the entire forest holds each of them. The other three are domain-wide: each domain in the forest has exactly one holder of each, so a forest with several domains has several holders of each domain-wide role. Let’s take a look at these roles.
The two forest-wide roles must be unique throughout the forest. For every forest, there will be only one domain controller that’s the schema master and one that’s the domain naming master, although both roles can be held by the same machine.
• Schema master: The schema master controls all updates and alterations to the schema. Whenever you are extending the schema, or are installing an application that does so, such as Exchange Server, the schema master must be available.
• Domain naming master: The domain controller acting as domain naming master is contacted when you are adding or removing domains in the Active Directory enterprise.
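Before a schema extension or a domain addition, a practitioner wants to know which domain controller holds the role in question and whether it is actually answering. The following PowerShell is an added example, not code from the book; it assumes the ActiveDirectory module (RSAT) is installed and that the session is running in the forest. It goes beyond the two forest-wide roles and also lists the three domain-wide holders for every domain in the forest, because the same check applies to them.

```powershell
# Added example (not from the book): enumerate the five FSMO role holders and
# verify that each holder answers both ICMP and an LDAP bind.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles = [ordered]@{
    'Schema master'        = $forest.SchemaMaster
    'Domain naming master' = $forest.DomainNamingMaster
}

# The three domain-wide roles are held once per domain, so walk every domain.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles["RID master ($domainName)"]            = $domain.RIDMaster
    $roles["PDC emulator ($domainName)"]          = $domain.PDCEmulator
    $roles["Infrastructure master ($domainName)"] = $domain.InfrastructureMaster
}

foreach ($entry in $roles.GetEnumerator()) {
    $holder = $entry.Value
    # A role holder that is offline blocks schema extensions, domain additions,
    # RID pool requests and so on, so test it directly rather than trusting the
    # name that replication left in the directory.
    $icmp = Test-Connection -ComputerName $holder -Count 1 -Quiet
    $ldap = $false
    if ($icmp) {
        try { $null = Get-ADRootDSE -Server $holder; $ldap = $true } catch { }
    }
    [pscustomobject]@{
        Role      = $entry.Key
        Holder    = $holder
        IcmpReply = $icmp
        LdapBind  = $ldap
    }
}
```

On a Windows Server 2003 box without the module, `netdom query fsmo` lists the same five holders for the current domain and forest; the reachability check is the part that matters, since the directory will happily keep reporting a role holder that has been off the network for weeks.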
• Relative ID (RID) master
• Primary Domain Controller (PDC) emulator master
The RID master allocates blocks of RIDs to each of the domain controllers installed for a particular domain. Whenever a domain controller creates an Active Directory user, group, or computer, it assigns a security identifier (SID). This SID is made up of a domain SID, which is the same for all objects within a domain, and a RID, which is unique within that domain. The domain controllers get their RID numbers from the RID master, so two domain controllers never hand out the same RID. This ensures that the objects created in a domain all have unique SIDs throughout the forest.
Further, when you want to move Active Directory objects from one domain to another, you do so at the computer currently acting as the source domain’s RID master. The object then gets a new SID assigned to reflect its membership in the new domain. There is only one RID master per domain.
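The domain SID plus RID structure described above, and the RID block a domain controller has been handed, can both be inspected directly. The following PowerShell is an added example, not from the book; the sample SID is constructed, the domain controller name is hypothetical, and the second function assumes the ActiveDirectory module and a live domain.

```powershell
# Added example (not from the book): split an account SID into its domain SID
# and RID, then read the RID pool a domain controller has been allocated.
# Assumes the ActiveDirectory module; the sample SID below is constructed.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    # AccountDomainSid is the domain SID (null for well-known SIDs such as
    # S-1-5-32-544); the final sub-authority is the RID.
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        Rid       = [uint32]$sid.Value.Substring($sid.Value.LastIndexOf('-') + 1)
    }
}

# Constructed SID: S-1-5-21-<three domain sub-authorities>-<RID>
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1105'
# DomainSid -> S-1-5-21-3623811015-3361044348-30300820, Rid -> 1105

function Get-DcRidPool {
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    # The "RID Set" object lives under the DC's computer object. rIDAllocationPool
    # packs the pool into one 64-bit integer: low 32 bits = first RID in the
    # block, high 32 bits = last RID. rIDNextRID is the next one the DC will use.
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Properties rIDAllocationPool, rIDNextRID
    $pool = [int64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        DomainController = $dc.HostName
        PoolStart        = $pool -band 0xFFFFFFFF
        PoolEnd          = $pool -shr 32
        NextRid          = $ridSet.rIDNextRID
    }
}

# Get-DcRidPool -DcName 'DC01'   # hypothetical DC name
```

If `NextRid` is close to `PoolEnd` on a DC and the RID master is unreachable, that DC will stop creating security principals once its block is exhausted, which is the practical reason the RID master has to be monitored even though it is rarely contacted.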
In a Windows NT 4.0 domain, directory information was replicated using a single-master model. All changes to the directory database, such as a change of password, were made at the PDC and then replicated to Backup Domain Controllers (BDCs). In a Windows Server 2003 domain, it’s still possible to have Windows NT 4.0 domain controllers, but they must be BDCs. (A PDC would indicate the presence of a Windows NT 4.0 domain, not a Windows Server 2003 domain.)
The PDC emulator exists to “fool” Windows NT 4.0 backup domain controllers into thinking they’re communicating with a PDC. The PDC emulator is also the first domain controller notified whenever a password change is performed at another domain controller in the domain. After a password is changed, it can take some time for all domain controllers to learn of the change. If a user submits a logon to a domain controller that does not yet have the updated password, that domain controller forwards the request to the PDC emulator before rejecting the logon attempt, so a user with a freshly changed password is not locked out while replication catches up.
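One way to watch this behaviour is to change a password at a domain controller that is not the PDC emulator and then read `pwdLastSet` for the account from every DC in the domain: the PDC emulator should show the new timestamp almost immediately, the other DCs only after the normal replication interval. The following PowerShell is an added example, not from the book; it assumes the ActiveDirectory module, and the account name and DC name in the usage lines are hypothetical.

```powershell
# Added example (not from the book): compare pwdLastSet for one account across
# every DC in the domain, flagging which answer came from the PDC emulator.
# Assumes the ActiveDirectory module; account and DC names are hypothetical.
Import-Module ActiveDirectory

function Get-PwdLastSetAcrossDcs {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$DomainControllers
    )
    if (-not $DomainControllers) {
        $DomainControllers = (Get-ADDomainController -Filter *).HostName
    }
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in $DomainControllers) {
        try {
            # -Server forces the query to one specific DC instead of the closest one.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties pwdLastSet
            $when = if ($u.pwdLastSet) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { 'must change' }
            [pscustomobject]@{
                DomainController = $dc
                IsPdcEmulator    = ($dc -ieq $pdc)
                PwdLastSetUtc    = $when
            }
        } catch {
            [pscustomobject]@{
                DomainController = $dc
                IsPdcEmulator    = ($dc -ieq $pdc)
                PwdLastSetUtc    = "error: $($_.Exception.Message)"
            }
        }
    }
}

# 1. Reset the password at a DC that is not the PDC emulator (hypothetical names):
# Set-ADAccountPassword -Identity jdoe -Server DC02 -Reset `
#     -NewPassword (Read-Host -AsSecureString 'New password')
# 2. Immediately afterwards, see where the change has landed:
Get-PwdLastSetAcrossDcs -SamAccountName 'jdoe' |
    Sort-Object PwdLastSetUtc -Descending | Format-Table -AutoSize
```

The DC you changed the password at and the PDC emulator should agree within seconds; a PDC emulator that lags behind the other DCs here is a sign that the urgent replication path to it is broken, and users will start seeing logon failures right after password changes.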
The PDC emulator also provides other services not readily apparent from its name. By default, this FSMO role holder is the authoritative time source for all domain controllers in its domain, and the PDC emulator of the forest root domain is in turn the time source for the PDC emulators of the other domains in the forest. It’s therefore advisable to configure the forest root domain’s PDC emulator to synchronize with an external time server; if it free-runs on its local clock, every clock in the forest drifts with it, and Kerberos authentication starts failing once clocks differ by more than the default five-minute tolerance. You can
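The check and the change a practitioner would make on the forest root PDC emulator, as an added example that is not from the book: it assumes the ActiveDirectory module, an elevated session on the PDC emulator itself, and the NTP server names are placeholders to be replaced with your own.

```powershell
# Added example (not from the book): confirm this host is the forest-root PDC
# emulator, show its current time source, then point it at external NTP servers
# and mark it reliable. Run elevated on the PDC emulator. NTP names are placeholders.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$rootPdc    = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$here       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($rootPdc -ine $here) {
    Write-Warning "Forest-root PDC emulator is $rootPdc, not this host ($here). Configure external time there."
    return
}

# Current state. A PDC emulator whose source is "Local CMOS Clock" is free-running,
# and the whole forest will drift with it.
w32tm /query /source
w32tm /query /status

# 0x8 on each peer = client mode. /reliable:yes advertises this DC as a good
# time source to the rest of the domain hierarchy.
$peers = 'time.example.net,0x8 time2.example.net,0x8'   # placeholder servers
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service W32Time
w32tm /resync /rediscover

# After the change the source should be one of the external peers.
w32tm /query /source
```

Every other domain controller should be left on the domain hierarchy (`w32tm /config /syncfromflags:domhier /update`), which leads it back through its own domain’s PDC emulator to this server; only the forest root PDC emulator should talk to the outside.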