Flexible Single Master Operation (FSMO)
These are the few tasks in an AD domain that are always delegated exclusively to one single DC.
Usually, in an AD forest with several DCs, any DC task can be done by any of the DCs: the directory is multi-master, so a DC that does nothing but act as a DC can simply be replaced by another one, and if such a DC fails the others take over automatically, without anything getting lost.
The FSMO roles are the exceptions to this rule. They are a remnant of the older NT4 scheme, in which the DCs were not all equal: there had to be exactly one Primary Domain Controller, and all others were Backup Domain Controllers.
In AD there are still a few special tasks that cannot be shared arbitrarily and are therefore delegated to one single DC. One example is the allocation of RIDs, which must be unique: if several DCs created them independently they would have to coordinate so as never to produce the same one, and it is much simpler to let a single DC hand out the pools.
Usually all FSMO roles are held by the same DC. In a new AD domain the first DC takes all FSMO roles. If that DC is later demoted gracefully, the roles are transferred to another DC as part of the demotion; if it fails for good, the roles must be seized on another DC, and a DC whose Schema Master, Domain Naming Master or RID Master role was seized must never be brought back online. For this reason it is important that the admin knows which of the DCs hold which of the FSMO roles.
There are five different roles:
- Schema Master (one for the forest)
- Domain Naming Master (one for the forest)
- PDC Emulator (one for each domain)
- RID Master (one for each domain)
- Infrastructure Master (one for each domain)
Partitions. The Active Directory database is organized in partitions, each holding specific object types and following its own replication pattern; Microsoft often refers to these partitions as 'naming contexts'. The Schema partition contains the definitions of the object classes and attributes valid throughout the forest, the Configuration partition holds forest-wide topology data such as sites and the list of partitions, and each domain has its own Domain partition; application partitions (for example the ones holding AD-integrated DNS zones) can be added. The two forest-wide FSMO roles are tied to the two forest-wide partitions, the three domain-wide roles to the Domain partition.
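The five roles listed above are not stored as a list anywhere; each one is recorded on one well-known object in the partition it belongs to, and that object's fSMORoleOwner attribute points at the NTDS Settings object of the owning DC. The following Python is an added example (not code from the original article) that resolves the five owners from such LDAP data and flags two things an admin wants to know: whether the roles are split across DCs, and whether the Infrastructure Master sits on a global catalog while other DCs are not. The forest name, DC names, site names and the LDAP results are constructed sample data.

```python
"""Find the FSMO role holders from LDAP data.

Added example; this is not code from the original article. AD records each
FSMO role on one well-known object, whose fSMORoleOwner attribute holds the
DN of the NTDS Settings object of the DC currently owning the role. The
entries below are constructed sample LDAP results for a single-domain forest.
"""
import re

# Object that carries fSMORoleOwner for each role.
# {forest} = DN of the forest root domain, {domain} = DN of the domain checked.
ROLE_OBJECTS = {
    "Schema Master":         "CN=Schema,CN=Configuration,{forest}",
    "Domain Naming Master":  "CN=Partitions,CN=Configuration,{forest}",
    "PDC Emulator":          "{domain}",
    "RID Master":            "CN=RID Manager$,CN=System,{domain}",
    "Infrastructure Master": "CN=Infrastructure,{domain}",
}

# fSMORoleOwner values have the form
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,<forest>
_NTDS_DN = re.compile(
    r"^CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),"
    r"CN=Sites,CN=Configuration,",
    re.IGNORECASE,
)


def fsmo_holders(entries, forest_dn, domain_dn):
    """Return {role: (server, site)}.

    `entries` maps object DN -> fSMORoleOwner value, as returned by an LDAP
    base search of each role object. A missing object raises KeyError and a
    malformed owner raises ValueError: a role whose owner cannot be resolved
    (e.g. a dead DC whose NTDS Settings object is gone) needs attention.
    """
    by_dn = {dn.lower(): owner for dn, owner in entries.items()}
    holders = {}
    for role, template in ROLE_OBJECTS.items():
        obj_dn = template.format(forest=forest_dn, domain=domain_dn).lower()
        owner = by_dn[obj_dn]
        m = _NTDS_DN.match(owner)
        if not m:
            raise ValueError(f"{role}: unexpected fSMORoleOwner {owner!r}")
        holders[role] = (m["server"], m["site"])
    return holders


def role_servers(holders):
    """DCs holding at least one role. More than one means the roles are split
    and each holder has to be tracked separately."""
    return {server for server, _site in holders.values()}


def infra_master_on_gc(holders, gc_servers, all_dcs):
    """True if the Infrastructure Master is a global catalog while some DC in
    the domain is not: in that configuration it never notices stale
    cross-domain references. Irrelevant in a single-domain forest."""
    server, _site = holders["Infrastructure Master"]
    return server in set(gc_servers) and set(all_dcs) != set(gc_servers)


# Constructed sample data for corp.example.com (forest root = only domain).
FOREST_DN = "DC=corp,DC=example,DC=com"
DOMAIN_DN = FOREST_DN
_DC01 = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration," + FOREST_DN)
_DC02 = ("CN=NTDS Settings,CN=DC02,CN=Servers,CN=Branch-Site,"
         "CN=Sites,CN=Configuration," + FOREST_DN)
SAMPLE_ENTRIES = {
    "CN=Schema,CN=Configuration," + FOREST_DN: _DC01,
    "CN=Partitions,CN=Configuration," + FOREST_DN: _DC01,
    DOMAIN_DN: _DC01,
    "CN=RID Manager$,CN=System," + DOMAIN_DN: _DC01,
    "CN=Infrastructure," + DOMAIN_DN: _DC02,
}

if __name__ == "__main__":
    holders = fsmo_holders(SAMPLE_ENTRIES, FOREST_DN, DOMAIN_DN)
    for role, (server, site) in holders.items():
        print(f"{role:22} {server} (site {site})")
    print("role holders:", sorted(role_servers(holders)))
    print("IM on GC while DC01 is not:",
          infra_master_on_gc(holders, gc_servers={"DC02"}, all_dcs={"DC01", "DC02"}))
```

Against a live domain the same five objects can be read with any LDAP client (a base-scope search for the attribute fSMORoleOwner on each object DN), and the built-in tools report the same information with `netdom query fsmo` or the PowerShell cmdlets `Get-ADForest` (SchemaMaster, DomainNamingMaster) and `Get-ADDomain` (PDCEmulator, RIDMaster, InfrastructureMaster).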
Active Directory Components
Domains, organizational units (OUs), domain trees and forests are considered logical structures. Sites and domain controllers are considered physical structures.
- Domains are the main logical structure in Active Directory because they contain the directory objects: users, computers, printers, shared resources and more are all stored in domains. Access to the objects in a domain is controlled by access control lists (ACLs), and the domain is the boundary for administration and for replication of the domain partition. It is often called a security boundary, but the real security boundary is the forest: an administrator of any domain in a forest can gain control of the whole forest, so domains separate administration, not trust. The domain functional level enables additional Active Directory features; an administrator raises it once every DC in the domain runs the required Windows version. Windows 2000 used the term 'domain mode' instead of 'domain functional level'. The domain functional levels available in Windows Server 2003 are Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim, and Windows Server 2003.
- Organizational Unit (OU): An OU is a container used to organize objects such as users, computers, and other OUs within a domain into a logical administrative group. An OU is the smallest Active Directory component to which administrative authority is normally delegated. Each domain can have its own OU hierarchy.
- Domain Trees: When multiple domains are grouped into a hierarchical structure by adding child domains to a parent domain, a domain tree is created. Domains belong to the same domain tree when they share a contiguous DNS namespace. A two-way transitive trust between the parent domain and the child domain is created automatically when the child domain is created.
- Forests: A forest is the grouping of one or more domain trees. All domain trees in a forest share a common schema, configuration, and global catalog, and all domains in the forest are linked by two-way transitive trusts. Through the forest functional level, additional forest-wide Active Directory features can be enabled. The forest functional levels available in Windows Server 2003 are Windows 2000, Windows Server 2003 Interim, and Windows Server 2003.
- Sites: In Active Directory, a site is a grouping of one or more IP subnets. Sites are typically defined as locations in which network connectivity is highly reliable, fast, and inexpensive; clients use them to find a nearby DC, and replication uses them to decide how changes travel.
- Domain Controllers (DCs): A domain controller is a server that stores a writable copy of Active Directory and maintains the Active Directory data store. Certain master roles can be assigned to domain controllers within a domain and forest. Domain controllers that are assigned such roles are called Operations Masters; they are the only DCs permitted to make particular kinds of changes, which then replicate to the remaining domain controllers like any other change. There are five master roles. Two of them, the forest-wide roles, are assigned to one domain controller in the whole forest. The other three, the domain-wide roles, are assigned to one domain controller in every domain.
- The Schema Master is a forest-wide master role. The domain controller holding it is the only one on which the schema can be modified; the changes then replicate to every DC in the forest.
- The Domain Naming Master is a forest-wide master role. The domain controller holding it controls changes to the forest's namespace, such as adding and removing domains (and application partitions), so that no two partitions get the same name.
- The Relative ID (RID) Master is a domain-wide master role. The domain controller holding it hands out blocks (pools) of relative IDs to the other domain controllers in the domain; each DC consumes its pool when it creates users, groups and computers, which is what keeps SIDs unique even though any DC can create objects. It also handles moving objects from one domain to another.
- The PDC Emulator is a domain-wide master role. The domain controller holding it acts like a Windows NT primary domain controller towards NT backup domain controllers and pre-Windows 2000 clients, but it matters just as much in a pure AD domain: password changes are replicated to it preferentially and other DCs retry failed authentications against it, it processes account lockouts, it is the authoritative time source of the domain (the forest root domain's PDC Emulator is the time source for the whole forest), and the Group Policy tools connect to it by default when editing GPOs.
- The Infrastructure Master is a domain-wide master role. The domain controller holding it keeps cross-domain object references up to date, for example the membership of a group whose members live in another domain, when those objects are renamed or moved. It must not be a global catalog server unless every DC in the domain is one, because a global catalog already holds a copy of every object and the Infrastructure Master would then never notice that a reference has gone stale.
Active Directory Schema
The Active Directory schema defines what types of objects can be
stored in Active Directory. It also defines what the attributes of these
objects are. The following two types of schema objects, or metadata, define the schema:
- Schema class objects (schema classes): Define the objects that can be created and stored in Active Directory. When a new class is created, its definition records which schema attributes the class carries; a schema class is therefore essentially a set of schema attribute objects.
- Schema attribute objects (schema attributes): Define the individual pieces of information that object classes carry. An object's attributes are also called the object's properties.
Although Active Directory includes a large number of object classes, additional object classes and attributes can be created if necessary. These additions are known as schema extensions. Extensions can only be performed on the domain controller holding the Schema Master role, and because a schema change is forest-wide and schema objects cannot be deleted again (only deactivated), membership of the Schema Admins group should be kept empty except while an extension is being applied.
The object classes that can be granted permissions in access control lists (ACLs) are User, Computer, and Group. These object classes are called security principals. Every security principal has a Security Identifier (SID), a unique number that consists of the SID of the security principal's domain followed by a Relative ID (RID), a suffix that is unique within the domain. RIDs below 1000 are reserved for well-known accounts and groups (for example 500 for the built-in Administrator and 512 for Domain Admins); everything created later receives a RID from the pools the RID Master allocates.
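The domain SID plus RID structure is easiest to see by taking a SID apart. The following Python is an added example (not code from the original article): it parses both the string form and the binary form stored in the objectSid attribute, splits off the domain SID and RID, and names the RIDs that are fixed in every domain. The sample SID values are constructed.

```python
"""Decode Windows security identifiers (SIDs) into domain SID and RID.

Added example; not from the original article. It handles the string form
(S-1-5-21-...) and the binary form stored in the objectSid attribute, and
names the RIDs that are fixed in every domain. All sample SIDs are
constructed.
"""
import struct

# RIDs that are identical in every AD domain (selection of Microsoft's
# well-known RIDs). RIDs below 1000 are reserved for such accounts and
# groups; RIDs from 1000 upward come from the RID Master's pools.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",      # meaningful only in the forest root domain
    519: "Enterprise Admins",  # meaningful only in the forest root domain
}


def parse_sid_string(sid):
    """'S-1-5-21-A-B-C-RID' -> (revision, identifier_authority, [subauthorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)       # decimal, or 0x... for authorities > 2**32
    subauthorities = [int(p) for p in parts[3:]]
    return revision, authority, subauthorities


def parse_sid_bytes(blob):
    """Binary SID: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subauthorities = list(struct.unpack("<%dI" % count, blob[8:]))
    return revision, authority, subauthorities


def sid_to_bytes(revision, authority, subauthorities):
    """Inverse of parse_sid_bytes (e.g. to build an LDAP filter on objectSid)."""
    return (bytes([revision, len(subauthorities)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauthorities), *subauthorities))


def sid_to_string(revision, authority, subauthorities):
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauthorities)


def describe_sid(sid):
    """Split a SID into its issuing-domain part and RID, and classify it.

    Domain SIDs are S-1-5-21-<three 32-bit values>-<RID>; the prefix without
    the RID is the domain SID. S-1-5-32-<RID> is the local BUILTIN domain.
    """
    if isinstance(sid, (bytes, bytearray)):
        rev, auth, subs = parse_sid_bytes(bytes(sid))
    else:
        rev, auth, subs = parse_sid_string(sid)
    text = sid_to_string(rev, auth, subs)
    if auth == 5 and len(subs) == 5 and subs[0] == 21:
        kind = "domain"
    elif auth == 5 and len(subs) == 2 and subs[0] == 32:
        kind = "builtin"
    else:
        return {"sid": text, "kind": "other", "domain_sid": None, "rid": None, "name": None}
    rid = subs[-1]
    return {
        "sid": text,
        "kind": kind,
        "domain_sid": sid_to_string(rev, auth, subs[:-1]),
        "rid": rid,
        "name": WELL_KNOWN_RIDS.get(rid) if kind == "domain" else None,
    }


# Constructed sample: the built-in Administrator (RID 500) of a fictional domain.
SAMPLE_ADMIN = "S-1-5-21-1004336348-1177238915-682003330-500"

if __name__ == "__main__":
    print(describe_sid(SAMPLE_ADMIN))
    blob = sid_to_bytes(*parse_sid_string(SAMPLE_ADMIN))
    print(blob.hex(), describe_sid(blob)["sid"] == SAMPLE_ADMIN)
```

The practical point of the split: the RID is what identifies the built-in Administrator no matter what the account has been renamed to, so checks for privileged accounts should key on the RID and the domain SID, not on the display name.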
A few other concepts associated with the Active Directory schema are:
- Class Derivations: Define how new object classes are derived from existing ones; a derived class inherits the attributes of its parent classes.
- Schema Rules: The Active Directory directory service enforces a set of rules in the schema that control how classes and attributes are used and what values, classes and attributes may contain. Schema rules are organized into Structure Rules, Syntax Rules, and Content Rules.
- Structure Rules: The structure rule in Active Directory is that an object of a given class can only be created directly beneath objects of specific classes, called its Possible Superiors. Structure rules prevent an object from being placed in an inappropriate container.
- Syntax Rules: These rules define the data types and value ranges allowed for attributes.
- Content Rules: These rules dictate which attributes (mandatory and optional) can be associated with a particular class.
Global Catalog
The global catalog is a central information store of the objects in a forest that speeds up searches for objects in Active Directory. The first domain controller installed in a forest is designated as a global catalog server by default. A global catalog server stores a full replica of all objects in its own domain and a partial replica of the objects in every other domain of the forest; the partial replica contains the attributes that are most frequently searched for. The global catalog is queried over LDAP on TCP port 3268 (3269 for LDAP over SSL) instead of the usual 389, and in a multi-domain forest a global catalog must be reachable at logon to resolve universal group memberships. It is generally recommended to configure a global catalog server in each site. The Active Directory Sites and Services console can be used to set up additional global catalog servers.
Group Policies and Active Directory
Active Directory enables policy-based administration through Group Policy. Through group policies, administrators can deploy applications and configure scripts to execute at startup, shutdown, logon, or logoff. They can also enforce password policy, control desktop settings, and redirect folders. When a new group policy is created in Active Directory, it is stored as a Group Policy Object (GPO): a container object in the directory plus a set of files in the SYSVOL share that every DC replicates. A GPO can be linked to a site, a domain, or an Organizational Unit, and policies are applied in that order (local policy first, then site, domain, OU), so the link closest to the object normally wins.
Active Directory Object Naming Schemes
Each object in the Active Directory data store must have a unique name. Active Directory supports a number of naming schemes for objects:
- Distinguished name (DN): Each object has a DN. The DN uniquely identifies a particular object and where the object is stored in the hierarchy. The components that make up an object's DN are:
  - CN – common name
  - OU – organizational unit
  - DC – domain component
- Canonical name: The same DN written in a different, easier to read form: the domain's DNS name followed by the container path from the top down, for example corp.example.com/Sales/Jane Doe for CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com.
- Relative distinguished name (RDN): The RDN is the leftmost component of the DN and identifies the object within its parent container or OU; it has to be unique only among the siblings in that container.
- Globally unique identifier (GUID): A GUID is a 128-bit identifier assigned to an object at the time the object is created. The GUID of an object never changes, even if the object is renamed or moved, so it is the safest way to refer to an object.
- User principal name (UPN): The UPN consists of the user's account name and a UPN suffix, normally the DNS name of the domain that contains the user account (for example jdoe@corp.example.com).
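The naming forms above are mechanical transformations of one another, and getting them right matters when a name contains a comma or other special character. The following Python is an added example (not code from the original article) that splits a DN into RDNs according to the RFC 4514 string rules, resolves escapes, and derives the RDN, the parent container and the canonical name; the DNs and account names in it are constructed.

```python
"""Work with Active Directory object names: DN, RDN and canonical name.

Added example; not from the original article. The splitting follows the
RFC 4514 string form of distinguished names (',' separates RDNs, '\\'
escapes special characters, '\\XX' is a hex-encoded byte). The sample DNs
are constructed. Multi-valued RDNs joined with '+' are not handled.
"""

_HEX = "0123456789abcdefABCDEF"


def split_rdns(dn):
    """Split a DN into its raw RDN strings without touching escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def unescape(value):
    """Resolve '\\,' style escapes and '\\XX' hex pairs (UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """DN string -> list of (attribute type, value) from leaf to root."""
    comps = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        typ, _, raw = part.partition("=")
        comps.append((typ.strip().upper(), unescape(raw)))
    return comps


def rdn(dn):
    """The relative distinguished name: the leftmost component."""
    return parse_dn(dn)[0]


def parent_dn(dn):
    """DN of the container holding the object."""
    return ",".join(split_rdns(dn)[1:])


def canonical_name(dn):
    """corp.example.com/Users/Sales/Doe, Jane style name: the DC components
    joined into a DNS name, then the remaining components root-first."""
    comps = parse_dn(dn)
    domain = ".".join(v for t, v in comps if t == "DC")
    path = [v for t, v in reversed(comps) if t != "DC"]
    return "/".join([domain] + path)


def upn(account, suffix):
    """User principal name: account name plus a UPN suffix (usually the
    domain's DNS name, but any suffix registered in the forest is allowed)."""
    return f"{account}@{suffix}"


# Constructed sample object whose common name contains an escaped comma.
SAMPLE_DN = r"CN=Doe\, Jane,OU=Sales,OU=Users,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print(rdn(SAMPLE_DN))
    print(parent_dn(SAMPLE_DN))
    print(canonical_name(SAMPLE_DN))
    print(upn("jdoe", "corp.example.com"))
```

Splitting on a bare comma would break the sample object into two bogus components; any tool that matches DNs against an allow-list or builds LDAP filters from them needs the escape-aware split, otherwise a crafted common name can make an object appear to live in a different container.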
Active Directory Replication
In Active Directory, replication ensures that any change made on one domain controller is replicated to all the other domain controllers that hold a copy of the same partition. Active Directory uses multi-master replication: every DC holds a writable copy, changes can be made on any of them, and the domain controllers are peers of one another (the FSMO roles described above are the only exceptions).
In Windows Server 2003 the Knowledge Consistency Checker (KCC) creates a replication topology for the forest so that changes are replicated efficiently to the domain controllers. The replication topology reflects the connections that domain controllers use to replicate the directory within a site or between sites. Replication within a site is called intra-site replication; replication between sites is called inter-site replication. Since the bandwidth between sites is typically limited, the site link objects tell the KCC which links replication data between sites should use and how often.
Active Directory Trust Relationships
In Active Directory, when two domains trust each other (a trust relationship exists between them), the users and computers of the trusted domain can be granted access to resources in the trusting domain. The trust relationships supported in Windows Server 2003 are summarized below:
- Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that share a contiguous DNS namespace and belong to the same forest. This two-way transitive trust is established automatically when a child domain is created in a domain tree.
- Tree Root trust: A tree root trust relationship exists between the root domains of different domain trees in the same forest, which do not share a DNS namespace. This two-way transitive trust is established automatically when a new tree root domain is added to a forest.
- Shortcut trust: This trust relationship can be configured manually between any two domains in the same forest that are not directly connected, so that authentication no longer has to walk the whole trust path through the tree roots. Shortcut trusts are typically used to improve logon and resource-access times.
- External trust: An external trust is created manually between an Active Directory domain and a Windows NT4 domain, or a domain in another forest. External trusts are non-transitive and can be one-way or two-way.
- Realm trust: A realm trust relationship is created manually between an Active Directory domain and a non-Windows Kerberos realm.
- Forest trust: A forest trust can be created manually between the root domains of two Active Directory forests. It is transitive across all domains of the two forests (but not to a third forest), can be one-way or two-way, and is the only trust type that lets a whole forest trust another. Because the SIDs of accounts in the trusted forest or domain, including their SID history, are passed across the trust, SID filtering should remain enabled on external and forest trusts.