FSMO Roles

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

• Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

• Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

• Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

• Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

• PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

• Active Directory Schema snap-in
• Active Directory Domains and Trusts snap-in
• Active Directory Users and Computers snap-in

If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.
Transfer the Schema Master Role

Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll
1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.
Transfer the Domain Naming Master Role
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
   NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following:
   • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
   -or-
   • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
   NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following:
   • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
   -or-
   • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
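The snap-in and Ntdsutil.exe procedures above can be scripted. The following is an added example, not part of the Ktec course, that reports the five role holders and moves a role with the ActiveDirectory PowerShell module; it assumes RSAT or a Windows Server 2008 R2 or later host (the cmdlets do not exist on Windows Server 2003 itself), and the DC name Ktec-DC2 is taken from the course lab.

```powershell
# Added example (not part of the Ktec course): report the five FSMO role holders and
# transfer, or seize, a role with the ActiveDirectory PowerShell module.
# Assumes RSAT / the ActiveDirectory module (Windows Server 2008 R2 or later, or a
# management workstation); these cmdlets do not exist on Windows Server 2003 itself.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Schema and domain naming masters are forest-wide; the other three are per domain.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DNS or NetBIOS name of the domain controller that becomes the new role holder
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        # Seize only when the current holder no longer exists; it must never return with the role
        [switch]$Seize
    )
    $before = Get-FsmoRoleHolder
    foreach ($r in $Role) {
        $holder = $before.$r
        # The holder is recorded as a FQDN; accept either form of the target name
        if ($holder -ieq $TargetDC -or $holder -like "$TargetDC.*") {
            Write-Verbose "$r is already held by $holder"
            continue
        }
        if ($Seize) {
            Write-Warning "Seizing $r from $holder; do not reconnect $holder to the forest holding this role"
        } elseif (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            # A transfer needs the current holder online; otherwise the role has to be seized
            throw "$holder (current $r) is unreachable: use -Seize if it no longer exists"
        }
        if ($PSCmdlet.ShouldProcess($TargetDC, "move $r from $holder")) {
            # -Force turns the transfer into a seizure when the current holder cannot be contacted
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $r -Force:$Seize -Confirm:$false
        }
    }
    # Return the post-move holders so the caller can verify the result
    Get-FsmoRoleHolder
}

# Usage (DC name from the course's lab):
# Get-FsmoRoleHolder
# Move-FsmoRole -TargetDC Ktec-DC2 -Role PDCEmulator,RIDMaster -WhatIf
# Move-FsmoRole -TargetDC Ktec-DC2 -Role SchemaMaster -Seize
```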
4.1: An Introduction to Sites and Replication

4.1.1: Sites
A site is a set of Internet Protocol (IP) subnets connected by highly reliable, fast links. Sites help to define the physical structure of a network by grouping computers together to optimise network traffic and to confine both replication and authentication traffic related to Active Directory.

• Replication traffic: When a change occurs in Active Directory, sites can be used to control how and when the change is replicated to Domain Controllers in another site.

• Authentication: When a user logs on, Windows Server 2003 will attempt to find a Domain Controller in the same site as the user's workstation.

The first site is set up automatically when Windows Server 2003 is installed on the first domain controller in a forest. The resulting first site is called DEFAULT-FIRST-SITE-NAME; this can be reviewed and renamed using the Active Directory Sites and Services snap-in (DSSITE.MSC).
4.1.2: The Replication Process
Replication is the process of updating information in Active Directory from one Domain Controller to another and synchronising the copied data on each Domain Controller to ensure that ALL information in Active Directory is available to ALL Domain Controllers and client computers across the entire network. When a user or administrator performs an action that initiates an update to Active Directory, an appropriate Domain Controller is automatically chosen to perform the update, which is made transparently to the user. Domain Controllers can be distributed across the network and located in multiple physical sites to provide fault tolerance.

• Replication WITHIN sites (known as INTRA-SITE replication) occurs between Domain Controllers in the SAME site. NOTE: Because a site assumes fast, highly reliable network links, replication traffic WITHIN a site is uncompressed to help reduce the processing load on the Domain Controllers; this, however, increases the network bandwidth that is required for replication messages.

• Replication BETWEEN sites (known as INTER-SITE replication) occurs between Domain Controllers located in DIFFERENT sites. NOTE: Replication BETWEEN sites is designed under the assumption that the network links have limited bandwidth and availability.

4.1.3: Replication Topology
The actual process of replication occurs between two Domain Controllers at a time and synchronises information in Active Directory for the ENTIRE forest. The replication topology is created by determining which Domain Controller replicates with other specific Domain Controllers.
4.1.4: Directory Partitions
The Active Directory database is logically separated on each Domain Controller into directory partitions. Active Directory information can be divided into four directory partitions:

• The domain partition: Replicated to ALL domain controllers in the SAME DOMAIN and contains all the objects associated with that domain.

• The schema partition: Contains the Active Directory schema information (objects and attributes) for a forest and is replicated to ALL domain controllers in the FOREST.

• The configuration partition: Defines the logical structure and includes the domain structure and replication topology information for the forest and is replicated to ALL domain controllers in the FOREST.

• The application directory partition: A partition which is ONLY available with Windows Server 2003; it is replicated to SPECIFIC 2003 domain controllers throughout the forest and stores objects (except security principals) and attributes related to Active Directory applications and services, such as DNS.

Each partition is a unit of replication and has its own replication topology. A single Domain Controller may have different replication partners for different partitions.

SITE LINKS are the logical, transitive connections between two or more sites, mirroring the network links and allowing replication.

The links connecting replication partners are called CONNECTION OBJECTS. These are created on each Domain Controller and point to another Domain Controller as a source of information. NOTE: Connection objects represent an INBOUND connection to a Domain Controller. Two types of replication partner exist:

• Direct replication partners: These are the Domain Controllers that are a direct source for Active Directory replication data.

• Transitive replication partners: These are the Domain Controllers whose data is obtained indirectly through a direct replication partner. They can be reviewed by using the Active Directory Replication Monitor utility.

4.1.5: The Knowledge Consistency Checker
Sites use the Knowledge Consistency Checker (KCC) to determine the replication paths between sites. The KCC is a built-in process that runs on each Domain Controller and generates the replication topology automatically for the forest. The KCC runs at specified intervals and designates the replication routes between Domain Controllers on the basis of the best connections available at that time. When a single point of failure is detected, the KCC will automatically create and establish a new connection object as necessary to resume Active Directory replication.

4.1.6: Site Links
A site link is an object used to manage replication between sites; it can be created to allow Domain Controllers from one site to replicate with another site. During the Active Directory installation a default object called DEFAULTIPSITELINK is created in the IP container of the Active Directory Sites and Services snap-in for the first default site.

NOTE: By default ALL site links are TRANSITIVE, so if Site A links to Site B and Site B links to Site C, then Site A transitively links to Site C. Site link transitivity can be disabled; this may be necessary to avoid a particular replication path, for example one involving a firewall. When transitivity is disabled, SITE LINK BRIDGES can be manually created to connect two or more site links using the same transport. If transitivity is disabled for a transport, ALL links using that transport are affected and become non-transitive. Site link bridges provide transitive replication where transitivity has been disabled, creating a logical link between two sites; they are manually created to handle replication traffic. A site link bridge can be enabled by using the Active Directory Sites and Services snap-in.
4.1.7: Site Link Attributes
The site link cost, replication frequency and availability must be configured to ensure efficient replication.

• Site Link Cost - Active Directory always chooses the connection based on the cost of a link: higher costs are used for slower links, lower costs for faster links. The default cost is 100.

• Site Link Replication Frequency - This tells Active Directory how long it should wait before using a connection to replicate updates; it can be set between 15 and 10080 minutes (1 week). The default is 180 minutes.

• Site Link Replication Availability - This determines when a site link is available for replication.
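The three attributes above can be audited and set from PowerShell. This is an added example, not part of the Ktec course; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), DEFAULTIPSITELINK is the course's default link name, and the cost and window values are constructed.

```powershell
# Added example (not part of the Ktec course): audit and set the three site link attributes
# this section describes: cost, replication frequency and availability schedule.
# Assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later);
# DEFAULTIPSITELINK is the course's default link name, the cost and window values are constructed.
Import-Module ActiveDirectory

function Test-SiteLinkSettings {
    # Flags links left at the defaults (cost 100, 180 minutes, always available) or with a
    # frequency outside the 15..10080 minute range the section gives.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule, SitesIncluded |
        ForEach-Object {
            $freq   = $_.ReplicationFrequencyInMinutes
            $issues = @()
            if ($_.Cost -eq 100 -and $freq -eq 180) { $issues += 'cost and frequency still at defaults' }
            if ($freq -lt 15 -or $freq -gt 10080)   { $issues += "frequency $freq outside 15..10080 minutes" }
            if (-not $_.ReplicationSchedule)        { $issues += 'no schedule: link available 24x7' }
            [pscustomobject]@{
                Link      = $_.Name
                # SitesIncluded holds site DNs; keep just the CN of each
                Sites     = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
                Cost      = $_.Cost
                Frequency = $freq
                Issues    = $issues -join '; '
            }
        }
}

function Set-SiteLinkWindow {
    # Gives a WAN link a higher cost, a longer interval and a nightly availability window.
    param(
        [Parameter(Mandatory)][string]$Link,
        [int]$Cost = 200,
        [ValidateRange(15, 10080)][int]$Minutes = 240,
        [ValidateRange(0, 23)][int]$FromHour = 20,   # hour the window opens
        [ValidateRange(0, 23)][int]$ToHour   = 5     # hour the window closes; may be earlier than FromHour
    )
    $H = [System.DirectoryServices.ActiveDirectory.HourOfDay]
    $M = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
    $sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $sched.ResetSchedule()   # start from "never available", then open the wanted blocks
    if ($FromHour -le $ToHour) {
        $sched.SetDailySchedule([Enum]::ToObject($H, $FromHour), $M::Zero, [Enum]::ToObject($H, $ToHour), $M::Zero)
    } else {
        # The window crosses midnight: open the evening and early-morning blocks separately
        $sched.SetDailySchedule([Enum]::ToObject($H, $FromHour), $M::Zero, $H::TwentyThree, $M::FortyFive)
        $sched.SetDailySchedule($H::Zero, $M::Zero, [Enum]::ToObject($H, $ToHour), $M::Zero)
    }
    Set-ADReplicationSiteLink -Identity $Link -Cost $Cost -ReplicationFrequencyInMinutes $Minutes -ReplicationSchedule $sched
    # Read the link back so the caller can confirm what was written
    Get-ADReplicationSiteLink -Identity $Link -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule
}

# Usage:
# Test-SiteLinkSettings | Format-Table -AutoSize
# Set-SiteLinkWindow -Link DEFAULTIPSITELINK -Cost 200 -Minutes 240 -FromHour 20 -ToHour 5
```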
4.1.8: Bridgehead Servers
When replication occurs between sites, the KCC automatically designates a Domain Controller in each site as a BRIDGEHEAD to another site in the topology; this acts as the single point used for replication between sites. After replication between sites is completed by using the bridgehead server, the bridgehead servers communicate ALL updates to ALL Domain Controllers within their sites by using the normal replication process.

4.1.9: Replication Protocols
To ensure that computers in a network are able to communicate for sending and receiving updates during replication, they must share a replication protocol. Within a single site there is only one protocol used for replication. In a multiple-site structure, you must select one of the following replication protocols for replication between sites:

• Directory Service Remote Procedure Call (RPC)
Active Directory replication uses RPC over IP for replication within a site. RPC is an industry standard protocol for client/server communications that is compatible with most types of networks. For replication within a site, RPC provides uniform, high-speed connectivity. When replication between sites is configured, a choice must be made between two replication protocols: RPC over IP or the Simple Mail Transfer Protocol (SMTP). NOTE: The Domain Controllers must be in different domains and in different sites for SMTP to be used. In most cases RPC over IP will be used for replication between sites.
• Simple Mail Transfer Protocol (SMTP)
SMTP supports Schema, Configuration and Global Catalog replication but CANNOT be used to replicate the Domain partition to Domain Controllers in the SAME domain. This is because some domain operations, for example Group Policy, require the support of the File Replication Service (FRS), which does not yet support an asynchronous transport for replication. RPC must be used to replicate the domain partition. A feature of SMTP replication is that a connection does not need to be established directly between the two replicating Domain Controllers. Instead, the information can be stored and forwarded through many mail servers until it reaches the destination Domain Controller at a later time.

NOTE: The Active Directory Sites and Services snap-in shows the Inter-Site Transport protocol properties for connections WITHIN a site as RPC and the protocol for connections BETWEEN sites as IP. Both mean that the connection uses RPC over IP.

4.1.10: Replication Triggers
Replication between Domain Controllers can be triggered by:

• Adding an object to Active Directory, such as creating a new user account.
• Modifying an object's attribute values, such as changing the phone number for an existing user account.
• Modifying the name or parent of an object, and if necessary, moving the object into the new parent's domain. For example, you move the object from the sales domain to the service domain.
• Deleting an object from the Directory, such as deleting user accounts for employees that no longer work for the organization.

Each update to Active Directory generates a request that can either commit or not commit to the database. A committed request is an ORIGINATING UPDATE, where the data MUST be replicated to ALL other replicas throughout the network. An update performed at a Domain Controller that did not originate the update is called a REPLICATED UPDATE. For example, assuming three Domain Controllers exist as shown in the following diagram: a user changes their password on DC1, which writes the password to the Directory as an originating update; this is then replicated to DC2. DC2 updates its copy of the database, and the change is then replicated to DC3 as a replicated update.

4.1.11: Replication Scheduling
Replication between sites happens automatically after configurable values have been defined, such as a schedule and a replication interval. Replication can be scheduled for inexpensive or off-peak hours. By default, changes are replicated between sites according to a manually defined schedule and not according to when changes occur. Configurable values, such as a schedule or an interval, define when and how often replication occurs between sites. The schedule determines at which times replication is allowed to occur, and the interval specifies how often domain controllers check for changes during the time that replication is allowed to occur. The replication schedule can be configured by opening the Properties page of the appropriate connection in the Active Directory Sites and Services console and selecting Change Schedule.
4.1.12: Adjusting Replication
Active Directory replication occurs automatically and reliably with no administrative intervention, other than that required to configure sites and site links. An administrator can use Active Directory Sites and Services to modify a replication topology by adding or removing connection objects, and to limit the KCC's choice of bridgeheads. Connection objects can be manually created, but this is normally only considered if the connections that the KCC has created do not connect the Domain Controllers that an administrator wants connected.

The following situations may require additional connections between Domain Controllers within a site or between sites:

• When the number of hops needs to be reduced from the default of three to one or two hops between Domain Controllers within a site.

• When failures occur between Domain Controllers in different sites. If failures occur, the KCC detects the failures and automatically reroutes connections to bypass the failed server or servers.

NOTE: Before creating additional connections, it is important to consider the cost of the additional connections compared with the cost of the default configuration.

When connection objects are modified, the following rules apply:

• The KCC will not automatically delete a connection object that has been manually created.

• At any time, if a Domain Controller cannot get updates from its current replication partners, it will use the KCC to establish as many new connection objects as necessary to other Domain Controllers to resume Active Directory replication.

4.2: Configuring Sites
The Active Directory Sites and Services utility can be used to create sites, subnets, site links, and site link bridges. Configuring a site involves the following steps:
• Creating a site
• Creating a subnet associated with the site
• Moving or creating a Domain Controller into the site
• Designating a site license server

NOTE: Only members of the Enterprise Admins group or Domain Admins group can create sites.

NOTE: Before proceeding further on this course, ensure that you have installed two Domain Controllers, Ktec-DC1 and Ktec-DC2, in the SAME domain and forest, called KtecTraining.com; these will be used in the next video.

4.3: Monitoring Replication
The replication topology can be adjusted based on replication traffic patterns. To help adjust replication traffic patterns you must be able to view the replication traffic throughout the network. The Replication Monitor (REPLMON.EXE) and the Replication Diagnostics tool (REPADMIN.EXE) command-line utility can be used for this purpose and are available once the Windows Server 2003 Support Tools have been installed from the CD-ROM.
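The failure counts and last-success times that REPLMON and REPADMIN expose are what a replication health check runs on. The script below is an added example, not part of the Ktec course: it parses the CSV form of repadmin /showrepl (assumes a repadmin build that has the /csv switch) and reports inbound connections that are failing or stale. The sample rows are constructed; Manchester and KTEC-DC3 are not in the course lab.

```powershell
# Added example (not part of the Ktec course): parse repadmin /showrepl CSV output and
# report inbound replication connections that are failing or stale.
# Assumes a repadmin build with the /csv switch. The sample rows are constructed;
# Manchester and KTEC-DC3 do not exist in the course lab.

function Get-ReplicationHealth {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # output of: repadmin /showrepl * /csv
        [int]$StaleHours = 24,                        # no success for longer than this is reported
        [datetime]$Now = (Get-Date)                   # injectable so sample data evaluates deterministically
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        $lastOk   = $null
        # repadmin writes "yyyy-MM-dd HH:mm:ss"; anything else means no recorded success
        if ($row.'Last Success Time' -match '^\d{4}-') { $lastOk = [datetime]$row.'Last Success Time' }
        $stale = ($null -eq $lastOk) -or (($Now - $lastOk).TotalHours -gt $StaleHours)
        if ($failures -eq 0 -and -not $stale) { continue }   # healthy inbound connection
        [pscustomobject]@{
            Destination = $row.'Destination DSA'     # the DC whose inbound connection this is
            Source      = $row.'Source DSA'
            Partition   = $row.'Naming Context'
            Failures    = $failures
            LastSuccess = $lastOk
            LastError   = $row.'Last Failure Status'  # Win32 error, e.g. 1722 = RPC server unavailable
            Reason      = $(if ($failures -gt 0) { "$failures consecutive failures" } else { "no success in $StaleHours h" })
        }
    }
}

# Constructed sample in the layout repadmin /showrepl * /csv produces
$sample = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","London","KTEC-DC1","DC=KtecTraining,DC=com","London","KTEC-DC2","RPC","0","0","2024-01-08 09:10:00","0"
"showrepl_INFO","London","KTEC-DC1","CN=Configuration,DC=KtecTraining,DC=com","London","KTEC-DC2","RPC","0","0","2024-01-08 09:12:00","0"
"showrepl_INFO","Manchester","KTEC-DC3","DC=KtecTraining,DC=com","London","KTEC-DC1","RPC","12","2024-01-08 09:00:00","2024-01-05 18:00:00","1722"
'@ -split "`r?`n"

# Only the KTEC-DC3 <- KTEC-DC1 row is reported: 12 failures and last success over 24 h ago
Get-ReplicationHealth -CsvLines $sample -Now ([datetime]'2024-01-08 10:00:00') | Format-Table -AutoSize

# Live use on a DC with the support tools installed:
# Get-ReplicationHealth -CsvLines (repadmin /showrepl * /csv) | Format-Table -AutoSize
```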
4.3.1: Replication Monitor (REPLMON.EXE)
Replication Monitor displays in graphical format the replication topology of connections between Domain Controllers on the same site, enabling an administrator to view the replication status and performance. Replication Monitor can be used to:

• Determine which computers are replicating information both directly and transitively.
• Display the reason and number of failed replication attempts and the flags used for direct replication partners. If the failure count meets or exceeds an administrator-defined value, it can write to an event log and send mail.
• Poll the server at an administrator-defined interval to get current statistics and replication state and to save a log file history.
• Allow administrators to show which objects have not yet replicated from a particular computer.
• Allow administrators to synchronise between two domain controllers.
• Allow administrators to use the KCC to recalculate the replication topology.
TASK: Using the Replication Monitor
To review the replication traffic on the London site:
1. From the Run menu, type REPLMON.EXE.
2. In the left-hand pane of the console window, right-click Monitored Servers and select Add Monitored Server.
3. Select the check box next to Search the Directory for servers to add, check that the correct domain name (KtecTraining.com) is listed, then click Next.
4. Select Ktec-DC1 from the list under the London site, then click Finish.
5. The server will now be listed under Monitored Servers in the left-hand pane. Double-click DC=KtecTraining,DC=com to show the two replication partners in the London site; note the icons displayed.
6. Click London\Ktec-DC2; this will display the log information in the right-hand pane as shown in the screen shot below.
7. Right-click Ktec-DC1 and review the options available; some of these are outlined below:
   • Check the replication topology
   • Generate a status report
   • Show the Domain Controllers in the domain
   • Show bridgehead servers
   • Show trust relationships
   • Show the replication topologies
   The following screen shot shows the connection objects and intra-site connections.
8. Review the settings, then close the Replication Monitor window.

4.3.2: Replication Diagnostics Tool (REPADMIN.EXE)
This command is used by an administrator to view the replication topology from the perspective of each Domain Controller. It can also be used to manually create the replication topology and to force replication events between Domain Controllers. The following are some examples of command usage:

To display the connection objects (replication partners) for a Domain Controller named Ktec-DC1 in the KtecTraining.com domain, from the command line type:

REPADMIN /SHOWREPS KTEC-DC1.KTECTRAINING.COM

To force replication between Ktec-DC1 and Ktec-DC2, replication partners in the KtecTraining.com domain, from the command line type:

REPADMIN /REPLICATE KTEC-DC1.KTECTRAINING.COM KTEC-DC2.KTECTRAINING.COM DC=KTECTRAINING,DC=COM

4.4: Troubleshooting Active Directory Replication
Ineffective replication can result in Active Directory not functioning properly, with symptoms such as new user accounts not being recognised, outdated directory information, or unavailable Domain Controllers. Most replication problems can be remedied with the Active Directory Sites and Services snap-in. Some of the common problems are:
• Replication does not finish: The possible cause is that the sites containing the client computers and Domain Controllers are not connected by site links to Domain Controllers in other sites in the network. This results in a failure to exchange directory information between sites. To overcome this problem, create a site link from the current site to a site that is connected to the rest of the sites in the network.

• Replication is slow: The possible cause is that the topology and schedule of the site links cause the replication of information to go through many sites serially before all sites are updated. For example, site A can communicate with site B on Monday, and site B can communicate with site C on Saturday. A change originating in site A on Tuesday will not reach site C until a week from Saturday.

• Replication increases network traffic: The possible cause is that the current network resources are insufficient to handle the amount of replication traffic. This problem can also affect services unrelated to Active Directory, because the exchange of information in Active Directory is consuming an inordinate amount of network resources. To solve this problem, sites can be used and replication scheduled to occur during off-peak hours, when there is more network bandwidth available for replication.

• Replication clients are receiving a slow response for authentication, Directory information, or other services: The possible cause is that the client computers must request authentication, information, and services from a domain controller through a low-bandwidth connection. If there is a site that serves a client computer's subnet well, associate that subnet with the site. If a client computer that is experiencing slow response for services is isolated from domain controllers, and you plan to create another site that includes the client computer, create a new site with its own Domain Controller; alternatively, a connection with more bandwidth can be installed.

4.5: The Global Catalog
As mentioned in an earlier part of this course, Global Catalog servers perform the following functions:

• They enable users to log on to the network by providing universal group membership information to the Domain Controller.

• They enable Directory information to be found regardless of which domain in the forest actually contains the data.

If a Global Catalog server is unavailable when a user logs on to a domain, they will only be able to log on to their local computer, unless they have logged on previously, in which case cached credentials are used to allow domain access.

NOTE: By default the first Domain Controller in a forest is designated as a Global Catalog server; additional servers can be configured to serve this function. To improve network response time and application availability, at least one Domain Controller in each site should be designated as a Global Catalog server.
TASK: Creating Additional Global Catalog Servers
On a Domain Controller, select Administrative Tools > Active Directory Sites and Services. Open the Sites folder and select Default-First-Site-Name > Servers; both Domain Controllers will be listed. Double-click Ktec-DC2, right-click NTDS Site Settings in the right-hand pane and select Properties. On the General tab, check the box next to Global Catalog; once the changes are applied, the server will be configured as a Global Catalog server, as shown in the following screen shot.

(c) Copyright Ktec Training Ltd

4.6: Universal Group Caching
Universal Group Caching is used to help reduce the number of Global Catalog servers in a multi-site environment, reducing the number of universal group membership queries across WAN links when a user logs on. This feature can be configured on a DC to allow it to query a Global Catalog server the first time it requires universal group membership information during authentication; this is then cached for any subsequent logon requests and is by default updated at 8-hour intervals. Benefits of Universal Group Caching include:

• Faster user logon times, as there is no need to contact a Global Catalog server for all logon requests.

• Reduced WAN bandwidth usage, as there is no need to locate a Global Catalog server in each site, reducing replication traffic.

TASK: Enabling Universal Group Membership Caching
On the Domain Controller, select Administrative Tools > Active Directory Sites and Services. Open the Sites folder and select Default-First-Site-Name. Right-click NTDS Site Settings in the right-hand pane and select Properties. On the Site Settings tab, check the option 'Enable Universal Group Membership Caching' and, in the Refresh cache from drop-down box, select 'Default-First-Site-Name' as shown in the screen shot below:
Apply the changes and close all open windows.

4.7: Application Directory Partitions
This is a partition which is ONLY available with Windows Server 2003; it is replicated to SPECIFIC Windows Server 2003 domain controllers throughout the forest and stores objects (except security principals) and attributes related to Active Directory applications and services, such as DNS. Benefits include:

• Redundancy and fault tolerance are provided by replicating data to other specific domain controllers.

• Application and service replication traffic is reduced, as it is sent to specific domain controllers only.

• LDAP (Lightweight Directory Access Protocol) is used by applications to store and retrieve data inside Active Directory.

Members of the Enterprise Admins group can use the NTDSUTIL.EXE command to manually add or manage all application directory partitions, and the DNSCMD command can be used to manage DNS application directory partitions. Both commands are available in the domain management menu.

An application directory partition can be located in the following areas inside the forest namespace and must follow the same DNS and distinguished name conventions:

• A child of a domain partition
• A child of an application directory partition
• A new tree in the forest

NOTE: Domain partitions cannot be children of application directory partitions.

The KCC automatically generates and maintains the replication topology for all application directory partitions in a forest. Objects stored in an application directory partition are never replicated to the Global Catalog. However, a Domain Controller can hold the Global Catalog and a replica of an application directory partition.

As previously stated, application directory partitions cannot contain security principals, so permissions must be assigned to objects in the partition from a domain in the forest; this domain is known as the SECURITY DESCRIPTOR REFERENCE DOMAIN.

NOTE: When a Domain Controller which contains the last replica of an application directory partition is removed or demoted, the application partition will be deleted.
TASK: Using the NTDSUTIL command to create and delete Application Directory Partitions
To create an application directory partition, from the command line type

NTDSUTIL

to open the NTDSUTIL command prompt. Then type

DOMAIN MANAGEMENT

to open the domain management command prompt. Then type

CREATE NC application-directory-name Domain-Controller-Name

Where:
• application-directory-name is the distinguished name of the application directory partition.
• Domain-Controller-Name is the DNS name of the Domain Controller that will hold the application directory partition.

For example, to create an application directory partition called DOMAINDNS on Ktec-DC1 in the KtecTraining.com domain, type:

CREATE NC DOMAINDNS KTEC-DC1.KTECTRAINING.COM

Then type NULL to create the partition.

To delete the application directory partition, from the domain management command prompt type

DELETE NC application-directory-name Domain-Controller-Name

For example, to delete an application directory partition called DOMAINDNS on Ktec-DC1 in the KtecTraining.com domain, type:

DELETE NC DOMAINDNS KTEC-DC1.KTECTRAINING.COM
TASK: Using the NTDSUTIL command to add or remove Application Directory Partition Replicas
To add an application directory partition replica, from the command line type

NTDSUTIL

to open the NTDSUTIL command prompt. Then type

DOMAIN MANAGEMENT

to open the domain management command prompt. Then type

ADD NC application-directory-name Domain-Controller-Name

For example, to add a replica of the application directory partition called DOMAINDNS on Ktec-DC1 in the KtecTraining.com domain, type:

ADD NC DOMAINDNS KTEC-DC1.KTECTRAINING.COM

Then type NULL to add the partition replica.

To remove an application directory partition replica, from the domain management command prompt type

REMOVE NC application-directory-name Domain-Controller-Name

For example, to remove the replica of the application directory partition called DOMAINDNS from Ktec-DC1 in the KtecTraining.com domain, type:

REMOVE NC DOMAINDNS KTEC-DC1.KTECTRAINING.COM

Video: http://www.ktectraining.com/demo/Demo5/Plan%20and%20Mantain%20a%20Server%202003%20AD%20Infrastructure,%20Part%204/page_11.html
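Once partitions and replicas have been created with NTDSUTIL as in the two tasks above, the result can be verified from the crossRef objects in the Configuration partition. This is an added example, not part of the Ktec course; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and the helper names ConvertFrom-NtdsSettingsDn, Get-ApplicationPartition and Test-SingleReplicaPartition are my own.

```powershell
# Added example (not part of the Ktec course): list application directory partitions,
# the domain controllers holding replicas, and each partition's security descriptor
# reference domain, read from the crossRef objects in the Configuration partition.
# Assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function ConvertFrom-NtdsSettingsDn {
    # "CN=NTDS Settings,CN=KTEC-DC1,CN=Servers,CN=London,CN=Sites,..." -> "KTEC-DC1 (London)"
    param([Parameter(Mandatory)][string]$Dn)
    $rdn = ($Dn -split '(?<!\\),') | ForEach-Object { $_ -replace '^CN=' }
    '{0} ({1})' -f $rdn[1], $rdn[3]
}

function Get-ApplicationPartition {
    $partitions = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext
    # crossRef systemFlags: 0x1 = NTDS naming context, 0x2 = domain NC, 0x4 = not replicated to the GC.
    # Application partitions carry 0x1 and 0x4 but not 0x2, which is the "never replicated to the
    # Global Catalog" property the section describes. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
    $filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(!(systemFlags:1.2.840.113556.1.4.803:=2)))'
    Get-ADObject -SearchBase $partitions -LDAPFilter $filter -Properties nCName, dnsRoot, msDS-NC-Replica-Locations, msDS-SDReferenceDomain |
        ForEach-Object {
            [pscustomobject]@{
                Partition         = $_.nCName
                DnsName           = $_.dnsRoot
                # Replica holders are recorded as the NTDS Settings objects of the hosting DCs
                Replicas          = @($_.'msDS-NC-Replica-Locations' | ForEach-Object { ConvertFrom-NtdsSettingsDn $_ })
                # The domain whose security principals are used for permissions in this partition
                SDReferenceDomain = $_.'msDS-SDReferenceDomain'
            }
        }
}

function Test-SingleReplicaPartition {
    # The section notes a partition is deleted with its last replica holder: flag partitions with one replica
    Get-ApplicationPartition | Where-Object { $_.Replicas.Count -le 1 }
}

# Usage:
# Get-ApplicationPartition | Format-List
# Test-SingleReplicaPartition
```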