

Active Directory: Concepts Part 3

Active Directory Operations Masters

Let us start this afternoon by discussing Active Directory operations masters.

Active Directory Domain Services defines five operations master roles: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master. The operations master roles are also called flexible single master operations (FSMO) roles.

These FSMO roles are divided into two categories, "Forestwide Operations Master Roles" and "Domainwide Operations Master Roles". The two forest-level roles are assigned to the first domain controller created in a forest, and the three domain-level roles are assigned to the first domain controller created in each domain.

http://2.bp.blogspot.com/-CQ6cba_Dxi8/T4_uzD3IE-I/AAAAAAAACJc/_lkLkUC3Ff4/s320/figure_01.gif

Forest wide Operations Master Roles

The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.

Schema Master

The schema master is responsible for performing updates to the AD DS schema. The schema master is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest. Having only one schema master for each forest prevents any conflicts that would result if two or more domain controllers attempt to concurrently update the schema.

Domain Naming Master

The domain naming master manages the addition and removal of all domains and directory partitions, regardless of domain, in the forest hierarchy. The domain controller that holds the domain naming master role must be available in order to perform the following actions:

a. Add new domains or application directory partitions to the forest.

b. Remove existing domains or application directory partitions from the forest.

c. Add replicas of existing application directory partitions to additional domain controllers.

d. Add or remove cross-reference objects to or from external directories.

e. Prepare the forest for a domain rename operation.

Domain wide Operations Master Roles

The other operations master roles are domain wide roles, meaning that each domain in a forest has its own RID master, PDC emulator, and infrastructure master.

RID Master

The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
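To make the SID structure described above concrete, here is an added PowerShell example (not part of the original post) that splits SIDs into the domain SID shared by every principal in the domain and the RID that distinguishes each one. The sample SIDs are constructed; the .NET SecurityIdentifier class does the parsing, so no domain connection is needed.

```powershell
# Added example, not from the original post: separate the domain SID from the RID.
function Split-SecurityIdentifier {
    param([Parameter(Mandatory)][string[]]$Sid)
    foreach ($value in $Sid) {
        $sidObj = [System.Security.Principal.SecurityIdentifier]::new($value)
        $domainSid = $null
        $rid = $null
        # Well-known SIDs such as S-1-5-18 (LocalSystem) are not domain-relative,
        # so AccountDomainSid is null and there is no RID to report.
        if ($sidObj.AccountDomainSid) {
            $domainSid = $sidObj.AccountDomainSid.Value
            # The RID is the final sub-authority, i.e. the part after the last hyphen.
            $rid = [uint32]$value.Substring($value.LastIndexOf('-') + 1)
        }
        [pscustomobject]@{ Sid = $value; DomainSid = $domainSid; Rid = $rid }
    }
}

# Constructed sample: two principals from the same (made-up) domain plus one well-known SID.
Split-SecurityIdentifier -Sid 'S-1-5-21-111111111-222222222-333333333-500',
                              'S-1-5-21-111111111-222222222-333333333-1105',
                              'S-1-5-18' | Format-Table -AutoSize
```

The first two rows show the same DomainSid with RIDs 500 and 1105; the third row shows a SID with no domain component.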

PDC Emulator

The primary domain controller (PDC) emulator operations master receives preferential replication of password changes that are performed by other domain controllers in the domain, and it is the source for the latest password information whenever a logon attempt fails as a result of a bad password. It is also the preferred point of administration for services such as Group Policy and Distributed File System (DFS). For this reason, of all operations master roles, the PDC emulator operations master role has the highest impact on the performance of the domain controller that hosts that role. The PDC emulator in the forest root domain is also the default Windows Time service (W32time) time source for the forest.

The PDC emulator operations master also processes all replication requests from Windows NT Server 4.0 backup domain controllers (BDCs). It processes all password updates for clients not running Active Directory–enabled client software, plus any other directory write operations.

Infrastructure Master

The infrastructure operations master is responsible for updating object references in its domain that point to objects in other domains. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. An object reference contains the object's globally unique identifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within and between domains as well as the deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online.

Operations Master Dependencies

Because operations masters are critical to the long-term performance of the directory, they must be available to all domain controllers and desktop clients that require their services. Careful placement of your operations masters becomes more important as you add more domains and sites to build your forest.

By improperly placing operations master role holders, you might prevent clients running Windows NT Workstation 4.0, Windows 95, or Windows 98 without the Active Directory client installed from changing their passwords, or be unable to add domains and new objects, such as users and groups. You might also be unable to make changes to the schema. In addition, name changes might not properly appear within group memberships that are displayed in the user interface.

As your environment changes, you must avoid the problems associated with improperly placed operations master role holders. Eventually, you might need to reassign the roles to other domain controllers.

Although you can assign the operations master roles to any domain controller, follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory:

   - Leave the two forest wide roles on a domain controller in the forest root domain.

   - Place the two forest wide roles on a global catalog server.

   - Place the three domain wide roles on the same domain controller.

   - In a forest that contains multiple domains, do not place the domain wide roles on a global catalog server unless all domain controllers in the domain are also global catalog servers.

   - Place the domain wide roles on a higher performance domain controller.
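The guidelines above can be checked rather than trusted. The following PowerShell is an added example (not from the original post) that reads the role holders with the RSAT ActiveDirectory module and reports any placement that departs from these guidelines; it assumes the module is installed and the account running it can read forest and domain objects.

```powershell
# Added example, not from the original post: audit FSMO placement against the guidelines.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest = Get-ADForest
    $findings = @()

    # Forest wide roles should sit on a global catalog in the forest root domain.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder = Get-ADDomainController -Identity $forest.$role
        if ($holder.Domain -ne $forest.RootDomain) {
            $findings += "$role on $($holder.HostName) is outside the forest root domain $($forest.RootDomain)"
        }
        if (-not $holder.IsGlobalCatalog) {
            $findings += "$role on $($holder.HostName) is not a global catalog server"
        }
    }

    # Domain wide roles are checked per domain in the forest.
    foreach ($domainName in $forest.Domains) {
        $domain  = Get-ADDomain -Identity $domainName
        $holders = 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster' | ForEach-Object { $domain.$_ }

        # Guideline: keep the three domain wide roles on one domain controller.
        if (($holders | Sort-Object -Unique).Count -gt 1) {
            $findings += "Domain $domainName spreads its domain wide roles across: $($holders -join ', ')"
        }

        # Guideline: in a multi-domain forest, a role holder may be a global catalog
        # only when every domain controller in the domain is also a global catalog.
        $dcs       = Get-ADDomainController -Filter * -Server $domainName
        $allGc     = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $gcHolders = $dcs | Where-Object { $_.IsGlobalCatalog -and $holders -contains $_.HostName }
        if ($forest.Domains.Count -gt 1 -and -not $allGc -and $gcHolders) {
            $findings += "Domain ${domainName}: role holder(s) $($gcHolders.HostName -join ', ') are global catalogs while other DCs are not"
        }
    }

    if ($findings.Count -eq 0) { 'All operations master placements follow the guidelines.' } else { $findings }
}

Test-FsmoPlacement
```

The performance guideline (placing domain wide roles on a higher performance domain controller) is a judgement about hardware and is not something this check can evaluate.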

Global Catalog

The global catalog is a central information store of the objects in a forest and domain that improves performance when searching for objects in Active Directory. The first domain controller installed in a domain is designated as the global catalog server by default. The global catalog server stores a full replica of all objects in its host domain and a partial replica of objects for the remainder of the domains in the forest. The partial replica contains those attributes that are frequently searched for. It is generally recommended to configure a global catalog server for each site in a domain. The Active Directory Sites and Services console can be used to set up additional global catalog servers.