FSMO Roles
In a forest, there are at least five FSMO roles that are
assigned to one or more domain controllers. The five FSMO
roles are:
• Schema Master: The schema master domain controller
controls all updates and modifications to the schema. To
update the schema of a forest, you must have access to
the schema master. There can be only one schema master
in the whole forest.
• Domain naming master: The domain controller holding the
domain naming master role controls the addition or
removal of domains in the forest. There can be only one
domain naming master in the entire forest.
Note
• Any domain controller running Windows Server 2003 can hold the
role of the domain naming master. A domain controller running
Windows 2000 Server that holds the role of domain naming master
must also be enabled as a global catalog server.
• Infrastructure Master: At any time, there can be only one
domain controller acting as the infrastructure master in
each domain. The infrastructure master is responsible for
updating references from objects in its domain to objects
in other domains. The infrastructure master compares its
data with that of a global catalog. Global catalogs receive
regular updates for objects in all domains through
replication, so the global catalog data will always be up to
date. If the infrastructure master finds data that is out of
date, it requests the updated data from a global catalog.
The infrastructure master then replicates that updated
data to the other domain controllers in the domain.
Important
• Unless there is only one domain controller in the domain, the
infrastructure master role should not be assigned to the domain
controller that is hosting the global catalog. If the infrastructure
master and global catalog are on the same domain controller, the
infrastructure master will not function. The infrastructure master will
never find data that is out of date, so it will never replicate any
changes to the other domain controllers in the domain.
In the case where all of the domain controllers in a domain are also
hosting the global catalog, all of the domain controllers will have the
current data and it does not matter which domain controller holds the
infrastructure master role.
The infrastructure master is also responsible for updating
the group-to-user references whenever the members of
groups are renamed or changed. When you rename or
move a member of a group (and that member resides in a
different domain from the group), the group may
temporarily appear not to contain that member. The
infrastructure master of the group's domain is responsible
for updating the group so it knows the new name or
location of the member. This prevents the loss of group
memberships associated with a user account when the
user account is renamed or moved. The infrastructure
master distributes the update via multimaster replication.
There is no compromise to security during the time
between the member rename and the group update. Only
an administrator looking at that particular group
membership would notice the temporary inconsistency.
For information about transferring operations master roles,
see Transferring operations master roles. For
information about what to do when an operations master
fails, see Responding to operations master failures.
Register Schmmgmt.dll
1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and
then click OK.
3. Click OK when you receive the message that the
operation succeeded.
Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and
then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close,
and then click OK.
5. In the console tree, right-click Active Directory
Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain
controller that will be the new role holder, and then click
OK.
7. In the console tree, right-click Active Directory
Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role,
and then click Close.
NOTE: You must perform this step if you are not on the
domain controller to which you want to transfer the role.
You do not have to perform this step if you are already
connected to the domain controller whose role you want
to transfer.
3. Do one of the following:
• In the Enter the name of another domain
controller box, type the name of the domain
controller that will be the new role holder, and then
click OK.
-or-
• In the Or, select an available domain controller
list, click the domain controller that will be the new
role holder, and then click OK.
4. In the console tree, right-click Active Directory
Domains and Trusts, and then click Operations
Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role,
and then click Close.
Transfer the RID Master, PDC Emulator, and
Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers,
and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the
domain controller to which you want to transfer the role.
You do not have to perform this step if you are already
connected to the domain controller whose role you want
to transfer.
3. Do one of the following:
• In the Enter the name of another domain
controller box, type the name of the domain
controller that will be the new role holder, and then
click OK.
-or-
• In the Or, select an available domain controller
list, click the domain controller that will be the new
role holder, and then click OK.
4. In the console tree, right-click Active Directory Users
and Computers, point to All Tasks, and then click
Operations Master.
5. Click the appropriate tab for the role that you want to
transfer (RID, PDC, or Infrastructure), and then click
Change.
6. Click OK to confirm that you want to transfer the role,
and then click Close.
Ntdsutil.exe is the only tool that shows you all the FSMO role
owners. You can view the PDC emulator, RID master, and
infrastructure master role owners in Active Directory Users
and Computers. You can view the schema master role owner
in the Active Directory Schema snap-in. You can view the
domain naming master role owner in Active Directory
Domains and Trusts.
1. Click Start, click Run, type cmd in the Open box, and
then press ENTER.
2. Type ntdsutil, and then press ENTER.
3. Type domain management, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server ServerName, where
ServerName is the name of the domain controller you
want to view, and then press ENTER.
6. Type quit, and then press ENTER.
7. Type select operation target, and then press ENTER.
8. Type list roles for connected server, and then press
ENTER.
A list is displayed similar to what is listed below. Results may
vary depending on the roles the particular domain controller
holds. If you receive an error message, check the
spelling of the commands, because the syntax of the commands
must be exact. If you need the syntax of a command, type ?
at each prompt:
USING DCDIAG
On a Windows 2000 Domain Controller, run the following
command:
DCdiag /test:Knowsofroleholders /v
You must use the /v switch. This lists the owners of all FSMO
roles in the enterprise.
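The same role inventory, plus the infrastructure-master placement rule from the Important note above, as an added example written for this page (not part of the original notes). It assumes the ActiveDirectory (RSAT) PowerShell module on a domain-joined host; Get-FsmoReport is a name chosen here.

```powershell
# Added example, not part of the original notes. Reports every FSMO role
# holder and checks the infrastructure-master / global-catalog rule.
# Assumes the ActiveDirectory (RSAT) module on a domain-joined machine.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)

    # Two forest-wide roles and three per-domain roles, one holder each.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $dom.PDCEmulator
        'RID master'            = $dom.RIDMaster
        'Infrastructure master' = $dom.InfrastructureMaster
    }

    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog } |
                Select-Object -ExpandProperty HostName)
    $nonGcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog } |
                Select-Object -ExpandProperty HostName)

    # Rule from the notes: with more than one DC, the infrastructure master
    # must not be a GC unless every DC in the domain is a GC; otherwise it
    # never sees out-of-date cross-domain references and never updates them.
    $im = $dom.InfrastructureMaster
    $warning = $null
    if ($dcs.Count -gt 1 -and ($gcs -contains $im) -and $nonGcs.Count -gt 0) {
        $warning = "Infrastructure master $im is a global catalog while " +
                   "$($nonGcs -join ', ') are not; move the role to a non-GC DC."
    }

    [pscustomobject]@{
        Domain         = $Domain
        Roles          = $roles
        GlobalCatalogs = $gcs
        Warning        = $warning
    }
}

$report = Get-FsmoReport
$report.Roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($report.Warning) { Write-Warning $report.Warning }
else { 'Infrastructure master placement OK.' }
```

Controlled transfers (and, with -Force, seizures) of the roles listed here can be done with Move-ADDirectoryServerOperationMasterRole instead of the ntdsutil commands below.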
Command: Description
Abandon all roles: Instructs the domain controller to which you are connected to give away all operations master roles it owns. This command is not guaranteed to succeed because eligible role recipients might be currently unreachable or because the domain controller to which you are connected is the last domain controller for the domain.
Connections: Invokes the Connections submenu.
Seize domain naming master: Forces the domain controller to which you are connected to claim ownership of the domain-naming operations master role without regard to the data associated with the role. Use only for recovery purposes.
Seize infrastructure master: Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.
Seize PDC: Forces the domain controller to which you are connected to claim ownership of the PDC operations master role without regard to the data associated with the role. Use only for recovery purposes.
Seize RID master: Forces the domain controller to which you are connected to claim ownership of the relative ID master role without regard to the data associated with the role. Use only for recovery purposes.
Seize schema master: Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.
Select operation target: Invokes the Select operation target submenu.
Transfer domain naming master: Instructs the domain controller to which you are connected to obtain the domain-naming role by means of controlled transfer.
Transfer infrastructure master: Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.
Transfer PDC: Instructs the domain controller to which you are connected to obtain the PDC operations master by means of controlled transfer.
Transfer RID master: Instructs the domain controller to which you are connected to obtain the relative ID master role by means of controlled transfer.
Transfer schema master: Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.
After you enable schema modifications, you can add attributes. For
example, suppose you want to add a Gender attribute. In the AD
Schema Console, right-click the Attributes folder, then select Create
Attribute. A warning about the implications of your actions, which
Figure 2 shows, immediately appears. Click Continue to access the
Create New Attribute dialog box, which Figure 3 shows. In the
Common Name and LDAP Display Name text boxes, enter Gender.
You now need to populate the Unique X500 Object ID text box.
Object IDs (OIDs) are unique identifiers for AD objects.
You must group all the OIDs for your organization under common
roots. AD maintains an internal table of OIDs. To optimize
performance, OIDs are maintained in a separated state as a prefix
and a suffix. The prefix is the entire OID minus the rightmost (low-
order) value. AD stores the prefixes in a table so that it can reference
them by an index value. AD then uses the remaining (low-order) part
of the OID and the index value for its prefix to identify the classes and
attributes. Grouping all your OIDs under common roots keeps the
prefix table small. Excessive growth in the prefix table can degrade
the performance of the Win2K server hosting AD.
When you've populated the Unique X500 Object ID text box with a
valid OID, you can give the Gender attribute a minimum length of four
characters (Male) and a maximum length of six characters (Female).
Click OK to add the attribute. The new attribute appears in the AD
Schema's Attributes folder, as Figure 5 shows.
When you view the new attribute in the AD Schema Console, you'll
notice that the Description field is empty. To fill in this field, right-click
the Gender attribute to access the Gender Properties dialog box that
Figure 6 shows. In this dialog box, you can fill in the Description field
and other properties. For example, you can replicate the new attribute
to the GC. Click OK to return to the AD Schema Console.
From the Schema Console, click the Classes folder. Scroll down to the
User class, right-click it, and select Properties. In the User
Properties dialog box, click the Attributes tab, which Figure 7 shows.
Click Add, then choose the Gender attribute. Click OK twice, and
you've successfully added the Gender attribute to the User class.
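The Create Attribute walk-through above, and the prefix/suffix OID split described before it, carried out in script form as an added example (not the article's own code). It assumes the ActiveDirectory module, Schema Admins membership, schema modification enabled as described above, and a placeholder OID root; Split-Oid and Get-OidPrefixTable are names chosen here.

```powershell
# Added example, not from the original article. Scripts the Gender attribute
# creation described above against the schema master, after checking that the
# new OID shares the organization's root prefix. Assumes the ActiveDirectory
# module, Schema Admins membership, and a placeholder OID root (not a real arc).
Import-Module ActiveDirectory

$OrgOidRoot   = '1.2.840.113556.1.8000.2554.99999'   # PLACEHOLDER: use your own registered arc
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Split an OID the way the article describes AD's prefix table: everything but
# the rightmost (low-order) value is the prefix; the rightmost value is the suffix.
function Split-Oid {
    param([string]$Oid)
    $i = $Oid.LastIndexOf('.')
    [pscustomobject]@{ Prefix = $Oid.Substring(0, $i); Suffix = [int]($Oid.Substring($i + 1)) }
}

# Build the prefix table for a set of OIDs: one index per distinct prefix, so
# OIDs grouped under one root add only a single entry.
function Get-OidPrefixTable {
    param([string[]]$Oids)
    $table = [ordered]@{}
    foreach ($o in $Oids) {
        $p = (Split-Oid $o).Prefix
        if (-not $table.Contains($p)) { $table[$p] = $table.Count }
    }
    $table
}

$genderOid = "$OrgOidRoot.1"
$prefixes  = Get-OidPrefixTable -Oids @($genderOid, "$OrgOidRoot.2", "$OrgOidRoot.3")
if ($prefixes.Count -ne 1) { throw 'Organization OIDs should share one prefix' }

# attributeSchema object: Unicode string syntax (2.5.5.12 / oMSyntax 64),
# single-valued, 4 to 6 characters (Male/Female), replicated to the GC.
$attrs = @{
    lDAPDisplayName               = 'Gender'
    adminDisplayName              = 'Gender'
    adminDescription              = 'Gender (Male or Female)'
    attributeID                   = $genderOid
    attributeSyntax               = '2.5.5.12'
    oMSyntax                      = 64
    isSingleValued                = $true
    rangeLower                    = 4
    rangeUpper                    = 6
    isMemberOfPartialAttributeSet = $true
}
New-ADObject -Name 'Gender' -Type 'attributeSchema' -Path $schemaNC `
             -OtherAttributes $attrs -Server $schemaMaster

# Reload the schema cache so the new attribute can be referenced right away.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Add Gender to the User class as an optional (mayContain) attribute.
$userClass = Get-ADObject -SearchBase $schemaNC -Server $schemaMaster `
             -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))'
Set-ADObject -Identity $userClass -Add @{ mayContain = 'Gender' } -Server $schemaMaster
```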
Active Directory Schema
• Classes
• Class attributes
• Class relationships such as subclasses (Child
classes that inherit attributes from the super
class) and super classes (Parent classes).
• Object relationships such as what objects are
contained by other objects or what objects
contain other objects.
Partitions
Schema container: CN=schema,CN=configuration,DC=<forest root domain>
Classes and attributes are stored in classSchema objects and
attributeSchema objects respectively.
System Attributes
• badPasswordCount
• badPasswordTime
• creationTime
• domainReplica
• isCriticalSystemObject
• lastLogoff
• lastLogon
• LockoutTime
• modifiedCount
• ntPwdHistory
• PrimaryGroupName
• revision
• SAMAccountName
• SAMAccountType
Schema Modifications
computername.domain.com
Top level domains are .com, .edu, .net, .org, and more. Second
level domains may contain other domains and hosts.
DNS Files
For the system to use WINS if DNS resolution cannot supply the
IP address for a name, all DNS servers must be configured to
use WINS. It cannot be done with just the primary DNS server.
DNS Queries
WINS TTL
The "WINS Lookup" property page (in DNS?) is used to set the WINS
TTL(Time to Live) for returned queries.
DNS resolvers first attempt to use UDP for transport, then use TCP if
UDP fails.
Troubleshooting
• Clients are unable to obtain an IP address
If a DHCP client does not have a configured IP address, it
generally means that the client has not been able to
contact a DHCP server. This is either because of a
network problem or because the DHCP server is
unavailable. If the DHCP server has started and other
clients have been able to obtain a valid address, verify
that the client has a valid network connection and that all
related client hardware devices (including cables and
network adapters) are working properly.
• The DHCP server is unavailable
When a DHCP server does not provide leased addresses
to clients, it is often because the DHCP service has failed
to start. If this is the case, the server may not have been
authorized to operate on the network. If you were
previously able to start the DHCP service, but it has since
stopped, use Event Viewer to check the system log for
any entries that may explain the cause.
DHCP terminology
DHCP Scopes
Adding a Scope
To add a new scope:
General Properties:
The Description is a unique name for this scope. This will be displayed in
the DHCP options window. The Scope enabled option enables/disables
allocation from this scope.
• Allocate IP addresses in the range Properties:
The default lease time is 3 days. This is a suitable time for most
LANs. If you have a LAN with more computers than the size of your
scope, you may wish to use a short lease period. This lets
the available IPs be shared around.
These are IPs within the scope range that you do not wish to allocate
to client computers. In the example above, the IP address
192.168.0.100 and all the IP addresses from 220 to 240 will not be
allocated.
To add an exclusion:
Removing a Scope
When a subnet is no longer in use, or if you want to remove an existing
scope, you can remove it from the DHCP service. It is recommended that
you deactivate a scope until you know that no leases are current before
deleting it.
To Remove a Scope:
The scope should be deactivated until you are sure the scope is not in use.
Only configure options if you know what effect they will have on DHCP. Some
options are inter-related (see the DHCP Configurable Options List).
To Assign DHCP Configuration Options:
Example:
To specify the DNS name servers to be used by DHCP clients, double click
DNS Server and then type an IP address for a DNS server in the edit box and
click add. The list should be in the order of preference, so that the first server
in the list is the first server to be consulted.
To Remove a Configured Option:
Full backup
Stack backup
Incremental backup
This is a backup in which only the files that have been
modified since the last backup are copied. It consists of a "full
backup" and N following sequential incremental backups
(where N is a stack size parameter). The first backup
should include all files: a "full backup". The next backup
copy could also be a "full backup", but it is usually much
quicker to do an incremental backup, because only files that have changed
since the last backup are included in it.
Once N incremental copies have been created, at the
next step all old backup files are deleted and the cycle
is repeated from the beginning.
It is also possible to save the full backup at the beginning of
the new cycle. If the additional parameter "save full backups"
is checked, the full backup is renamed and saved in the
same directory.
Differential backup
Mirror backup
To back up system state including system-protected files
1. To start the Windows Server 2003 backup utility, click
Start, click Run, type ntbackup, and then click OK.
This procedure provides steps for backing up in
Wizard Mode. By default, the Always Start in
Wizard Mode check box is selected in the Backup or
Restore Wizard. If the Welcome to the Backup
Utility Advanced Mode page appears, click Wizard
Mode to open the Backup or Restore Wizard.
2. On the Welcome to the Backup or Restore Wizard
page, click Next.
3. Select Back up files and settings, and then click
Next.
4. Select Let me choose what to back up, and then
click Next.
5. In the Items to Back Up window, double-click My
Computer.
6. In the expanded list below My Computer, check
System State, and then click Next.
7. Select a location to store the backup:
• If you are backing up to a file, type the path and
file name for the backup (.bkf) file (or click
Browse to find a folder or file).
• If you are backing up to a tape unit, choose the
tape that you want to use.
Note:
You should not store the backup on the local
hard drive. Instead, store it in a location, such as
a tape drive, away from the computer that you
are backing up.
System State data
With Backup, you can back up and restore the following
system components to back up the System State:
Component: When it is included
Registry: Always
COM+ Class Registration database: Always
Boot files, including the system files: Always
Certificate Services database: If it is a Certificate Services server
Active Directory directory service: If it is a domain controller
SYSVOL directory: Only if it is a domain controller
Cluster service information: If it is within a cluster
IIS Metadirectory: If it is installed
System files that are under Windows File Protection: Always
Backup refers to these system components as the System
State data. The exact system components that make up
your computer's System State data depend on the
computer's operating system and configuration.
MORE INFORMATION
By default, trust relationship and computer account
passwords are renegotiated every thirty days, except for
computer accounts for which the administrator has disabled
this.
• Schema table
the types of objects that can be created in the Active Directory,
relationships between them, and the optional and mandatory attributes
on each type of object. This table is fairly static and much smaller
than the data table.
• Link table
contains linked attributes, which contain values referring to other
objects in the Active Directory. Take the MemberOf attribute on a user
object. That attribute contains values that reference groups to which
the user belongs. This is also far smaller than the data table.
• Data table
users, groups, application-specific data, and any other data stored in
the Active Directory. The data table can be thought of as having rows
where each row represents an instance of an object such as a user, and
columns where each column represents an attribute in the schema
such as GivenName.
• Schema information
definitional details about objects and attributes that one CAN store in
the AD. Replicates to all domain controllers. Static in nature.
• Configuration information
configuration data about forest and trees. Replicates to all domain
controllers. Static as your forest is.
• Domain information
object information for a domain. Replicates to all domain controllers
within a domain. The object portion becomes part of Global Catalog.
The attribute values (the actual bulk of data) only replicates within the
domain.
Although GUIDs are unique, they are large. AD uses distinguished name tag
( DNT ). DNT is a 4-byte DWORD value which is incremented when a new
object is created in the store. The DNT represents the object's database row
number. It is an example of a fixed column. Each object's parent relationship
is stored as a parent distinguished name tag ( PDNT ). Resolution of parent-
child relationships is optimized because the DNT and PDNT are indexed
fields in the database. For more technical info on the AD datastore and its
organization, a good starting point is the Active Directory Database Sizing
document.
The size of ntds.dit will often differ across the domain controllers
in a domain. Remember that Active Directory is a multi-master independent
model where updates occur on each of the domain controllers, with the changes being
replicated over time to the other domain controllers. The changed data is
replicated between domain controllers, not the database file, so there is no
guarantee that the files are going to be the same size across all domain
controllers.
This is a server-by-server task. Monitor the size of ntds.dit, and if it starts
growing or performance is slow and you cannot see why either situation
should apply, consider an offline defrag.
When you move the database and log files, you must back up the domain
controller.