What is Active Directory?
Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.
Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.
Certain operations in Active Directory must be performed by exactly one domain controller (DC) at a time; the DC that performs such an operation is said to hold a Flexible Single Master Operation (FSMO) role. Currently in Windows there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
Schema Master FSMO Role
The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.
Domain Naming Master FSMO Role
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions,CN=Configuration,DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.
RID Master FSMO Role
The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain.
Each Windows DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. There is one RID master per domain in a directory.
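As an added example (not code from the original post), the following PowerShell splits a SID into the domain SID and RID described above, then reads each DC's allocated RID range from its "RID Set" object. It assumes the ActiveDirectory RSAT module and an authorised, domain-joined session; the SID literal is a constructed value, and the 64-bit packing of rIDAllocationPool (low 32 bits = first RID, high 32 bits = last RID) is stated as an assumption here.

```powershell
Import-Module ActiveDirectory

# Decompose a SID string: everything up to the last sub-authority is the domain SID,
# the last sub-authority is the RID handed out from the DC's allocated pool.
function Split-Sid {
    param([string]$Sid)
    $obj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    [pscustomobject]@{
        DomainSid = $obj.AccountDomainSid.Value     # identical for every principal in the domain
        RID       = [int]($Sid -split '-')[-1]      # unique per security principal in the domain
    }
}

# Constructed sample value, not a real SID
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Assumed packing of the rIDAllocationPool attribute: low 32 bits = start, high 32 bits = end
function ConvertFrom-RidPool {
    param([int64]$Pool)
    [pscustomobject]@{
        Start = $Pool -band 0xFFFFFFFF
        End   = $Pool -shr 32
    }
}

# Each DC keeps its allocated range on CN=RID Set under its own computer object;
# rIDNextRID shows how far into that range the DC has already consumed.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                           -Properties rIDAllocationPool, rIDNextRID
    $range  = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = $range.Start
        PoolEnd   = $range.End
        NextRID   = $ridSet.rIDNextRID
        Remaining = $range.End - $ridSet.rIDNextRID
    }
}
```

A DC whose Remaining value keeps shrinking without a new range appearing is one that cannot reach the RID master, which is the failure this section describes.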
PDC Emulator FSMO Role
The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) service, which is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The time service enforces a hierarchy of time sources that controls which computer is authoritative and does not permit loops, so that the enterprise shares an appropriate common time.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment.
The following information describes the changes that occur during the upgrade process:
Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.
Windows clients (workstations and member servers) and down-level clients that have installed the distributed services client package use Active Directory to locate network resources. They do not require the Windows NT Browser service.
Infrastructure FSMO Role
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.
If all the domain controllers in a domain also host the Global Catalog, all the domain controllers have the current data, and it is not important which domain controller holds the Infrastructure Master role.
When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.
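As an added example (not code from the original post), this PowerShell lists the five role holders and then applies the placement rules from this section: it warns only when the Infrastructure Master is a Global Catalog, not every DC is a GC, and the Recycle Bin is not enabled. It also queries the PDC emulator's time source with w32tm. It assumes the ActiveDirectory RSAT module and an authorised, domain-joined session.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (one holder per forest), three are domain-wide (one per domain)
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Infrastructure Master placement check
$dcs    = Get-ADDomainController -Filter *
$imHost = $domain.InfrastructureMaster
$imIsGC = [bool]($dcs | Where-Object { $_.HostName -eq $imHost }).IsGlobalCatalog
$allGC  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

# Recycle Bin: EnabledScopes is non-empty once the feature has been enabled
$rb        = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$rbEnabled = ($rb.EnabledScopes | Measure-Object).Count -gt 0

if ($imIsGC -and -not $allGC -and -not $rbEnabled) {
    Write-Warning ("Infrastructure Master {0} is a Global Catalog while other DCs are not " +
                   "and the Recycle Bin is off: cross-domain references will not be updated.") -f $imHost
} else {
    Write-Output ("IM placement OK (IM on GC: {0}; all DCs are GC: {1}; Recycle Bin: {2})" `
                  -f $imIsGC, $allGC, $rbEnabled)
}

# The forest-root PDC emulator should take time from an external source, not from itself
Write-Output "Time source of PDC emulator $($domain.PDCEmulator):"
w32tm /query /source /computer:$($domain.PDCEmulator)
```

A PDC emulator whose source reports "Local CMOS Clock" or "Free-running System Clock" is not following the external source this section calls for.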