IT:Network:Microsoft Server 2 Operation Roles and Multiple Domains
Operations Terms
• Single-Master Replication
  • NT 4.0 replication method
  • Only the primary domain controller could write to the SAM database
  • Other domain controllers could only handle authentication
  • Server 2003 mixed mode is single-master
• Multi-Master Replication
  • Active Directory replication method
  • Multiple DCs can write to NTDS
NT 4.0 vs. 2000/2003/2008
• NT 4.0: maintains the SAM on the PDC, and only on the PDC.
• NT 4.0: changes can only be made on the PDC.
• Windows Server: accounts are managed through the directory using multi-master replication. This is only available in native mode, not mixed mode, which supports single-master replication.
Server 2003/2008
• With Active Directory, all DCs are equal, although some are more equal than others: they maintain the FSMO roles (Flexible Single Master of Operations), now simply called Operations Masters.
• FSMO is pronounced PHIZZ-MO.
• Roles:
  • RID Master
  • Schema Master
  • Domain Naming Master
  • PDC Emulator
  • Infrastructure Master
• First DC maintains all 5.
Operation Roles
• Schema master - forest-wide, one per forest.
• Domain naming master - forest-wide, one per forest.
• RID master - domain-specific, one for each domain.
• PDC - the PDC Emulator is domain-specific, one for each domain.
• Infrastructure master - domain-specific, one for each domain.
Schema Master
• The schema is the working structure of the AD database (think of an Access database with many tables that each have many fields).
• You can view the AD schema by running mmc /a and choosing Add/Remove Snap-in -> Active Directory Schema.
  • Run regsvr32 schmmgmt.dll first, to register the snap-in.
• Things that change the schema:
  • Applications: Exchange Server, SQL Server
  • They add additional fields to support the apps
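The slide describes looking at the schema through the snap-in and notes that applications extend it. As an added example (not part of the slides, and not Microsoft's own tooling), the PowerShell below reads the same schema container through the ActiveDirectory RSAT module, counts its classes and attributes, and lists what changed recently. It assumes the RSAT module is installed; the `msExch` attribute prefix is the one Exchange uses for the attributes it adds.

```powershell
# Added example (not from the slides): inspect the AD schema from PowerShell instead of
# the Active Directory Schema snap-in. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-SchemaSummary {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext

    # objectVersion on the schema container head is the forest schema version;
    # each Windows Server release raises it, and application schema preps change it too
    $head = Get-ADObject -Identity $schemaNc -Properties objectVersion

    $attrs   = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=attributeSchema)' -Properties lDAPDisplayName
    $classes = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=classSchema)'

    [pscustomobject]@{
        SchemaVersion      = $head.objectVersion
        AttributeCount     = @($attrs).Count
        ClassCount         = @($classes).Count
        # Exchange's added "fields" all carry the msExch prefix in their LDAP display name
        ExchangeAttributes = @($attrs | Where-Object lDAPDisplayName -like 'msExch*').Count
    }
}

Get-SchemaSummary

# Which schema objects changed in the last 7 days? Schema edits are rare and forest-wide,
# so an unexpected entry here is worth investigating.
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(objectClass=*)' `
    -Properties whenChanged |
    Where-Object whenChanged -gt (Get-Date).AddDays(-7) |
    Sort-Object whenChanged -Descending |
    Select-Object Name, whenChanged
```

Run it on a domain-joined machine with RSAT; it is read-only. The "changed recently" list is the useful part operationally: after an application setup such as Exchange runs its schema prep, the new attributes show up here, and outside such a maintenance window the list should normally be empty.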
Domain Naming Master
• Modified with the AD Domains and Trusts tool/snap-in
• Handles domain naming when additional domains are brought into the forest
• It is the clearing house for domain names and prevents duplicate domain names from being brought in
RID Master
• RID = Relative ID
• Generated when a SID is created; it is the last 32 bits of the SID
• All SIDs start with S-1-5, and random numbers (shown here as a1-b1-c1) are appended to the end
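To make the SID layout on this slide concrete, here is an added example (not from the slides) that splits a SID string into its fields and pulls out the RID, the final 32-bit sub-authority that the RID master's pool supplies. The sample SIDs are constructed: the domain portion is a placeholder, and the `21` after `S-1-5` is the standard sub-authority prefix for domain SIDs.

```powershell
# Added example (not from the slides): parse a SID string and extract the RID.
# Sample SIDs below are constructed; the domain identifier is a placeholder.
function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)

    # Let the .NET SID class validate the shape before we split the string
    $obj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    $fields = $Sid -split '-'   # 'S', revision, identifier authority, sub-authorities...
    $rid    = [uint32]$fields[-1]

    [pscustomobject]@{
        Sid       = $Sid
        Revision  = [int]$fields[1]          # always 1 today
        Authority = [int]$fields[2]          # 5 = NT authority, hence "S-1-5"
        DomainSid = if ($obj.AccountDomainSid) { $obj.AccountDomainSid.Value } else { $null }
        Rid       = $rid                     # the last 32-bit field, unique within the domain
        # RIDs below 1000 are well-known (500 = Administrator, 512 = Domain Admins);
        # 1000 and above were handed out from a RID pool issued by the RID master.
        WellKnown = $rid -lt 1000
    }
}

# Constructed samples: built-in Administrator (RID 500) and an ordinary pooled RID
Get-SidParts 'S-1-5-21-1111111111-2222222222-3333333333-500'
Get-SidParts 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

Because the domain identifier is fixed per domain and only the RID varies, two accounts in the same domain differ only in that last field; this is why the RID master has to be the single source of RID pools, or two DCs could mint the same SID for different principals.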
Infrastructure and PDC
• Infrastructure Master
  • Speeds up the process of reflecting changes across the domains.
• PDC Emulator
  • Used for legacy (pre-Windows 2000) systems
  • Knows the most up-to-date passwords
  • When a password is changed, the DCs contact the PDC FSMO immediately
  • Also used for account unlocks
Transferring Roles from the Command Line
• Command to find out who holds what:
  • netdom query fsmo
• Command to manage roles:
  • ntdsutil
  • connect to servername
  • quit
  • transfer fsmotype master
  • or: seize fsmotype master
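The ActiveDirectory PowerShell module offers the same two operations as `netdom query fsmo` and the `ntdsutil` transfer/seize sequence above. The following is an added example (not from the slides): it reports all five role holders, checks that each one still answers on LDAP (an unreachable holder is the situation that forces a seize rather than a transfer), and then performs a graceful transfer. `DC02` is an assumed name for the target domain controller.

```powershell
# Added example (not from the slides): query and transfer FSMO roles with the
# ActiveDirectory module. DC02 is an assumed target DC name.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles live on Get-ADForest, domain-specific ones on Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoHoldersOnline {
    # A holder that does not answer on LDAP (389) cannot take part in a transfer
    $holders = Get-FsmoHolders
    foreach ($p in $holders.PSObject.Properties) {
        $online = Test-NetConnection -ComputerName $p.Value -Port 389 -InformationLevel Quiet
        [pscustomobject]@{ Role = $p.Name; Holder = $p.Value; Online = $online }
    }
}

Get-FsmoHolders
Test-FsmoHoldersOnline | Format-Table

# Graceful transfer of the three domain roles to DC02 (the current holder must be online).
# Adding -Force turns this into a seize, which is only for a holder that is gone for good:
# the old DC must never come back on the network afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
```

Run `Get-FsmoHolders` again after the move and confirm the three domain roles now name `DC02`; the two forest roles stay where they were unless you include `SchemaMaster` and `DomainNamingMaster` in `-OperationMasterRole`.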
Why is this important to know?
• Delegating the roles to other servers reduces the possibility of the network going down in the event of a failure on the first server.
• Your company may purchase new servers to function as replica domain controllers; however, the first domain controller contains all the operations roles and does not automagically nominate the new hardware to carry the load.
• The roles would be transferred automatically if you retire the first domain controller by performing a dcpromo to demote the domain controller.
Designing a Domain Model
• Your domain design is relative to the size of the network.
• A small business typically will maintain a single server/domain controller setup.
• Microsoft Small Business Server
  • Domain Controller
  • Exchange Server
  • SQL Server
  • ISA Server
  • Intranet
  • Maximum of 50 licenses
Designing a Domain Model
• Larger businesses (25+ clients)
  • Secondary domain controllers should be introduced for fault tolerance.
  • FSMO roles should be delegated appropriately.
• Larger businesses with remote locations
  • Active Directory Sites and Services
  • Create a site for the remote location
  • Domain controllers can be placed at the remote locations to help with authentication.
  • Replication decisions have to be made based on the connection speed between the sites.
  • Must determine how dynamic the network is
  • If the network does not change often, replication can be scheduled at off-peak times.
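The remote-location bullets above are the Sites and Services steps: a site, a subnet so clients find the local DC, a DC placed in that site, and a site link whose schedule fits the WAN. As an added example (not from the slides), the PowerShell below carries all of them out with the ActiveDirectory module. The site name `Branch-Office`, the subnet `10.20.0.0/16`, the DC name `DC03`, the link cost and frequency, and the 01:00-05:00 replication window are assumed values; `Default-First-Site-Name` is the site every forest starts with.

```powershell
# Added example (not from the slides): create a remote site and schedule replication
# across the slow link for off-peak hours. Names, subnet and window are assumed values.
Import-Module ActiveDirectory

# 1. The site and the subnet that maps branch clients to it
New-ADReplicationSite   -Name 'Branch-Office' -Description 'Remote office over WAN link'
New-ADReplicationSubnet -Name '10.20.0.0/16'  -Site 'Branch-Office'

# 2. Move the DC that was shipped to the branch into the new site
#    so branch workstations authenticate locally instead of over the WAN
Move-ADDirectoryServer -Identity 'DC03' -Site 'Branch-Office'

# 3. A schedule object: replicate only between 01:00 and 05:00, every day.
#    The hour/minute arguments are the HourOfDay and MinuteOfHour enum names.
$window = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule]::new()
$window.SetDailySchedule('One', 'Zero', 'Five', 'Zero')

# 4. The site link: higher cost than the default 100, replicate at most every 3 hours,
#    and only inside the window. A static, rarely changing branch can afford this.
New-ADReplicationSiteLink -Name 'HQ-Branch' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch-Office' `
    -InterSiteTransportProtocol IP `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 180 `
    -ReplicationSchedule $window

# Verify what was created
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Cost |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The trade-off the slide points at is visible in step 4: a longer interval and a narrow window save WAN bandwidth but widen the time during which a change made at headquarters (a disabled account, a password reset) is not yet known at the branch. For a network that changes often, shorten the frequency or widen the window rather than accept that lag.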
Forest-wide Time Synchronization
• All DCs should be within 5 minutes of each other.
• Kerberos fails if the DCs disagree on time.
• Member servers and workstations synchronize to the DC that logged them in.
• PDC Emulators of different domains must agree on time.
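A quick way to confirm the 5-minute rule holds is to measure every DC's clock against the PDC emulator, which is the top of the domain's time hierarchy. The function below is an added example (not from the slides): it reads each DC's clock over CIM, normalises to UTC so DCs in different time zones compare correctly, and flags anything past the tolerance. It assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example (not from the slides): report clock skew of every DC relative to the
# PDC emulator and flag drift beyond the 5-minute Kerberos tolerance.
Import-Module ActiveDirectory

function Get-DcUtcTime {
    param([Parameter(Mandatory)][string]$Computer)
    # Win32_OperatingSystem gives local time plus the zone offset in minutes;
    # subtracting the offset yields UTC, so zones do not masquerade as skew
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer
    return $os.LocalDateTime.AddMinutes(-$os.CurrentTimeZone)
}

function Get-DcClockSkew {
    param([int]$MaxSkewSeconds = 300)   # 5 minutes, the figure on the slide

    $pdc     = (Get-ADDomain).PDCEmulator
    $pdcTime = Get-DcUtcTime -Computer $pdc

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $t    = Get-DcUtcTime -Computer $dc.HostName
            $skew = [math]::Abs(($t - $pdcTime).TotalSeconds)
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                SkewSeconds      = [math]::Round($skew, 1)
                WithinTolerance  = ($skew -le $MaxSkewSeconds)
            }
        } catch {
            # A DC that cannot be queried is reported rather than silently skipped
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                SkewSeconds      = $null
                WithinTolerance  = $false
            }
        }
    }
}

Get-DcClockSkew | Format-Table -AutoSize
```

The CIM round trips add a little latency to each reading, so treat sub-second differences as noise; what matters is a DC sitting tens of seconds or minutes away from the PDC emulator, since its Kerberos tickets will start failing well before users notice anything else. The built-in `w32tm /monitor` command gives a comparable offset list from the time service's own point of view and is a good cross-check.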
Creating Multiple Domains
• A hierarchy of domains works best. This is referred to as a tree structure in Active Directory.
• Multiple-domain namespaces must be supported by DNS.
• The preferred method is to allow DCPROMO.EXE to handle the namespaces.
• Child domains get their own namespace under the parent: their name ends with the parent domain's name.
Creating Multiple Domains
• After creating a child domain, accounting.mycompany.com, you will find the following:
  • An AD-integrated zone on the new domain controller for the child domain, such as accounting.mycompany.com
  • A forwarder DNS server listing on this domain controller for the child domain
  • A delegated DNS subdomain on mycompany.com pointing to the new DC
Creating Multiple Domains
• Steps to create:
  • Set the preferred DNS on the proposed DC to point to the parent domain's DNS
  • Install Active Directory Domain Services from the Add Roles Wizard
  • Before you run DCPROMO.EXE, be sure your logon account is a member of the Enterprise Admins group
  • Run DCPROMO.exe
  • Create a new domain in an EXISTING forest
Creating Multiple Domains
• DCPROMO guidelines:
  • The first domain you create in a forest is the forest root domain.
  • You should create replica domain controllers for the new domain, which adds fault tolerance to the domain.
  • You add domains by creating them through DCPROMO in relation to existing domains.
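The three "Creating Multiple Domains" slides above (the DNS artefacts to expect, the DCPROMO steps, and the replica-DC guideline) map onto the ADDSDeployment cmdlets that replaced DCPROMO.EXE from Windows Server 2012 on. The script below is an added example, not part of the slides: it walks the same steps for the child domain accounting.mycompany.com and then checks for the zone, forwarder and delegation the slides say you should find. The interface alias `Ethernet`, the parent DNS address `10.0.0.10` and the parent DC name `DC01` are assumed values.

```powershell
# Added example (not from the slides): the Server 2012+ PowerShell equivalent of the
# DCPROMO steps for a child domain, run on the proposed child DC. 'Ethernet',
# 10.0.0.10 and DC01 are assumed values.

# Step 1: preferred DNS on the proposed DC points at the parent domain's DNS server
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'

# Step 2: install AD DS (the Add Roles Wizard equivalent)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Step 3: the promotion runs as an Enterprise Admin of the forest; prompt rather than
# embed the credential, and collect the DSRM password as a SecureString
$entAdmin = Get-Credential -Message 'Enterprise Admins account in mycompany.com'
$dsrmPwd  = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Step 4: "create a new domain in an EXISTING forest" = a child domain under mycompany.com.
# -InstallDns gives the AD-integrated zone and forwarder; -CreateDnsDelegation
# writes the delegation for accounting into the parent zone.
Install-ADDSDomain `
    -NewDomainName 'accounting' `
    -ParentDomainName 'mycompany.com' `
    -DomainType ChildDomain `
    -Credential $entAdmin `
    -SafeModeAdministratorPassword $dsrmPwd `
    -InstallDns `
    -CreateDnsDelegation `
    -Force

# --- After the reboot: verify the artefacts the slides list ---

# AD-integrated zone for the child domain on the new DC
Get-DnsServerZone -Name 'accounting.mycompany.com' | Select-Object ZoneName, ZoneType, IsDsIntegrated

# Forwarder entry on the child DC (should point up to the parent DNS)
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress

# Delegation of the accounting subdomain inside the parent zone on DC01
Get-DnsServerZoneDelegation -Name 'mycompany.com' -ComputerName 'DC01' |
    Select-Object ChildZoneName, NameServer

# Guideline from the last slide: add a replica DC to the child domain for fault tolerance.
# Run this on a second server that has the AD DS role installed:
# Install-ADDSDomainController -DomainName 'accounting.mycompany.com' -InstallDns `
#     -Credential $entAdmin -SafeModeAdministratorPassword $dsrmPwd -Force
```

The order matters for the reason the second slide gives: the proposed DC must resolve the parent domain's SRV records before the promotion can find a DC in mycompany.com to replicate from, which is why the DNS client setting comes first and why a failed promotion is most often a DNS problem rather than a permissions one.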