Global Catalog server
Every domain controller in an Active Directory forest has its own copy of the Active Directory database. This information is stored in the NTDS.DIT file, and each change is replicated to all domain controllers in the domain. This process is straightforward when accessing resources in your local forest: Windows will automatically use your own username and password to authenticate you against the required server, but the domain does not know where resources outside of your forest are kept.
This is where global catalog (GC) servers come in. The GC acts as an index for the forest: any domain controller can be assigned the GC role, and the GC holds a subset of the data for every object in the forest, which is used to locate any object within the forest. It also holds the membership information for universal groups.
You might assume that a normal domain controller has all the information needed to log a user on, but this is incorrect, as domain controllers do not hold forest-wide information. The most noticeable piece of missing information is universal group membership.
GCs are also required when a user logs in with a Universal Principal Name (UPN), and they allow forest-wide searching for directory information regardless of location within the forest.
Global Catalog rules of thumb
- Any domain controller can be a GC
- You must have at least one GC per domain
- There should be additional GCs for redundancy
- If you run Exchange you must have a GC
- By default Windows Server 2008 R2 makes every domain controller a GC during promotion
- GCs require more disk space
- GCs require more bandwidth
The last two points are no longer a concern. They were originally a constraint during NT4/Server 2000/Server 2003, but as disk space and network bandwidth are now much cheaper and more available this is no longer a problem, and Microsoft advises that all domain controllers be global catalog servers.
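As an added example (not code from the original post), the script below inventories the global catalog servers in every domain of the forest against the rules of thumb above, and shows how the GC role is enabled on a domain controller by setting the IS_GC bit on its NTDS Settings object. It assumes the RSAT ActiveDirectory module and a session with forest-level admin rights.

```powershell
# Added example: inventory global catalog servers per domain and optionally
# enable the GC role on a DC. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GcInventory {
    # One object per domain: which DCs are GCs, how many, and whether the
    # "additional GCs for redundancy" rule of thumb is met.
    foreach ($domain in (Get-ADForest).Domains) {
        $dcs = Get-ADDomainController -Filter * -Server $domain
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
        [pscustomobject]@{
            Domain    = $domain
            DCs       = @($dcs).Count
            GCs       = $gcs.Count
            GcNames   = ($gcs.Name -join ', ')
            Redundant = ($gcs.Count -ge 2)
        }
    }
}

function Enable-GlobalCatalog {
    # Sets the IS_GC bit (0x1) in the "options" attribute of the DC's NTDS
    # Settings object; the DC then builds its partial replicas and starts
    # advertising as a GC once they are complete.
    param([Parameter(Mandatory)][string]$DcName)
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = ([int]$ntds.options) -bor 1    # keep any other option bits intact
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $opts }
}

Get-GcInventory | Format-Table -AutoSize
# Flag domains that do not meet the redundancy rule of thumb
Get-GcInventory | Where-Object { -not $_.Redundant } | ForEach-Object {
    Write-Warning "$($_.Domain) has only $($_.GCs) global catalog server(s)"
}
# Example call with a constructed DC name: Enable-GlobalCatalog -DcName 'DC2'
```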
Seizing Operations Master Roles
When moving operations master roles you should always try to transfer where possible; you can find out how to transfer these roles from this link, or to find out what operations master roles are all about check here.
If for any reason you are unable to recover the domain controller which holds an operations master role, the role will need to be seized. Bear in mind, though, that if there is currently no impact on your infrastructure then it is worth trying to recover the machine holding the role first.
Here is a list of the impacts you would experience from having each operations master role unavailable:
- Schema Master: If you are not planning on making changes to the schema then this role can be offline indefinitely.
- Domain Naming Master: If you are not planning on adding or removing domains then this role can be offline indefinitely.
- Infrastructure Master: In a single-domain environment this can be down indefinitely; however, in a multiple-domain environment this will affect group membership changes across the domains.
- RID Master: If you are not making large numbers of changes within Active Directory and/or creating large numbers of objects, then this role can be offline for quite some time.
- PDC Emulator: This role being unavailable is the most likely to have a noticeable impact on your network, as password changes and time synchronisation will be affected. Microsoft recommends this role be available 24/7.
Before seizing the roles check the recommendations below:
- The domain controller holding the role must be offline
- Do not seize roles during a network outage
- Seizing roles should be considered a last resort
- After the role has been seized the original domain controller must not be used on the network again
- Make sure you have an available domain controller to transfer the seized role to
- After the role is seized the original domain controller will need to be reinstalled before joining it back to the network
- After the role is seized the old domain controller's configuration will still exist in Active Directory and will require manual removal
Seizing Operations Master Roles
If the role holder is unavailable, the transfer process outlined here will fail with an error.
To seize a role you must use NTDSUTIL from an administrator command prompt. Below are the prompts, each followed by the entry you type, to complete the seizure of a role:
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server domain_controller
Binding to domain_controller ...
Connected to domain_controller using credentials of locally logged on user.
server connections: quit
fsmo maintenance: seize RID master
You will now be prompted to confirm that the action you wish to carry out is correct; click Yes to continue or No to cancel.
fsmo maintenance: quit
ntdsutil: quit
Once the process has completed you can confirm which servers hold the operations master roles with the command netdom query fsmo.
The last step is to clean up the metadata regarding the failed server before it is brought back online, if the same computer name is to be used.
ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server domain_controller
Binding to domain_controller ...
Connected to domain_controller using credentials of locally logged on user.
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain 0/1/2/etc.
select operation target: list sites
select operation target: select site 0/1/2/etc.
select operation target: list servers in site
select operation target: select server 0/1/2/etc.
select operation target: quit
metadata cleanup: remove selected server
After completing this process the server will be removed from the Active Directory database; you will then just need to remove the server from within Active Directory Sites and Services by deleting its record.
Transfer Operation Master Roles
When installing your first domain controller into a new forest, all five operations master roles will be held by this server. To find out more about operations master roles view this in-depth post on what they do.
As you add more domain controllers you should consider moving the operations master roles; where they are moved to will depend not only on server hardware but also on the network layout.
Transferring Domain Wide Roles
Transferring any of the three domain-wide roles requires Active Directory Users and Computers. Before transferring any roles you should know which server you wish to move the role to.
Moving the RID, PDC and Infrastructure roles
To move any of the three roles mentioned above, open Active Directory Users and Computers, right click your domain and select Change Domain Controller. You must now select the domain controller you want to move the role to:

Once again right click the domain, but this time select Operations Masters. From this menu select the RID, PDC or Infrastructure master role you wish to transfer; in the dialog box the current operations master is displayed at the top, and the server you wish to transfer the operations master to is underneath.
Transferring Forest Wide Roles
Transferring the last two roles is the same process as above but uses different administrative tools. The Schema master role requires an additional step: you first need to register the DLL for its MMC snap-in. This is done with the run command regsvr32 schmmgmt.dll. Once registered, use the run command mmc to open the Microsoft Management Console, click File, select Add/Remove Snap-in, add the Active Directory Schema snap-in and then follow the same steps as above for transferring domain-wide roles.
The last role to transfer is the Domain Naming master. This is done using the same steps as the domain-wide roles, but using Active Directory Domains and Trusts instead of Active Directory Users and Computers.
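The transfer and seize procedures above can also be driven from PowerShell. The following is an added example (not code from the original post) that wraps Move-ADDirectoryServerOperationMasterRole: a plain call transfers a role, and with -Seize it first confirms the current holder really is unreachable before forcing the move, then verifies the new holder the same way netdom query fsmo would. It assumes the RSAT ActiveDirectory module, suitable admin rights, and the constructed DC names DC1/DC2.

```powershell
# Added example: transfer or seize FSMO roles and verify the result.
# Assumes the RSAT ActiveDirectory module and Domain/Enterprise Admin rights.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same information as "netdom query fsmo", returned as one object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    # Transfers $Role to $Target. With -Seize the move is forced, but only
    # after confirming the current holder does not respond (last resort).
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster',
                     'SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    $before = Get-FsmoHolders
    if ($Seize) {
        foreach ($r in $Role) {
            $holder = $before.$r
            if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
                throw "$holder (current $r) still responds; transfer instead of seizing"
            }
        }
    }
    # -Force turns the transfer into a seizure when the holder cannot be contacted
    Move-ADDirectoryServerOperationMasterRole -Identity $Target `
        -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    $after = Get-FsmoHolders
    foreach ($r in $Role) {
        if ($after.$r -notlike "$Target*") { throw "$r is still held by $($after.$r)" }
    }
    $after
}

# Usage (constructed names): transfer the three domain-wide roles to DC2, or
# seize only the PDC emulator once DC1 has been confirmed dead.
# Move-FsmoRole -Target 'DC2' -Role PDCEmulator,RIDMaster,InfrastructureMaster
# Move-FsmoRole -Target 'DC2' -Role PDCEmulator -Seize
```

The seized DC's metadata must still be cleaned up as described in the NTDSUTIL section above.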
Operation Master Roles
What are Operations Master roles and what do they do?
Operations Master roles are also known as Flexible Single Master Operation (FSMO) roles. Active Directory is a multi-master replication service, but some operations are best performed on one server at a time. Having one server look after each such role:
- Guarantees the operation will be consistent
- Eliminates replication conflicts
To know where to place these roles you must first understand what they do. They are broken down into two groups, forest-wide roles and domain-wide roles; we will start with the forest-wide roles:
Schema Master
The schema master controls the structure of Active Directory within the Active Directory database. By default user accounts can contain information such as the user's phone number, address, job title, etc. If you wanted to add an additional field such as 'car registration', this would be done within the schema.
Domain Naming Master
The domain naming master is only used when adding a domain to, or removing a domain from, the forest. This role ensures that duplicate domain names cannot be joined to your forest.
There are another three roles, which are the domain-wide roles:
Relative Identifier (RID) Master
The RID master allocates RID pools; a RID pool is a series of sequential numbers used in Security Identifiers (SIDs). Every object within Active Directory has a SID, a unique series of numbers. For example, if you open a command prompt as an administrator and run dsquery * -attr objectsid -filter objectcategory=user you will see the SIDs of all user accounts within your domain; the number appended at the end is the relative ID of that object.
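To make the domain SID / RID split concrete, here is an added example (not code from the original post) that reads the same SIDs the dsquery command above shows, splits each one into the domain SID and the RID, and uses the RID rather than the name to identify accounts with fixed well-known RIDs, such as the built-in Administrator (always RID 500, even when renamed). It assumes the RSAT ActiveDirectory module.

```powershell
# Added example: split user SIDs into domain SID + RID and report on them.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known RIDs for built-in user accounts (documented by Microsoft)
$WellKnownRids = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt' }

function Split-Sid {
    # "S-1-5-21-<domain part>-1105" -> DomainSid "S-1-5-21-<domain part>", Rid 1105
    param([Parameter(Mandatory)][string]$Sid)
    $idx = $Sid.LastIndexOf('-')
    [pscustomobject]@{
        DomainSid = $Sid.Substring(0, $idx)
        Rid       = [int]$Sid.Substring($idx + 1)
    }
}

function Get-UserRidReport {
    # One row per user, marking well-known RIDs and RIDs that came from a pool
    foreach ($u in Get-ADUser -Filter * -Properties SID) {
        $parts = Split-Sid $u.SID.Value
        [pscustomobject]@{
            Name      = $u.SamAccountName
            DomainSid = $parts.DomainSid
            Rid       = $parts.Rid
            WellKnown = $WellKnownRids[$parts.Rid]   # $null for ordinary accounts
            # RIDs below 1000 are reserved; everything else was issued from a RID pool
            FromPool  = ($parts.Rid -ge 1000)
        }
    }
}

$report = Get-UserRidReport
$report | Sort-Object Rid | Format-Table -AutoSize
# The built-in Administrator located by RID, whatever it has been renamed to
$report | Where-Object { $_.Rid -eq 500 }
```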
Primary Domain Controller (PDC) Emulator
The PDC emulator was originally introduced to bridge connections between Windows 2000 domain controllers and NT4 domain controllers; however, Windows Server 2008 no longer supports NT4 domain controllers, so it is unlikely you will see these in the same environment. The PDC emulator still keeps time accurate within your domain: the PDC emulator synchronises with external time sources, the rest of the domain controllers synchronise their time to the PDC emulator, and all member servers and desktops synchronise their time with the domain controllers in their domain. Also, when a password is changed within the domain this is replicated to the PDC emulator using urgent replication, so the PDC emulator is considered the most up-to-date source of password changes. The PDC emulator also tracks changes to DFS, and GPO editing defaults to the PDC emulator.
Infrastructure Master
The infrastructure master keeps object references consistent across domains in the forest, updating cross-domain references in Active Directory when the referenced objects change.
What servers do I assign these roles to?
The first domain controller you install into your forest will hold all five operations master roles and is automatically made a global catalog server. You should have more than one domain controller in the domain for redundancy; the main consideration that decides where the roles are placed is the load on each server.

The Schema Master and Domain Naming Master are used rarely, so it is recommended that you keep these roles on the same server for ease of administration. If the server holding these roles were to go down and be unavailable, this would only stop changes to the schema and the adding or removing of domains from the forest. It is recommended to place these roles within the root domain of your forest, as both of them affect the entire forest.
The RID Master allocates blocks of RIDs and therefore does not require a high-specification server or the fastest link within the network. If large volumes of objects are being created in Active Directory then you need to ensure the server and network are not only above the OS minimum requirements but also reliable. Although not required, in busy domains it is advised to put the PDC emulator and RID master on the same server, as the PDC emulator requests the most RIDs of all domain controllers.
The PDC Emulator should be placed on the network that has the most authentication requests; if there are performance problems the global catalog role can be removed from the PDC emulator to decrease the load on this domain controller.
The Infrastructure Master role in a multi-domain forest must be placed on a domain controller that is not a global catalog, or else all domain controllers must be global catalog servers. If you do not, the infrastructure master will not update other domain controllers, as it thinks it has the most up-to-date copy. This bug has been fixed in Windows Server 2008, as during the DCPROMO stage all domain controllers are made into global catalog servers.
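The infrastructure master placement rule above is easy to violate silently when a GC is later enabled on the role holder, so here is an added example (not code from the original post) that checks every domain in the forest for it: the rule is satisfied when the infrastructure master is not a GC, or when every DC in the domain is a GC. It assumes the RSAT ActiveDirectory module and read access to the forest.

```powershell
# Added example: check infrastructure master / global catalog placement per domain.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    # Misplaced = IM holds the GC role while at least one DC in the domain
    # does not (only matters when the forest has more than one domain).
    $forest      = Get-ADForest
    $multiDomain = @($forest.Domains).Count -gt 1
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $imIsGc = [bool]$im.IsGlobalCatalog
        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            ImIsGlobalCatalog    = $imIsGc
            AllDcsAreGc          = $allGc
            Misplaced            = ($multiDomain -and $imIsGc -and -not $allGc)
        }
    }
}

$result = Test-InfrastructureMasterPlacement
$result | Format-Table -AutoSize
$result | Where-Object { $_.Misplaced } | ForEach-Object {
    Write-Warning ("{0}: infrastructure master {1} is a GC but not all DCs are GCs; " +
                   "move the role to a non-GC DC or make every DC a GC") -f $_.Domain, $_.InfrastructureMaster
}
```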