Friday 22 August 2014

FSMO ROLE INTERVIEW QUESTIONS




Though Windows 2000/2003 domain models are multimaster, certain operations are performed only by a single domain controller. These are known as Flexible Single Master Operations (FSMO) roles. There are five: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master. Each role must be owned by exactly one domain controller: the first two exist once per forest, the other three once per domain.

1.   Domain Naming Master:
 The DC holding the Domain Naming Master role must be available in order to add or remove a domain. The role is forest-wide.
2.   Schema Master:
 Permits extension of the schema. For the schema to be extended, the Schema Master must be online. The role is forest-wide.
3.   RID Master: Allocates pools of Relative IDs (RIDs) to the domain controllers in its domain. The role is domain-wide.

4.   PDC Emulator: Emulates a Windows NT Primary Domain Controller for backward compatibility, and additionally handles password changes, account lockout and time synchronization for the domain (see below). The role is domain-wide.

5.   Infrastructure Master: Keeps cross-domain object references (such as group members that live in another domain) up to date. The role is domain-wide.

What are the FSMO roles and explain their functions?
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master

Ø  Schema Master
The schema master is responsible for performing updates to the directory schema. This DC is
the only one that can process updates to the directory schema. Once the Schema update is
complete, it is replicated from the schema master to all other DCs in the directory. There is
only one schema master per directory.


Ø  Domain Naming Master
The Domain Naming Master is responsible for making changes to the forest-wide domain
name space of the directory. This DC is the only one that can add or remove a domain from
the directory.
Ø  RID Master
The RID master is responsible for processing RID Pool requests from all DCs within a given
domain. It is also responsible for removing an object from its domain and putting it in another
domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique
SID to the object. This SID consists of a domain SID (the same for all SIDs created in a
domain), and a relative ID (RID) that is unique for each security principal SID created in a
domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that can be assigned to the
security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain-RID master
responds to the request by retrieving RIDs from the domain's unallocated RID pool and
assigns them to the pool of the requesting DC. There is one RID master per domain in a
directory.
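As an added example (my code, not part of the original post), the following PowerShell shows the SID structure described above in practice: it splits a SID into the domain SID and the RID, and it decodes the domain's rIDAvailablePool attribute from the "CN=RID Manager$" object, which is where the RID master records the next RID to hand out and the highest RID the domain can ever issue. It assumes the ActiveDirectory RSAT module and read access to the domain; the function names are my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Split-Sid {
    # Splits 'S-1-5-21-a-b-c-RID' into the domain SID and the relative ID (RID).
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid -split '-'
    if ($parts.Count -lt 5 -or $parts[0] -ne 'S') { throw "Not a valid SID string: $Sid" }
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = ($parts[0..($parts.Count - 2)] -join '-')   # everything but the last sub-authority
        Rid       = [uint32]$parts[-1]                         # the last sub-authority is the RID
    }
}

function Get-RidPoolStatus {
    # Decodes rIDAvailablePool on the RID master:
    #   high 32 bits = highest RID the domain may ever issue
    #   low 32 bits  = next RID the RID master will allocate to a DC's pool request
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $dn  = 'CN=RID Manager$,CN=System,' + $dom.DistinguishedName
    $obj = Get-ADObject -Identity $dn -Server $dom.RIDMaster -Properties rIDAvailablePool
    $pool = [int64]$obj.rIDAvailablePool
    $max  = $pool -shr 32
    $next = $pool -band [int64][uint32]::MaxValue
    [pscustomobject]@{
        Domain    = $dom.DNSRoot
        RidMaster = $dom.RIDMaster
        DomainSid = $dom.DomainSID.Value
        NextRid   = $next
        MaxRid    = $max
        Remaining = $max - $next
    }
}

# Well-known RIDs: 500 = built-in Administrator, 512 = Domain Admins.
$admin = Get-ADUser -Identity Administrator
Split-Sid $admin.SID.Value     # DomainSid is the domain's SID, Rid is 500

# Each DC hands out RIDs from its own allocated pool, so two accounts created at the
# same moment on different DCs get RIDs from different ranges; only the pool itself
# comes from the RID master.
Get-RidPoolStatus
```

If the RID master is unreachable, Get-ADObject fails here, which is the same condition under which DCs cannot refill an exhausted pool.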
Ø  PDC Emulator FSMO Role
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 includes
the W32Time (Windows Time) service, which the Kerberos authentication protocol requires:
Kerberos rejects tickets when the client and KDC clocks differ by more than the permitted
skew. All Windows 2000-based computers within an enterprise therefore use a common time.
The time service uses a hierarchical relationship that controls authority and does not
permit loops, so every machine converges on the same time.
Sanjo Thomas, CCNA, MCSE, MCDBA Sanjo900@yahoo.com
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root
of the forest becomes authoritative for the enterprise, and should be configured to gather the
time from an external source. All PDC FSMO role holders follow the hierarchy of domains in
the selection of their in-bound time partner.
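The time hierarchy described above has one point of configuration: the forest-root PDC emulator is the only DC that should take time from an external source, and every other DC should stay on the domain hierarchy. The following PowerShell is an added example (mine, not the original post's) that configures that, after checking that it is running on the forest-root PDC emulator; the NTP peer names are placeholders to be replaced with your own time sources.

```powershell
# Added example, not from the original post. Run on the forest-root PDC emulator.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$rootPdc    = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$me         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Only the forest-root PDC emulator is authoritative for the enterprise; refuse elsewhere.
if ($me -ne $rootPdc) {
    throw "Run this on the forest-root PDC emulator ($rootPdc), not on $me"
}

# Placeholder peers. 0x8 = client mode: poll the peer, never accept time pushed by it.
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'

w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Every other DC should keep the default domain hierarchy (it will pick a DC higher
# in the hierarchy, ultimately this PDC emulator, as its in-bound time partner):
#   w32tm /config /syncfromflags:domhier /update     (run on the other DCs)

# Verify: Source must be one of the external peers here; on other DCs it must be
# a domain controller, never an external server of their own.
w32tm /query /source
w32tm /query /status
```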
In a Windows 2000 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially
to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is
reported to the user.
Account lockout is processed on the PDC emulator.
Note that the down-level (Windows NT compatibility) part of the PDC emulator's job becomes
unnecessary as down-level workstations, member servers, and domain controllers are all
upgraded to Windows 2000; the password, lockout and time functions above remain. Once the
upgrade is complete, the following information applies:
Windows 2000 clients (workstations and member servers) and down-level clients that
have installed the distributed services client package do not perform directory writes
(such as password changes) preferentially at the DC that has advertised itself as the
PDC; they use any DC for the domain.
Once backup domain controllers (BDCs) in down-level domains are upgraded to
Windows 2000, the PDC emulator receives no down-level replica requests.
Windows 2000 clients (workstations and member servers) and down-level clients that
have installed the distributed services client package use the Active Directory to locate
network resources. They do not require the Windows NT Browser service.


Ø  Infrastructure FSMO Role
When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security principals), and the
DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible
for updating an object's SID and distinguished name in a cross-domain object reference.
NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object references in that domain will not be updated and
a warning to that effect will be logged on that DC's event log.


Ø  How will you place the FSMO roles?
Place the RID and PDC emulator roles on the same domain controller. Good
communication from the PDC to the RID master is desirable as downlevel clients and
applications target the PDC, making it a large consumer of RIDs.
As a general rule, the infrastructure master should be located on a non-global catalog
server that has a direct connection object to some global catalog in the forest,
preferably in the same Active Directory site.
Two exceptions to the "do not place the infrastructure master on a global catalog server"
rule are:
o Single domain forest:
In a forest that contains a single Active Directory domain, there are no phantoms,
and so the infrastructure master has no work to do. The infrastructure master may
be placed on any domain controller in the domain.
o Multidomain forest where every domain controller holds the global catalog:
If every domain controller in the domain also hosts the global catalog, then there
are no phantoms or work for the infrastructure master to do. The infrastructure
master may be placed on any domain controller in the domain.
At the forest level, the schema master and domain naming master roles should be
placed on the same domain controller as they are rarely used and should be tightly
controlled. Additionally, the Domain Naming master FSMO should also be a global
catalog server.
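The placement rules above, and the earlier warning about the infrastructure master on a global catalog, are easy to check. The following PowerShell is an added example (my code, not part of the original post): it reports the holder of every FSMO role in the forest and warns where the placement advice is not followed, including the two exceptions for the infrastructure master. It assumes the ActiveDirectory module and read access to every domain in the forest, and it changes nothing.

```powershell
# Added example, not from the original post. Read-only: reports and warns.
Import-Module ActiveDirectory

$forest = Get-ADForest
$gcs    = @($forest.GlobalCatalogs)      # FQDNs of every GC in the forest

"Forest-wide roles"
"  Schema master        : $($forest.SchemaMaster)"
"  Domain naming master : $($forest.DomainNamingMaster)"

# Forest-level advice: schema master and domain naming master together, DNM on a GC.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Write-Warning "Schema master and domain naming master are on different DCs"
}
if ($gcs -notcontains $forest.DomainNamingMaster) {
    Write-Warning "Domain naming master $($forest.DomainNamingMaster) is not a global catalog"
}

$singleDomainForest = ($forest.Domains.Count -eq 1)

foreach ($name in $forest.Domains) {
    $d   = Get-ADDomain -Identity $name
    $dcs = @(Get-ADDomainController -Filter * -Server $name)
    "Domain $name"
    "  RID master            : $($d.RIDMaster)"
    "  PDC emulator          : $($d.PDCEmulator)"
    "  Infrastructure master : $($d.InfrastructureMaster)"

    # Domain-level advice: RID master and PDC emulator on the same DC.
    if ($d.RIDMaster -ne $d.PDCEmulator) {
        Write-Warning "$name : RID master and PDC emulator are on different DCs"
    }

    # IM on a GC is only harmless in a single-domain forest or when every DC is a GC;
    # otherwise it never sees phantoms and stops updating cross-domain references.
    $imIsGc = $gcs -contains $d.InfrastructureMaster
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($imIsGc -and -not ($singleDomainForest -or $allGc)) {
        Write-Warning "$name : infrastructure master $($d.InfrastructureMaster) is a GC and not every DC is; cross-domain references will not be updated"
    }
}
```

The same role holders can be listed from the command line with "netdom query fsmo", but that does not tell you whether the holder is also a global catalog, which is the property the infrastructure master rule depends on.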




Ø  Responding to operations master failures
Some of the operations master roles are crucial to the operation of your network. Others can
be unavailable for quite some time before their absence becomes a problem.
If an operations master is not available due to computer failure or network problems, you can
seize the operations master role.
In general, seizing an operations master role is a drastic step that should be considered only
if the current operations master will never be available again.

Ø  SCHEMA MASTER FAILURE
Temporary loss of the schema operations master will be visible only if we are trying to modify
the schema or install an application that modifies the schema during installation.
A DC whose schema master role has been seized must never be brought back online.
To seize the schema master role
1. Click Start, click Run, and then type cmd.
2. At the command prompt, type ntdsutil.
3. At the ntdsutil prompt, type roles.
4. At the fsmo maintenance prompt, type connections.
5. At the server connections prompt, type connect to server, followed by the fully
qualified domain name.
6. At the server connections prompt, type quit.
7. At the fsmo maintenance prompt, type seize schema master.
8. At the fsmo maintenance prompt, type quit.
9. At the ntdsutil prompt, type quit.
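As an added example (my code, not the original post's), here is the same seizure done with the ActiveDirectory module and with ntdsutil driven non-interactively from the command line, plus the graceful transfer used to hand the PDC emulator back when its original holder returns to service, as described in the PDC emulator failure section. "DC02", "DC01" and "dc02.corp.example" are placeholder names for the surviving DC and the original holder.

```powershell
# Added example, not from the original post. Placeholder DC names.
Import-Module ActiveDirectory

$target = 'DC02'   # the DC that should take over the role

# Without -Force this is a graceful transfer and needs the current holder online.
# With -Force the cmdlet attempts a transfer first and seizes if the holder is unreachable.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole SchemaMaster -Force -Confirm:$false

# A DC that is gone for good usually held more than one role; all five can be seized at once.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster `
    -Force -Confirm:$false

# The nine interactive ntdsutil steps above, passed as arguments instead of typed at the prompts:
ntdsutil "roles" "connections" "connect to server dc02.corp.example" "quit" "seize schema master" "quit" "quit"

# Verify the new holder. The DC the schema master was seized from must not be brought back online.
(Get-ADForest).SchemaMaster

# PDC emulator: seize while the holder is down, then transfer back (no -Force) once it is
# repaired; a transfer leaves both DCs agreeing on who holds the role.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Force -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity 'DC01' -OperationMasterRole PDCEmulator -Confirm:$false
(Get-ADDomain).PDCEmulator
```

The transfer-back at the end is only appropriate for the PDC emulator and infrastructure master, which the text allows to be returned; for the schema, domain naming and RID masters the original holder stays offline after a seizure.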

Ø  DOMAIN NAMING MASTER FAILURE
Temporary loss of the domain naming operations master will be visible only if we are trying to add a
domain to the forest or remove a domain from the forest.
A DC whose domain naming master role has been seized must never be brought back online.

Ø  RELATIVE ID MASTER FAILURE
Temporary loss of the RID operations master will be visible if you are creating objects and
the DC on which you are creating them runs out of RIDs and cannot get a new pool.
A DC whose relative identifier master role has been seized must never be brought back
online.


Ø  PDC EMULATOR FAILURE
The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not
available, you may need to immediately seize the role.
If the current PDC emulator master will be unavailable for an unacceptable length of time and
its domain has clients without Windows 2000 client software, or if it contains Windows NT
backup DCs, seize the PDC emulator master role to the standby operations master. When the
original PDC emulator master is returned to service, you can return the role to the original
DC.

Ø  INFRASTRUCTURE MASTER FAILURE
Temporary loss of the infrastructure master is not visible to network users, and not to
administrators either unless they have recently moved or renamed a large number of accounts.
If the infrastructure master will be unavailable for an unacceptable length of time, you can
seize the role to a DC that is not a GC but is well connected to a GC, ideally in the same site
as the current GC.
