FSMO – Operation Masters
• The collective name for five roles that are each performed by only a single DC in the domain (or forest).
• Every professional network replicates its DC servers to provide survivability and to share the load between servers and clients on the network.
• The first DC in the forest holds all five roles, but they can be moved to other servers. Each role must still be held by exactly one server; otherwise there will be conflicts, violations of the “single value” of certain attributes and other problems in the network. The five roles are:
Forest level:
- Schema Master
a. Role – the schema holds the definitions and structure of all object types in the forest, but not the object data itself
b. The schema can be changed only on the DC that holds this role
c. All other DCs hold a “read-only” copy of the schema
d. Schema changes can be made only by members of the groups Schema Admins and Enterprise Admins
e. Replicates the changes to the whole forest
- Domain Naming Master
a. Role – adding or removing domains in the forest
b. Holds the list of all domain names in the forest
c. Every addition of a domain or change to an existing domain name in the forest goes through this server, which verifies that no other item in the forest carries the same name
d. If the DC holding this role is down – no new domain can be created or added to the forest!
Domain level:
- RID (Relative ID) Master
a. Role – distributes a unique identifier (SID – Security ID) to every item created in the AD domain. The SID is identical for all objects in a domain except for its last part, called the RID
b. RIDs are handed out to each DC in blocks of 500 numbers, as needed
c. If the DC holding this role is down – no new items can be created in AD!
- Infrastructure Master
a. Role – updating references to objects across the domains in the forest
b. This role matters only in a forest with multiple domains
c. It picks up changes made in other domains, to keep group memberships consistent for users who are members of groups in other domains of the same forest
d. Example: a user from domain 1 moves to domain 2, so his SID changes to a SID of the domain he moved to. Now the user wants to use resources in domain 3, which is unaware of the change. Domain 3 therefore consults the Infrastructure Master to check the permissions for that user
- PDC (Primary Domain Controller) Emulator
a. Role – the coordinator of the domain and its traffic
b. Adjusts and synchronizes the time of all clients in the domain with the DC, using the following hierarchy – clients sync with a DC in the domain, the DCs sync with the DC holding this role in their domain, and it in turn syncs with the PDC Emulator of the first (root) domain in the forest
c. Receives and applies password changes of every user or computer immediately (within 5 minutes)
d. GPO changes are made on the DC holding this role and are then distributed to the domain
e. Works with BDC (Backup Domain Controller) servers and old stations (pre-W2k) in Mixed mode
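As an added example (not part of the original notes), the Python below models the RID Master points above: a SID is split into the domain part that every object in the domain shares and the trailing RID, and the RID Master hands each DC a pool of 500 RIDs, refusing when it is offline. The sample SIDs are constructed, and starting the first pool at RID 1100 is an assumption.

```python
# Added example (not from the notes): split a SID into domain SID + RID, and model
# the RID Master handing each DC a pool of 500 RIDs. Sample SIDs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    def domain_sid(self) -> "Sid":
        # Every sub-authority except the last one identifies the domain
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])

    def rid(self) -> int:
        # The trailing sub-authority is the RID, unique per object within the domain
        return self.sub_authorities[-1]


def same_domain(a: str, b: str) -> bool:
    """True when two principals share a domain SID, i.e. differ only in the RID."""
    return Sid.parse(a).domain_sid() == Sid.parse(b).domain_sid()


class RidMaster:
    """Models the RID Master: a DC asks it for a fresh block of 500 RIDs when needed."""
    POOL_SIZE = 500

    def __init__(self, domain_sid: str, first_rid: int = 1100):
        self.domain = Sid.parse(domain_sid)
        self.next_rid = first_rid  # first RID not yet handed to any DC (assumed start)
        self.online = True

    def allocate_pool(self, dc_name: str) -> range:
        if not self.online:  # RID Master down: no new pool, so no new objects
            raise RuntimeError(f"RID Master offline; {dc_name} cannot obtain a RID pool")
        pool = range(self.next_rid, self.next_rid + self.POOL_SIZE)
        self.next_rid += self.POOL_SIZE
        return pool

    def mint_sid(self, pool: range, offset: int) -> str:
        # A DC builds an object SID from the domain SID plus a RID from its own pool
        return f"{self.domain}-{pool[offset]}"
```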
Global Catalog – the largest directory in the forest
• A catalog that stores the properties of the objects in AD (user names, printers, e-mail addresses, etc.) and contains information about the items in all domains in the forest
• Makes it possible to find a particular user even if you do not know which domain he is in
• There is no risk in creating more than one GC in the forest / domain. On the contrary, the more GCs there are, the shorter the time to find an item
• All queries pass through the GC
• When a user logs on, the GC is used
• The GC contains a full copy of all objects in its own domain and a partial copy of the objects in the other domains of the same forest
• The GC contains the permissions for each object
• A server can be configured as a GC as soon as it becomes a DC, in the NTDS Settings