Chapter 12: Working with Active Directory, Domains, and Trusts


Access to Active Directory's sheer power is useless unless you can manipulate and configure its content. Only then will you be able to get the most out of its powerful (but cryptic) environment. In this chapter, you take a long hard look at Active Directory. Before you enter into this staring contest with your computer screen, however, we want to show you how manipulating and configuring content is tied to manipulating and configuring domains. That's right; you get to tackle domains one more time. So once more into the breach, dear friend, so that you too can become a master of your own domain.

For details on domain controllers and their changing role in Windows 2003, see Chapter 11. We also suggest you pick up a copy of Active Directory For Dummies by Marcia Loughry (published by Wiley Publishing, Inc.).

Master of Your Domain

Domain controller roles are not defined during the installation of Windows Server 2003 but rather by running the Active Directory Installation Wizard. (For a little more information about the Active Directory Installation Wizard, see Chapter 11.) Windows Server 2003 does borrow the concept of a primary domain controller (PDC) from Windows NT through the use of the PDC emulator domain controller for certain domain functions, but it has jettisoned Windows NT's concept of a backup domain controller (BDC). In Windows 2003, all domain controllers are equal and share peer-to-peer relationships, rather than acting either as a master (PDC) or a slave (BDC) in a master/slave relationship.

REMEMBER

To support older Windows NT Server 4.0 and 3.51 BDCs in a mixed-mode environment, one of the Windows Server 2003 domain controllers must emulate the actions of a Windows NT Server 4.0 PDC. Then it has to replicate changes to those old-fashioned BDCs so that they can make the necessary changes, such as password modifications.

Having all these peers around can cause problems if you don't watch out. (Ever hear the expression, "Too many cooks spoil the broth"?) Windows Server 2003 utilizes five special roles to keep all these peers in line. One role was specifically designed to support any Windows NT vintage clients and domain controllers. The other four roles work to eliminate the risk of multiple domain controllers making changes to the same object and losing attribute modifications.

These roles are called Flexible Single Master of Operations (FSMO) roles, and each of the five roles manages a particular aspect of a domain or forest. Some of the FSMO domain controllers, sometimes referred to as Operations Masters, have a role that is domain wide, so their effect is limited to the given domain. When a forest has multiple domains, each domain has its own set of domain-wide FSMO domain controllers. Other FSMO domain controllers have a forest-wide role. Each forest-wide FSMO domain controller is the only one of its type in the entire forest, regardless of how many domains are within the forest.

The flexibility of the Flexible Single Master of Operation domain controllers comes from the fact that these roles can be moved between domain controllers within a domain if the role of the original FSMO DC was domain wide, or between other domain controllers in the forest if the role of the original FSMO DC was forest wide. However, it does take a bit of effort on your part to move them.

You assign the FSMO roles using the NTDSUTIL utility. For more information on the NTDSUTIL utility, see the Windows Server 2003 help files or the Resource Kit.

The following list gives you an idea how these five roles work with domains in Active Directory:

  • Schema master: At the heart of Active Directory, the schema is a blueprint for all objects and containers. Because the schema has to be the same throughout an entire forest, only one domain controller can be used to make modifications to the schema. If the domain controller that holds the role of Schema Master can't be reached, no updates to the Active Directory schema are performed. You must be a member of the Schema Administrators group to make changes to the schema. (See Chapter 11 for a more detailed definition of the schema.)

  • Domain naming master: To add a domain to a forest, its name has to be verifiably unique. The domain naming master of the forest oversees the domain name operation and ensures that only verifiably unique names are assigned. It also functions to add and remove any cross-references to domains in external directories, such as external Lightweight Directory Access Protocol (LDAP) directories. Only one domain naming master exists per forest, and you must be a member of the Enterprise Administrators group to make changes to the domain naming master, such as transferring the FSMO role or adding domains to or removing domains from the forest.

  • Relative ID (RID) master: Any domain controller can create new objects (such as user, group, and computer accounts). Each domain controller draws the RIDs for those objects from a pool handed out by the RID master, and it contacts the RID master for a fresh pool when fewer than 100 RIDs are left. This means that the RID master can be unavailable for short periods of time without causing object creation problems, while still ensuring that each object has a unique RID. There can be only one RID master per domain.

  • PDC emulator: The PDC emulator domain controller acts as a Windows NT primary domain controller when a domain contains NT4 BDCs alongside Windows 2000 DCs, Windows Server 2003 DCs, or both. It processes all NT4 password changes from clients and replicates domain updates to the down-level BDCs. After the domain controllers have been upgraded and the last of the BDCs are upgraded or removed from the environment, the Windows 2000 or Windows Server 2003 domain can be switched to native mode. After the domain is in native mode, the PDC emulator still performs certain duties that no other DCs in the domain handle.

    Each domain in the forest, including child domains, has only one PDC emulator domain controller.

  • Infrastructure master: When a user and a group are in different domains, there can be a lag between a change to the user object (a user name, for example) and its display in the group. The infrastructure master of the group's domain is responsible for fixing the group-to-user reference to reflect the rename. The infrastructure master performs its fix-ups locally and relies on replication to bring all other replicas of the domain up to date. (For more information on replication, see the "When replication happens" section, later in this chapter.)
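As an added example (not from the book), the following batch script shows the NTDSUTIL-based role move described earlier in this section: it first lists which DC holds each of the five roles with the built-in dsquery tool, then transfers the PDC emulator role and verifies the result. The DC name DC02 and the domain example.local are placeholders; substitute your own.

```batch
@echo off
rem Added example, not the book's own text. Run on a Windows Server 2003 DC
rem as a Domain Admin (Enterprise Admins is needed to move the domain naming
rem master, Schema Admins to move the schema master).
set TARGET_DC=DC02
set DOMAIN=example.local

echo === Current operations masters ===
rem dsquery server -hasfsmo prints the DC holding the named role.
rem Forest-wide roles: schema, name (domain naming). Domain-wide: rid, pdc, infr.
dsquery server -forest -hasfsmo schema
dsquery server -forest -hasfsmo name
dsquery server -domain %DOMAIN% -hasfsmo rid
dsquery server -domain %DOMAIN% -hasfsmo pdc
dsquery server -domain %DOMAIN% -hasfsmo infr

echo === Transferring the PDC emulator role to %TARGET_DC% ===
rem NTDSUTIL accepts its interactive menu commands as arguments. "transfer"
rem asks the current holder to hand the role over cleanly and pops up a
rem confirmation dialog; use it whenever the old holder is still online.
rem "seize" (same syntax) forces the role onto the target without the
rem holder's cooperation and is only for a holder that is permanently gone;
rem a DC whose role was seized must never be brought back onto the network.
ntdsutil "roles" "connections" "connect to server %TARGET_DC%" "quit" ^
         "transfer PDC" "quit" "quit"

echo === Verifying the new holder ===
dsquery server -domain %DOMAIN% -hasfsmo pdc
```

Because each role has exactly one holder per domain or forest, the verification query is also a cheap periodic check that no role has been moved without your knowledge.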

Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195