The final step in creating a site topology plan is to place global catalog servers and operations masters. To do so, you must assess the organization's need for global catalog servers and operations masters and then determine where to locate them. This lesson discusses how to place global catalog servers and operations masters.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Recall that a global catalog server is a Windows 2000 domain controller that holds a copy of the global catalog for the forest. A global catalog server must be available when a user logs on to a Windows 2000 native-mode domain or logs on with a user principal name because in native mode a domain controller must send a query to a global catalog server to determine the user's membership in universal groups. Because universal groups can be used to deny access to resources, knowledge of universal group membership is necessary in order to enforce access control. Consequently, if a global catalog server is not available during user logon, the domain controller refuses the logon request. Therefore, it is imperative that you plan the location of global catalog servers carefully.
By default, the initial domain controller in a forest is designated as a global catalog server. However, you can configure any domain controller or designate additional domain controllers to serve this function.
Operations master roles are special roles assigned to one or more domain controllers in an Active Directory domain to allow the domain controllers to perform single-master replication for specific operations. Active Directory supports multimaster replication of the database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform single-master operations (operations that are not permitted to occur at different places in a network at the same time).
In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You can change the assignment of operations master roles after Setup, but in most cases this will not be necessary. You must be aware of operations master roles assigned to a domain controller if problems develop on a domain controller or if you plan to take it out of service.
Every Active Directory forest must have the following roles:
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. At any time, there can be only one domain naming master in the entire forest.
Every domain in the forest must have the following roles:
The relative ID master allocates sequences of relative IDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. At any time, only one domain controller can act as the relative ID master in each domain in the forest.
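The split between the domain security ID and the relative ID described above can be seen directly on a SID. The following function is an added example, not from the training kit; it uses the .NET SecurityIdentifier class available in any Windows PowerShell session, needs no domain connection, and the SID values passed to it are constructed samples rather than values from any real domain.

```powershell
# Added example: split a SID into the domain SID shared by every object in the
# domain and the relative ID (RID) that the RID master hands out in sequences.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    # AccountDomainSid is the SID without its final sub-authority for domain
    # SIDs, and $null for well-known SIDs such as the BUILTIN ones.
    $domainSid = if ($sidObject.AccountDomainSid) { $sidObject.AccountDomainSid.Value } else { $null }

    # The RID is the last sub-authority of the SID string.
    $rid = [uint32]($Sid.Split('-')[-1])

    [PSCustomObject]@{
        Sid         = $sidObject.Value
        DomainSid   = $domainSid
        Rid         = $rid
        IsDomainSid = ($null -ne $domainSid)
    }
}

# Constructed sample values (not taken from a real domain).
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # user/group/computer in a domain
Split-Sid 'S-1-5-32-544'                                       # BUILTIN\Administrators: no domain part
```

For the first sample the domain SID is S-1-5-21-1111111111-2222222222-3333333333 and the RID is 1105; for the BUILTIN SID the domain SID is reported as $null, which is why the RID master is only involved for objects created in a domain.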
If the domain contains computers operating without Windows 2000 client software or if it contains Windows NT backup domain controllers (BDCs), the PDC emulator acts as a Windows NT primary domain controller. It processes password changes from clients and replicates updates to the BDCs. In a Windows 2000 domain operating in native mode, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller will forward the authentication request to the PDC emulator before rejecting the logon attempt. At any time, only one domain controller can act as the PDC emulator in each domain in the forest.
The infrastructure master is responsible for updating the security identifiers and distinguished names in cross-domain object references whenever an object is renamed or its name otherwise changes. At any time, only one domain controller can act as the infrastructure master in each domain.
Figure 6.10 shows how the operations master roles are distributed throughout a forest by default. Domain A was the first domain created in the forest (the forest root domain). It holds both of the forest-wide operations master roles. The first domain controller in each of the other domains is assigned the three domain-specific roles.
Figure 6.10 Operations master role default distribution in a forest
To place domain global catalog servers and operations masters, you must complete the following tasks:
To place global catalog servers and operations masters, you must first consult the site diagram compiled earlier by your design team, which shows the network links, sites, domain controllers, and site links defined for your network. From this diagram, you can determine which domain controllers to designate as global catalog servers and operations masters. In addition to locating domain controllers, it is imperative that you assess any changes that may be planned for the sites or domain controller locations to address growth, flexibility, and the ideal design specifications of the organization.
For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server. A global catalog server in each site provides users with a local computer that can service query requests for their domain over LAN connections. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic.
To determine whether to designate additional domain controllers in a site as global catalog servers, the rules for designating additional domain controllers in a site apply. However, you must balance the need for additional global catalog servers with the increased replication traffic that these servers will generate.
If your organization uses Microsoft Exchange 2000, you should try to place a global catalog server in each site that contains an Exchange server. This is because Exchange 2000 uses Active Directory as its directory service, and all mailbox names are resolved by queries through Active Directory to the global catalog server. In a large Exchange environment, a global catalog server may need to handle a large number of queries, so placing a global catalog server in each site that contains an Exchange server can ensure that all queries are handled promptly.
Using Active Directory Sizer
To determine the number of global catalog servers you need, you may want to use Active Directory Sizer, a tool for estimating the hardware required for deploying Active Directory based on your organization's profile, domain information, and site topology. For more information on Active Directory Sizer, visit http://www.microsoft.com/windows2000/library/resources/reskit/tools/new/adsizer-o.asp.
To place global catalog servers
In a small Active Directory forest with only one domain and one domain controller, that domain controller is assigned all the operations master roles. When you create the first domain in a new forest, all of the operations master roles are automatically assigned to the first domain controller in that domain. When you create a new child domain or the root domain of a new domain tree in an existing forest, the first domain controller in the new domain is automatically assigned the relative identifier master, PDC emulator master, and infrastructure master roles. Because there can be only one schema master and one domain naming master in the forest, these roles remain in the first domain created in the forest.
The default operations master locations work well for a forest deployed on a few domain controllers in a single site. In a forest with more domain controllers, or in a forest that spans multiple sites, you may want to transfer the default operations master role assignments to other domain controllers in the domain or forest.
Planning the Operations Master Role Assignments by Domain
Follow these guidelines when assigning operations master roles for a domain:
Planning the Operations Master Roles for the Forest
Once you have planned all of the domain roles for each domain, consider the forest roles. The schema master and the domain naming master roles should always be assigned to a domain controller designated as the global catalog server. This ensures that when the domain naming master creates an object representing a new domain, no other object has the same name. The load of these operations master roles is very light, so, to simplify management, place these roles on the operations master domain controller of one of the domains in the forest.
Planning for Growth
Normally, as your forest grows, you will not need to change the locations of the various operations master roles. But when you are planning to decommission a domain controller, change the global catalog status of a domain controller, or reduce the connectivity of parts of your network, you may need to revise the operations master role assignments.
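The placement guidelines in this lesson (at least one global catalog server per site, the schema master and domain naming master on a global catalog server, and the infrastructure master kept off a global catalog server) can be checked against a live forest. The script below is an added example, not from the training kit; it assumes the ActiveDirectory PowerShell module (part of RSAT, which postdates Windows 2000) and read access to the forest from a domain-joined management host. The cmdlets and properties used (Get-ADForest, Get-ADDomain, Get-ADDomainController, IsGlobalCatalog, OperationMasterRoles) are real, but the function names are my own.

```powershell
# Added example: audit global catalog and operations master placement against
# the lesson's guidelines and produce the per-site summary needed for the
# site topology diagram. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-ForestDomainControllers {
    # Every DC in the forest with its site, domain, GC status and role holdings.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domainName
    }
}

function Test-OperationsMasterPlacement {
    $findings = New-Object System.Collections.Generic.List[string]
    $forest   = Get-ADForest
    $dcs      = @(Get-ForestDomainControllers)
    $gcHosts  = @($dcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty HostName)

    # Guideline: designate at least one global catalog server in each site.
    foreach ($site in ($dcs | Select-Object -ExpandProperty Site -Unique)) {
        $siteDcs = @($dcs | Where-Object Site -eq $site)
        if (-not ($siteDcs | Where-Object IsGlobalCatalog)) {
            $findings.Add("Site '$site' has $($siteDcs.Count) DC(s) but no global catalog server.")
        }
    }

    # Guideline: forest-wide roles belong on a global catalog server.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder = $forest.$role
        if ($gcHosts -notcontains $holder) {
            $findings.Add("$role '$holder' is not a global catalog server.")
        }
    }

    foreach ($domainName in $forest.Domains) {
        $domain    = Get-ADDomain -Identity $domainName
        $domainDcs = @($dcs | Where-Object Domain -eq $domainName)

        # Guideline: do not host the infrastructure master on a global catalog.
        # The conflict only matters while some DC in the domain is not a GC;
        # if every DC is a GC there are no stale cross-domain references to fix.
        $nonGcExists = [bool]($domainDcs | Where-Object { -not $_.IsGlobalCatalog })
        if (($gcHosts -contains $domain.InfrastructureMaster) -and $nonGcExists) {
            $findings.Add("Infrastructure master '$($domain.InfrastructureMaster)' in $domainName is a global catalog server while other DCs in the domain are not.")
        }

        # Sanity check: each domain role should point at a DC that actually exists
        # in that domain (a decommissioned holder shows up here).
        foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
            if ($domainDcs.HostName -notcontains $domain.$role) {
                $findings.Add("$role for $domainName points at '$($domain.$role)', which is not a DC of that domain.")
            }
        }
    }
    return $findings
}

function Get-SiteTopologySummary {
    # One row per DC: what goes onto the completed site topology diagram.
    Get-ForestDomainControllers | ForEach-Object {
        [PSCustomObject]@{
            Site            = $_.Site
            Domain          = $_.Domain
            HostName        = $_.HostName
            IsGlobalCatalog = $_.IsGlobalCatalog
            Roles           = ($_.OperationMasterRoles -join ', ')
        }
    } | Sort-Object Site, Domain, HostName
}

# Usage (read-only; nothing is transferred or changed):
Get-SiteTopologySummary | Format-Table -AutoSize
$issues = Test-OperationsMasterPlacement
if ($issues.Count -eq 0) { 'Placement matches the guidelines.' } else { $issues }
```

Rerun the audit whenever a domain controller is decommissioned, its global catalog status changes, or connectivity between sites is reduced; those are the events that make a role assignment stale, and the sanity check on domain role holders will surface a holder that no longer exists.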
To place operations masters
After you've added the global catalog servers and operations masters to your site diagram that already contains sites, domain controllers, and site links, you have a complete site topology diagram.
Review Figure 6.9, which shows the site diagram for Margo Tea Company. Figure 6.11 shows the location of global catalog servers and operations masters for Margo Tea Company. The reasons for locating global catalog servers in this manner are
The reasons for locating operations masters in this manner are
For further information on designing an Active Directory infrastructure, view the online seminar "Designing the Active Directory Structure," located on the Supplemental Course Materials CD-ROM (\chapt06\OnlineSeminars\Designing). Click the Portal_ActiveDirectoryStructure file to begin the seminar.
You can also view the online seminar "Comparative Active Directory Designs," located on the Supplemental Course Materials CD-ROM (\chapt06\OnlineSeminars\Comparative). Click the Portal_ActiveDirectoryDesigns file to begin the seminar.
Figure 6.11 Global catalog server and operations masters locations for Margo Tea Company
In this lesson you learned how to place global catalog servers and operations masters for an organization by assessing an organization's need for global catalog servers and operations masters. You learned that for optimum network response time and application availability, you should designate at least one domain controller in each site as the global catalog server. You also learned that you must balance the need for additional global catalog servers with the increased replication traffic that the additional servers will generate. You learned some guidelines for assigning domain-wide operations master roles, which include not assigning the infrastructure master role to the domain controller that is hosting the global catalog. You learned some guidelines for assigning forest-wide operations master roles, which include always assigning the schema master and the domain naming master roles to the domain controller designated as the global catalog server. Finally, you learned to indicate the placement of global catalog servers and operations masters on the site diagram to create a completed site topology diagram.