Chapter 5: Placing Operations Master Roles Flashcards
Describe a multi-master database in the context of AD
Any writable domain controller in the domain can change the Active Directory configuration and it will replicate to all other domain controllers
What is the purpose of “Flexible Single Master Operation (FSMO) roles”?
Some operations need to be controlled in a sensible manner; these operations are better managed in single-master mode
Define “single master mode” in “ Flexible Single Master Operation (FSMO) roles”
These roles can run from one domain controller or be distributed among multiple domain controllers; each role can appear only once in a domain or forest
How many FSMO roles are there?
5
What are the two types of FSMO roles?
Forest level and Domain level
What are the two forest level FSMO roles?
- Schema operations master
- Domain-naming operations master
What are the three domain level FSMO roles?
- Primary domain controller (PDC) operations master
- Relative identifier (RID) operations master
- Infrastructure operations master
Where are the FSMO roles located when a domain is first created?
All FSMO roles will be installed in the domain’s first domain controller
What is the purpose of spreading out the FSMO roles to additional domain controllers?
It increases the availability of the domain
Describe the “Schema operations master”
The owner of this role is the only domain controller in the forest that can update the Active Directory schema
Describe the “Domain-naming operations master”
Responsible for adding and removing domain controllers to and from the Active Directory forest
Are domain-wide master operation roles available in all domains in a forest?
Yes; each domain in the forest will have the three domain-level FSMO roles
Describe the “PDC emulator operations master”
This handles password changes, time synchronization, and GPO edits within the domain
How does NTP function in the domain?
Computers in a domain will sync their time with the domain controller they are authenticated with;
then, all of the domain controllers will sync their time with the domain PDC role holder;
all the domain PDC role holders will sync their time with the forest root domain PDC role holder;
finally, the root domain PDC role holder will sync its time with an external time source.
Describe the “RID operations master role”
Responsible for maintaining a pool of RIDs that will be used when creating objects in the domain
Describe a “RID”
The RID value is used in the process of SID value creation to ensure a unique SID
Describe the “Infrastructure operations master”
Responsible for replicating SID and distinguished name (DN) value changes across domains; if objects are moved between domains, their SID and DN values change based on their location in the forest
What is the most used FSMO role?
PDC
For high availability within the domain, which two FSMO roles should be coupled together on the same DC?
PDC and RID
FSMO best practices
- Domain controllers in the forest should be able to reach FSMO role holders without any network layer connection barriers. If domain controllers are in a segmented network, make sure traffic is routed correctly.
- We can distribute FSMO roles to multiple servers; however, more servers means more management overhead. Unless it is a real requirement, try to keep the FSMO roles on a small number of computers.
- Place the PDC role on the most reliable and powerful domain controller. Avoid installing applications and other Windows Server roles on the PDC to reduce unnecessary resource usage.
- Keep the RID master and PDC roles on the same domain controller (in the same domain). Communication between these roles is crucial, and keeping them on the same domain controller ensures reliable connectivity. Resource usage of the RID master role is small and it will not make a significant impact.
- Place the schema master role and domain-naming master role on the PDC of the forest root domain. In a mature Active Directory forest, we will rarely change the schema or add/remove domain controllers, but when it comes to that, it needs to be done in a controlled manner. When these critical changes happen in a domain, both of these role holders need to be available.
- If possible, keep the infrastructure master role on a non-global catalog server. This is because a global catalog server keeps a partial copy of every Active Directory object in the forest, so the infrastructure master role will not update any object, as it will not have any information about objects it doesn't hold. However, if the Active Directory Recycle Bin feature is enabled, every domain controller is responsible for updating cross-domain object references; in that case, it doesn't matter where the infrastructure master role is placed.
What is a FSMO seize?
When an operations master role holder experiences a failure or is otherwise taken out of service before its roles are transferred, you must seize the roles to a new DC
What needs to be considered after successfully seizing a FSMO role?
The old FSMO role holder should not be brought online again; it is recommended that you format it and remove it from the network