Thursday, 13 October 2011

MS2008 Server Operations Masters

Operations Masters are also commonly known as flexible single master operations, or FSMO, roles. Most directory data can be written on any DC, but a few operations must be performed by exactly one DC, and that DC is the holder of the corresponding role. There are 5 FSMO roles, which divide into forest-wide and domain-wide roles. These roles are as follows:


Forest:
1. Domain Naming
2. Schema


Domain:
1. Infrastructure
2. RID Master
3. PDC Emulator

I will explain these roles one by one now.

1. Domain Naming: This role is forest-wide. The Domain Naming master is the only DC that can add a domain to, or remove a domain from, the forest, which prevents someone accidentally creating a second domain with the same name.

2. Schema: This role is also forest-wide. The schema defines every object class and every attribute that can exist in the forest, so all the fields you can fill in on an object's properties page (name, radio buttons, checkboxes, etc.) are there because the schema defines those attributes. The Schema master is the only DC that accepts writes to the schema, and it is the DC a schema extension (for example, an Exchange installation) must be able to reach.

Before you can manage this role with the Active Directory Schema MMC snap-in, you have to register the snap-in with the following command at a command prompt:

regsvr32 schmmgmt.dll



5. PDC Emulator: This is one of the most important roles in a Windows Server environment. The PDC Emulator does the following tasks:

i) Acts as the PDC for any remaining NT4 BDCs and for NT4-based applications that expect one.
ii) Acts as the password authority: other DCs forward password changes to the PDC Emulator immediately (without waiting for the normal replication schedule), and a DC that fails a logon checks with the PDC Emulator before rejecting it, so a newly changed password works even before replication has completed. Account lockout counts are maintained on the PDC Emulator for the same reason.
iii) GPO authority: the Group Policy editing tools open GPOs on the PDC Emulator by default, so Group Policy changes originate there and replicate out to the other DCs. This avoids two administrators editing the same GPO on different DCs and overwriting each other.
iv) Domain Master Browser
- Acts as the domain master browser for the Computer Browser service, which is what populates the list of machines you can browse in the Network window in Windows Explorer.
v) Master time source: each DC takes its time from the PDC Emulator of its domain, the PDC Emulator of a child domain takes it from a DC in the parent domain, and member machines take it from the DC that authenticates them. The forest-root PDC Emulator is the only machine that should take its time from an external NTP source, so it needs outbound NTP (UDP port 123) to that source open on the firewall. Time matters for security: Kerberos rejects tickets from clients whose clocks are more than 5 minutes (the default tolerance) off the DC.

Follow this document to configure NTP on your PDC emulator.
http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx
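As an added example that is not part of the original post, the commands below do the work the linked document describes: they point the forest-root PDC Emulator at external NTP peers, mark it as reliable for the rest of the domain hierarchy, confirm it actually holds the role, and check the time skew on every DC against the Kerberos tolerance. Run them in an elevated PowerShell on the PDC Emulator. The peer list is an assumption (substitute your own servers), and the Get-ADDomain check needs the ActiveDirectory module, which ships with Windows Server 2008 R2 and RSAT.

```powershell
# Added example: configure and verify the forest-root PDC Emulator as the
# authoritative time source. Peer list below is an assumption; replace it.
Import-Module ActiveDirectory

# 0x8 = client mode: we poll the peer, we never accept symmetric-active packets from it.
$Peers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"

# First make sure this host really is the PDC Emulator; configuring a manual
# peer list on any other DC breaks the domain hierarchy.
$pdc = (Get-ADDomain).PDCEmulator                  # FQDN of the role holder
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
    throw "This host is not the PDC Emulator ($pdc); run this on that DC instead."
}

# Point w32time at the external peers, advertise this DC as a reliable source
# so other DCs prefer it, and reload the configuration.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Is UDP 123 to the peer actually open on the firewall? stripchart polls it
# directly and fails if the packets are dropped.
w32tm /stripchart /computer:0.pool.ntp.org /samples:3 /dataonly

# What source is the service using now, and how far off are we?
w32tm /query /source
w32tm /query /status

# Skew of every DC in the domain relative to this one. Anything approaching
# the 5-minute Kerberos tolerance (300 s) needs attention before logons fail.
w32tm /monitor
```

The `/reliable:yes` flag is what makes other DCs trust this one as a stratum source; leave it off on every DC that is not the forest-root PDC Emulator, and remove the manual peer list again if you ever transfer the role elsewhere.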
4. RID Master: Every security principal in the domain (user, group, computer) has a SID made up of the domain SID plus a relative identifier (RID) that is unique within the domain. Each DC creates objects from its own pool of RIDs, and the RID master is the one DC that hands out those pools, so two DCs can never issue the same SID. To check your own SID, type the following command:

whoami /user

You can also use ADSI Edit to check the SID of any object: right-click the object, go to Properties and look at the objectSid attribute.
To find the information about the RID pool, use the following command.

dcdiag /test:ridmanager /v
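The following is an added example, not code from the original post, that takes SIDs apart to show what the RID master actually manages: the domain SID stays the same for every principal and only the trailing RID changes. It also shows why that matters for security, since built-in accounts keep their well-known RIDs (500 for Administrator, 512 for Domain Admins, and so on) even when they are renamed, so you can find the real Administrator account by RID. The sample SIDs and their domain identifier are constructed for this example, and the final lookup assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT).

```powershell
# Added example: split a domain SID into domain identifier and RID, label
# well-known RIDs, and locate the built-in Administrator by RID 500.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    # A domain principal's SID is S-1-5-21-<a>-<b>-<c>-<RID>; the first part is
    # the domain SID, the last number is the RID issued from a DC's RID pool.
    if (-not ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$')) {
        throw "Not a domain principal SID: $Sid"
    }
    $rid = [int]$Matches[1]

    # RIDs below 1000 are reserved for well-known principals; user-created
    # objects get RIDs from the pools the RID master allocates.
    $label = switch ($rid) {
        500     { 'Administrator (built-in, even if renamed)' }
        501     { 'Guest' }
        502     { 'krbtgt' }
        512     { 'Domain Admins' }
        513     { 'Domain Users' }
        515     { 'Domain Computers' }
        516     { 'Domain Controllers' }
        518     { 'Schema Admins' }
        519     { 'Enterprise Admins' }
        default { if ($rid -ge 1000) { 'created from a RID pool' } else { 'other built-in' } }
    }

    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = $Sid.Substring(0, $Sid.LastIndexOf('-'))
        Rid       = $rid
        WellKnown = $label
    }
}

# Constructed sample input; the domain identifier 1004336348-1177238915-682003330 is made up.
$samples = @(
    'S-1-5-21-1004336348-1177238915-682003330-500',
    'S-1-5-21-1004336348-1177238915-682003330-512',
    'S-1-5-21-1004336348-1177238915-682003330-1108'
)
$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize

# Same thing for the account you are logged on as (the SID whoami /user prints).
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Split-Sid $mySid

# Find the real built-in Administrator regardless of what it has been renamed to:
# Get-ADUser accepts a SID string as -Identity.
$domainSid = (Get-ADDomain).DomainSID.Value
Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate
```

If a DC runs out of its pool and cannot reach the RID master, it can no longer create users, groups or computer accounts; the `dcdiag /test:ridmanager /v` output above shows the pool the local DC holds and the next RID the master will allocate.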
3. Infrastructure: The purpose of this role is to keep cross-domain references straight, especially when a user from another domain is a member of a security group in this domain. The Infrastructure master periodically compares those references against a global catalog and updates them when the referenced object has been renamed or moved. Because a global catalog already holds the current copy of every object, this role should not sit on a DC that is also a GC unless every DC in the domain is a GC; otherwise it never notices the stale references.

Let's talk about dividing the roles among DCs. One way is to split them according to the forest and domain classification above: put the two forest roles (Schema and Domain Naming) on one DC and the three domain roles (Infrastructure, RID master and PDC Emulator) on another.

Another way, for a busy environment like a school where many accounts have to be created every year, is to place the RID master and the PDC Emulator on different DCs, since those two roles get very busy in such environments. Keep a standby DC as well, so that a role can be transferred or seized there if the DC holding it fails.
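As an added example that is not part of the original post, here is how to see which DC currently holds each of the five roles and then carry out the split just described by transferring the RID master (and, with it, the Infrastructure master) to a second DC while the PDC Emulator stays where it is. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and that you run it as a Domain Admin; the DC names DC01 and DC02 are made up for this example.

```powershell
# Added example: list FSMO role holders, transfer two domain roles to another
# DC, and sanity-check the Infrastructure master placement. DC names are assumed.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        # forest-wide roles live on the forest object
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # domain-wide roles live on the domain object
        InfrastructureMaster = $domain.InfrastructureMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
    }
}

"Before:"
Get-FsmoHolders | Format-List

# Transfer (not seize): both the current holder and DC02 must be online, and the
# current holder hands the role over cleanly. Domain Admins can move the three
# domain roles; the forest roles need Enterprise Admins (Domain Naming) or
# Schema Admins (Schema).
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole RIDMaster, InfrastructureMaster -Confirm:$false

"After:"
Get-FsmoHolders | Format-List
netdom query fsmo          # second opinion from the legacy tool

# The Infrastructure master must not be a GC unless every DC is a GC.
$infra = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
$nonGc = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($infra.IsGlobalCatalog -and $nonGc) {
    Write-Warning "Infrastructure master $($infra.HostName) is a GC while $($nonGc.Count) DC(s) are not; move the role."
}

# Only if the old holder is permanently gone: seize instead of transfer, and
# never bring the old DC back online afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator -Force
```

Transfer whenever the current holder is reachable; seizing (`-Force`) is for a dead DC only, because a seized role holder that later comes back online will believe it still owns the role, and for the RID master in particular that means two DCs issuing overlapping RID pools.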
