Server – Domain Controller Roles on Windows 200X Server

As a reminder to myself, I'm noting down what the domain controller roles in a forest are.

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. To view the schema, you must first register the following DLL:

regsvr32 schmmgmt.dll

then run mmc /a

There can be only one schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
 
Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.  Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
One of the first things understood about a security identifier (SID) is that it is unique. There are two parts to a SID: the domain identifier (domain ID) and the relative ID (RID). The domain identifier part of the SID is uniform among all security principals in the domain. When looking at a list of SIDs in a domain, it’s easy to identify the domain SIDs: they all look the same. The relative ID part of the SID, on the contrary, is the unique part. The two parts together make up what we commonly identify as a SID.
It is conceivable, then, that if two or more domain controllers were responsible for determining the relative IDs for the SIDs, two domain controllers might come up with the same relative ID for two different objects before they had replicated with each other.
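The two parts of a SID, and the reason a single RID master is needed, as an added PowerShell example (not part of the original post). The function uses the .NET SecurityIdentifier class to split a SID into its domain identifier and RID; the SIDs are constructed sample values, and the RID pool model at the end is a deliberate simplification of what the RID master does (500 is the default pool size, but the counter and block handling are illustrative only).

```powershell
# Added example, not part of the original post. Sample SIDs are constructed values.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # AccountDomainSid is $null for SIDs that are not domain-relative (e.g. S-1-5-18)
    $domainSid = $null
    if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
    $rid = [uint32]($sid.Value.Split('-')[-1])
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $domainSid
        Rid       = $rid
        # RIDs below 1000 are reserved for built-in accounts and groups
        # (500 = Administrator, 512 = Domain Admins, ...); new principals start at 1000
        WellKnown = ($rid -lt 1000)
    }
}

$samples = @(
    'S-1-5-21-3623811015-3361044348-30300820-500',   # built-in Administrator
    'S-1-5-21-3623811015-3361044348-30300820-512',   # Domain Admins
    'S-1-5-21-3623811015-3361044348-30300820-1105',  # an ordinary user
    'S-1-5-21-3623811015-3361044348-30300820-1106'   # another ordinary user
)
# The DomainSid column is identical for every row; only the Rid column differs
$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize

# Simplified model of RID allocation: the RID master hands each DC a block of
# RIDs from the domain's unallocated pool (500 per block by default). Because a
# single DC hands out blocks, two DCs cannot mint the same RID even before
# they have replicated with each other.
$script:NextFreeRid = 1000
function Request-RidPool {
    param([string]$DcName, [int]$Size = 500)
    $first = $script:NextFreeRid
    $script:NextFreeRid += $Size
    [pscustomobject]@{ Dc = $DcName; First = $first; Last = ($first + $Size - 1) }
}

$domainSid = 'S-1-5-21-3623811015-3361044348-30300820'
$pools = @((Request-RidPool 'DC01'), (Request-RidPool 'DC02'))
$pools | Format-Table -AutoSize

# Each DC mints SIDs from its own block; verify that no SID is issued twice
$minted = foreach ($pool in $pools) {
    $pool.First..($pool.First + 2) | ForEach-Object { "$domainSid-$_" }
}
$duplicates = $minted | Group-Object | Where-Object Count -gt 1
"{0} SIDs minted across {1} DCs, {2} duplicates" -f $minted.Count, $pools.Count, @($duplicates).Count
```

Run it in any PowerShell 3.0 or later session; it touches no directory and needs no domain membership, so it is safe to try on a workstation.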

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
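The time hierarchy described above, as an added PowerShell example that is not part of the original post: the forest-root PDC emulator is pointed at external NTP peers, and every other DC (including the PDC emulators of child domains) is told to follow the domain hierarchy. It assumes Windows Server 2003 SP1 or later with the Support Tools (for dsquery) and an elevated prompt on the DC itself; the NTP peer names are placeholders.

```powershell
# Added example, not part of the original post. NTP peer names are placeholders.
function Set-DcTimeSource {
    param([string[]]$ExternalPeers = @('ntp1.example.net', 'ntp2.example.net'))

    # Is this DC's domain the forest root? RootDSE exposes both naming contexts.
    $rootDse      = [adsi]'LDAP://RootDSE'
    $isForestRoot = ([string]$rootDse.defaultNamingContext -eq [string]$rootDse.rootDomainNamingContext)

    # Does this DC hold the PDC emulator role? dsquery prints the holder's DN, e.g.
    # "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
    $pdcDn   = [string](dsquery server -hasfsmo pdc)
    $pdcName = $pdcDn -replace '^\s*"?CN=([^,]+),.*$', '$1'
    $isPdc   = ($pdcName -eq $env:COMPUTERNAME)

    if ($isPdc -and $isForestRoot) {
        # ",0x8" marks each peer as a client-mode peer; MANUAL = use only this list;
        # reliable:YES advertises this DC as a reliable source to the rest of the hierarchy
        $peerList = ($ExternalPeers | ForEach-Object { "$_,0x8" }) -join ' '
        w32tm /config "/manualpeerlist:$peerList" /syncfromflags:MANUAL /reliable:YES /update
        $mode = "forest-root PDC emulator, external peers '$peerList'"
    } else {
        # Everything else takes time from its in-bound partner in the domain hierarchy
        w32tm /config /syncfromflags:DOMHIER /update
        $mode = 'domain hierarchy (DOMHIER)'
    }

    Restart-Service w32time
    w32tm /resync /rediscover
    "Configured $env:COMPUTERNAME as $mode"
}

Set-DcTimeSource
```

The guard matters: pointing a DC other than the forest-root PDC emulator at an external source is a common misconfiguration that produces two competing time authorities. On Windows Server 2008 or later, `w32tm /query /source` shows the peer actually in use; on Windows Server 2003 use `w32tm /monitor` instead.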
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
Ideally, you put the PDC emulator on the domain controller with the best hardware available, and ensure that it’s in a reliable hub site. It should have other domain controllers in the same Active Directory domain and site to replicate with.
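Locating the holders of the five roles just described, as an added PowerShell example that is not part of the original post. It wraps dsquery (whose role keywords are schema, name, infr, rid and pdc) in a function, cross-checks with netdom, lists the global catalog servers and finally lets dcdiag confirm that the DCs agree on who holds each role. It assumes the Windows Server 2003 Support Tools (netdom, dsquery, dcdiag) or the Windows Server 2008+ built-ins on a domain-joined machine.

```powershell
# Added example, not part of the original post.
function Get-FsmoHolders {
    # dsquery's own role keywords mapped onto the five roles; the first two are
    # forest-wide, the other three exist once per domain
    $roles = [ordered]@{
        'Schema master'         = 'schema'
        'Domain naming master'  = 'name'
        'Infrastructure master' = 'infr'
        'RID master'            = 'rid'
        'PDC emulator'          = 'pdc'
    }
    foreach ($r in $roles.GetEnumerator()) {
        # Output is the quoted DN of the holding server object, e.g.
        # "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
        $dn    = [string](dsquery server -hasfsmo $r.Value)
        $scope = 'domain'
        if (@('schema', 'name') -contains $r.Value) { $scope = 'forest' }
        [pscustomobject]@{
            Role   = $r.Key
            Holder = ($dn -replace '^\s*"?CN=([^,]+),.*$', '$1')
            Scope  = $scope
        }
    }
}

Get-FsmoHolders | Format-Table -AutoSize

# Same information from a second tool, as a cross-check
netdom query fsmo

# Global catalog servers in the whole forest (quoted server DNs, one per line)
dsquery server -forest -isgc

# Every DC caches the role holders it knows of; these two tests flag holders
# that are stale or unreachable, typically after a demotion or a seized role
dcdiag /test:knowsofroleholders /test:fsmocheck /q
```

Add `-domain <name>` to the dsquery calls to query the three per-domain roles of another domain in the forest.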

Global Catalog:

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
Note: In Windows Server® 2003 and Microsoft Windows® 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services. The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
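What "partial replica" means in practice, as an added PowerShell example that is not part of the original post. The first function lists the attributes the schema marks as members of the partial attribute set (the isMemberOfPartialAttributeSet attribute on attributeSchema objects); the second searches for the same user once through the domain partition (LDAP://) and once through the global catalog (GC://, port 3268), so the attributes missing from the GC copy are exactly those outside that set. It assumes a domain-joined machine; 'jdoe' is a placeholder account name.

```powershell
# Added example, not part of the original post. 'jdoe' is a placeholder account.
$rootDse  = [adsi]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

function Get-PartialAttributeSet {
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.SearchRoot = [adsi]"LDAP://$schemaNc"
    $s.Filter     = '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
    $s.PageSize   = 1000    # page through results; the PAS is larger than a single page
    [void]$s.PropertiesToLoad.Add('lDAPDisplayName')
    $s.FindAll() | ForEach-Object { [string]$_.Properties['ldapdisplayname'][0] } | Sort-Object
}

function Find-User {
    param([string]$SamAccountName, [ValidateSet('LDAP', 'GC')][string]$Provider = 'LDAP')
    $s = New-Object DirectoryServices.DirectorySearcher
    # Same DN as search root; only the provider (and thus the port) changes
    $s.SearchRoot = [adsi]"$($Provider)://$domainNc"
    $s.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    # No PropertiesToLoad: return every attribute this partition copy holds
    $s.FindOne()
}

$pas = @(Get-PartialAttributeSet)
"{0} attributes are replicated to every global catalog server" -f $pas.Count

$viaLdap = Find-User -SamAccountName 'jdoe' -Provider 'LDAP'
$viaGc   = Find-User -SamAccountName 'jdoe' -Provider 'GC'
if ($viaLdap -and $viaGc) {
    $ldapAttrs = @($viaLdap.Properties.PropertyNames)
    $gcAttrs   = @($viaGc.Properties.PropertyNames)
    "Domain partition returned {0} attributes, global catalog {1}" -f $ldapAttrs.Count, $gcAttrs.Count
    # Attributes present via LDAP but absent via GC are the ones outside the PAS
    $onlyLocal = $ldapAttrs | Where-Object { $gcAttrs -notcontains $_ }
    "Not in the global catalog copy: " + ($onlyLocal -join ', ')
}
```

Adding an attribute to the partial attribute set is a schema change (it flips isMemberOfPartialAttributeSet), so it has to be made on the schema master and then replicates to every GC server in the forest.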
For further details: http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx
[source: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm ]
Some useful tools for managing AD are:

NTDSUTIL to perform operations on the domain (type help to see the options)
DCDIAG to run tests on the domain (type help to see the options)
REPLMON: Replmon is a graphical tool for monitoring replication between sites. Replmon is installed when you install the Support Tools. It offers the following commands:

  • Update the Status: displays any errors in the right pane and the current status for the selected server
  • Check Replication Topology: displays in graphical format the direct replication partners of the selected controller
  • Synchronize Each Directory Partition with All Servers: sends out a message to the servers to initiate replication across the domain
  • Generate Status Report: allows you to export a status report to a log file on the computer
  • Show Domain Controllers in the Domain: displays all domain controllers within the domain currently in focus
  • Show Replication Topologies: displays all replication paths to the various sites within your forest
  • Show Group Policy Object Status: displays the status of GPOs within the forest
  • Show Current Performance Status: provides performance information for your forest replication
  • Show Global Catalog Servers in the Enterprise: displays any servers within the forest configured as a Global Catalog server
  • Show Bridgehead Servers: displays servers used as bridgehead servers; bridgehead servers are the preferred replication server for a particular site
  • Show Trust Relationships: displays trust relationships for the forest
  • Show Attribute Meta-Data for Active Directory Object
NETDIAG, also part of the Support Tools, helps identify network problems
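A scripted health pass over a domain controller with the command-line tools listed above, as an added PowerShell example that is not part of the original post. dcdiag runs the DC and replication tests, repadmin (also part of the Support Tools) stands in for the replication views that Replmon only offers as a GUI, and netdiag runs only where its binary exists, since it is not shipped with Windows Server 2008 and later. It assumes the Windows Server 2003 Support Tools and an elevated prompt on the DC; $LogDir is a placeholder path.

```powershell
# Added example, not part of the original post. Save as Invoke-DcHealth.ps1; $LogDir is a placeholder.
param(
    [string]$DcName = $env:COMPUTERNAME,
    [string]$LogDir = 'C:\DCHealth'
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("{0}-{1}.log" -f $DcName, (Get-Date -Format 'yyyyMMdd-HHmm'))

function Invoke-Check {
    param([string]$Title, [scriptblock]$Command)
    "=== $Title ===" | Out-File -FilePath $log -Append
    $output = & $Command 2>&1
    $output | Out-File -FilePath $log -Append
    # Native tools report failure through their exit code; dcdiag additionally
    # prints "failed test <name>" for each failing test, which /q does not suppress
    $failed  = ($LASTEXITCODE -ne 0) -or [bool]($output -match 'failed test')
    $verdict = 'OK'
    if ($failed) { $verdict = 'FAIL' }
    [pscustomobject]@{ Check = $Title; Result = $verdict }
}

$checks = [ordered]@{
    'DC tests (dcdiag /q)'           = { dcdiag /s:$DcName /q }
    'Replication tests (dcdiag)'     = { dcdiag /s:$DcName /test:replications /q }
    'Inbound partners (repadmin)'    = { repadmin /showrepl $DcName }
    'Replication summary (repadmin)' = { repadmin /replsummary $DcName }
}
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
    $checks['Network (netdiag /q)'] = { netdiag /q }
}

$results = foreach ($c in $checks.GetEnumerator()) { Invoke-Check -Title $c.Key -Command $c.Value }
$results | Format-Table -AutoSize
"Full output written to $log"
```

The summary table is what you read first; the log file keeps the full tool output for the checks that came back FAIL, so a scheduled run of this script gives you a per-DC history to compare against when replication starts lagging.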

Here are some interesting articles: