You can use the ntdsutil.exe command-line utility to transfer FSMO roles, or you can use an MMC snap-in tool. Depending on which role you want to transfer, you can use one of the following three MMC snap-in tools:

■ Active Directory Schema snap-in (Schema Master role)
■ Active Directory Domains and Trusts snap-in (Domain Naming Master role)
■ Active Directory Users and Computers snap-in (RID Master, Infrastructure Master, and PDC Emulator roles)

To seize a role, you must use the ntdsutil utility. If a computer cannot be contacted due to a hardware malfunction or long-term network failure, the role must be seized.

Locating, Transferring, and Seizing the Schema Master Role

The DC that hosts the Schema Master role controls each update or modification to the schema. You must have access to the Schema Master to update the schema of a forest. Refer to the first procedure that follows for instructions on how to identify the DC that is performing the Schema Master operation role for your forest using the command line or the GUI. Refer to the second procedure that follows for instructions on how to transfer the Schema Master operations role for your forest to a different DC. The steps for seizing the role to another DC in case of failure are outlined later in this section (see Seize the FSMO Master Roles).

Temporary loss of the Schema Master is not noticeable to domain users. Enterprise and domain administrators will not notice the loss either, unless they are trying to install an application that modifies the schema during installation or trying to modify the schema themselves. You should seize the schema FSMO role to the standby operations master only if your old Schema Master will be down permanently.

Locate the Schema Operations Master

1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and click OK. This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
7. Expand and then right-click Active Directory Schema in the top left pane, and then select Operations Masters to view the server holding the Schema Master role as shown in Figure 12.4.

Figure 12.4 Locating the Schema Operations Master

476 Chapter 12 • Working with Forests and Domains

Transfer the Schema Operations Master Role

1. Log on as an Enterprise Administrator in the forest where you want to transfer the Schema Master role.
2. Click Start | Run.
3. Type regsvr32 schmmgmt.dll in the Open box, and then click OK. This registers the Schmmgmt.dll.
4. Click OK in the dialog box showing that the operation succeeded.
5. Click Start | Run, type mmc, and then click OK.
6. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
7. Right-click Active Directory Schema in the top left pane, and then click Change Domain Controller.
8. Click Specify Name as shown in Figure 12.5, type the name of the DC that will be the new role holder, and then click OK.
9. Right-click Active Directory Schema again, and then click Operations Master.
10. Click Change.
11. Click OK to confirm that you want to transfer the role, and then click Close.

Locating, Transferring, and Seizing the Domain Naming Master Role

The Domain Naming Master DC controls the addition or removal of domains in the forest, and adding and removing any cross-references to domains in external LDAP directories. There can be only one Domain Naming Master in the forest.
Refer to the first procedure that follows for instructions on how to identify the DC that is performing the Domain Naming Master operation role for your forest. Refer to the second procedure that follows for instructions on how to transfer the Domain Naming Master operations role for your forest to a different DC. The steps for seizing a role to another DC in case of failure are described later in this section (see Seize the FSMO Master Roles).

Locate the Domain Naming Operations Master

1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type mmc, and then click OK.
3. On the menu bar, click File | Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
4. Right-click Active Directory Domains and Trusts in the top left pane, and then click Operations Masters to view the server holding the Domain Naming Master role.

Figure 12.5 Transferring the Schema Operations Master Role

Transfer the Domain Naming Master Role

1. Click Start | Administrative Tools | Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and click Connect to Domain Controller, unless you are already on the DC to which you are transferring the role. In the Enter the name of another domain controller window, type the name of the DC that will be the new role holder, and then click OK. Optionally, in the Or, select an available domain controller list, click the DC that will be the new role holder, and click OK.
3. In the console tree, right-click Active Directory Domains and Trusts, and then select Operations Master.
4. Click Change.
5. Click OK for confirmation, and click Close.
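The two procedures above, and the equivalent ones for the domain-level roles and for seizure that appear later in this section, can also be driven from the ActiveDirectory PowerShell module. The script below is an added example, not part of the book and not available on Windows Server 2003 itself (the module ships with Windows Server 2008 R2 and later); the DC name DC4.dogs.com in the usage lines is a placeholder. It reads every role holder before and after the move so that the result can be confirmed without opening a snap-in.

```powershell
# Added example (not from the book): locate, transfer and, if unavoidable, seize FSMO roles with the
# ActiveDirectory PowerShell module (Windows Server 2008 R2 or later; Windows Server 2003 itself offers
# only ntdsutil and the MMC snap-ins described in the text). 'DC4.dogs.com' is a placeholder name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Current holder of every role: forest-wide roles come from the forest object,
    # domain roles from the domain object of the domain you are logged on to.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,
        # Role names as the cmdlet expects them; defaults to the two forest-wide roles.
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]] $Role = @('SchemaMaster', 'DomainNamingMaster'),
        # Seize only when the current holder is permanently gone, as the text advises.
        [switch] $Seize
    )
    $before = Get-FsmoRoleHolder
    # The target must be a reachable DC; Get-ADDomainController fails otherwise.
    $target = Get-ADDomainController -Identity $TargetDC

    $params = @{
        Identity            = $target
        OperationMasterRole = $Role
        Confirm             = $false
    }
    # -Force lets the cmdlet seize the roles when the current holder cannot be contacted.
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params

    # Report old holder -> new holder for each role that was moved.
    $after = Get-FsmoRoleHolder
    foreach ($r in $Role) {
        "{0}: {1} -> {2}" -f $r, $before.$r, $after.$r
    }
}

# Usage (Enterprise Admins for the forest-wide roles, as in the procedures above):
# Move-FsmoRole -TargetDC 'DC4.dogs.com'
# Move-FsmoRole -TargetDC 'DC4.dogs.com' -Role PDCEmulator, RIDMaster
# Move-FsmoRole -TargetDC 'DC4.dogs.com' -Role SchemaMaster -Seize
```

The -Seize switch maps to the cmdlet's -Force parameter and is deliberately opt-in: a seizure leaves the old holder believing it still owns the role, which is why the text limits it to a holder that will never return.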
Locating, Transferring, and Seizing the Infrastructure, RID, and PDC Operations Master Roles

The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains. There can be only one Infrastructure Master DC in each domain. The RID Master processes Relative ID (RID) pool requests from all DCs in the local domain. There can be only one RID Master DC in each domain. The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain Master Browser, and handles Active Directory password collisions, or discrepancies. There can be only one PDC Emulator in each domain.

Refer to the first procedure that follows for instructions on how to identify the DCs that are performing the FSMO roles for your forest using the Active Directory Users and Computers GUI interface. Refer to the second procedure that follows for instructions on how to transfer the Infrastructure, RID, and PDC Master operations roles for your forest to different DCs. Again, if you need to seize a role, follow the steps later in this section (see Seize the FSMO Master Roles).

Locate the Infrastructure, RID, and PDC Operations Masters

1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start | Run, type dsa.msc, and click OK. This is an alternate method for opening the Active Directory Users and Computers administrative tool.
3. Right-click the selected Domain Object in the top left pane, and then click Operations Masters.
4. Click the Infrastructure tab to view the server holding the Infrastructure Master role.
5. Click the RID tab to view the server holding the RID Master role.
6. Click the PDC tab to view the server holding the PDC Master role.

Transfer the Infrastructure, RID, and PDC Master Roles

1. Click Start | Administrative Tools | Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and click Connect to Domain Controller unless you are already on the DC you are transferring to. In the Enter the name of another domain controller window, type the name of the DC that will be the new role holder, and then click OK; or in the Or, select an available domain controller list, click the DC that will be the new role holder, and click OK.
3. In the console tree, right-click Active Directory Users and Computers, and click All Tasks | Operations Master.
4. Take the appropriate action below for the role you want to transfer.
5. Click the Infrastructure tab, and click Change.
6. Click the RID tab, and click Change.
7. Click the PDC tab, and click Change.
8. Click OK for confirmation, and click Close.

Seize the FSMO Master Roles

1. Log on to any working DC.
2. Click Start | Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and press Enter.
4. In ntdsutil, type ? at any prompt to see a list of available commands, and press Enter.
5. Type connections, and press Enter.
6. Type connect to server servername, where servername is the name of the server that will receive the role, and press Enter.
7. At the server connections: prompt, type q, and press Enter.
8. Type the appropriate seizing command as shown next. See the example in Figure 12.6. If the FSMO role is available, ntdsutil.exe will perform a transfer instead. Respond to the Role Seizure Confirmation dialog box.

   seize Schema master
   seize domain naming master
   seize Infrastructure master
   seize RID master
   seize PDC

Figure 12.6 Seizing the PDC Master Role

   D:\WINDOWS\system32\ntdsutil.exe: roles
   fsmo maintenance: connections
   server connections: connect to server DC4
   Binding to DC4
   Connected to DC4 using credentials of locally logged on user.
   server connections: q
   fsmo maintenance: seize PDC
   Attempting safe transfer of PDC FSMO before seizure.
   FSMO transferred successfully - seizure not required.
   Server "DC4" knows about 5 roles
   Schema - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
   Domain - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
   PDC - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
   RID - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
   Infrastructure - CN=NTDS Settings,CN=DC4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Dogs,DC=com
   fsmo maintenance: q

9. After you seize the role, type q, and then press Enter repeatedly until you quit the Ntdsutil tool.

Placing the FSMO Roles

It is a good idea to place the RID and PDC Emulator roles on the same DC. Down-level clients and applications target the PDC, making it a large consumer of RIDs. Good communication between these two roles is important. If performance demands it, place the RID and PDC Emulator roles on separate DCs, but make sure they stay in the same site and that they are direct replication partners with each other.

As previously stated, you should place the Infrastructure Master on a non-GC server to maintain proper replication. Additionally, ensure that the Infrastructure Master has a direct connection object to a GC server somewhere in the forest, preferably in the same site. There are two exceptions to this rule:

■ Single domain forest  If your forest contains only one Active Directory domain, then there can be no phantoms. The Infrastructure Master has no functionality in a single domain forest. In that case, you can place the Infrastructure Master on any DC.
■ Multidomain forest where every DC holds the GC  Again, there can be no phantoms if every DC in the domain hosts a GC. There is no work for the Infrastructure Master to perform. In that case, you can place the Infrastructure Master on any DC.

Considering the forest level, the Schema Master and Domain Naming Master roles are rarely used and should be tightly controlled. For that reason, you can place them on the same DC. Another Microsoft-recommended practice is to place the Domain Naming Master FSMO on a GC server. Taking all of these practices together, a Microsoft-recommended best-practice empty root domain design would consist of two DCs with the following FSMO/GC placement:

■ DC 1:
   ■ Schema Master
   ■ Domain Naming Master
   ■ GC
■ DC 2:
   ■ RID Master
   ■ PDC Emulator
   ■ Infrastructure Master

This preferred design remains valid until performance degradation forces you to separate the roles. Consider upgrading the hardware instead, or adding additional GCs, since the recommended configuration is the most efficient. For extremely large forests, install additional DCs and separate roles as needed.

For these reasons and more, you need to be able to locate and assess your GC placement in relation to your FSMO roles. Here is how you find GCs:

1. Log on to any working DC.
2. Click Start | Programs | Administrative Tools | Active Directory Sites and Services.
3. Double-click Sites in the left console pane, and browse to the appropriate site, or click Default-first-site-name if no other sites are available.
4. Expand the Servers folder, and click the name of the DC that you want to check.
5. In the DC's folder, double-click NTDS Settings.
6. Click Action | Properties.
7. On the General tab, locate the Global Catalog check box to see if it is selected as shown in Figure 12.7.
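Checking GC placement against the FSMO roles one NTDS Settings dialog at a time does not scale past a handful of DCs. The script below is an added example, not part of the book, that applies the placement rules of this section to a live forest with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later): RID Master and PDC Emulator on the same DC, Domain Naming Master on a GC, and Infrastructure Master off a GC unless the forest has a single domain or every DC in the domain is a GC. It reads the forest it runs in, so no names are assumed.

```powershell
# Added example (not from the book): check live FSMO placement against the rules stated in the text.
# Requires the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); it reads the
# forest it is run in, so no names are assumed.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest   = Get-ADForest
    $findings = New-Object System.Collections.Generic.List[string]
    $isGc     = @{}      # DC host name -> $true when that DC hosts a GC
    $domains  = @()

    # Which DCs hold a GC, in every domain (the Sites and Services check above, scripted).
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        foreach ($dc in $dcs) { $isGc[$dc.HostName] = [bool]$dc.IsGlobalCatalog }
        $domains += [pscustomobject]@{
            Domain               = $domain.DNSRoot
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
            EveryDcIsGc          = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
        }
    }

    # Forest-wide roles: the Domain Naming Master belongs on a GC.
    if (-not $isGc[$forest.DomainNamingMaster]) {
        $findings.Add("Domain Naming Master $($forest.DomainNamingMaster) is not a GC")
    }

    foreach ($d in $domains) {
        # RID Master and PDC Emulator should share a DC, or at least a site as direct replication partners.
        if ($d.RIDMaster -ne $d.PDCEmulator) {
            $findings.Add("$($d.Domain): RID Master $($d.RIDMaster) and PDC Emulator $($d.PDCEmulator) are on different DCs")
        }
        # The Infrastructure Master must not be a GC, unless the forest has a single domain or every DC
        # in the domain is a GC; in those two cases there are no phantoms for it to update.
        $exempt = ($forest.Domains.Count -eq 1) -or $d.EveryDcIsGc
        if ($isGc[$d.InfrastructureMaster] -and -not $exempt) {
            $findings.Add("$($d.Domain): Infrastructure Master $($d.InfrastructureMaster) is a GC; cross-domain references will not be updated")
        }
    }

    [pscustomobject]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        Domains            = $domains
        GlobalCatalogs     = @($isGc.Keys | Where-Object { $isGc[$_] } | Sort-Object)
        Findings           = $findings
    }
}

Get-FsmoPlacementReport | Format-List
```

An empty Findings list means the placement matches the two-DC design described above; each finding names the domain and the DC so that the role can be moved with the transfer procedures earlier in this section.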
Figure 12.7 Locating the Global Catalog Function

Using Application Directory Partitions

The Active Directory contains several partitions for the storage of object data. These directory partitions, also called naming contexts, are contiguous Active Directory subtrees that are replicated across DCs. As a minimum, each DC contains a replica of three partitions: the schema partition, the configuration partition, and the domain partition, in addition to any application directory partitions that you might choose to create. An instance of an application directory partition on another DC is called a replica.

The default security descriptor for objects in the application directory partition is defined by an attribute called the security descriptor reference domain. By default, this attribute is the parent domain of the application directory partition. If the partition is a child of another application directory partition, the default security descriptor reference domain is the security descriptor reference domain of its parent. If it has no parent, the forest root domain becomes the default security descriptor reference domain. This attribute can be modified using the following steps.

Administer Application Directory Partitions

1. Log on as an Enterprise Administrator.
2. Click Start | Run, type ntdsutil, and click OK.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server servername, where servername represents the DNS name of the DC where you want to create the application directory partition.
6. At the connection command prompt, type quit.
7. At the domain management command prompt, consult the following list of commands for the function you want to perform:

   ■ Create an application directory partition: use the command create nc application_directory_partition domain_controller
   ■ Delete an application directory partition: use the command delete nc application_directory_partition
   ■ Add an application directory partition replica: use the command add nc replica application_directory_partition domain_controller
   ■ Remove an application directory partition replica: use the command remove nc replica application_directory_partition
   ■ Display application directory partition information: use the command list
   ■ Set the security descriptor reference domain of an application directory partition: use the command set nc reference domain application_directory_partition domain_controller

   In this context, application_directory_partition is the DN of the application directory partition that you want to operate on, and domain_controller is the DNS name of the DC where you want to perform the operation. If you are operating on the DC that you connected to in step 5, use "NULL" as the domain_controller parameter.
8. Enter q until ntdsutil exits.

Establishing Trust Relationships

External trusts are a concept left over from Windows NT, but are still necessary for sharing resources with a Windows NT domain or any other Windows domain outside your forest. A realm trust allows cross-platform interoperability with non-Windows Kerberos V5 (version 5) realms, such as those commonly used with UNIX systems. As you can see, trusts are varied in properties and purposes. The most important concepts to understand about trusts before you create them are direction and transitivity. Always be aware of the extent of any internal access that you grant to external users.

Direction and Transitivity

Two primary attributes of trusts are direction and transitivity. The direction of trust flows from the trusting domain to the trusted domain as shown by the arrow in Figure 12.8.
Cats.com trusts Dogs.com. The direction of access is always in the opposite direction; Dogs.com accesses resources in Cats.com. This is a one-way trust. Likewise, Dogs.com trusts Fish.com, but does not trust Cats.com. Two one-way trusts can combine to simulate a single two-way trust.

The second attribute of the trust is transitivity, or a measure of how far the trust extends. A nontransitive trust has limits. The trusted domain, and only the trusted domain, can access resources through the trust to the trusting domain. As shown in Figure 12.8, if the Dogs.com domain has trusts to other domains such as Fish.com, those other domains are barred from access to Cats.com unless they have a nontransitive trust of their own. The absence of the third leg of the trust breaks the circle of access. This is the behavior of all trusts in Windows NT.

Conversely, transitive trusts, like the ones shown in Figure 12.9, are the skeleton keys of access. Anyone on the trusted side of the trust relationship can enter, including anyone trusted by the trusted domain. When a user or process requests access to a resource in another domain, a series of hand-offs occurs within the authentication process down the trust path as shown in Figure 12.9. When Cats.com trusts Dogs.com, they must trust all Dogs.com child domains equally at the level of the trust. There are two types of trusts in Figure 12.9, parent and child and tree-root. All trusts shown are bidirectional and transitive, as they are by default in Windows Server 2003. Calico.cats.com has a trust relationship with Yellow.labs.dogs.com because of the trust path that extends through all three intervening domains. If Calico.cats.com has no reason to trust Yellow.labs.dogs.com, then the cats must apply permissions to limit or block the access.
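Direction and transitivity together decide who can reach a resource, and the answer is easy to get wrong when several trusts chain together. The script below is an added example, not part of the book: a small model in which each one-way trust records the trusting domain, the trusted domain and whether it is transitive, and a walk that follows trusts outward from the resource domain, continuing past a domain only when the trust that led there is transitive. The two trust sets are constructed from the descriptions of Figure 12.8 and Figure 12.9 above; the function and parameter names are this example's own.

```powershell
# Added example (not from the book): a model of trust direction and transitivity that reproduces the
# two figures described in the text. Access runs the opposite way to trust: users from the trusted
# side reach resources on the trusting side. A two-way trust is simply two one-way trusts.

function New-Trust {
    param(
        [Parameter(Mandatory)] [string] $Trusting,
        [Parameter(Mandatory)] [string] $Trusted,
        [bool]   $Transitive = $false,
        [switch] $TwoWay
    )
    $trusts = @([pscustomobject]@{ Trusting = $Trusting; Trusted = $Trusted; Transitive = $Transitive })
    if ($TwoWay) {
        $trusts += [pscustomobject]@{ Trusting = $Trusted; Trusted = $Trusting; Transitive = $Transitive }
    }
    $trusts
}

function Get-AccessSource {
    # Returns the domains whose users can reach resources in $Resource. Starting at the resource
    # domain, follow each trust it holds to the trusted domain; keep walking past a domain only if
    # the trust that led there is transitive, so a nontransitive trust is a single hop.
    param(
        [Parameter(Mandatory)] [string]   $Resource,
        [Parameter(Mandatory)] [object[]] $Trusts
    )
    $reached = @{ $Resource = $true }     # domain -> $true if the walk may continue past it
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue(@($Resource, $true))
    while ($queue.Count -gt 0) {
        $entry = $queue.Dequeue()
        $here  = $entry[0]
        if (-not $entry[1]) { continue }
        foreach ($t in ($Trusts | Where-Object { $_.Trusting -eq $here })) {
            $next        = $t.Trusted
            $mayContinue = [bool]$t.Transitive
            # Skip a domain already reached, unless this path arrives over a transitive trust
            # and the earlier one did not (the earlier path stopped there).
            if ($reached.ContainsKey($next) -and ($reached[$next] -or -not $mayContinue)) { continue }
            $reached[$next] = $mayContinue
            $queue.Enqueue(@($next, $mayContinue))
        }
    }
    @($reached.Keys | Where-Object { $_ -ne $Resource } | Sort-Object)
}

# Figure 12.8 (constructed from the text): Cats.com trusts Dogs.com and Dogs.com trusts Fish.com,
# both one-way and nontransitive.
$nontransitive = @()
$nontransitive += New-Trust -Trusting 'Cats.com' -Trusted 'Dogs.com'
$nontransitive += New-Trust -Trusting 'Dogs.com' -Trusted 'Fish.com'
"Cats.com resources reachable from: " + ((Get-AccessSource 'Cats.com' $nontransitive) -join ', ')

# Figure 12.9 (constructed from the text): a tree-root trust between the two roots and parent-child
# trusts below them, all two-way and transitive as Windows Server 2003 creates them by default.
$transitive = @()
$transitive += New-Trust 'Cats.com' 'Dogs.com' -Transitive $true -TwoWay
$transitive += New-Trust 'Dogs.com' 'Labs.dogs.com' -Transitive $true -TwoWay
$transitive += New-Trust 'Labs.dogs.com' 'Yellow.labs.dogs.com' -Transitive $true -TwoWay
$transitive += New-Trust 'Cats.com' 'Calico.cats.com' -Transitive $true -TwoWay
"Calico.cats.com resources reachable from: " + ((Get-AccessSource 'Calico.cats.com' $transitive) -join ', ')
```

With the nontransitive set, the walk from Cats.com stops at Dogs.com, so Fish.com never appears even though Dogs.com trusts it; with the transitive set, the walk from Calico.cats.com climbs to Cats.com, crosses the tree-root trust and descends to Yellow.labs.dogs.com, which is exactly the path the text says must be constrained with permissions if the cats do not want that access.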
Figure 12.8 The Nontransitive Trust (domains shown: Dogs.com, Fish.com, Cats.com; labels: Root Domain, Domain, Domain; links labeled Nontransitive Trust)

Figure 12.9 The Transitive Trust (domains shown: Dogs.com, Labs.dogs.com, Cats.com, Yellow.labs.dogs.com, Calico.cats.com; labels: Root Domain, Domain, Child Domain; links labeled Transitive Trusts)