Infrastructure Master

According to Microsoft, without the Infrastructure Master, changes between your DCs would be slow. The Infrastructure Master speeds this process up. There is one infrastructure FSMO per domain, and it is on the first DC you installed for that domain, unless you have transferred or seized the role (discussed in the next section).

The Infrastructure FSMO appears to be somewhat enigmatic in how it does its role. We have seen references to this FSMO indicating, as just stated, that the speed of services managing the domain is increased, but how? First, it updates the group-to-user references whenever a change is made; and second, this FSMO is in charge of seeking and destroying those stale objects floating around your Ethernet. Actually, this refers to the references that are no longer valid. This can occur when an object is moved, renamed, or deleted. The infrastructure FSMO uses the GC to check for these stale references and then removes them.

Because the GC and the Infrastructure FSMO have to work so closely together, Microsoft recommends that these two roles run on separate DCs. Of course, by default, they are on the same DC, so it is up to you to move one of these roles to your second DC as soon as you have one.

Transferring and Seizing Operations Master Roles

With your newfound understanding of FSMOs, you can see that they are essential for domain consistency and integrity. It has been said more than once that these roles are created automatically, but the defaults assigned by that automatic creation might not suit your environment, and you might consequently need to either transfer these roles to a better machine or move them before retiring a server. It is also possible for you to lose a DC containing one or more of these roles and be unable to recover it. This section describes how to transfer and seize these operations master roles.

www.syngress.com Working with Domain Controllers • Chapter 7 509

NET TIME /SETSNTP:SERVER_LIST.
A list of servers can be found on the Internet. Here are two provided by the United States Naval Observatory:

■ Ntp2.usno.navy.mil (192.5.41.209)
■ Tock.usno.navy.mil (192.5.41.41)

Other time servers are managed by the National Institute of Standards and Technology (NIST), found at www.nist.gov. For in-depth instruction and reference on this topic, refer to Microsoft's white paper, wintimeserv.doc, on their Web site.

EXAM 70-294 OBJECTIVE 1.2.1
256_70-294_07.qxd 9/4/03 4:35 PM Page 509

Transferring FSMOs

You've decided to transfer your FSMOs from the original location, on the first DC, to another server that will be your super-server. When the transfer is planned, you can manually move these roles by following the steps outlined in the next sections.

Transferring the Schema FSMO

First, you must be a member of the Schema Admins group. Next, you need to access the Active Directory Schema snap-in, which is not in the Administrative Tools menu but must be added to an MMC. To install the Active Directory Schema snap-in, follow these steps:

1. Open a command prompt (Start | Run | cmd, and click OK).
2. At the command prompt, type regsvr32 schmmgmt.dll. This command will register schmmgmt.dll on your computer. Successful registration produces the dialog box shown in Figure 7.28.
3. Click Start | Run… and type mmc /a. Then, click OK. This opens a blank MMC in author's mode.
4. On the File menu, click Add/Remove Snap-in, and then click Add.
5. Under Snap-in, double-click Active Directory Schema, click Close, and then click OK.

Looking at the schema attributes, you can identify a few. Figure 7.29 shows the cn or Common-Name attribute, which is mandatory in a user account. Right-clicking on the object named Active Directory Schema affords you several options (see Figure 7.30). From this tool, you can see which DC is currently assigned the Schema Master by selecting Operations Master…, and you can transfer the FSMO to another DC by selecting Change Domain Controller.
Figure 7.28 Register Service

Figure 7.31 depicts the next dialog in our quest. You are then given the choice to transfer the FSMO to Any DC or Specify a Name. Specify the new location and click OK. The new location is the FQDN of the DC to which you are transferring the FSMO. The system will refresh the screen and you will see that the focus has changed to the other DC you just specified (see Figure 7.32). To complete the task, you still need to right-click the Active Directory Schema object again, and this time choose Operations Master, which brings up the dialog box shown in Figure 7.33. In our example, we are moving the schema FSMO to the DC skyline.yourfirm.biz. Click Change and the system will ask you to verify that you really want to make this change. Click OK. After a short pause, the confirmation dialog in Figure 7.34 appears. Click OK. The Schema FSMO is now on the skyline.yourfirm.biz DC.

Figure 7.29 Active Directory Schema Tool
Figure 7.30 Management Options
Figure 7.31 Change Domain Controller
Figure 7.32 Change in Focus Prior to FSMO Transfer
Figure 7.33 Change Schema Master
Figure 7.34 Confirmation of FSMO Transfer

Configuring & Implementing: Finding FSMO

If all you ever do is go with the defaults, you probably know where all the FSMOs are. However, there is a good chance of inheriting someone else's undocumented domain or walking into a foreign network as the perceived network guru. In these cases, you need to know how to find FSMOs. Microsoft has a tool to do just that: www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp.
Okay, so the tool is not that impressive when you edit the *.cmd file, but the information is. Here are the steps to get a list of the FSMO roles and who has them:

1. Make sure you are logged on as either the local BuiltIn\Administrator for local access or Domain\Administrator or Enterprise\Administrator for remote access.
2. Open a command prompt: Start | Run | "cmd" | OK.
3. If you have access to the dumpfsmos.cmd, go ahead and run it and you are finished; however, you can do the same thing manually by reading on…
4. At the command prompt, type the following (bold text indicates what you should type, the rest depicts the DC's responses. Note that indents and bolding have been added for emphasis and easier reading):

C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server skyline
Binding to skyline
Connected to skyline using credentials of locally logged on user.
server connections: quit
fsmo maintenance: select operation target
select operation target: list roles for connected server
Server "skyline" knows about 5 roles
Schema - CN=NTDS Settings,CN=SKYLINE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yourfirm,DC=biz
Domain - CN=NTDS Settings,CN=TEKEASE-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yourfirm,DC=biz
PDC - CN=NTDS Settings,CN=TEKEASE-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yourfirm,DC=biz
RID - CN=NTDS Settings,CN=TEKEASE-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yourfirm,DC=biz
Infrastructure - CN=NTDS Settings,CN=TEKEASE-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=yourfirm,DC=biz
select operation target: quit
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from skyline
C:\>

From the output of our request, list roles for connected server, we see that the Schema FSMO is on the Skyline DC, which is where we transferred it, and the other four FSMOs remain on the original DC, tekease-dc1. Ntdsutil is a great tool, so learn how to use it.

Another tool you can use uses VBScripting as a GUI approach to the same goal: finding FSMO. This tool is user friendly by generating a pop-up dialog for your input of a server, and then displaying five pop-up dialogs, each with the location of a FSMO. Try searching the Internet for "finding fsmo vbs," or go to www.serverwatch.com/tutorials/article.php/10825_1472341_5.

Transferring Domain Naming FSMO

Transferring this FSMO requires you to have Enterprise Admin level permissions and uses the Active Directory Domains and Trusts (ADDT) tool. Your first step requires you to change the focus of the tool to the DC to which you want to transfer the domain-naming FSMO. In the Active Directory Domains and Trusts tool, click Action | Connect to Domain Controller…. That brings up the dialog shown in Figure 7.35. Fill in the name of another DC and click OK. You are returned to ADDT and nothing appears to have changed; however, your focus is now on the other DC. As with the Schema FSMO change, right-click the Active Directory Domains and Trusts | Operations Master… | Change and the transfer is complete.

NOTE
The Domain Naming Master can only reside on a DC that contains a GC. It appears that this FSMO requires access to the GC to function.

Transferring RID, PDC, or Infrastructure FSMOs

To transfer the RID, PDC Emulator, or Infrastructure FSMOs, you use the Active Directory Users and Computers (ADUC) tool. You must be a Domain administrator to perform this function. First, change your focus to the DC that will receive the transfer by right-clicking the domain object.
Select Connect to Domain Controller… | Enter the name of another domain controller OR Select an available domain controller, and click OK. Right-click the domain object again and select Operations Masters…. Notice in Figure 7.36 that there are three tabs: one each for the RID, PDC, and Infrastructure operations masters. These three FSMOs are domain specific, not forest specific, and they are all transferred using this same dialog box. As with the forest-specific FSMO transfers, click Change…, confirm that you want to transfer the FSMO, and the ADUC completes the function.

Figure 7.35 Connect to Domain Controller
Figure 7.36 Operation Masters: RID, PDC, and Infrastructure

NOTE
Creating an Infrastructure Master FSMO on a DC that contains a GC is undesirable unless every DC in your domain is a GC. In a single DC domain, that's easy; all five FSMOs and the GC are on the sole DC. However, GCs are not automatically placed on each new DC, so you should move the Infrastructure FSMO over to a different DC when you begin creating additional DCs.

Responding to OM Failures

As long as you know where the FSMOs in your domain reside and ensure that they are transferred before decommissioning a DC, you can avoid most problems. A good rule of thumb to follow is to always demote a DC before taking it offline or replacing the computer on which a DC exists. By demoting a DC, you ensure that all Active Directory information is synchronized and any FSMO is automatically transferred. What happens if you lose a DC that had a FSMO on it? If a FSMO is lost in your domain, there is no automatic response within the domain to elect a replacement; you just don't have a DC performing that role. Depending on which FSMO you lost, this can cause some interesting and sometimes fatal disasters in your domain.
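The following is an added PowerShell example, not code from the book or from Microsoft. It does what the Finding FSMO sidebar does with ntdsutil, listing all five role holders, and then checks the placement rule from the NOTE above: an Infrastructure Master that shares a DC with a Global Catalog while some DC in the domain is not a GC is flagged. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later), which post-dates the Windows Server 2003 tools the chapter describes; the function names are mine.

```powershell
# Added example, not the book's code. Requires the ActiveDirectory module and a
# domain account that can read the directory. Nothing is changed: read and report only.
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    # One object per role: the DC that holds it and whether that DC is a GC.
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the current domain

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $dom.DNSRoot

    # Forest-wide roles are exposed by Get-ADForest, domain-wide ones by Get-ADDomain.
    $roles = [ordered]@{
        'Schema'         = $forest.SchemaMaster
        'Domain Naming'  = $forest.DomainNamingMaster
        'PDC Emulator'   = $dom.PDCEmulator
        'RID'            = $dom.RIDMaster
        'Infrastructure' = $dom.InfrastructureMaster
    }

    foreach ($entry in $roles.GetEnumerator()) {
        $holder = $dcs | Where-Object { $_.HostName -eq $entry.Value }
        [pscustomobject]@{
            Role   = $entry.Key
            Holder = $entry.Value
            IsGC   = if ($holder) { [bool]$holder.IsGlobalCatalog } else { $null }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule from the chapter's NOTE: the Infrastructure Master may share a DC with
    # a GC only when every DC in the domain is a GC. Returns $true when compliant.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $dom.DNSRoot
    $holder = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if (-not $holder) {
        # The role pointer names a DC that no longer exists in the directory
        # (for example after metadata cleanup): a stale role owner, not a placement issue.
        Write-Warning "Infrastructure Master $($dom.InfrastructureMaster) is not among the DCs listed for $Domain (stale role owner?)."
        return $false
    }
    if ($holder.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        Write-Warning ("Infrastructure Master {0} is a GC but {1} DC(s) are not; move the role to a non-GC DC such as {2}." -f
            $holder.HostName, $nonGc.Count, $nonGc[0].HostName)
        return $false
    }
    return $true
}

Get-FsmoPlacement | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Run it from any domain-joined machine with RSAT; Get-ADDomainController enumerates the DCs recorded in the directory, so a DC that has gone offline still appears, which is what makes the stale-owner check meaningful.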
Forcing a FSMO into existence is called seizing the master. This process is not generally as user friendly as the transfer process, except when the role being seized is that of the PDC Emulator or the Infrastructure Master.

EXAM 70-294 OBJECTIVE 1.2.1

Seizing the PDC Emulator or Infrastructure FSMO

Seizing the PDC Emulator or Infrastructure FSMOs is still accomplished through the same GUI tool used previously: Active Directory Users and Computers. Since the DC with the lost FSMO is unavailable, the DC you are focused on should suffice. However, you can switch the focus by right-clicking on the domain object, selecting Connect to Domain Controller… | Enter the name of another domain controller OR Select an available domain controller, and clicking OK (see Figure 7.35). To seize or force a transfer of the PDC or Infrastructure, right-click the domain object and select Operations Masters… | [PDC or Infrastructure]. Notice that the service has attempted to contact the FSMO in question, and the dialog displays a message that it is offline (see Figure 7.37). Click Change… anyway. Confirm your request. This time, a warning dialog box will appear asking you again if you are sure you want to transfer the operations master role. Click OK. A third dialog then appears with an explanation and question:

The current operations master cannot be contacted to perform the transfer. Under some circumstances, a forced transfer can be performed. Do you want to attempt a forced transfer?

Click Yes to complete the seizure or forced FSMO role transfer. To summarize, the process requires three confirmations to perform the process, so be patient. Remember, this only applies to two of the domainwide FSMOs: PDC Emulator and Infrastructure. The RID FSMO cannot be seized from the GUI tool.
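As an added PowerShell example (mine, not the book's or Microsoft's), the function below follows the same order of operations the chapter shows for the GUI and for ntdsutil: a clean transfer is attempted first, and the role is seized only when the current holder cannot be contacted and the operator has explicitly allowed it. It uses Move-ADDirectoryServerOperationMasterRole from the ActiveDirectory module (Windows Server 2008 R2 and later), covers all five roles including the RID Master that the GUI cannot seize, and re-reads the directory afterwards instead of trusting the cmdlet's silence. The function names and the DC name in the usage line are assumptions taken from the chapter's examples.

```powershell
# Added example, not the book's code. Requires the ActiveDirectory module and the
# permissions the chapter lists: Domain Admin for PDC/RID/Infrastructure,
# Enterprise Admin for Domain Naming, Schema Admin for Schema.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Current holder of one role, read from the directory.
    param([Parameter(Mandatory)][string]$Role)
    switch ($Role) {
        'SchemaMaster'       { return (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { return (Get-ADForest).DomainNamingMaster }
        default              { return (Get-ADDomain).$Role }   # PDCEmulator, RIDMaster, InfrastructureMaster
    }
}

function Move-FsmoRole {
    # Returns 'Transferred', 'Seized' or 'Failed'.
    param(
        [Parameter(Mandatory)][string]$TargetDC,   # DC that is to receive the role
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$AllowSeize   # seizure is opt-in: the old holder must never return to the network still believing it owns the role
    )

    $before = Get-FsmoHolder -Role $Role
    Write-Host "$Role currently on $before; requesting transfer to $TargetDC"

    try {
        # Clean transfer: the current holder is contacted and updated.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false -ErrorAction Stop
        $outcome = 'Transferred'
    } catch {
        Write-Warning "Transfer failed: $($_.Exception.Message)"
        if (-not $AllowSeize) { return 'Failed' }
        # Forced transfer, the equivalent of ntdsutil's "seize <role> master".
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false -ErrorAction Stop
        $outcome = 'Seized'
    }

    # Verify against the directory: compare the first DNS label so that a short
    # name ('dc1') and an FQDN ('dc1.yourfirm.biz') are treated as the same DC.
    $after = Get-FsmoHolder -Role $Role
    if (($after -split '\.')[0] -ne ($TargetDC -split '\.')[0]) {
        Write-Warning "Directory still reports $Role on $after; check replication before retrying."
        return 'Failed'
    }
    return $outcome
}

# Usage with the DC name from the chapter's example (assumed, not a real host):
# Move-FsmoRole -TargetDC 'dc1.yourfirm.biz' -Role RIDMaster -AllowSeize
```

Without -AllowSeize the function stops after a failed transfer, which is the safe default when the holder is merely unreachable for a moment rather than lost; a seizure is appropriate only once you have decided the old DC will not come back.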
Seizing the RID Master, Domain Naming Master, and Schema Master FSMOs

Seizing the roles of RID, Domain Naming, and Schema Master requires the command-line utility NTDSUTIL. Follow these steps to perform this type of seizure:

1. Click Start | Run and type cmd. At the command prompt, type ntdsutil and press Enter.
2. Type Roles | Enter. The prompt will change to fsmo maintenance:.
3. Type Connections | Enter. The prompt changes to server connections:. As in the GUI ADUC, you have to change your DC focus to the DC that is receiving the transferred role.
4. Type Connect to server <servername> and press Enter, where <servername> is the name of the DC receiving the transferred role.
5. Type Quit and press Enter. This completes the focus change and returns you to the fsmo maintenance: prompt.
6. Type Seize <fsmo> master and press Enter, where <fsmo> is the operations master role you are trying to transfer: RID, Domain Naming, or Schema.
7. Type Quit and press Enter to exit the FSMO maintenance, and type Quit and press Enter a second time to exit NTDSUTIL.

Figure 7.37 Failed to Connect to PDC FSMO
Figure 7.38 Forcing a FSMO Transfer

Here is an example of the messages that appear when you seize the RID FSMO from the DC named dc3.yourfirm.biz and give it to dc1.yourfirm.biz:

C:\>ntdsutil
Ntdsutil: roles
Fsmo maintenance: connections
Server connections: connect to server dc1.yourfirm.biz
Binding to dc1.yourfirm.biz…
Connected to dc1.yourfirm.biz using credentials of locally logged on user.
Server connections: quit
Fsmo maintenance: seize rid master

NOTE
A pop-up dialog will appear, requesting confirmation that you want to proceed.

Attempting safe transfer of RID FSMO before seizure.
Ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 00002DAF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of RID FSMO failed, proceeding with seizure…
Searching for highest rid pool in domain
Server "dc1.yourfirm.biz" knows about 5 roles

[...]

Chapter 8: Working with Global Catalog Servers and Schema (MCSA/MCSE 70-294)

Exam Objectives in this chapter:
2.1.3 Add or remove a UPN suffix
1.1 Plan a strategy for placing global catalog servers
1.1.1 Evaluate network traffic considerations when placing global catalog servers
1.1.2 Evaluate the need to enable universal group caching
2.1.2 Manage schema modifications
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives [...]

[...] deactivate the class that was added with the mistake and then rename it. You then can create a new class with the appropriate name and configuration.
B. You must delete the class that has the mistake and simply create the appropriate Class object.
C. You must wait 24 hours before you can delete any new classes in the schema. You can then delete the class and create the corrected Class object.
D. You can go in and [...]

[...] keeps bandwidth usage down.

Q: I am trying to modify the schema but cannot make any changes. Why?
A: Make sure you are logged on as a member of the Schema Admin group. Only Schema Admin members can modify the schema.

Q: What is the difference between a class and an attribute?
A: A class defines [...]
Deactivating Schema Classes and Attributes

If changes or additions are made to the schema, they cannot be deleted. Windows Server 2003 does not allow for deletion of classes or attributes after they are defined in the schema. However, you can deactivate a class or attribute if you don't want to use it anymore. This is essentially the same [...] it if your forest is at the Windows Server 2003 functional level. For example, if you have an attribute that has the wrong syntax, you can deactivate the existing attribute and then create a new attribute with the proper syntax. You can reuse the LDAP display name and the OID. Note that you have to rename the original attribute after you deactivate it and before you create the new attribute to prevent [...]

[...] be reached because the information has been cached.

The schema defines the structure of your Active Directory. Various types of objects can be administered in Active Directory. An object in Active Directory is an instance of a class, such as User or Printer. A class defines the type of object. Associated with each Object class are attributes that can be modified. For example, an attribute can be the Location [...]

[...] a lot of extra traffic because of replication of all the multivalued attributes in an instance. When you are working with Schema objects, there are different ways you can reference an object. Common ways to describe objects include LDAP names, Common Names, and OIDs. LDAP is an industry standard protocol and the primary access protocol for Active Directory. The Common Name is an easier way to identify an [...]

[...] OID is assigned by a third-party authority. There are standards that must be followed in regard to OIDs. We recommend that you follow the naming standards laid out for LDAP and Common Name. You can use the Schema MMC snap-in to do all modifications in regard to GC and schema. To install the snap-in, you must first register the schmmgmt.dll file; then you can create a custom MMC and add the Schema snap-in. The [...]

Working with the Active Directory Schema

The schema is made up of Object classes such as User, Printer, and Server. Each Object class has a series of attributes associated with it. There can be multivalue attributes and single-value attributes. You must be a member of the Schema Admins group to modify the schema. Schema objects [...]

[...] reason for this?

Figure 7.49 Sports Agency of America Domain Tree (sites Montana and Oregon; SAA.us spans two sites; BT.SAA.us and AS.SAA.us each in a single site)

A. The Domain Naming FSMO located in the Montana site is offline
B. The Schema FSMO in the Montana site is offline
C. The FSMOs for AS.SAA.us need to be created before you can create a child domain
D. The Infrastructure FSMO is unavailable

14. Michael is an [...] your branch office located in Fresno, California use this application. Your headquarters is in Santa Rosa, California, and you created a site for each location and set up directory replication over [...]