Friday, 20 July 2012

FSMO Roles in Active Directory in Windows 2008 Server

FSMO Roles in Active Directory in Windows 2008 Server
Lot of applications now-a-days use Active Directory. If you associate your application with username that is part of a domain environment, or the computer where you have installed your application is the member of domain, it can be used for authentication or for many other purposes. Hence, it's somewhere linked with your Windows AD. If you are using Windows AD in your environment it's essential to understand FSMO roles that maintains Active Directory health. So to understand the importance, in this article you will learn what are the roles, its features, and how to seize them in case of any failures.

Flexibility Schema Operations Master (FSMO) Roles in 2008 Server

As we are all aware that certain tasks needs to be performed by single one, so as far AD 2008 goes some tasks are performed by single domain controller and they jointly called as FSMO roles.
There are five roles:
They are further classified in two

1. Forest Roles

·               Schema Master - As name suggests, the changes that are made while creation of any object in AD or changes in attributes will be made by single domain controller and then it will be replicated to another domain controllers that are present in your environment. There is no corruption of AD schema if all the domain controllers try to make changes. This is one of the very important roles in FSMO roles infrastructure.
·               Domain Naming Master - This role is not used very often, only when you add/remove any domain controllers. This role ensures that there is a unique name of domain controllers in environment.

2. Domain Roles

·               Infrastructure Master - This role checks domain for changes to any objects. If any changes are found then it will replicate to another domain controller.
·               RID Master - This role is responsible for making sure each security principle has a different identifier.
·               PDC emulator - This role is responsible for Account policies such as client password changes and time synchronization in the domain

Where these roles are configured?

1.              Domain wide roles are configured in Active Directory users and computers. Right click and select domain and here option is operations master.
2.              Forest roles Domain Naming master is configured in active directory domain and trust right click and select operations master. It will let you know the roles.
3.              (c)Forest roles Schema Master is not accessible from any tool as they want to prevent this. Editing schema can create serious problem in active directory environment. To gain access you need to create snap-in and register dll file by regsvr32 schmmgmt.dll.

Seizing of Roles

In case of failures of any server you need to seize the roles. This is how it can be done:

For Schema Master:

Go to cmd prompt and type ntdsutil
1.              Ntdsutil: prompt type roles to enter fsmo maintenance.
2.              Fsmo maintenance: prompt type connections to enter server connections.
3.              Server connections: prompt, type connect to server domain controller, where
Domain controller is the name of the domain controller to which you are going to transfer the role
4.              Server connections: prompt, type quit to enter fsmo maintenance.
5.              Fsmo maintenance: prompt, type seize schema master.
After you have Seize the role, type quit to exit NTDSUtil.

For Domain Naming Master:

Go to cmd prompt and type ntdsutil
1.              Ntdsutil: prompt type roles to enter fsmo maintenance.
2.              Fsmo maintenance: prompt type connections to enter server connections.
3.              Server connections: prompt, type connect to server domain controller, where
Domain controller is the name of the domain controller to which you are going to transfer the role
4.              Server connections: prompt, type quit to enter fsmo maintenance.
5.              Fsmo maintenance: prompt, type seize domain naming master.
After you have Seize the role, type quit to exit NTDSUtil.

For Infrastructure Master Role:

Go to cmd prompt and type ntdsutil
1.              Ntdsutil: prompt type roles to enter fsmo maintenance.
2.              Fsmo maintenance: prompt type connections to enter server connections.
3.              Server connections: prompt, type connect to server domain controller, where
Domain controller is the name of the domain controller to which you are going to transfer the role
4.              Server connections: prompt, type quit to enter fsmo maintenance.
5.              Fsmo maintenance: prompt, type seize infrastructure master.
After you have Seize the role, type quit to exit NTDSUtil.

For RID Master Role:

Go to cmd prompt and type ntdsutil
1.              Ntdsutil: prompt type roles to enter fsmo maintenance.
2.              Fsmo maintenance: prompt type connections to enter server connections.
3.              Server connections: prompt, type connect to server domain controller, where
Domain controller is the name of the domain controller to which you are going to transfer the role
4.              Server connections: prompt, type quit to enter fsmo maintenance.
5.              Fsmo maintenance: prompt, type seize RID master.
After you have Seize the role, type quit to exit NTDSUtil.

For PDC Emulator Role:

Go to cmd prompt and type ntdsutil
1.              Ntdsutil: prompt type roles to enter fsmo maintenance.
2.              Fsmo maintenance: prompt type connections to enter server connections.
3.              Server connections: prompt, type connect to server domain controller, where
Domain controller is the name of the domain controller to which you are going to transfer the role
4.              Server connections: prompt, type quit to enter fsmo maintenance.
5.              Fsmo maintenance: prompt, type seize PDC.
After you have Seize the role, type quit to exit NTDSUtil.

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.  Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
·               Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
·               Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
·               Account lockout is processed on the PDC emulator.
·               Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
·               The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
What is a proxy server?
A proxy server, also known as a "proxy" or "application level gateway", is a computer that acts as a gateway between a local network (e.g., all the computers at one company or in one building) and a larger-scale network such as the Internet. Proxy servers provide increased performance and security. In some cases, they monitor employees' use of outside resources.
A proxy server works by intercepting connections between sender and receiver. All incoming data enters through one port and is forwarded to the rest of the network via another port. By blocking direct access between two networks, proxy servers make it much more difficult for hackers to get internal addresses and details of a private network.
Some proxy servers are a group of applications or servers that block common Internet services. For example, an HTTP proxy intercepts web access, and an SMTP proxy intercepts email. A proxy server uses a network addressing scheme to present one organization-wide IP address to the Internet. The server funnels all user requests to the Internet and returns responses to the appropriate users. In addition to restricting access from outside, this mechanism can prevent inside users from reaching specific Internet resources (e.g., certain web sites). A proxy server can also be one of the components of a firewall.
Proxies may also cache web pages. Each time an internal user requests a URL from outside, a temporary copy is stored locally. The next time an internal user requests the same URL, the proxy can serve the local copy instead of retrieving the original across the network, improving performance.
Note: Do not confuse a proxy server with a NAT (Network Address Translation) device. A proxy server connects to, responds to, and receives traffic from the Internet, acting on behalf of the client computer, while a NAT device transparently changes the origination address of traffic coming through it before passing it to the Internet.

Defragmentation
Exchange Server 2007 performs an automated daily defragmentation as part of the scheduled database maintenance. This process, known as an online defragmentation, is intended to keep the databases healthy and free from corruption, but it does not shrink the physical size of the database. The process rearranges mailbox store and public folder store data more efficiently, eliminating unused storage space. Online defragmentation makes additional database space available by detecting and removing database objects that are no longer being used.
In an Exchange environment, as more data is added to a database, the database grows in size. When messages or mailboxes are deleted, however, the database does not decrease in size, it simply frees up available “whitespace” that can be overwritten by new mail or mailboxes.
Although this is not normally a problem for an environment, there are scenarios in which it can create issues. For example, if a database was to grow extremely large and, in an effort to redistribute the load, an administrator was to move 50% of the mailboxes to another server, the database would still remain the same size. Even though the database contains 50% whitespace, it still must be backed up in its entirety and, in the event of a disaster, would have to be restored as such.
The only way to shrink a database is to perform an offline defragmentation, which is a manual process utilizing the eseutil /d command. To determine the amount of whitespace contained within a database, view the application log of the Exchange server and filter on Event ID 1221. This event shows how much free space exists within each database.
Offline drag is a complicated process. Defrag actually works by reading the original database, and copying used database pages into the brand new database file. When that is all done, delete the original database file and rename the new one and copy it into original database file's place. You need to take your databases offline in order to run Offline drag and it is a time consuming process too. Offline defrag is definitely not something to do on regular basis. And it is typically not needed either. You usually do it when your exchange database is growing to its limits or you done a hard repair of the database.
Online Defragmentation
·               Defrag the database online
·               Occurs automatically as part of the database maintenance process
·               Detects and removes database objects that are no longer being used, without changing the file size of the database
Offline Defragmentation
·               Must dismount database first
·               Run Eseutil /d manually.
·               Reduce the physical size of the Exchange database.