Active Directory operations master (FSMO) roles

Source: Internet
Author: User
Tags: domain

AD defines five operations master roles (FSMO, Flexible Single Master Operations):

Schema master: forest level (a forest has exactly one schema master)

Domain naming master: forest level

Relative ID (RID) master: domain level (each domain has exactly one RID master)

PDC emulator (primary domain controller emulator): domain level

Infrastructure master: domain level

Schema Master (forest level)

Function: controls the definition of every object class and attribute in Active Directory.

Tip: run regsvr32 schmmgmt.dll to register the Schema snap-in; managing the role requires membership in the Schema Admins group.

Failure impact: schema updates are blocked; otherwise the impact is generally invisible in the short term.

Typical problem: Exchange cannot be installed.

Recovery: only seizure is possible, and the role must never be transferred back; the original role holder must stay offline for good.

Only the schema master can modify the Active Directory schema. Many advanced server products, such as Exchange, need to modify the schema during deployment; if the schema master cannot be reached while Exchange is being deployed in the domain, the deployment cannot continue. This is a standard MCSE exam point.

Domain Naming Master (forest level)

Function: controls adding and removing domains in the forest, and adding and removing cross-reference objects to external directories.

Tip: recommended to be placed on a GC; managing the role requires membership in the Enterprise Admins group.

Failure impact: changes to the domain structure are blocked; no other short-term impact.

Typical problem: a domain cannot be added or deleted.

Recovery: only seizure is possible, and the role must never be transferred back; the original role holder must stay offline for good.

It is mainly responsible for controlling the addition and removal of domains in the forest: when a new domain is added, the domain naming master must confirm that the domain name is valid before the operation can continue. If the domain naming master is offline, no new domain can be created in the forest. Besides validating domain names, it is also responsible for adding and removing the cross-reference objects that describe external directories.

RID Master (domain level)

Function: manages the pool of relative identifiers (RIDs) for objects in the domain.

Object security identifier (SID) = domain SID + relative identifier (RID)

Example: S-1-5-21-1343024091-879983540-3...

Layout: S-1-5-21-D1-D2-D3-RID. S marks a SID; 1 is the SID revision (version); 5 is the identifier authority (NT Authority); 21 is the sub-authority used for non-unique (domain or computer) SIDs; D1-D2-D3 are three numbers identifying the domain or computer that holds the object; RID is the object's relative identifier within that domain or computer. For example, the built-in Administrator's SID is S-1-5-21-3855104193-3464347045-3256418734-500, where the RID is 500.
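The following function splits a SID into the components described above and labels the well-known RIDs. It is an added example, not part of the original page; the Split-Sid name and the FromRidPool field are my own, and the sample SID is the Administrator SID quoted above.

```powershell
# Added example: parse a domain/computer SID of the form S-1-5-21-D1-D2-D3-RID.
# Well-known RIDs below 1000 are reserved; the RID master allocates pools from 1000 up.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)

    $parts = $Sid.Split('-')
    # Need S, revision, authority, sub-authority 21, D1, D2, D3 and a RID.
    if ($parts[0] -ne 'S' -or $parts.Count -lt 8 -or $parts[3] -ne '21') {
        throw "Not a domain or computer SID: $Sid"
    }

    # Reserved RIDs that every domain has (facts, not page-specific values).
    $wellKnown = @{
        500 = 'Administrator'; 501 = 'Guest';          502 = 'krbtgt'
        512 = 'Domain Admins';  513 = 'Domain Users';   519 = 'Enterprise Admins'
    }
    $rid = [int]$parts[-1]

    [PSCustomObject]@{
        Revision     = [int]$parts[1]             # 1
        Authority    = [int]$parts[2]             # 5 = NT Authority
        SubAuthority = [int]$parts[3]             # 21 = non-unique domain/computer SID
        DomainSid    = ($parts[0..6] -join '-')   # S-1-5-21-D1-D2-D3
        Rid          = $rid
        WellKnown    = $wellKnown[$rid]           # $null when not a reserved RID
        FromRidPool  = ($rid -ge 1000)            # allocated by the RID master
    }
}

# Constructed call using the Administrator SID quoted in the text.
Split-Sid 'S-1-5-21-3855104193-3464347045-3256418734-500'
```

The DomainSid field is what the RID master's pool is combined with when a new object is created; two objects with the same DomainSid but different RIDs belong to the same domain.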

Failure impact: new RID pools cannot be allocated.

Typical problem: user accounts (especially large numbers of them) cannot be created.
Recovery: only seizure is possible, and the role must never be transferred back; the original role holder must stay offline for good.

The RID is part of the SID. The RID master hands each DC a pool of RIDs (500 by default) and automatically allocates a new pool once the current one is largely consumed. If the RID master fails, creating large numbers of user accounts clearly becomes a serious problem.

PDC Emulator (domain level)
Function: emulates a Windows NT PDC; acts as the default domain master browser and the default authoritative time source for the domain; centrally handles domain account password updates, verification and lockouts.

Tip: the PDC emulator does far more than emulate an NT PDC, and it carries a high load.

Failure impact: down-level clients cannot access AD or change domain account passwords; browser service and time synchronization problems.

Recovery: must be restored promptly. The role can be transferred online to another host.

Compatible with NT4 servers; preferred master browser (a network role that maintains the list of computers shown in Network Neighborhood); receives preferential replication (changes to AD content are replicated to the PDC emulator first); authoritative time source for the domain; preferred storage location for Group Policy.

Infrastructure Master (domain level)

Function: updates cross-domain object references.

Tip: in a single-domain forest the infrastructure master has nothing to do; in a multi-domain forest it must not be placed on a GC (unless the domain has only one DC)
Failure impact: accounts from other domains cannot be resolved and are displayed as raw SIDs.

Recovery: must be restored promptly. The role can be transferred online to another host.

The infrastructure master's job is to keep cross-domain object references up to date. If a user in domain A is added to a group in domain B, domain B's infrastructure master is responsible for tracking whether that domain A user has changed, for example whether the user has been deleted. This keeps object references between domains usable.

Consequently, in a single domain the infrastructure master has essentially nothing to do.

In a multi-domain forest, do not place the infrastructure master on the same DC as a GC (Global Catalog); otherwise the infrastructure master cannot work properly.

Suggestions on placing the operations masters
Defaults: the schema master and the domain naming master are on the first DC of the forest root domain; the other three roles (RID master, PDC emulator and infrastructure master) are on the first DC of each respective domain.

Considerations: conflicts with the GC, and performance.

Manual optimization: keep the infrastructure master and the GC apart; put the domain naming master on a GC; the schema master and the domain naming master can be co-located; the PDC emulator is best placed on its own.
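The placement rules above can be checked from a domain-joined admin session with the ActiveDirectory RSAT module. This is an added example, not from the original page; it assumes the module is installed and reads the role holders with Get-ADForest and Get-ADDomain (real cmdlets), then flags an infrastructure master that sits on a GC in a multi-domain forest.

```powershell
# Added example: list FSMO role holders and audit the infrastructure master / GC rule.
Import-Module ActiveDirectory

$forest = Get-ADForest          # forest-level roles live here
$domain = Get-ADDomain          # domain-level roles live here

# Current role holders (equivalent to "netdom query fsmo")
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Placement audit: in a multi-domain forest the infrastructure master must not be a GC
# (unless every DC in the domain is a GC, in which case there are no phantoms to update).
$dcs         = Get-ADDomainController -Filter *
$gcHosts     = $dcs | Where-Object { $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName
$multiDomain = $forest.Domains.Count -gt 1
$imOnGc      = $gcHosts -contains $domain.InfrastructureMaster
$allDcsAreGc = (@($gcHosts).Count -eq @($dcs).Count)

if ($multiDomain -and $imOnGc -and -not $allDcsAreGc) {
    Write-Warning ("Infrastructure master {0} is a GC in a multi-domain forest; " +
                   "cross-domain references will not be updated.") -f $domain.InfrastructureMaster
} else {
    Write-Output "Infrastructure master placement is consistent with the GC rule."
}

# Flag the single-point-of-failure case the text warns about for the PDC emulator:
# a DC holding every domain-level role at once.
$domainRoles = @($domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster)
if (($domainRoles | Select-Object -Unique).Count -eq 1) {
    Write-Warning "All domain-level roles are on $($domain.PDCEmulator); consider moving the PDC emulator to its own DC."
}
```

To move a role online the same module offers Move-ADDirectoryServerOperationMasterRole; the -Force switch on that cmdlet performs the seizure the text describes for a dead schema, domain naming or RID master.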
