This article from the "yue lei's Microsoft Network Classroom" blog, please be sure to keep this source http://yuelei.blog.51cto.com/202879/127848
In the previous post we saw that every domain controller can modify Active Directory on its own and that the other domain controllers accept its changes. In that sense all domain controllers are peers, but that does not mean there is no difference between them. In practice the first domain controller of a domain carries more responsibilities than the others.
Some companies deploy several domain controllers and forget about the special position of the first one; occasionally the first domain controller is retired or rebuilt without a second thought. Before long, odd failures appear in the domain: new user accounts cannot be created, Exchange cannot be installed, child domains cannot be added. The reason is simple. The extra tasks held by the first domain controller were never handed over to another domain controller, and a domain cannot function without them. So what are those extra tasks? That is today's topic: the operations masters.
An operations master (Microsoft also calls these FSMO roles, for flexible single master operations) is a role held by one domain controller. There are five operations master roles: the PDC emulator, the RID master, the infrastructure master, the domain naming master and the schema master. This post explains what each of the five does.
We start with the PDC emulator, named after the primary domain controller of the NT4 era. In an NT4 domain the domain controllers were divided into one PDC (primary domain controller) and any number of BDCs (backup domain controllers); only the PDC could write to the directory database, and the BDCs held read-only copies replicated from it. From Windows 2000 on, every domain controller can write to Active Directory, so why does a Windows 2003 domain still have a PDC role? To protect customers' existing investment, Microsoft lets NT4 BDCs remain in a Windows 2000/2003 domain (mixed mode). An NT4 BDC, however, must replicate from a PDC, so one Windows domain controller has to step forward and speak to the NT4 BDCs as if it were the PDC. This is the first job of the PDC emulator: backward compatibility with NT4.
The second job of the PDC emulator is to win master browser elections. The browser here is not a web browser but a role a computer plays on the network. When you open Network Neighborhood you see which computers are on the network and can double-click one to see the shares it offers. Who supplies that list of network resources? In Microsoft networks it is supplied by a computer acting as the browser. Which computers can become the master browser? Any machine running Windows for Workgroups 3.11 or later can. If several computers on a segment want the job, they settle it by election; the election packets you sometimes see in a packet capture belong to this process. The election compares the operating system version first, and the newer version wins, so Windows 2003 beats Windows 2000. With the same operating system, a domain controller beats an ordinary computer. Among several domain controllers, the PDC emulator wins. If one broadcast domain contains several domains, and therefore several PDC emulators, the remaining tie is decided by the other fields of the election packet (the browser protocol compares up-time and, last of all, the computer name).
The third job of the PDC emulator is to receive urgent Active Directory changes first. Normally a change made on one domain controller waits for the replication notification delay (5 minutes by default on Windows 2000, 15 seconds at the Windows Server 2003 forest functional level) before it reaches the others. Some changes cannot wait that long, a password change being the typical case. When a user's password is changed on any domain controller, that domain controller pushes the new password to the PDC emulator immediately, so the PDC emulator always holds the most recent password of every user. That makes the following possible: when a domain controller finds that the password a user typed does not match the one it has stored, there are two possibilities, either the user typed it wrong or the user changed the password recently and this domain controller has not received the change yet. Rather than guess, the domain controller forwards the logon request to the PDC emulator and lets it decide, because, as just said, the PDC emulator is the first to learn of every password change.
Beyond these, the PDC emulator is the authoritative time source of its domain (the PDC emulator of the forest root domain sits at the top of the time hierarchy, and the PDC emulators of child domains synchronize from it), and the Group Policy editor connects to the PDC emulator by default when a GPO is edited, so that two administrators editing the same GPO on different domain controllers do not overwrite each other's changes. Note that the PDC emulator is a domain-level role: each domain has exactly one PDC emulator.
After the PDC emulator comes the RID master. A RID is one part of a SID. What is a SID? A SID is a security identifier. When we create a user or computer account in the domain, the operating system creates a SID for the new account; it is really the SID, not the name, that identifies the account. The SID of a domain account looks like S-1-5-21-D1-D2-D3-RID: S stands for SID, 1 is the SID revision, 5 is the identifier authority (NT Authority), 21 is the sub-authority meaning "non-unique, domain or machine account", D1-D2-D3 together identify the domain (or the stand-alone computer) the object belongs to, and the RID (relative identifier) is the number of the object within that domain or computer. Take the familiar Administrator account as an example: its SID is S-1-5-21-3855104193-3464347045-3256418734-500, where the RID is 500.
So the RID is the part of the SID that must be unique inside the domain, and because any domain controller may create accounts, something has to stop two domain controllers from issuing the same RID. That is the RID master's job: it hands each domain controller a pool of RIDs (500 at a time by default) from which that domain controller creates its accounts, and when a domain controller's pool runs low it asks the RID master for another one. If the RID master is down, each domain controller can keep creating accounts only until its current pool is used up, which is why bulk account creation is the first thing to fail. Like the PDC emulator, the RID master is a domain-level role: one per domain.
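To make the SID layout and the RID pools concrete, here is an added PowerShell example; it is not code from the original post. Split-DomainSid takes a SID apart into its domain identifier and RID, and ConvertFrom-RidPool unpacks the 64-bit values in which the RID master records RID pools (low 32 bits = first RID of the range, high 32 bits = last RID; for rIDAvailablePool the low half is the next RID the RID master will give out and the high half is the domain's RID ceiling). The SIDs other than the Administrator one from the text and all pool numbers are constructed test values, not taken from a real domain.

```powershell
# Added example, not code from the original post. All SIDs except the Administrator
# one quoted in the text, and all pool numbers, are constructed test values.

function Split-DomainSid {
    param([Parameter(Mandatory)][string]$Sid)
    # .NET validates the string and throws on a malformed SID.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $parts  = $sidObj.Value -split '-'      # S, revision, authority, sub-authorities..., RID
    $rid    = [uint32]$parts[-1]
    # RIDs below 1000 are reserved for well-known accounts and groups; the RIDs a
    # domain controller hands out from a RID-master pool start at 1000.
    $wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
                    512 = 'Domain Admins'; 513 = 'Domain Users' }
    $name = 'reserved (not in this table)'
    if ($rid -ge 1000)                      { $name = 'issued from a RID pool' }
    if ($wellKnown.ContainsKey([int]$rid))  { $name = $wellKnown[[int]$rid] }
    [pscustomobject]@{
        Sid       = $sidObj.Value
        Revision  = [int]$parts[1]
        Authority = [int]$parts[2]           # 5 = NT Authority
        # AccountDomainSid is S-1-5-21-D1-D2-D3; it is $null for SIDs such as
        # S-1-5-18 (LocalSystem) that belong to no domain or machine.
        DomainSid = $(if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null })
        Rid       = $rid
        Name      = $name
    }
}

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][long]$PackedValue)
    # rIDAllocationPool and rIDPreviousAllocationPool on a DC's RID Set object, and
    # rIDAvailablePool on CN=RID Manager$, pack two 32-bit numbers into one 64-bit
    # integer: the low 32 bits are the first RID of the range, the high 32 bits the
    # last one.
    $mask  = [long]4294967295                # 0xFFFFFFFF in decimal; the hex literal parses as -1
    $start = [uint32]($PackedValue -band $mask)
    $end   = [uint32](($PackedValue -shr 32) -band $mask)
    [pscustomobject]@{ Start = $start; End = $end; Size = [long]$end - [long]$start + 1 }
}

Split-DomainSid 'S-1-5-21-3855104193-3464347045-3256418734-500'    # the Administrator SID from the text
Split-DomainSid 'S-1-5-21-3855104193-3464347045-3256418734-1104'   # constructed: an ordinary domain user
Split-DomainSid 'S-1-5-18'                                         # LocalSystem: no domain part
ConvertFrom-RidPool 9015136355904            # constructed: 2099 * 2^32 + 1600, one 500-RID pool
ConvertFrom-RidPool 4611686014132422708      # constructed: 1073741823 * 2^32 + 2100, an rIDAvailablePool

# The live values, on a domain member with the ActiveDirectory module (RSAT) installed:
#   Get-ADObject -LDAPFilter '(objectClass=rIDSet)' -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
#   Get-ADObject ('CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName) -Properties rIDAvailablePool, fSMORoleOwner
```

Reading the live attributes is the quickest way to see the RID master at work: each domain controller's RID Set shows the pool it is drawing from, and the RID Manager$ object shows the next RID the RID master will hand out plus, in fSMORoleOwner, which domain controller currently holds the role.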
The infrastructure master keeps references to objects in other domains up to date. If a user from domain A is made a member of a group in domain B, the infrastructure master of domain B watches the user object in domain A for changes, for example whether it was renamed, moved or deleted, and updates the group membership accordingly. It is what keeps cross-domain object references usable. In a single-domain forest there is nothing for the infrastructure master to do. In a multi-domain forest, remember not to put the infrastructure master on a domain controller that is also a global catalog (GC): a GC already holds a copy of every object in the forest, so it never notices that its references are stale and the infrastructure master stops updating anything. The one exception is a domain in which every domain controller is a GC, because then no domain controller holds stale references in the first place. The infrastructure master is also a domain-level role.
The next operations master is the domain naming master, and this one is a forest-level role. The domain naming master controls adding domains to and removing domains from the forest: when a new domain is created, the domain naming master must confirm that the name is unique in the forest before the operation can continue, and if the domain naming master is offline no domain can be created or removed. Besides domain names, the domain naming master also adds and removes the cross-reference objects that describe directory partitions, including those that point to external directories.
Finally, the schema master, which is also a forest-level role and a very important one. The Active Directory schema can be modified only on the schema master. Many of Microsoft's server products extend the schema during deployment, Exchange, Office Communications Server and SMS among them. Take the best known, Exchange: if the schema master cannot be reached when Exchange is set up in the domain, setup cannot continue. This point has appeared on the MCSE exam.
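Since the whole point of this post is that a missing or misplaced role holder breaks the domain, here is an added PowerShell check, not code from the original post, that lists the five role holders (the two forest-level ones from Get-ADForest, the three domain-level ones from Get-ADDomain), pings each of them, and applies the infrastructure-master placement rule from the paragraph on the infrastructure master above. It needs the ActiveDirectory module (RSAT) on a domain member and assumes nothing about server or domain names; the reachability test uses ICMP and will report false negatives where ping is filtered.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module; run it on a domain-joined machine as a domain user.

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)     # every DC of the current domain

    $holders = [ordered]@{
        'Schema master (forest)'         = $forest.SchemaMaster
        'Domain naming master (forest)'  = $forest.DomainNamingMaster
        'PDC emulator (domain)'          = $domain.PDCEmulator
        'RID master (domain)'            = $domain.RIDMaster
        'Infrastructure master (domain)' = $domain.InfrastructureMaster
    }

    # A role holder that does not answer is the situation described in the text:
    # nobody else in the domain will pick up its job. (ICMP may be filtered.)
    $unreachable = @($holders.Values | Sort-Object -Unique |
        Where-Object { -not (Test-Connection -ComputerName $_ -Count 1 -Quiet) })

    # The infrastructure master matters only in a multi-domain forest, and it only
    # breaks on a GC when some other DC of the domain is not a GC: a GC already holds
    # every object in the forest, so it never sees a stale cross-domain reference.
    $infra       = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $multiDomain = @($forest.Domains).Count -gt 1
    $everyDcIsGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $misplaced   = $multiDomain -and [bool]$infra.IsGlobalCatalog -and -not $everyDcIsGc

    [pscustomobject]@{
        Forest                  = $forest.Name
        Domain                  = $domain.DNSRoot
        Holders                 = $holders
        UnreachableHolders      = $unreachable
        MultiDomainForest       = $multiDomain
        InfrastructureMasterGC  = [bool]$infra.IsGlobalCatalog
        EveryDcIsGC             = $everyDcIsGc
        InfrastructureMisplaced = $misplaced
    }
}

$report = Get-OperationsMasterReport
foreach ($entry in $report.Holders.GetEnumerator()) {
    '{0,-32} {1}' -f $entry.Key, $entry.Value
}
foreach ($dc in $report.UnreachableHolders) {
    Write-Warning ('Role holder {0} does not answer; the roles it holds are unavailable.' -f $dc)
}
if ($report.InfrastructureMisplaced) {
    $msg = 'Infrastructure master {0} is a global catalog in a multi-domain forest while other DCs are not; ' +
           'move the role to a DC that is not a GC (Move-ADDirectoryServerOperationMasterRole) or make every DC a GC.'
    Write-Warning ($msg -f $report.Holders['Infrastructure master (domain)'])
}
```

The same five holders can be printed with the older command-line tool, netdom query fsmo, but it does not tell you whether the infrastructure master sits on a GC; that is the check people forget in a multi-domain forest.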
From the above we can see that each operations master has its own job, and when one of them fails we run into all kinds of trouble. In the next post we will look at how to transfer operations master roles, and how to seize them when the holder is gone for good.