Detailed explanation of the operations master roles, Active Directory series part nine

Source: Internet
Author: User
Tags: create domain in domain

Detailed explanation of Active Directory operations masters. In the previous post we learned that every domain controller can modify Active Directory autonomously and that its changes are accepted by the other domain controllers. From that perspective the domain controllers are equals, but we must not conclude that there is no difference between them. In fact, the first domain controller in a domain usually takes on more tasks than the others. When an enterprise deploys several domain controllers it tends to forget this special role of the first domain controller, and sometimes even decommissions it carelessly. Such an enterprise soon notices anomalies in the domain: domain user accounts cannot be created, Exchange cannot be installed, child domains cannot be deployed, and so on. The reason is simple: the tasks held by the first domain controller were not handed over to the other domain controllers, and those tasks are essential to a domain, so all of these problems follow. So which extra tasks does the first domain controller carry compared with the others? That is today's topic: the operations masters. An operations master is a role played by a domain controller. There are five operations master roles: the PDC master, the RID master, the infrastructure master, the domain naming master and the schema master. This post describes the purpose of each of the five.

Let us start with the PDC master (the PDC emulator). PDC is short for primary domain controller. In the NT4 era the domain controllers were the PDC (primary domain controller) and the BDC (backup domain controller); only the PDC could modify the directory database, and the BDC's database was replicated from the PDC.
Starting with Windows 2000, every domain controller can modify Active Directory, so why is there still a PDC master role among the operations masters in Windows 2003? The reason is this: to protect customers' earlier investment, an NT4 server is allowed to act as an additional domain controller in a Windows 2003 domain, but an NT4 domain controller must be able to contact the PDC of the domain, and in that case the PDC master steps forward and plays the primary domain controller toward the NT4 domain controller. This is the first use of the PDC master: compatibility with NT4 servers. The second use of the PDC master is priority in the master browser election. The browser here is not a web browser but a computer role on the network. When you open Network Neighborhood you can see which computers are currently on the network, and by double-clicking a computer name you can see the shared resources it offers. Who provides this list of network resources? On a Microsoft network it is provided by a computer called the master browser. Which computers can become the master browser? Any computer running Windows for Workgroups 3.1 or later has the opportunity to become the master browser. If more than one computer on a network wants to be the master browser, the computers hold an "election" to settle it; the election packets we sometimes see in a packet capture belong to this process. The election first compares operating system versions, and the newer version has priority to become the master browser, so Windows 2003 beats Windows 2000. If the operating system versions are the same, the next comparison is whether the computer is a domain controller; a domain controller takes precedence over an ordinary computer. If several domain controllers take part in the election, the PDC master takes precedence.
Finally, if there is more than one domain in a broadcast domain and therefore several PDC operations masters, how is the master browser elected? Among them the final winner is decided by GUID. The third use of the PDC master is urgent replication in Active Directory. Active Directory normally replicates on a 5-minute cycle, but some urgent events, such as a change to a user's password, cannot wait. In that case the source domain controller notifies the PDC master in the shortest possible time, and the PDC master handles these urgent Active Directory events. If a domain controller finds that the password entered by a user does not match the password stored in Active Directory, it considers two possibilities: the user may have typed it wrong, or the user may have entered the correct password while this domain controller's own copy of Active Directory has not yet received the latest change. To avoid a wrong decision, the domain controller queries the PDC master to verify whether the password is correct, because, as mentioned earlier, whichever domain controller changes a user's password notifies the PDC master as quickly as possible. Besides these uses, the PDC master also acts as the authoritative time source in the domain, and it is the preferred location for storing Group Policy. Incidentally, the PDC master's role level is the domain level, which means that only one domain controller in a domain can act as PDC master.

Having described the role of the PDC master, let us introduce the RID master. The RID is part of the SID, so what is the SID? The SID is the security identifier. When we create a user account or computer account in a domain, the operating system creates a corresponding SID for that account; it is really the SID that stands for the user account or computer account.
The SID of a domain user has the form S-1-5-21-d1-d2-d3-rid. S is the abbreviation for SID, 1 is the SID version (revision) number, 5 is the issuing authority, 21 is a sub-authority, d1-d2-d3 are three numbers identifying the domain or computer in which the object lives, and the RID is the relative identifier of the object within that domain or computer. Take the familiar administrator account as an example: the administrator's SID is S-1-5-21-3855104193-3464347045-3256418734-500, where the RID is 500. The RID is the part of the SID that is handed out by the RID master, which provides Active Directory with a pool of available RIDs (500 by default); when the RIDs in the pool have been consumed to a certain degree, the pool is automatically replenished. If the RID master fails, we will obviously have trouble creating large numbers of user accounts. Like the PDC master, the RID master's role level is the domain level.

The infrastructure master's job is to update references to cross-domain objects. If a user from domain A joins a group in domain B, the infrastructure master of domain B is responsible for tracking changes to that user in domain A, for example whether it has been deleted; the work of the infrastructure master keeps object references between domains usable. In a single domain there is essentially nothing for the infrastructure master to do. In a multi-domain forest, remember that the infrastructure master must not be placed on the same domain controller as the GC (global catalog), or the infrastructure master will not function properly. The role level of the infrastructure master is also the domain level.
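Returning to the SID format given under the RID master: the following PowerShell, added here and not part of the original post, splits a SID of the form S-1-5-21-d1-d2-d3-rid into its fields, names a few well-known RIDs, and checks whether two SIDs belong to the same domain. The function names are my own and the well-known RID table is a small subset.

```powershell
# Added example: split a domain SID into the fields described in the text.
function Parse-DomainSid {
    param([Parameter(Mandatory)][string]$Sid)
    # S-1-5-21-d1-d2-d3-rid: revision, issuing authority, sub-authority 21,
    # three domain/computer identifiers, then the object's relative ID.
    $m = [regex]::Match($Sid, '^S-(\d+)-(\d+)-21-(\d+)-(\d+)-(\d+)-(\d+)$', 'IgnoreCase')
    if (-not $m.Success) {
        throw "Not a domain or computer SID in S-1-5-21-d1-d2-d3-rid form: $Sid"
    }
    # Small subset of well-known RIDs; the text's Administrator example is RID 500.
    $wellKnown = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
                    512 = 'Domain Admins'; 513 = 'Domain Users'; 515 = 'Domain Computers' }
    $rid = [int]$m.Groups[6].Value
    [pscustomobject]@{
        Revision      = [int]$m.Groups[1].Value
        Authority     = [int]$m.Groups[2].Value
        DomainSid     = 'S-1-5-21-{0}-{1}-{2}' -f $m.Groups[3].Value, $m.Groups[4].Value, $m.Groups[5].Value
        Rid           = $rid
        WellKnownName = $wellKnown[$rid]   # $null for ordinary accounts
        # RIDs below 1000 are reserved; accounts created later draw from the RID pool
        FromRidPool   = ($rid -ge 1000)
    }
}

# Two objects are in the same domain when their d1-d2-d3 part matches.
function Test-SameDomainSid {
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)
    (Parse-DomainSid $SidA).DomainSid -eq (Parse-DomainSid $SidB).DomainSid
}

# The administrator SID quoted in the text, plus a constructed ordinary user SID (RID 1105).
Parse-DomainSid 's-1-5-21-3855104193-3464347045-3256418734-500' | Format-List
Test-SameDomainSid 'S-1-5-21-3855104193-3464347045-3256418734-500' `
                   'S-1-5-21-3855104193-3464347045-3256418734-1105'
```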
The domain naming master, a forest-level role, is primarily responsible for controlling the addition and removal of domains in the forest. That means when a new domain is added to the forest, the domain naming master must confirm that the domain name is valid before the operation can continue; if the domain naming master is offline, we cannot finish creating a new domain in the forest. Besides validating domain names, the domain naming master is responsible for adding and removing the cross-reference objects that describe external directories. The last one to introduce is the schema master, whose role level is likewise the forest level. The schema master is important: if you want to modify the Active Directory schema, it can only be done from the schema master. Many of Microsoft's server products need to modify the Active Directory schema when they are deployed, such as Exchange, Office Communications Server, SMS and so on. Take the best-known one, Exchange: if the schema master cannot be contacted when we deploy Exchange in the domain, the Exchange deployment cannot continue, and the MCSE exam has tested exactly this point. From the introduction above we can see that each operations master has its own function, and once an operations master has a problem we will run into all kinds of trouble, so in the next post we will describe how to transfer operations master roles and how to seize them. Stay tuned.
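As a practical check of the roles described above, here is a PowerShell script added to this page (not from the original post) that lists which domain controller holds each of the five operations masters and warns when the infrastructure master is on a global catalog in a multi-domain forest. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain and forest; the function name is my own.

```powershell
# Added example: report the five operations master holders and check the
# infrastructure master / global catalog rule from the text.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # defaults to the current domain
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    # Three domain-level roles come from the domain object, two forest-level roles from the forest.
    $roles = [ordered]@{
        'PDC emulator'          = $d.PDCEmulator
        'RID master'            = $d.RIDMaster
        'Infrastructure master' = $d.InfrastructureMaster
        'Domain naming master'  = $f.DomainNamingMaster
        'Schema master'         = $f.SchemaMaster
    }
    $report = foreach ($r in $roles.GetEnumerator()) {
        # Ask the holder about itself so forest-level holders in other domains resolve too.
        $dc = Get-ADDomainController -Identity $r.Value -Server $r.Value
        [pscustomobject]@{
            Role            = $r.Key
            Holder          = $r.Value
            IsGlobalCatalog = $dc.IsGlobalCatalog
            Site            = $dc.Site
        }
    }
    # Rule from the text: in a multi-domain forest the infrastructure master must not be a GC.
    # Known refinement: if every DC in the domain is a GC there is nothing left to update, so no warning.
    $infra       = $report | Where-Object Role -eq 'Infrastructure master'
    $allDcs      = @(Get-ADDomainController -Filter * -Server $Domain)
    $allAreGc    = @($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $multiDomain = @($f.Domains).Count -gt 1
    if ($multiDomain -and $infra.IsGlobalCatalog -and -not $allAreGc) {
        Write-Warning "Infrastructure master $($infra.Holder) is a global catalog; cross-domain object references in $Domain will not be updated."
    }
    $report
}

Get-OperationsMasterReport | Format-Table -AutoSize
```

Run it before decommissioning any domain controller: a holder that appears in this report must have its roles transferred first, which is the subject of the next post.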
