0% found this document useful (0 votes)

7 views53 pages

Domain Controllers and Roles

Lesson 16 covers the configuration of domain controllers in Windows Server 2012, including the installation of Read-Only Domain Controllers (RODC) and the cloning of domain controllers for rapid deployment. It explains the roles of various domain controllers, the importance of global catalogs, and the management of Operations Master roles. The lesson emphasizes the need for fault tolerance and the ability to manage user logins effectively through Universal Group Membership Caching.

Uploaded by

donots2002

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

7 views53 pages

Domain Controllers and Roles

Uploaded by

donots2002

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 53

Lesson 16: Configuring

Domain Controllers
MOAC 70-411: Administering
Windows Server 2012
Overview
• Exam Objective 5.2: Configure Domain
Controllers
• Understanding Domain Controllers
• Installing and Configuring an RODC
• Cloning a Domain Controller
Understanding Domain
Controllers
Lesson 16: Configuring Domain Controllers
Active Directory
Logical Components

Organizati
Domains
on Units

Domain
Forests
Trees

© 2013 John Wiley & Sons, Inc. 4

Active Directory
Physical Components
Global
Domain
Catalog
Controllers
Servers

Read-Only
Operations
Domain
Masters
Controllers

© 2013 John Wiley & Sons, Inc. 5

Domain Controllers
• A domain controller is a Windows server that
stores a replica of the account and security
information for the domain and defines the
domain boundaries.
• To make a computer running Windows Server
2012 a domain controller, you must install the AD
DS and execute dcpromo from Server Manager.
• Each domain has its own set of domain
controllers.
• For fault tolerance, a site should have two or more
domain controllers.

© 2013 John Wiley & Sons, Inc. 6

Global Catalogs
• As a domain controller, a global catalog stores a
full copy of all objects in the domain.
• In addition, as a global catalog, it also has a partial
copy of all objects for all other domains in the
forest.
• The partial copy of all objects is used for logon,
object searches, and universal group membership.
• A global catalog is created automatically on the
first domain controller in the forest.
• Optionally, other domain controllers can be
configured to serve as global catalogs.

© 2013 John Wiley & Sons, Inc. 7

Global Catalogs and
Universal Groups
• One of the primary functions of a global catalog is to
provide search capability of any object in the forest.
• Another function of global catalog is to resolve User
Principal Names (UPNs).
• Membership of universal groups is stored only in the
global catalog and is replicated across the forest.
• When a user logs on, the domain controller must be
able to view the membership of the universal
groups, so that it can be determined whether a user
is allowed or denied logon based on the membership
of the universal group.

© 2013 John Wiley & Sons, Inc. 8

Universal Group
Membership Caching
• If the membership of the universal groups
cannot be determined, a user’s logon request
denies the request, and the user cannot log
on.
• The only exception to this is that the
Administrator account can always log on.
• Therefore, for all other users to log on, there
must be at least one domain controller acting
as a global catalog available or you need
Universal Group Membership Caching
enabled.
© 2013 John Wiley & Sons, Inc. 9
Enable Global Catalogs

Navigating to domain controllers

© 2013 John Wiley & Sons, Inc. 10

Enable Global Catalogs

Opening the NTDS Settings Properties dialog box

© 2013 John Wiley & Sons, Inc. 11

Universal Group
Membership Caching
(UGMC)
• Universal group membership caching
(UGMC) allows the local domain controller to
store the membership of the universal groups
in its local cache indefinitely.
• The cache is refreshed by default every eight
hours. As a result, domain controllers can
process a logon or resource request without
the presence of a global catalog server.
• UGMC provides better logon performance and
minimizes WAN usage.
• UGMC is enabled on a per-site basis.
© 2013 John Wiley & Sons, Inc. 12
Enable Universal Group
Membership Caching

Navigating to a site

© 2013 John Wiley & Sons, Inc. 13

Enable Universal Group
Membership Caching

Opening the NTDS Site Settings Properties dialog box

© 2013 John Wiley & Sons, Inc. 14

Operations Master
Roles
Primary Domain Controller (PDC) Emulator

Infrastructure Master

Relative Identifier (RID) Master

Schema Master

Domain Naming Master

© 2013 John Wiley & Sons, Inc. 15

Managing Operations
Masters
Guidelines for placing the Operations Master roles:
• Place the domain-level roles on high-performance domain
controllers.
• Do not place the infrastructure master on a global catalog
server unless you have only one domain or all the domain
controllers in your forest are also global catalogs.
• The Schema Master and Domain Naming Master should be on
domain controllers in the forest-root domain.
• If the Primary Domain Controller (PDC) Emulator becomes
overworked, you should offload non-AD DS roles to other
servers, upgrade the PDC Emulator, or move the PDC
Emulator to a more powerful computer.

© 2013 John Wiley & Sons, Inc. 16

Operations Masters
Role Holders
• The easiest way to view the holders of all
Operations Masters at once:
netdom query fsmo
• To view the RID Masters, PDC Emulators,
or Infrastructure Master, use the Active
Directory Users and Computers console.

© 2013 John Wiley & Sons, Inc. 17

Viewing Operations Masters

Viewing the holders of the Operations Masters roles at

the command prompt

© 2013 John Wiley & Sons, Inc. 18

Operations Masters
Role Holders
• To view the holder of the Domain Naming
Master role, use the Active Directory
Domains and Trusts console.
• To view the holder of the Schema Master
role, use the Active Directory Schema.

© 2013 John Wiley & Sons, Inc. 19

View the Holders of RID Master, PDC
Emulator, or Infrastructure Master

Selecting Operations Masters

© 2013 John Wiley & Sons, Inc. 20

View the Holders of RID Master, PDC
Emulator, or Infrastructure Master

Using the Active Directory Users and Computers console to

view the holders of the domain-based Operation Masters roles
© 2013 John Wiley & Sons, Inc. 21
View the Domain Naming Operations
Master Role Holder

Using the Active Directory Domains and Trusts

console to view the holders of the Domain Naming
Operations Master
© 2013 John Wiley & Sons, Inc. 22
View the Schema Master Operations
Master Role Holder

Opening the Add or Remove Snap-in dialog box

© 2013 John Wiley & Sons, Inc. 23

Operations Masters
Role
Reasons to transfer the Operations Master:
• Planned maintenance
• Retiring a domain controller that holds a
role of Operations Master
• Moving a role of Operations Master to a
domain controller with more resources
Transferring a FSMO role requires that the
source domain controller and the target
domain controller be online.

© 2013 John Wiley & Sons, Inc. 24

Transfer the Holders of RID Master,
PDC Emulator, or Infrastructure
Master

Selecting the Change Domain Controller option

© 2013 John Wiley & Sons, Inc. 25

Transfer the Holders of RID Master,
PDC Emulator, or Infrastructure
Master

Selecting a domain controller to transfer the role to

© 2013 John Wiley & Sons, Inc. 26

Seizing the Operations
Masters Role
• If a domain controller that holds an
Operations Master role has an unrecoverable
failure, you cannot transfer roles because
the current domain controller is not online.
Therefore, you need to seize the role.
• Seizing a FSMO role is a drastic measure that
should be performed only in the event of a
permanent role holder failure.
• To seize a role of an Operations Master, you
use the ntdsutil.exe utility.

© 2013 John Wiley & Sons, Inc. 27

Seize the Role of an
Operations Master Holder

Seizing the PDC Emulator role

© 2013 John Wiley & Sons, Inc. 28

Installing and
Configuring an RODC
Lesson 16: Configuring Domain Controllers
Read-Only Domain
Controller (RDOC)
The Read-Only Domain Controller
(RODC):
• Contains a full replication of the domain
database.
• Was created to be used in places where a
domain controller is needed but the
physical security of the domain controller
could not be guaranteed.

© 2013 John Wiley & Sons, Inc. 30

Installing an RDOC
When you install an RODC, you need to
define a delegated administrator that has
local administrative permission to the RODC,
even though the account is not a member of
the Domain Admin or domain built-in
Administrators group.

© 2013 John Wiley & Sons, Inc. 31

Deploying an RDOC
To deploy an RODC:
• Ensure that the forest functional level is
Windows Server 2003 or higher.
• Deploy at least one writable domain
controller running Windows Server 2008 or
higher.

© 2013 John Wiley & Sons, Inc. 32

Configuring an RDOC
You can configure each RODC to have its
own Password Replication Policy (PRP).
To allow enterprise-wide configuration of the
RODC PRP, Windows Server 2008 creates
the following security groups:
• Denied RODC Password Replication Group
• Allowed RODC Password Replication Group