A domain is the main logical unit of organization in Active Directory. The
objects in a domain share a common security policy and account database.
Each domain must have at least one domain controller (DC). The domain
controller is a Windows 2000 Server computer that stores a complete, writable
copy of the domain database.
Active Directory Operations Masters Servers
A master server holds a copy of a database and accepts both read and write
operations. Multimaster replication allows several masters at once: changes
can be made to Active Directory on any domain controller and are then
replicated to the others. This multimaster model is the basis of Active
Directory. A single-master operation, by contrast, requires all changes to a
particular part of the database to be made on one machine, the master server,
so that conflicting updates cannot occur.
The following Operations Masters functions and roles are performed on
specially designated machines within the Active Directory forest; they are
therefore single-master operations (also called FSMO roles). The first two
apply to the entire forest, the next three apply to each domain.
FUNCTIONS
- Schema Master - All modifications to the schema must be made on this machine. By default, the first domain controller installed in the forest is the Schema Master. To assign this function, install the Windows 2000 Administrative Tools (\i386\adminpak.msi), register the snap-in DLL (regsvr32 schmmgmt.dll) and use the Active Directory Schema snap-in.
- Domain Naming Master - Controls the addition and removal of domains in the forest. It ensures that each new domain name is unique within the forest before the domain is registered. To assign this function, use the "AD Domains and Trusts" admin tool.
ROLES
- Relative ID (RID) Master - Each security principal must have a unique SID. The RID Master allocates pools of relative IDs to every domain controller in its domain, so that a DC can create new users, groups and computers without contacting another DC and without two DCs ever issuing the same RID. Uniqueness across domains comes from the domain SID prefix, not from coordination between RID Masters. The RID Master is also required when moving objects between domains. To assign this role, use the "AD Users and Computers" admin tool, right-click the domain and choose "Operations Master".
- Primary Domain Controller (PDC) Emulator - Provides backward compatibility for Windows NT 4.0 environments during the migration process (see the later notes for its native-mode duties). To assign this role, use the "AD Users and Computers" admin tool, right-click the domain and choose "Operations Master".
- Infrastructure Master - Updates references to objects in other domains (for example, members of a group who belong to another domain) so that their SIDs and distinguished names stay current as objects are renamed, moved or deleted. This role has nothing to do in a single-domain forest. To assign this role, use the "AD Users and Computers" admin tool, right-click the domain and choose "Operations Master".
The above ROLES can be performed by a single Windows 2000 Server computer, or distributed within an organization.
Notice that the Active Directory Domains and Trusts MMC snap-in is used to
assign the Operations Masters functions that apply to the entire forest while
the Active Directory Users and Computers MMC snap-in is used to assign
Operations Masters roles within each domain.
If there is more than one domain controller in the domain, the Global
Catalog should not reside on the same server as the Infrastructure Master.
A Global Catalog already holds a partial replica of every object in the
forest, so an Infrastructure Master on that server never finds stale
cross-domain references and never updates them for the other DCs. The
exception is when every domain controller in the domain holds a copy of the
Global Catalog; then there are no stale references to fix. The Infrastructure
Master and a domain controller with the Global Catalog should be in the same
site.
The Schema Master and Domain Naming Master are most often on the same domain
controller. The Global Catalog should be with the Domain Naming Master. The
RID Master and the PDC emulator go well together in a small domain, with the
Global Catalog on another domain controller. In a larger domain, you can
separate the RID Master and PDC emulator to reduce workload.
Seizure of a role is permanent in the sense that the former holder must not
be allowed to reclaim it. After seizing the PDC emulator or the Infrastructure
Master, the original holder may be repaired and brought back online. After
seizing the Schema Master, Domain Naming Master or RID Master, the original
holder must never be returned to the network; a second copy of one of these
roles would let conflicting schema changes, domain names or RID pools be
issued. The PDC emulator is the most important of the roles during a downtime
of a few days; the other roles can usually wait until the holder is repaired.
The Lightweight Directory Access Protocol (LDAP) is an IETF standard used by
clients and administrators to query and modify objects within AD (TCP port
389; 3268 for Global Catalog queries). Replication between domain controllers
uses RPC over IP (or SMTP between sites), not LDAP. Like SMTP, FTP, etc.,
LDAP operates over TCP/IP.
Sites define the physical layout of a company's network by taking into
account multiple subnets, remote access links, and other network factors.
A site is a set of well-connected IP subnets in which network access is fast
and inexpensive. Sites are usually LANs that are separated from one another
by (relatively) slower WAN links.
Creating a Child Domain (and Domain Tree)
To create a new child domain (or a new domain tree), promote a Windows 2000
Server computer to a domain controller with DCPROMO. Before you can create a
new child domain, you will need the following information:
- The name of the parent domain.
- The name of the child domain (the one you are creating).
- The file system locations for the AD database, logs, and shared system volume.
- DNS configuration information.
- The NetBIOS name for the new domain.
- A username and password with permission to create the domain (Enterprise Admins, or an account delegated that right).
Designating a Global Catalog Server
A Global Catalog Server is designated with the "Active Directory Sites
and Services" admin tool. Find the target Domain Controller, expand this
object, r-click "NTDS Settings", and select Properties. On the General
tab, you will see a checkbox labeled "Global Catalog", this checkbox
determines whether or not the DC contains a copy of the Global Catalog.
In Windows 2000 the domain controller holding the Domain Naming Master role
must also be a Global Catalog server. When a new domain is being added, the
DNM server queries the GC for an existing domain of that name, and it must
query the catalog on the same machine.
The PDC emulator, in native mode, is the authoritative time source for the
domain, is the default domain controller for creating and editing GPOs, and
receives password changes from the other DCs preferentially so that a just-
changed password is accepted forest-wide. In mixed mode it also acts as the
PDC for NT4 BDCs.
A security principal's SID = domainSID + assignedRID
You can use dcdiag.exe (dcdiag /test:RidManager /v) to view the RID pool
allocated to a DC and the pool still available on the RID Master. If the RID
Master fails, check this: a DC that exhausts its pool can no longer create
security principals. Objects are moved between domains from the RID Master.
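Worked example (added here, not part of the original notes): the SID
arithmetic above in code. The functions compose a principal SID from a domain
SID and a RID, split one apart again, convert between the textual form and
the binary form stored in the objectSid attribute, and say whether a RID is
a fixed well-known value or one the RID Master handed out from a pool. The
domain SID and RID values used are constructed for illustration.

```python
import struct

# Well-known RIDs (below 1000) are fixed by Windows and identical in every
# domain; the RID Master only allocates pools above this range. Subset only.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

def build_sid(domain_sid: str, rid: int) -> str:
    """Compose a principal SID: domainSID + assignedRID (textual form)."""
    # Domain SIDs always begin with the NT authority (5) and the
    # "non-unique" sub-authority 21 followed by three machine-specific parts.
    if not domain_sid.startswith("S-1-5-21-") or domain_sid.count("-") != 6:
        raise ValueError("not a domain SID: %s" % domain_sid)
    return "%s-%d" % (domain_sid, rid)

def split_sid(sid: str) -> tuple:
    """Split a principal SID into (domainSID, RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID into the binary layout used by objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("malformed SID: %s" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    for sub in subs:
        out += struct.pack("<I", sub)
    return out

def bytes_to_sid(data: bytes) -> str:
    """Decode a binary objectSid back to its textual form."""
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def rid_origin(rid: int) -> str:
    """Say whether a RID is a fixed well-known value or came from a RID pool."""
    if rid < 1000:
        return "well-known (%s)" % WELL_KNOWN_RIDS.get(rid, "reserved")
    return "allocated from a RID pool"

if __name__ == "__main__":
    # Constructed domain SID; any real domain will have different values.
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    user_sid = build_sid(domain, 1106)
    print(user_sid, split_sid(user_sid), rid_origin(1106))
    print(sid_to_bytes(user_sid).hex(), rid_origin(500))
```

Seeing the binary layout explains why every principal in a domain shares
the same 24-byte prefix and differs only in the trailing four bytes, the RID
the RID Master's pool supplied.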
When promoting a Windows 2000 Server to a domain controller, the Active
Directory database and log files should be located on separate physical
hard disks to increase performance. DCPROMO accepts FAT partitions for the
database and logs, but FAT has no file ACLs, so NTFS is strongly preferred
for a server holding the domain's account database. The Shared System Volume
(SYSVOL, the AD public files) must be on an NTFS 5 partition.
It is recommended that you always have at least two domain controllers per
domain. This will provide a good balance between the cost of servers and a
minimal level of fault tolerance and performance.
To find a domain controller with DNS (SRV records registered by Netlogon):
nslookup
>set type=SRV
>_ldap._tcp.domain-name.com
Other useful records: _ldap._tcp.dc._msdcs.domain-name.com (domain
controllers only), _ldap._tcp.pdc._msdcs.domain-name.com (the PDC emulator)
and _gc._tcp.forest-root-name.com (Global Catalog servers, registered under
the forest root domain).