3. Installing and Managing Domains, Trees, and Forests
**********************
Creating Multiple Domains
You create multiple domains to meet security requirements, to meet administrative requirements, to optimize replication traffic, and to retain existing Microsoft Windows NT domains.
**********************
Mail-based replication can occur only between domains, never within a single domain.
**********************
Renaming and Restructuring Domains
Windows Server 2003 allows you to rename any domain that has domain controllers running Windows Server 2003.
You can use the domain rename utility (Rendom.exe) to rename or restructure a domain.
The Rendom.exe utility can be found in the \Valueadd\Msft\Mgmt\Domren folder on the Windows Server 2003 CD-ROM.
**********************
Renaming and Moving a Domain Controller
Fully qualified domain name (FQDN)
To move a domain controller to another domain, you must first use DCPromo.exe to demote the domain controller, and then use DCPromo.exe again to promote it with the new domain name.
You can also rename a domain controller by using the Netdom command-line utility.
**********************
The Global Catalog
The Global Catalog (GC) performs three important functions:
It provides data that permits network logon
It stores the information that is necessary to locate an object in Active Directory
It contains the access permissions for each object and attribute stored in the global catalog
By default, the first domain controller that you create in Active Directory is designated the global catalog server
You can move the default GC to another domain controller by modifying the NTDS setting properties in the Sites and Server Management snap-in.
You can also use the Sites and Servers Management snap-in to add additional GC servers.
**********************
Master Operations Roles
To reduce potential data consistency problems, certain Active Directory functions cannot be shared. These special functions are called Flexible Single Master Operations (FSMOs).
The domain controller assigned a particular FSMO is called a role master.
There are five FSMOs:
The PDC Emulator
The RID Master
The Infrastructure Master
The Domain Naming Master
The Schema Master
**********************
PDC Emulator
You can transfer the PDC Emulator master role to another domain controller through the Active Directory Users and Computers snap-in.
**********************
RID Master
Security Identifier (SID)
Relative ID (RID)
Only one domain controller can perform the role of the RID Master per domain.
You can transfer the RID Master role to another domain controller through the Active Directory Users and Computers snap-in.
**********************
Infrastructure Master
The domain controller assigned the Infrastructure Master role is responsible for managing group and user references.
You can transfer the Infrastructure Master role to another domain controller through the Active Directory Users and Computers snap-in.
Except in a single domain controller environment, or an environment where every domain controller holds a copy of the GC, the GC should not be hosted on the Infrastructure Master. The Infrastructure Master compares its data with the GC, so co-hosting them can have a significant replication impact, and full replication may fail.
**********************
Domain Naming Master
Only one domain controller in a forest, the Domain Naming Master, can make changes to the Partitions container. This ensures that two administrators cannot create new domains with identical names during the same replication interval.
By default, the Domain Naming Master is the first domain controller in a forest. You can transfer this role to any domain controller in any domain through the Active Directory Domains and Trusts snap-in. However, it is recommended that this domain controller reside in the root domain.
**********************
Schema Master
The schema is a framework of definitions that establishes the type of objects available to Active Directory.
Only one domain controller in the entire forest can update the schema, and that is the Schema Master.
The Schema Master role can be transferred to another domain controller through the Active Directory Schema Master snap-in.
**********************
Seizing a Role Master
If the domain controller hosting an FSMO role master crashes and cannot be recovered, you cannot use the management consoles to transfer roles.
Instead, you must seize the role using the Ntdsutil utility.
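The seizure described above, as an added example that is not part of the original notes: a PowerShell wrapper around the Ntdsutil command sequence (roles, connections, connect to server, seize). It assumes Ntdsutil.exe is on the path; the function name, the `$TargetDc` parameter and the confirmation logic are this example's own.

```powershell
# Added example (not from the original notes): seize one operations master role onto a
# surviving domain controller with Ntdsutil. Assumes Ntdsutil.exe is available on the path.
function Invoke-OperationsMasterSeizure {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Healthy domain controller that should take over the role
        [Parameter(Mandatory)] [string] $TargetDc,
        # Role names exactly as Ntdsutil's "fsmo maintenance" prompt accepts them
        [Parameter(Mandatory)]
        [ValidateSet('schema master', 'domain naming master', 'infrastructure master', 'RID master', 'PDC')]
        [string] $Role
    )

    # Ntdsutil accepts its interactive commands as quoted arguments, one per prompt level:
    # roles -> connections -> connect to server <dc> -> quit -> seize <role> -> quit -> quit
    $commands = @(
        'roles',
        'connections',
        "connect to server $TargetDc",
        'quit',
        "seize $Role",
        'quit',
        'quit'
    )

    # Show the exact invocation before anything runs
    Write-Verbose ('ntdsutil ' + (($commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))

    # Seizure is a last resort: after seizing the schema, domain naming or RID master, the
    # former role holder must never be brought back online, so require explicit confirmation.
    if ($PSCmdlet.ShouldProcess($TargetDc, "seize $Role")) {
        & ntdsutil.exe @commands
    }
}

# Usage (constructed server name):
#   Invoke-OperationsMasterSeizure -TargetDc DC02 -Role 'RID master' -Verbose
```

Ntdsutil first attempts a normal transfer and only seizes when the current holder cannot be reached, so running this against a reachable holder behaves like a transfer.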
**********************
Planning Operations Master Locations
There can be only one schema master and one domain naming master in the forest; by default these roles remain in the first domain, on the first domain controller created in the forest.
**********************
Planning Operations Master Locations for a Domain
The Infrastructure master role should not be assigned to any domain controller that is hosting the global catalog. You should assign the infrastructure master role to any domain controller that is well connected to a global catalog (from any domain) in the same site.
If the Infrastructure Master and the global catalog are on the same domain controller, the Infrastructure Master will not function. It will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
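An added example, not from the original notes, that lists the five role holders and checks the placement rule stated in this and the preceding sections (Infrastructure Master not on a global catalog unless every domain controller in the domain is a global catalog). It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which is newer than the Windows Server 2003 snap-ins the notes describe; the placement rule itself is unchanged. The function names are this example's own.

```powershell
# Added example (not from the original notes): FSMO inventory and Infrastructure Master /
# Global Catalog placement audit. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $f = Get-ADForest
    # Three per-domain roles
    foreach ($domName in $f.Domains) {
        $d = Get-ADDomain -Identity $domName
        [pscustomobject]@{ Domain = $d.DNSRoot; Role = 'PDC Emulator';          Holder = $d.PDCEmulator }
        [pscustomobject]@{ Domain = $d.DNSRoot; Role = 'RID Master';            Holder = $d.RIDMaster }
        [pscustomobject]@{ Domain = $d.DNSRoot; Role = 'Infrastructure Master'; Holder = $d.InfrastructureMaster }
    }
    # Two forest-wide roles
    [pscustomobject]@{ Domain = $f.RootDomain; Role = 'Schema Master';        Holder = $f.SchemaMaster }
    [pscustomobject]@{ Domain = $f.RootDomain; Role = 'Domain Naming Master'; Holder = $f.DomainNamingMaster }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d   = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    $imHost      = $d.InfrastructureMaster                      # FQDN of the role holder
    $imIsGc      = [bool]($gcs | Where-Object { $_.HostName -eq $imHost })
    $allDcsAreGc = ($dcs.Count -eq $gcs.Count)

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $imHost
        HostsGlobalCatalog   = $imIsGc
        AllDCsAreGC          = $allDcsAreGc
        # Only a problem when the IM is a GC and at least one DC in the domain is not
        Misplaced            = ($imIsGc -and -not $allDcsAreGc)
    }
}

Get-FsmoRoleHolders | Format-Table -AutoSize
(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } | Format-Table -AutoSize
```

A single-DC domain reports `AllDCsAreGC = True`, so it is never flagged, matching the exception the notes make for that case.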
**********************
Planning the Operations Master Roles for the Forest
The Schema Master and the domain naming master roles should always be assigned to the same domain controller.
**********************
Trust Relationships
A trust relationship is a logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain.
Trusts have three characteristics:
They can be created manually (explicitly) or automatically (implicitly).
They can be either transitive (not bound by the domains in the trust relationship) or nontransitive (bound by the domains in the trust relationship), and they can be one-way or two-way.
**********************
Trust Types
Tree-root trust
Parent-child trust
Shortcut trust
Realm trust
External trust
Forest trust
**********************
Shortcut trusts can be created only between Windows Server 2003 domains in the same forest.
A Realm trust can be established between any non-Windows Kerberos version 5 realm and a Windows Server 2003 domain to allow cross-platform interoperability with security based on other Kerberos version 5 implementations, such as UNIX or MIT.
**********************
Creating and Administering Trusts Using the Command Line
Trusts can be created and administered from the command line with the Windows Domain Manager tool (Netdom.exe).
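An added example, not part of the original notes, that inventories the trusts of a domain and labels each with the characteristics and types listed in the Trust Relationships and Trust Types sections above (direction, transitivity, realm/forest/intra-forest/external). It uses `Get-ADTrust` from the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) rather than Netdom.exe; the function name and the classification logic are this example's own.

```powershell
# Added example (not from the original notes): trust inventory with direction, transitivity
# and type. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_

        # Type, from the flags kept on the trustedDomain object
        $kind = if ($t.TrustType -eq 'MIT') { 'Realm (non-Windows Kerberos v5)' }
                elseif ($t.ForestTransitive) { 'Forest' }
                elseif ($t.IntraForest) { 'Intra-forest (parent-child, tree-root or shortcut)' }
                else { 'External' }

        # Intra-forest and forest trusts are transitive; a realm trust is transitive unless
        # explicitly marked nontransitive; external trusts are nontransitive.
        $transitive = $t.IntraForest -or $t.ForestTransitive -or
                      ($t.TrustType -eq 'MIT' -and -not $t.DisallowTransivity)

        [pscustomobject]@{
            Target                 = $t.Target
            Kind                   = $kind
            Direction              = $t.Direction          # Inbound, Outbound or BiDirectional
            Transitive             = $transitive
            # Hardening flags worth reviewing on every external or forest trust
            SelectiveAuth          = $t.SelectiveAuthentication
            SidFilteringQuarantine = $t.SIDFilteringQuarantined
        }
    }
}

Get-TrustSummary | Sort-Object Kind, Target | Format-Table -AutoSize
```

Intra-forest trusts are the automatic (implicit) ones unless an administrator added a shortcut; realm, external and forest trusts are always created explicitly, so the `Kind` column also tells you which trusts someone had to create by hand.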