Monday, October 15, 2007

General Recommendations for FSMO Roles Placement

  • Place the RID master and PDC emulator roles on the same domain controller. Down-level clients and applications target the PDC emulator, which makes it a large consumer of RIDs, so good connectivity between the PDC emulator and the RID master is desirable.

  • As a general rule, the infrastructure master should be placed on a domain controller that is not a global catalog server but that has a direct connection object to a global catalog in the forest, preferably in the same Active Directory site. The infrastructure master's job is to update references (phantoms) to objects from other domains; a global catalog server holds a partial replica of every object in the forest, so an infrastructure master hosted on one holds no references to objects it does not already have and will never update anything. There are two exceptions to the "do not place the infrastructure master on a global catalog server" rule:

    1. Single-domain forest: in a forest that contains a single Active Directory domain there are no phantoms, so the infrastructure master has no work to do. It may be placed on any domain controller in the domain, whether or not that domain controller hosts the global catalog.

    2. Multi-domain forest in which every domain controller in the domain is a global catalog: if every domain controller in a domain that is part of a multi-domain forest also hosts the global catalog, there are again no phantoms and no work for the infrastructure master to do. It may be placed on any domain controller in that domain.

  • At the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. In addition, the domain naming master should be a global catalog server: certain operations that use the domain naming master, such as creating grandchild domains, fail if it is not.

    Note: If the schema master, domain naming master or RID master role is seized, it is critical that the original role holder never be restored and brought back into the forest. Doing so can cause schema corruption, duplicate RID allocation and data inconsistency. Seize a role only when the original holder is permanently gone; otherwise transfer it gracefully.

  • To speed up user authentication, place the PDC emulator in a location that contains a large number of users from that domain, and make sure that location is well connected to the others to minimise replication latency.

What are FSMO (Flexible Single Master Operation) Roles?

Microsoft Windows Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored. It is a hierarchical, multi-master database capable of storing millions of objects. Because it is multi-master, changes can be processed at any domain controller (DC) in the enterprise, regardless of whether that DC is connected to or disconnected from the network at the time. Some operations, however, would conflict if two DCs performed them at once, so each of those is carried out by exactly one DC. Because the DC holding such a responsibility can be changed (the role can be transferred or seized) and is not permanently bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role.

In Windows 2000 and Windows Server 2003 there are five FSMO roles: two forest-level roles and three domain-level roles. All five are initially held by the first domain controller installed in the forest; the first domain controller of each additional domain in the forest holds that domain's three domain-level roles.
The two forest-level roles are:
  • The schema master, which controls all updates and modifications to the Active Directory schema. To update the schema of a forest you must be a member of the Schema Admins group, and the change must be written on the schema master. There can be only one schema master in the whole forest.
  • The domain naming master, which controls the addition and removal of domains in the forest. You must be a member of the Enterprise Admins group to use the domain naming master's functionality. There can be only one domain naming master in the whole forest.

The three domain-level roles for Active Directory domain controllers are:

  • The primary domain controller (PDC) emulator, which processes replication requests from Microsoft Windows NT 4.0 backup domain controllers (BDCs) and processes all password updates from clients not running the Active Directory client software. In addition, when authentication fails on another domain controller, that domain controller checks with the PDC emulator in case the password has been changed but the change has not yet replicated to all domain controllers.
  • The Relative Identifier (RID) master, which allocates pools of RIDs to all domain controllers in the domain so that the SIDs of all security principals created in the domain are unique.
  • The infrastructure master for a given domain, which maintains the list of security principals from other domains that are members of groups within its domain, updating those cross-domain references (phantoms) when the referenced objects are renamed or moved.
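The placement recommendations at the top of this post and the role descriptions above can be checked from a script. The following is an added example, not code from the original post: it reads the current role holders and global catalog status with the ActiveDirectory PowerShell module (shipped with RSAT from Windows Server 2008 R2 onward, which is an assumption here; the 2000/2003 equivalents are `netdom query fsmo` and `dsquery server -forest -isgc`) and reports every deviation from the rules, including the two infrastructure master exceptions. The function name `Test-FsmoPlacement` is my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and an account that can read forest and domain objects.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    [CmdletBinding()]
    param()

    $findings = @()
    $forest   = Get-ADForest

    # Forest level: schema master and domain naming master on the same DC, and
    # the domain naming master must be a global catalog.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Schema master ($($forest.SchemaMaster)) and domain naming master ($($forest.DomainNamingMaster)) are on different DCs."
    }
    $dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
    if (-not $dnm.IsGlobalCatalog) {
        $findings += "Domain naming master $($dnm.HostName) is not a global catalog; creating grandchild domains will fail."
    }

    $singleDomain = ($forest.Domains.Count -eq 1)

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # Domain level: RID master and PDC emulator on the same DC.
        if ($domain.RIDMaster -ne $domain.PDCEmulator) {
            $findings += "${domainName}: RID master ($($domain.RIDMaster)) and PDC emulator ($($domain.PDCEmulator)) are on different DCs."
        }

        # Infrastructure master must not be a GC, except in a single-domain
        # forest or when every DC in the domain is a GC (no phantoms either way).
        $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($im -and $im.IsGlobalCatalog -and -not ($singleDomain -or $allGc)) {
            $findings += "${domainName}: infrastructure master $($im.HostName) is a GC in a multi-domain forest where not every DC is a GC; cross-domain group references will never be updated."
        }

        # A role holder that is no longer a DC in the domain means the role has
        # to be seized, and the old holder must then never be brought back.
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            if (-not ($dcs | Where-Object { $_.HostName -eq $domain.$role })) {
                $findings += "${domainName}: $role holder $($domain.$role) is not a known DC in the domain; the role probably needs to be seized."
            }
        }
    }

    if ($findings.Count -eq 0) { 'FSMO placement matches the recommendations.' } else { $findings }
}

Test-FsmoPlacement
```

Run it as a user who can read the forest; it only reads, so it is safe to run on a production forest. A finding about a missing role holder is a prompt to investigate, not a licence to seize: confirm the old DC is really gone (and will stay gone) before seizing the role with ntdsutil.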

Windows Server 2008: Web, Virtualization, Security, and a Solid Foundation for Your Business Workloads

Windows Server 2008, with its built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. Learn how new virtualization tools, Web resources, and security enhancements can help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools, such as Internet Information Services 7.0 (IIS7), Server Manager, and Windows PowerShell, allow you to have more control over your servers and streamline web, configuration, and management tasks. Advanced security and reliability enhancements, such as Network Access Protection (NAP) and the Read-Only Domain Controller, harden the operating system and protect your server environment to ensure you have a solid foundation to build your business on.

Watch these 90-minute Windows Server 2008 webcasts and learn how your organization can leverage the enhancements in Windows Server 2008. Tune in for live webcasts and stream or download webcasts for on-demand viewing.

Virtual Labs
Try out Windows Server 2008 during a virtual lab. It's simple—no complex setup or installation is required. You get a downloadable manual and a 90-minute block of time for each module, and you can sign up for additional 90-minute blocks anytime.

Stream or download these TechNet audio podcasts onto your favorite podcast software or mobile device. These podcasts are free and do not require registration—just click, listen, and learn about Windows Server 2008.

Join an online, text-based question and answer session in real time from a chat room. This is your opportunity to interact with Microsoft experts on Windows Server 2008, provide feedback, and get answers to your tough questions.

Tuesday, October 2, 2007

Some Useful Commands / Shortcuts for IT People

These are shortcuts or commands for people who love working with shortcuts like me. To be honest with you, I forgot where the location of Active Directory Users and Computers is :), so whenever I want to access it, I run the shortcut :), which is much easier for me to remember.

Authorization Manager -----> AZMAN.MSC
Certificates snap-in (current user) -----> CERTMGR.MSC
Certification Authority -----> CERTSRV.MSC
Certificate Templates -----> CERTTMPL.MSC
Indexing Service -----> CIADV.MSC
Command Prompt -----> CMD.EXE
Computer Management -----> COMPMGMT.MSC
Computer Management for a remote computer -----> COMPMGMT.MSC /COMPUTER=computername
Domain Controller Security Policy -----> DCPOL.MSC
Promote a server to a domain controller (or demote one) -----> DCPROMO.EXE
Device Manager -----> DEVMGMT.MSC
Disk Defragmenter -----> DFRG.MSC
Distributed File System -----> DFSGUI.MSC
DHCP Manager -----> DHCPMGMT.MSC
Disk Management -----> DISKMGMT.MSC
DNS Manager -----> DNSMGMT.MSC
Active Directory Domains and Trusts -----> DOMAIN.MSC
Domain Security Policy -----> DOMPOL.MSC
Active Directory Users and Computers -----> DSA.MSC
Active Directory Users and Computers for a specific domain (useful in a root/child domain structure) -----> DSA.MSC /DOMAIN=domainname
Active Directory Users and Computers connected to a specific domain controller -----> DSA.MSC /SERVER=servername
Active Directory Sites and Services -----> DSSITE.MSC
Event Viewer -----> EVENTVWR.MSC
File Server Management -----> FILESVR.MSC
Shared Folders -----> FSMGMT.MSC
Fax Service Manager -----> FXSADMIN.MSC
Local Group Policy Editor -----> GPEDIT.MSC
View and edit the local Group Policy of a remote machine -----> GPEDIT.MSC /gpcomputer:"computername"
Internet Authentication Service -----> IAS.MSC
Internet Information Services Manager (in \Windows\system32\inetsrv, which is not on the path) -----> IIS.MSC
Local Users and Groups -----> LUSRMGR.MSC
Microsoft Management Console (empty console) -----> MMC.EXE
Hardware and software configuration information -----> MSINFO32.EXE
Remote Desktop Connection -----> MSTSC
Connect to the console session of a server -----> MSTSC /Console
Network Diagnostics (scans the system to gather information about hardware, software and network connections) -----> netsh diag gui
Removable Storage Manager -----> NTMSMGR.MSC
Removable Storage Operator Requests -----> NTMSOPRQ.MSC
Performance Monitor -----> PERFMON.MSC
Registry Editor -----> REGEDIT.EXE
Remote Installation Services setup wizard -----> RISETUP.EXE
Routing and Remote Access -----> RRASMGMT.MSC
Resultant Set of Policy -----> RSOP.MSC
Local Security Policy -----> SECPOL.MSC
Services -----> SERVICES.MSC
Telephony -----> TAPIMGMT.MSC
Terminal Services Configuration -----> TSCC.MSC
Remote Desktops snap-in -----> TSMMC.MSC
Windows Management Instrumentation command line -----> WMIC.EXE
Windows Management Instrumentation (WMI Control) -----> WMIMGMT.MSC