- Place the RID master and PDC emulator roles on the same domain controller. Good connectivity between the PDC emulator and the RID master is desirable because down-level clients and applications target the PDC emulator, making it a large consumer of RIDs.
- As a general rule, the infrastructure master should be located on a domain controller that is not a global catalog server but has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because a global catalog server holds a partial replica of every object in the forest, an infrastructure master placed on a global catalog server will never update anything: it holds no references to objects it does not itself contain, so it never notices stale cross-domain references (phantoms). Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:
1. Single-domain forest: In a forest that contains a single Active Directory domain there are no phantoms, so the infrastructure master has no work to do. It may be placed on any domain controller in the domain, whether or not that domain controller hosts the global catalog.
2. Multi-domain forest in which every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multi-domain forest also hosts the global catalog, there are no phantoms and no work for the infrastructure master to do, and it may be put on any domain controller in that domain.
- At the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. In a Windows 2000 forest the domain naming master must also be a global catalog server; certain operations that use the domain naming master, such as creating grandchild domains, fail if it is not. Once the forest is at the Windows Server 2003 forest functional level this requirement no longer applies.
Note: If the schema master, domain naming master, or RID master role is seized, the original holder must never be brought back online in the forest; rebuild it from scratch instead. Returning it leaves two domain controllers believing they own the role, which can corrupt the schema or hand out duplicate RID pools (and therefore duplicate SIDs). The PDC emulator and infrastructure master roles can be seized and later transferred back without this risk.
- In order to facilitate faster user authentication, the PDC emulator should be placed in a site that contains a large number of users from that domain, and that site should be well connected to the other sites to minimize replication latency.
Monday, October 15, 2007
Windows 2000 and Windows Server 2003 have five FSMO roles. All five are initially held by the first domain controller installed into the forest; each additional domain in the forest gets its own three domain-level roles, held by the first domain controller installed into that domain. The roles break down into two forest-level roles and three domain-level roles.
The two forest-level roles are:
- The schema master, which controls all updates and modifications to the Active Directory schema. To update the schema of a forest you must have access to the schema master and be a member of the Schema Admins group. There is only one schema master in the whole forest.
- The domain naming master, which controls the addition and removal of domains in the forest. There is only one domain naming master in the whole forest, and you must be a member of the Enterprise Admins group to use it.
The three domain-level roles for Active Directory domain controllers are:
- The primary domain controller (PDC) emulator, which processes replication requests from Windows NT 4.0 backup domain controllers (BDCs) and processes all password updates from clients not running the Active Directory client software. In addition, when an authentication fails, the authenticating domain controller checks the PDC emulator to see whether the password was changed but has not yet replicated to every domain controller.
- The Relative Identifier (RID) master, which allocates RID pools to all domain controllers in the domain so that every security principal's SID is unique.
- The infrastructure master for a given domain, which maintains the list of security principals from other domains that are members of groups within its domain.
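Putting the role list together with the placement guidance above, here is an added PowerShell check (not from the original post) that prints the current role holders and flags placements that break the rules: forest roles split across DCs, a domain naming master that is not a global catalog, a PDC emulator and RID master on different DCs, and an infrastructure master sitting on a global catalog in a multi-domain forest where not every DC is a GC. It assumes PowerShell 3.0 or later with the ActiveDirectory module (RSAT on Windows Server 2008 R2 / Windows 7 and later, newer than the systems the post describes) and an account that can read forest and domain configuration; the function names are my own.

```powershell
# Added example, not part of the original post. Assumes PowerShell 3.0+ with the
# ActiveDirectory module and an account able to read forest/domain configuration.
# Function names (Get-FsmoRoleHolder, Test-FsmoPlacement) are my own.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Lists the five role holders: two forest-wide, three per domain.
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{ Scope = $name; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        [pscustomobject]@{ Scope = $name; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        [pscustomobject]@{ Scope = $name; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
}

function Test-FsmoPlacement {
    # Returns one string per placement that violates the guidance above;
    # an empty result means the forest follows it.
    $forest   = Get-ADForest
    $domains  = @($forest.Domains)
    $findings = @()

    # Forest level: keep schema master and domain naming master together.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Schema master ($($forest.SchemaMaster)) and domain naming master ($($forest.DomainNamingMaster)) are on different DCs."
    }
    # Windows 2000 forests need the domain naming master on a global catalog.
    if (@($forest.GlobalCatalogs) -notcontains $forest.DomainNamingMaster) {
        $findings += "Domain naming master $($forest.DomainNamingMaster) is not a global catalog (required below Windows Server 2003 forest functional level)."
    }

    foreach ($name in $domains) {
        $d   = Get-ADDomain -Identity $name
        $dcs = @(Get-ADDomainController -Filter * -Server $name)
        $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })

        # Domain level: the PDC emulator is the heaviest RID consumer, so keep it with the RID master.
        if ($d.PDCEmulator -ne $d.RIDMaster) {
            $findings += "${name}: PDC emulator ($($d.PDCEmulator)) and RID master ($($d.RIDMaster)) are on different DCs."
        }

        # Infrastructure master on a GC is only harmless in a single-domain forest
        # or when every DC in the domain is also a GC (no phantoms to clean up).
        $imOnGc      = $gcs -contains $d.InfrastructureMaster
        $everyDcIsGc = ($dcs.Count -eq $gcs.Count)
        if ($imOnGc -and $domains.Count -gt 1 -and -not $everyDcIsGc) {
            $findings += "${name}: infrastructure master $($d.InfrastructureMaster) is a global catalog while other DCs are not; stale cross-domain references will never be updated."
        }
    }
    return $findings
}

Get-FsmoRoleHolder | Format-Table -AutoSize
Test-FsmoPlacement
```

To act on a finding, `Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster` transfers the role gracefully while the current holder is online; adding `-Force` seizes it, after which the note above applies and the old holder must not be brought back.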
Windows Server 2008: Web, Virtualization, Security, and a Solid Foundation for Your Business Workloads
Watch these 90-minute Windows Server 2008 webcasts and learn how your organization can leverage the enhancements in Windows Server 2008. Tune in for live webcasts and stream or download webcasts for on-demand viewing.
Try out Windows Server 2008 during a virtual lab. It's simple—no complex setup or installation is required. You get a downloadable manual and a 90-minute block of time for each module, and you can sign up for additional 90-minute blocks anytime.
Stream or download these TechNet audio podcasts onto your favorite podcast software or mobile device. These podcasts are free and do not require registration—just click, listen, and learn about Windows Server 2008.
Join an online, text-based question and answer session in real time from a chat room. This is your opportunity to interact with Microsoft experts on Windows Server 2008, provide feedback, and get answers to your tough questions.
Tuesday, October 2, 2007
These are shortcuts and commands for people who love working with shortcuts, like me. To be honest with you, I forgot where Active Directory Users and Computers is located :); whenever I want to access it, I run the shortcut :), which is much easier for me to remember.
Authorization Manager -----> AZMAN.MSC
Certificates snap-in -----> CERTMGR.MSC
Certification Services -----> CERTSRV.MSC
Certificate Templates -----> CERTTMPL.MSC
Index Service -----> CIADV.MSC
Command Prompt -----> CMD.EXE
Computer Management -----> COMPMGMT.MSC
Computer Management other than local computer ----> COMPMGMT.MSC /COMPUTER=COMPUTERNAME
Domain Controller Security Policy -----> DCPOL.MSC
promote server to a Domain Controller -----> DCPROMO.EXE
Device Manager -----> DEVMGMT.MSC
Disk Defragmenter -----> DFRG.MSC
Distributed File System -----> DFSGUI.MSC
DHCP Manager -----> DHCPMGMT.MSC
Disk Management -----> DISKMGMT.MSC
DNS Manager -----> DNSMGMT.MSC
Active Directory Domains & Trust -----> DOMAIN.MSC
Domain Security Policy -----> DOMPOL.MSC
Active Directory Users & Computers -----> DSA.MSC
Active Directory Users & Computers for a specific domain, if you have a root/child domain structure -----> DSA.MSC /DOMAIN=domainname
Active Directory Users & Computers connected to a specific domain controller -----> DSA.MSC /SERVER=servername
Active Directory Sites & Services -----> DSSITE.MSC
Event Viewer -----> EVENTVWR.MSC
File Server Management -----> FILESVR.MSC
Shared Folders -----> FSMGMT.MSC
Fax Service Manager -----> FXSADMIN.MSC
local Group Policy Editor -----> GPEDIT.MSC
View and edit the local Group Policy of a remote machine -----> GPEDIT.MSC /gpcomputer:"COMPUTERNAME"
Internet Authentication Service -----> IAS.MSC
Internet Information Service (\Windows\system32\inetsrv) -----> IIS.MSC
Local Users and Groups -----> LUSRMGR.MSC
Microsoft Management Console -----> MMC.EXE
Hardware and software configuration information -----> MSINFO32.EXE
Remote Desktop Connection -----> MSTSC
Connect to the console session of a server (Windows XP/2003 client; RDC 6.1 on Vista SP1/Server 2008 and later replaced this with /ADMIN) -----> MSTSC /CONSOLE
Network Diagnostics scans your system to gather information about your hardware, software, and network connections -----> netsh diag gui
Removable Storage Manager -----> NTMSMGR.MSC
Removable Storage Operator Request -----> NTMSOPRQ.MSC
Performance Monitor -----> PERFMON.MSC
Run Registry Editor -----> REGEDIT.EXE
starts the Remote Installation Service setup wizard -----> RISETUP.EXE
Routing and Remote Access -----> RRASMGMT.MSC
Resultant Set of Policy -----> RSOP.MSC
Local Security Policy -----> SECPOL.MSC
Service Configuration -----> SERVICES.MSC
Telephony -----> TAPIMGMT.MSC
Terminal Services -----> TSCC.MSC
Remote Desktop -----> TSMMC.MSC
Windows Management Instrumentation command line -----> WMIC.EXE
Windows Management Instrumentation (WMI Control) -----> WMIMGMT.MSC