2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Essential skills for AD administrators (1): online FSMO role transfer
For an enterprise administrator, daily server backup and disaster recovery are basic skills, so repairing even a catastrophic Active Directory (AD) failure is routine work for an engineer. Mistakes in architecture and deployment are more serious: for example, when there are several domain controllers (DCs) in the environment, which DC should hold which AD operations master role? This article covers the five FSMO roles and how to move them between DCs while everything stays online.
First, the five roles (the Flexible Single Master Operations, or FSMO, roles):
1. Forest level (only one DC in the whole forest holds each of these):
1.1. Schema Master
1.2. Domain Naming Master
2. Domain level (only one DC in each domain holds each of these):
2.1. PDC Emulator
2.2. RID Master
2.3. Infrastructure Master
Next, the function of each of the five roles:
1. Schema Master
This role owns changes to the Active Directory schema, the metadata that defines the directory. Active Directory holds many kinds of objects (users, computers, printers and so on), each with a set of attributes; the directory is a database, and objects relate to attributes much as tables relate to columns. The schema defines which object classes exist and which attributes each carries, and only the Schema Master accepts writes to it. Anyone who has deployed Exchange knows the schema can be extended; note that the extension is always applied on the Schema Master. Even when the setup program runs on another domain controller or on a member server, the schema changes are sent over the network to the Schema Master and written there. Extending the schema requires membership in the Schema Admins group.
2. Domain Naming Master
This is also a forest-level role; its job is to control the addition and removal of domains in the forest. Adding a domain to, or removing one from, an existing forest goes through the Domain Naming Master, so if that DC is down the add or remove operation is bound to fail.
3. PDC Emulator
(1) Password changes and authentication. A password change made on any DC is sent to the PDC Emulator immediately, ahead of normal replication, and a DC that sees a bad password checks with the PDC Emulator before rejecting the logon. This makes a new password usable anywhere in the domain without waiting for replication.
(2) Time in the domain. Active Directory authenticates with Kerberos, and by default the clocks of the two parties may differ by at most 5 minutes; with a larger skew the request is rejected. Microsoft designed this window to prevent replay attacks, so time in the domain must be consistent, and the PDC Emulator (in a multi-domain forest, ultimately the PDC Emulator of the forest root domain) sits at the top of the time hierarchy that every other DC and member synchronizes from.
(3) Group Policy editing. By default the Group Policy editor connects to the PDC Emulator, so Group Policy template changes are made on one DC and replicated out from there.
4. RID Master
In the Windows security subsystem (since Windows 2000), a user's identity is not the user name. Names appear in permission settings, but what the system actually checks is the security principal's SID; if two principals had the same SID, Windows would treat them as the same principal even though their names differ, which would be a security problem. In a domain a principal's SID is the domain SID plus a relative identifier (RID). To keep RIDs unique, the RID Master hands each DC in the domain a pool of unused RIDs; a DC takes a RID from its own pool whenever it creates a user, group or computer, and asks the RID Master for a new pool when it runs low. This prevents two DCs from ever issuing the same SID.
5. Infrastructure Master
This is probably the least important of the five FSMO roles. Its job is to keep cross-domain object references current, most visibly group membership lists. A user in another domain may be moved from one OU to another, which changes the user's distinguished name (DN), or may be renamed; groups in this domain that contain that user hold a reference (a phantom record) to it, and the Infrastructure Master is the DC that looks up the current DN and SID on a global catalog and updates those references in its domain. The role only does real work in a forest with more than one domain; in a single-domain forest, or when every DC is also a GC, there are no phantoms to update.
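The time hierarchy described under the PDC Emulator, as an added PowerShell example that is not part of the original article: it points the PDC Emulator at external NTP servers, makes every other DC follow the domain hierarchy, and then measures each DC's offset from the PDC Emulator against the 5-minute Kerberos limit. It assumes the RSAT ActiveDirectory module, PowerShell remoting to every DC, Domain Admin rights, and that 0.pool.ntp.org and 1.pool.ntp.org are placeholders for whatever NTP servers you really use.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module, PS remoting to every DC and Domain Admin rights; the pool.ntp.org
# names are placeholders for your own NTP servers.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc }

# 1. Only the PDC Emulator syncs from an external source and advertises itself
#    as reliable. The ",0x8" flag puts w32time in client mode for that peer.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
                  /syncfromflags:manual /reliable:yes /update
    w32tm /resync
}

# 2. Every other DC follows the domain hierarchy, which ends at the PDC Emulator.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        w32tm /config /syncfromflags:domhier /update
        w32tm /resync
    }
}

# 3. From each DC, sample its offset against the PDC Emulator and compare it
#    with the default Kerberos MaxClockSkew of 5 minutes (300 seconds).
$maxSkewSeconds = 300
foreach ($dc in $dcs) {
    $out = Invoke-Command -ComputerName $dc.HostName -ArgumentList $pdc -ScriptBlock {
        param($target)
        w32tm /stripchart /computer:$target /samples:3 /dataonly
    }
    # /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample.
    $offsets = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        Write-Warning "$($dc.HostName): no samples (is UDP 123 to $pdc open?)"
        continue
    }
    $avg   = ($offsets | Measure-Object -Average).Average
    $state = if ([math]::Abs($avg) -gt $maxSkewSeconds) { 'OUTSIDE KERBEROS SKEW' } else { 'OK' }
    '{0,-30} {1,12:N3}s  {2}' -f $dc.HostName, $avg, $state
}
```

Run it from an administrative workstation in the domain. Step 3 is the part worth keeping as a scheduled check: a DC drifting past 300 seconds from the PDC Emulator will start failing Kerberos authentication for everything it serves, and w32tm /stripchart shows the drift long before that happens.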
When planning FSMO placement, follow these principles:
1. The DC holding the Domain Naming Master should also be a global catalog (GC). (This was a hard requirement on Windows 2000; at later forest functional levels it is a recommendation.)
2. Do not put the Infrastructure Master on a GC, unless every DC in the domain is a GC (or the forest has a single domain), in which case the placement does not matter. The Infrastructure Master finds stale cross-domain references by comparing its own copy with the GC's; if it is a GC itself it never sees a difference and never updates the other DCs.
3. Put the Schema Master and Domain Naming Master on a GC server in the forest root domain.
4. Put the Schema Master and Domain Naming Master on the same domain controller.
5. Put the PDC Emulator, RID Master and Infrastructure Master together on one domain controller with good performance.
6. Avoid placing the PDC Emulator, RID Master and Infrastructure Master on a GC server.
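A script that checks an existing forest against the placement principles above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module, an account that can read the forest, and that it is run from a member of the forest root domain (Get-ADDomainController only lists the current domain's DCs, so the GC checks for the two forest roles are only meaningful there).

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module and a reader account; run it from the forest root domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-level roles come from the forest object, domain-level from the domain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Global catalog status is a per-DC property.
$dcs   = Get-ADDomainController -Filter *
$gcs   = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName)
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

$findings = @()

# Principle 1: the Domain Naming Master should be a GC.
if ($gcs -notcontains $roles['Domain Naming Master']) {
    $findings += 'Domain Naming Master is not a global catalog'
}
# Principle 2: the Infrastructure Master must not be a GC unless every DC is one
# (a single-domain forest or an all-GC domain has no phantoms to update).
if (($gcs -contains $roles['Infrastructure Master']) -and -not $allGc) {
    $findings += 'Infrastructure Master is on a GC while other DCs are not; it will never update cross-domain references'
}
# Principle 4: Schema Master and Domain Naming Master on the same DC.
if ($roles['Schema Master'] -ne $roles['Domain Naming Master']) {
    $findings += 'Schema Master and Domain Naming Master are on different DCs'
}
# Principle 5: the three domain roles on one DC.
$domainHolders = @($roles['PDC Emulator'], $roles['RID Master'], $roles['Infrastructure Master']) | Sort-Object -Unique
if (@($domainHolders).Count -ne 1) {
    $findings += 'PDC Emulator, RID Master and Infrastructure Master are spread over several DCs'
}
# Principle 6: keep the domain roles off a GC where that still matters.
if (-not $allGc -and ($gcs -contains $roles['PDC Emulator'])) {
    $findings += 'PDC Emulator is on a global catalog'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'FSMO placement follows the recommended layout.' }
```

Principle 3 (forest root domain) is not scored because the script is meant to be run from that domain. In a small environment where every DC is a GC, the script will correctly stay silent on principles 2 and 6: those rules exist for the phantom-update mechanism, and with every DC holding a full GC there is nothing for it to do.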
Next, how to transfer the roles online.
Our environment has two AD servers.
[Figure: site information]
[Figure: current role owners]
All five roles are currently on ADDS-2, and we want to move them to ADDS-1.
Before transferring, note that there are two situations. The first is an online transfer, which assumes every DC, the current role holder included, is working normally.
In the second, the DC holding the role is offline, and to keep the directory operating we must force (seize) the role onto a DC that is online.
Let's look at the first case.
With every DC online, we work from the command line:
Start, Run, type cmd, and at the command prompt type ntdsutil.
Type a question mark (?) to see the help.
Type roles to enter NTDS role owner token management; the prompt changes to fsmo maintenance:.
Help shows two families of commands: transfer and seize.
transfer is used when every DC, including the current holder, is online: the current holder is asked to hand the role over.
seize is used when the role owner is offline: ntdsutil first attempts a transfer and, when the holder does not answer, forcibly takes the role.
We use transfer for an online move. Before transferring we must connect to the server that should receive the role, so we use connections.
At the fsmo maintenance: prompt, type:
connections, then Enter. Type ? to view the help.
At the server connections: prompt, type:
connect to server ADDS-1 (the name of the DC that should receive the roles), then Enter.
At the server connections: prompt, type:
quit, then Enter.
Back at the fsmo maintenance: prompt, type ? to view the available commands.
The roles are transferred with the following commands, in this order:
1. transfer naming master
2. transfer infrastructure master
3. transfer rid master
4. transfer pdc
5. transfer schema master
Let's start with the Domain Naming Master and work down the list:
transfer naming master
transfer infrastructure master
transfer rid master
transfer pdc
transfer schema master
Each command opens a confirmation dialog; click Yes. Checking again afterwards, all the roles are on ADDS-1:
netdom query fsmo
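The same move done with the ActiveDirectory module instead of the interactive ntdsutil session, as an added PowerShell example that is not part of the original article. It also shows the second case from above (seizing when the holder is gone) and the verification step. It assumes ADDS-1 is the DC that should receive the roles, that the RSAT ActiveDirectory module is installed, and that the session runs as an Enterprise Admin, which the two forest-level roles require.

```powershell
# Added example, not from the original article. Assumes ADDS-1 is the receiving
# DC, the RSAT ActiveDirectory module is installed, and you are an Enterprise
# Admin (required for Schema Master and Domain Naming Master).
Import-Module ActiveDirectory

$target = 'ADDS-1'
$roles  = 'DomainNamingMaster', 'InfrastructureMaster', 'RIDMaster', 'PDCEmulator', 'SchemaMaster'

# Online transfer: the current holder is reachable and hands the roles over.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

# Seize instead (the second case in the article): only when the holder is gone
# for good. -Force takes the role without the holder's cooperation. A DC whose
# roles were seized must never be reconnected to the domain; demote it or
# remove its metadata before anything else.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false

# Verify against the receiving DC itself (another DC may not have replicated
# the change yet), then with the same netdom check used in the article.
$f = Get-ADForest -Server $target
$d = Get-ADDomain -Server $target
[pscustomobject]@{
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
} | Format-List

netdom query fsmo

# The ntdsutil session from the article can also be run non-interactively by
# passing each prompt entry as an argument, in the same order as above:
# ntdsutil roles connections "connect to server ADDS-1" quit `
#   "transfer naming master" "transfer infrastructure master" `
#   "transfer rid master" "transfer pdc" "transfer schema master" quit quit
```

The cmdlet performs the same operation as the ntdsutil transfer commands, so the ordering the article recommends is preserved by the order of the $roles list. Keep the seize line commented out in any script you store: seizing is a one-way action, and running it while the original holder is merely unreachable for a moment leaves two DCs believing they own the role.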