Sunday, 19 July 2015

What is Flexible Single Master Operation (FSMO)



1.a.com and 2.a.com are in the same domain; 1.a.com is the forest root domain controller and holds the two forest-wide operation master roles: 1. Domain Naming Master and 2. Schema Master.
The Domain Naming Master controls the creation of other domains within the same forest. Members of the Enterprise Admins group have this permission.
The Schema Master defines the schema for all the domain controllers in the forest.
2.a.com has the AD DS database but does not hold these two roles.
By default the global catalog is installed on the forest root domain controller and is optional on the other domain controllers (Microsoft recommends having the Global Catalog installed on all DCs).
The global catalog is used to search for objects in other domains of a multi-domain forest. Since a DC's AD database only covers its own domain, searching for objects or resources in another domain requires a global catalog server; hence it is best practice to make all the domain controllers global catalog servers. The GC stores only limited information about objects from other domains, such as location and username.
If we do not have a global catalog server, the domain-level operation master, i.e. the Infrastructure Master, is used to fetch resources across the multi-domain forest.
It uses the SIDs of the objects in the other AD domains, which are obtained partly from AD and partly from the RID master.
The RID master supplies the unique number (the RID) that makes the SID of every object in an Active Directory domain unique.
For example, ClientPC is a member of the domain “a.com” and user1 logs on to it. The LSA (Local Security Authority) gives a unique SID in which the first three blocks identify the resource type (S-1-5-21), the next three blocks are the AD database (domain) number, and the final block, e.g. 500, is the RID (the unique number given to the object user1).
So every object must get a unique RID; when we have multiple DCs in a domain, the RID master assigns each of them a block of RIDs so that they never overlap.
There is another operation master in the domain, the PDC emulator role. The domain controller holding this role in a domain is always synchronized with the forest root domain controller's PDC emulator for time synchronization.
Every domain has its DC paired with the forest root DC’s PDC emulator.
If a user’s password is changed by the Administrator on one DC while the user is still logged on with the old password, that DC contacts the DC holding the PDC emulator role and the user’s session is terminated.
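As an added example (not part of the original post), the PowerShell below shows the checks a practitioner runs to see the roles described above on a live forest: which DCs hold the five FSMO roles, which DCs are global catalog servers, what block of RIDs the RID master currently has available, and how a SID breaks down into the prefix, domain part and RID. It assumes the ActiveDirectory module (RSAT, or a DC) and a domain user account; the function names and the sample SID are my own and constructed for illustration.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# PowerShell module (RSAT or a domain controller).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles are exposed by Get-ADForest, domain-wide roles by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-GlobalCatalogStatus {
    # Every DC in the current domain with its GC flag; the post's best practice
    # is that each row shows IsGlobalCatalog = True.
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly
}

function Get-RidPoolStatus {
    # The RID master records the forest-wide pool in the rIDAvailablePool
    # attribute of "CN=RID Manager$": low 32 bits = next RID to hand out,
    # high 32 bits = highest RID that can still be allocated.
    $domain = Get-ADDomain
    $dn     = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    $pool   = [uint64](Get-ADObject -Identity $dn -Properties rIDAvailablePool).rIDAvailablePool
    [pscustomobject]@{
        NextRidToAllocate = [uint32]($pool -band 0xFFFFFFFF)
        MaxRid            = [uint32]($pool -shr 32)
    }
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid   = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    $parts = $SidString.Split('-')
    # AccountDomainSid is $null for SIDs that are not account SIDs (e.g. S-1-5-32-544).
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
    [pscustomobject]@{
        Sid       = $sid.Value
        Prefix    = ($parts[0..3] -join '-')   # "S-1-5-21" for domain/local accounts
        DomainSid = $domainSid                  # the three domain sub-authorities
        Rid       = [uint32]$parts[-1]          # handed out from the DC's RID block
        IsBuiltinAdministratorRid = ([uint32]$parts[-1] -eq 500)
    }
}

# Constructed SID for illustration; the domain part is made up.
Split-Sid -SidString 'S-1-5-21-1004336348-1177238915-682003330-500'

# On a domain-joined machine:
# Get-FsmoRoleHolders
# Get-GlobalCatalogStatus
# Get-RidPoolStatus
```

The RID pool numbers are the concrete form of "the RID master assigns them a block": each DC requests a sub-range from this pool, so if the RID master is offline for long enough that DCs exhaust their local blocks, new objects can no longer be created.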
Domain servers are built to offer services that keep everything live and synchronized, and for this it is important to have a seamless network between the devices.

Hence, there are also offline features for the case where this network is not reliable:
·        To join a device/computer to a domain without a connection to the DC we can use an offline join with the command “djoin”, which creates a file on the DC; this file is then copied to, and executed on, the other computer/server that is to be joined.
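The offline join just described, as an added example that is not part of the original post. The domain a.com and machine name PC1 are placeholders, as is the blob path. The first function runs on a DC (or an RSAT machine) as an account allowed to create computer accounts; the second runs on the machine being joined, as a local administrator.

```powershell
# Added example, not from the original post. Names and paths are placeholders.

function New-OfflineJoinBlob {
    # Step 1, on the DC: create the computer account and write the join blob.
    # The blob contains the new machine account's password, so keep it off
    # shared locations and delete it once the join has completed.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Machine,
        [string]$BlobPath = (Join-Path $env:TEMP "$Machine-odj.txt")
    )
    djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /provision failed with exit code $LASTEXITCODE"
    }
    $BlobPath
}

function Invoke-OfflineJoin {
    # Step 2, on the machine to be joined, after copying the blob to it.
    # /localos applies the join to the running OS instead of an offline image,
    # so a reboot is required afterwards.
    param([Parameter(Mandatory)][string]$BlobPath)
    djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /requestodj failed with exit code $LASTEXITCODE"
    }
}

# On the DC:
# $blob = New-OfflineJoinBlob -Domain 'a.com' -Machine 'PC1'
# ... copy $blob to PC1 out of band ...
# On PC1 (elevated):
# Invoke-OfflineJoin -BlobPath 'C:\odj\PC1-odj.txt'
# Restart-Computer
# Back on the DC, once PC1 has rebooted and joined:
# Remove-Item $blob -Force
```

Verifying the result is the same as for an online join: after the reboot, the computer object exists under "Computers" on the DC and `Get-ADComputer PC1` shows it as enabled.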
Introduction to Server

1) Used for a centralized approach to providing various services like user authentication, web services, mail services, etc.

2) For the centralized approach we use domain names to logically define the boundary of an organization.
   For e.g.: cms.com, which is also known as the FQDN (Fully Qualified Domain Name); e.g. server1.cms.com is my FQDN, where server1 is my hostname and cms.com is my domain name.

3) Domain names are the object reference that clients look up for services. They cannot resolve these without the help of DNS. DNS has SRV records that enable the different services to be reached via their port numbers.
   For e.g.: the port number for LDAP is 389, where LDAP is lightweight directory services. DNS also helps server and client resolve the domain name to its IP and vice versa.

   (Note: Kerberos uses port number 88. It encrypts the username and password.)

   (Note: To check the SRV records: open Server Manager (SM) ---> Tools ----> DNS ---> _msdcs.)

4) For example, if a user tries to log on to a domain, firstly that computer has to be part of that domain and should be listed in the domain controller's Active Directory under "Computers".
   Next, it should be able to resolve the domain name; hence always provide the IP of a domain controller where DNS is enabled in the client's network settings.
   Now that we have all the necessary prerequisites we may log on as "cms\user1",
   where cms -> domain name
   user1 -> user
   Now that the client has brought the computer into the domain, the domain KDC (key directory connection) service will provide a TGT (Ticket Granting Ticket), which is a sort of card used to verify access.
   Back to the user trying to log on with username "cms\user1": this PC (i.e. PC1) will use its TGT and Kerberos to authenticate the credentials, and the TGT will verify whether this user has the right to log on to PC1. If it does, that TGT request is granted by the server to this client.
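The prerequisites in items 3 and 4 can be checked from the client before anyone tries to log on. The PowerShell below is an added example, not part of the original post: it confirms the client's DNS server, resolves the SRV records clients use to find a DC and a KDC (the ones under _msdcs mentioned above), checks that ports 389 (LDAP) and 88 (Kerberos) answer on each DC, and finally lists the cached TGT. The domain name cms.com is a placeholder and the function names are my own; it assumes Windows 8/2012 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example, not from the original post. Run on the client PC (PC1).
$domainName = 'cms.com'   # placeholder

function Test-DomainServiceRecords {
    param([Parameter(Mandatory)][string]$Domain)
    # SRV records a client needs: DC locator (LDAP), KDC (Kerberos) and
    # the password-change service.
    $queries = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_kpasswd._tcp.$Domain"
    )
    foreach ($name in $queries) {
        try {
            Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object {
                    [pscustomobject]@{ Record = $name; Target = $_.NameTarget; Port = $_.Port }
                }
        } catch {
            # Unresolved SRV records are the usual cause of "domain not found".
            [pscustomobject]@{ Record = $name; Target = 'NOT RESOLVED'; Port = $null }
        }
    }
}

function Test-DomainControllerPorts {
    param([Parameter(Mandatory)][string]$Domain)
    # Take every DC the locator record names and probe Kerberos and LDAP.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
    foreach ($dc in $dcs) {
        foreach ($port in 88, 389) {
            $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Port = $port; Reachable = $result.TcpTestSucceeded }
        }
    }
}

# 1. The client's DNS server must be a DC (or forward to one).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2. The domain's SRV records must resolve ...
Test-DomainServiceRecords -Domain $domainName

# 3. ... and the DCs they name must answer on 88 and 389.
Test-DomainControllerPorts -Domain $domainName

# 4. After a successful domain logon the TGT issued by the KDC is cached locally.
klist.exe tgt
```

If step 2 returns NOT RESOLVED for the _msdcs record while the DC's own DNS console shows it, the client is almost always pointed at the wrong DNS server, which is exactly the misconfiguration item 4 warns about.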

5) AD is the database containing all the objects like users, computers and other network resources. The information is present in the default directory "C:\Windows\NTDS".
   Here, NTDS.DIT is the file that contains the AD database, which further includes the Schema partition. The Schema partition defines the attributes of the objects that AD stores.
   This schema can only be changed in the forest root domain, since the Schema Master role is only present there.
   The forest root domain has the two groups that hold those rights, i.e. Enterprise Admins and Schema Admins.
   Members of the Enterprise Admins group have the right to edit the domain naming context, while the Schema Admins can edit the schema.

6) All the domain controllers in a forest share the same schema. The AD database is replicated among all the domain controllers in a domain, except for an RODC (Read Only Domain Controller), which holds a read-only copy.
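Items 5 and 6 translate into a short set of checks that an administrator runs on a DC, shown here as an added example that is not from the original post: where NTDS.dit actually lives on this DC (the registry, not the default path), which DC is the Schema Master and who is in the two forest root groups that may change the schema and the domain naming context, and which DCs are read-only plus whether inbound replication has been failing. It assumes the ActiveDirectory module and the default group names (addressed by their well-known RIDs 518 and 519 so renamed groups are still found); the function names are my own.

```powershell
# Added example, not from the original post. Run on a DC, or with RSAT.
Import-Module ActiveDirectory

function Get-NtdsDatabasePath {
    # The post quotes the default C:\Windows\NTDS; the NTDS service's
    # parameters record the real location and the log directory.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        DatabaseFile = $p.'DSA Database file'
        LogPath      = $p.'Database log files path'
    }
}

function Get-SchemaAuthority {
    # Schema Admins (RID 518) and Enterprise Admins (RID 519) exist only in the
    # forest root domain, so query that domain explicitly.
    $forest     = Get-ADForest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $members = foreach ($rid in 518, 519) {
        $groupSid = "$($rootDomain.DomainSID)-$rid"
        Get-ADGroupMember -Identity $groupSid -Server $forest.RootDomain -Recursive |
            ForEach-Object { [pscustomobject]@{ GroupRid = $rid; Member = $_.SamAccountName } }
    }
    [pscustomobject]@{
        SchemaMaster     = $forest.SchemaMaster
        SchemaAdmins     = @($members | Where-Object GroupRid -eq 518 | Select-Object -ExpandProperty Member)
        EnterpriseAdmins = @($members | Where-Object GroupRid -eq 519 | Select-Object -ExpandProperty Member)
    }
}

function Get-DcReplicationHealth {
    # An RODC only receives replication, so it shows IsReadOnly = True and
    # holds no operation master roles.
    Get-ADDomainController -Filter * |
        Select-Object Name, IsReadOnly, IsGlobalCatalog, OperationMasterRoles
    # Inbound replication failures break the "everything live and synchronized"
    # promise; the classic command-line equivalent is "repadmin /replsummary".
    Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain
}

Get-NtdsDatabasePath
Get-SchemaAuthority
Get-DcReplicationHealth
```

Because schema changes are rare and irreversible, Schema Admins is normally kept empty and an account is added only for the duration of a planned change; a non-empty result from Get-SchemaAuthority outside such a window is worth an alert.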