MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
The final step in creating a site topology plan is to place global catalog servers and operations masters. To place global catalog servers and operations masters, you must assess the organization's need for global catalog servers and operations masters and then determine their location. This lesson discusses how to place global catalog servers and operations masters.
After this lesson, you will be able to
- Identify the factors in an organization's environment that impact its need for global catalog servers
- Identify the factors in an organization's environment that impact its need for operations masters
- Analyze an organization's environment to place global catalog servers in sites
- Analyze an organization's environment to assign operations master roles
- Use Active Directory Sizer to determine the number and placement of domain controllers and global catalog servers
Estimated lesson time: 30 minutes
Understanding Global Catalog Servers
Recall that a global catalog server is a Windows 2000 domain controller that holds a copy of the global catalog for the forest. A global catalog server must be available when a user logs on to a Windows 2000 native-mode domain or logs on with a user principal name because in native mode a domain controller must send a query to a global catalog server to determine the user's membership in universal groups. Because universal groups can be used to deny access to resources, knowledge of universal group membership is necessary in order to enforce access control. Consequently, if a global catalog server is not available during user logon, the domain controller refuses the logon request. Therefore, it is imperative that you plan the location of global catalog servers carefully.
By default, the initial domain controller in a forest is designated as a global catalog server. However, you can configure any domain controller or designate additional domain controllers to serve this function.
Understanding Operations Masters
Operations master roles are special roles assigned to one or more domain controllers in an Active Directory domain to allow the domain controllers to perform single-master replication for specific operations. Active Directory supports multimaster replication of the database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform single-master operations (operations that are not permitted to occur at different places in a network at the same time).
In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You can change the assignment of operations master roles after Setup, but in most cases this will not be necessary. You must be aware of operations master roles assigned to a domain controller if problems develop on a domain controller or if you plan to take it out of service.
Forest-Wide Operations Master Roles
Every Active Directory forest must have the following roles:
- Schema master
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.
- Domain naming master
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. At any time, there can be only one domain naming master in the entire forest.
Domain-Wide Operations Master Roles
Every domain in the forest must have the following roles:
- Relative ID master
The relative ID master allocates sequences of relative IDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. At any time, only one domain controller can act as the relative ID master in each domain in the forest.
- Primary domain controller (PDC) emulator
If the domain contains computers operating without Windows 2000 client software or if it contains Windows NT backup domain controllers (BDCs), the PDC emulator acts as a Windows NT primary domain controller. It processes password changes from clients and replicates updates to the BDCs. In a Windows 2000 domain operating in native mode, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller will forward the authentication request to the PDC emulator before rejecting the logon attempt. At any time, only one domain controller can act as the PDC emulator in each domain in the forest.
- Infrastructure master
The infrastructure master is responsible for updating the security identifiers and distinguished names in cross-domain object references whenever an object's name changes. At any time, only one domain controller can act as the infrastructure master in each domain.
Figure 6.10 shows how the operations master roles are distributed throughout a forest by default. Domain A was the first domain created in the forest (the forest root domain). It holds both of the forest-wide operations master roles. The first domain controller in each of the other domains is assigned the three domain-specific roles.
Figure 6.10 Operations master role default distribution in a forest
Design Step: Placing Global Catalog Servers and Operations Masters
To place global catalog servers and operations masters, you must complete the following tasks:
- Locate domain controllers.
- Determine the location of global catalog servers for the organization.
- Determine the location of operations masters for the organization.
Locating Domain Controllers
To place global catalog servers and operations masters, you must first consult the site diagram compiled earlier by your design team, which shows the network links, sites, domain controllers, and site links defined for your network. From this diagram, you can determine which domain controllers to designate as global catalog servers and operations masters. In addition to locating domain controllers, it is imperative that you assess any changes that may be planned for the sites or domain controller locations to address growth, flexibility, and the ideal design specifications of the organization.
Determining the Location of Global Catalog Servers
For optimum network response time and application availability, designate at least one domain controller in each site as the global catalog server. A global catalog server in each site provides users with a local computer that can service query requests for their domain over LAN connections. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic.
To determine whether to designate additional domain controllers in a site as global catalog servers, the rules for designating additional domain controllers in a site apply. However, you must balance the need for additional global catalog servers with the increased replication traffic that these servers will generate.
If your organization uses Microsoft Exchange 2000, you should try to place a global catalog server in each site that contains an Exchange server. This is because Exchange 2000 uses Active Directory as its directory service, and all mailbox names are resolved by queries through Active Directory to the global catalog server. In a large Exchange environment, a global catalog server may need to handle a large number of queries, so placing a global catalog server in each site that contains an Exchange server can ensure that all queries are handled promptly.
Using Active Directory Sizer
To determine the number of global catalog servers you need, you may want to use Active Directory Sizer, a tool for estimating the hardware required for deploying Active Directory based on your organization's profile, domain information, and site topology. For more information on Active Directory Sizer, visit http://www.microsoft.com/windows2000/library/resources/reskit/tools/new/adsizer-o.asp.
To place global catalog servers
- On the site diagram, designate a domain controller in each site as the global catalog server. Use a circle containing "GC" to represent the global catalog server.
- Determine whether you need to designate additional domain controllers as global catalog servers and indicate them on the site diagram.
Determining the Location of Operations Masters
In a small Active Directory forest with only one domain and one domain controller, that domain controller is assigned all the operations master roles. When you create the first domain in a new forest, all of the operations master roles are automatically assigned to the first domain controller in that domain. When you create a new child domain or the root domain of a new domain tree in an existing forest, the first domain controller in the new domain is automatically assigned the relative identifier master, PDC emulator master, and infrastructure master roles. Because there can be only one schema master and one domain naming master in the forest, these roles remain in the first domain created in the forest.
The default operations master locations work well for a forest deployed on a few domain controllers in a single site. In a forest with more domain controllers, or in a forest that spans multiple sites, you may want to transfer the default operations master role assignments to other domain controllers in the domain or forest.
Planning the Operations Master Role Assignments by Domain
Follow these guidelines when assigning operations master roles for a domain:
- If a domain has only one domain controller, that domain controller must hold all of the domain roles.
- If a domain has more than one domain controller:
  - Choose two well-connected domain controllers that are direct replication partners. Make one of the domain controllers the operations master domain controller. Make the other the standby operations master domain controller. The standby operations master domain controller is used in case of failure of the operations master domain controller.
  - In domains that are not large, assign both the relative identifier master and PDC emulator roles to the operations master domain controller. In very large domains, you can reduce the peak load on the PDC emulator by placing the relative identifier master and the PDC emulator roles on separate domain controllers, both of which are direct replication partners of the standby operations master domain controller. However, to avoid the administrative tasks associated with separating the roles, it's best to keep them together unless the load on the operations master domain controller justifies separating the roles.
  - The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. Instead, assign the infrastructure master role to a domain controller that is well connected to a global catalog (from any domain) in the same site. If the operations master domain controller meets these requirements, use it unless the load justifies the extra management burden of separating the roles. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function: it will never find data that is out of date, and so will never replicate any changes to the other domain controllers in the domain. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
Planning the Operations Master Roles for the Forest
Once you have planned all of the domain roles for each domain, consider the forest roles. The schema master and the domain naming master roles should always be assigned to a domain controller designated as the global catalog server. This ensures that when the domain naming master creates an object representing a new domain, no other object has the same name. The load of these operations master roles is very light, so, to simplify management, place these roles on the operations master domain controller of one of the domains in the forest.
Planning for Growth
Normally, as your forest grows, you will not need to change the locations of the various operations master roles. But when you are planning to decommission a domain controller, change the global catalog status of a domain controller, or reduce the connectivity of parts of your network, you may need to revise the operations master role assignments.
To place operations masters
- On the site diagram, designate the appropriate domain controller(s) with the relative identifier master, PDC emulator master, and infrastructure master roles. Use a diamond shape containing "RID," "PDC," and "IM" to represent each role.
- On the site diagram, indicate the domain controller designated as the global catalog server with the schema master and domain naming master roles. Use a diamond shape containing "SM" and "DN" to represent each role.
NOTE
After you've added the global catalog servers and operations masters to your site diagram that already contains sites, domain controllers, and site links, you have a complete site topology diagram.
Design Step Example: Placing Global Catalog Servers and Operations Masters
Review Figure 6.9, which shows the site diagram for Margo Tea Company. Figure 6.11 shows the location of global catalog servers and operations masters for Margo Tea Company. The reasons for locating global catalog servers in this manner are
- One global catalog server is placed in each site except the Charleston sales office to meet minimum requirements. In addition, there are Microsoft Exchange 2000 servers in the Cincinnati, Pittsburgh, and Louisville sites, so by placing a global catalog server in each of these sites, query traffic can be handled promptly.
- A global catalog server is not placed in the Charleston location because of the relatively small number of users in this location and because the link is operating well below capacity.
- Because locating additional global catalog servers in each site will increase replication traffic, no additional global catalog servers are placed.
The reasons for locating operations masters in this manner are
- Because the domain has more than one domain controller, DC1 in the Cincinnati site was chosen as the operations master domain controller. The standby operations master controller is DC2 in the Cincinnati site.
- Because the domain is not very large, both the relative identifier master and PDC emulator roles were assigned to the operations master domain controller.
- Because the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog, it was assigned to DC2.
- Because the schema master and the domain naming master roles should always be assigned to a domain controller designated as the global catalog server, and because their load is very light, the forest-wide roles were assigned to DC1.
MORE INFO
For further information on designing an Active Directory infrastructure, view the online seminar "Designing the Active Directory Structure," located on the Supplemental Course Materials CD-ROM (\chapt06\OnlineSeminars\Designing). Click the Portal_ActiveDirectoryStructure file to begin the seminar.
You can also view the online seminar "Comparative Active Directory Designs," located on the Supplemental Course Materials CD-ROM (\chapt06\OnlineSeminars\Comparative). Click the Portal_ActiveDirectoryDesigns file to begin the seminar.
Figure 6.11 Global catalog server and operations masters locations for Margo Tea Company
Lesson Summary
In this lesson you learned how to place global catalog servers and operations masters for an organization by assessing an organization's need for global catalog servers and operations masters. You learned that for optimum network response time and application availability, you should designate at least one domain controller in each site as the global catalog server. You also learned that you must balance the need for additional global catalog servers with the increased replication traffic that the additional servers will generate. You learned some guidelines for assigning domain-wide operations master roles, which include not assigning the infrastructure master role to the domain controller that is hosting the global catalog. You learned some guidelines for assigning forest-wide operations master roles, which include always assigning the schema master and the domain naming master roles to the domain controller designated as the global catalog server. Finally, you learned to indicate the placement of global catalog servers and operations masters on the site diagram to create a completed site topology diagram.