The five FSMO roles: what they do, how to locate them, and how to plan for them

FSMO (Flexible Single Master Operations) is usually translated as "operations master". Before explaining the FSMO roles, two concepts need to be introduced:

Single-master replication: single-master replication means that changes are copied from one place to all the others. It was used in the old NT4 domain. In an NT4 domain the network distinguishes between the PDC and the BDCs, and all replication flows from the PDC to the BDCs. Because the NT4 domain uses this replication mechanism, any change to the domain must be made on the PDC; a change attempted on a BDC is invalid. On a small network the drawbacks of this arrangement are not very visible, but on a network spanning cities, say with the PDC in Shanghai and a BDC in Beijing, changing the domain becomes very troublesome.

Multi-master replication: multi-master replication is the counterpart of single-master replication. It means that all domain controllers replicate to one another, which compensates for the defects of single-master replication. Starting with the Windows 2000 domain, Microsoft no longer distinguishes between PDC and BDC on the network: all domain controllers are equals, and a change made on any one domain controller is replicated to all the others.

Since all domain controllers in a Windows 2000 domain are equals, what roles do they play? The role of a domain controller in a Windows 2000 domain does not depend on how many domain controllers there are in the network, but on how the five FSMO roles are distributed among them. Now we get to the point. FSMO has five roles, divided into two categories:

1. Forest level (that is, only one DC in the whole forest holds the role):

(1) Schema Master

(2) Domain Naming Master

2. Domain level (that is, only one DC in each domain holds the role):

(1) PDC Emulator

(2) RID Master

(3) Infrastructure Master
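The following PowerShell script, added here as an example and not part of the original article, locates the holder of each of the five roles and checks that each holder answers on LDAP (TCP 389), since the article's main planning point is that the holders must stay available. It assumes the RSAT ActiveDirectory module is installed and the session runs under a domain account.

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory module and a session running under a domain account.
Import-Module ActiveDirectory

$forest = Get-ADForest    # forest-level roles live on the forest object
$domain = Get-ADDomain    # domain-level roles live on the domain object

# One DC per forest holds each of the first two; one DC per domain the rest.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# A role holder that is down blocks schema extension, domain add/remove,
# password propagation and so on, so reachability matters more than speed.
$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $ldapUp = Test-NetConnection -ComputerName $holder -Port 389 `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Holder = $holder; LdapUp = $ldapUp }
}
$report | Format-Table -AutoSize

# Planning view: a DC that holds several roles is a single point of failure.
$roles.Values | Group-Object | Sort-Object Count -Descending |
    Select-Object @{n='Holder'; e={$_.Name}}, @{n='RolesHeld'; e={$_.Count}} |
    Format-Table -AutoSize
```

Without the module, `netdom query fsmo` prints the same five holders from any domain-joined machine.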

First, let's explain what each of these five roles does:

1. Schema Master

Used to modify the metadata (the schema) of Active Directory. We know that Active Directory contains all kinds of objects, such as users, computers and printers, and that each object has a set of attributes. Active Directory is itself a database, and objects and attributes correspond to its tables; the relationship between these objects and attributes is defined by the schema, which is governed by the Schema Master. If you have deployed Exchange you will know that the schema can be extended, but note that schema extensions must be performed on the Schema Master. If you run the extension on another domain controller or on a member server, the data is in fact sent over the network and the extension is applied on the Schema Master. To extend the schema, you need the permissions of the Schema Admins group.

Suggestion: the domain controller holding the Schema Master does not need high performance, because the schema is rarely manipulated unless you extend it often, which is very rare. Availability, however, must be guaranteed; otherwise installing software such as Exchange or LCS will fail.

2. Domain Naming Master

This is also a forest-level role. Its main job is to manage the addition and removal of domains in the forest. If you want to add a domain to an existing forest, or remove one, you must contact the Domain Naming Master. If the Domain Naming Master is down, the addition or removal will certainly fail.

Suggestion: the domain controller holding the Domain Naming Master also does not need high performance; I do not think any network administrator adds or removes domains in the forest very often. High availability, of course, is necessary, otherwise there is no way to add a domain to the forest or remove one from it.

3. PDC Emulator

As mentioned above, from the Windows 2000 domain onward there is no longer a distinction between PDC and BDC, but in fact some operations still have to be performed by a PDC. How are these handled in a Windows 2000 domain? They are handled by the PDC Emulator, mainly the following operations:

(1) Handling password verification requests;

By default, all DCs in a Windows 2000 domain replicate every 5 minutes. There are some exceptions, however, such as password changes. In general, once a password is changed it is replicated to the PDC Emulator first, and the PDC Emulator then triggers an immediate update so that the new password takes effect in near real time. Of course, since replication over the network also takes time, there will still be some delay; how long depends on your network size and line conditions.

(2) Unifying time within the domain;

Microsoft Active Directory uses the Kerberos protocol for authentication. By default, the clock difference between the authenticator and the party being authenticated may not exceed 5 minutes, otherwise authentication is rejected. Microsoft designed this mainly to prevent replay attacks. Therefore the time within the domain must be unified, and this job is done by the PDC Emulator.
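The following PowerShell script, added as an example (not from the original article), shows the check that follows from this point: it reads the PDC Emulator's own time source and measures each DC's clock offset relative to the PDC Emulator, flagging any skew above the 5-minute Kerberos tolerance. It assumes the RSAT ActiveDirectory module, that w32tm.exe on the workstation running the script can reach every DC over NTP (UDP 123), and that the `Get-OffsetSeconds` helper is hypothetical, not a Windows command.

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory module and that w32tm.exe can reach every DC over NTP.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$maxSkewSeconds = 300   # default Kerberos clock tolerance (5 minutes)

# 1. The PDC Emulator is the top of the domain's time hierarchy, so it should
#    sync from an authoritative source rather than its own free-running clock.
$source = (& w32tm /query /source /computer:$pdc) -join ' '
"PDC Emulator {0} time source: {1}" -f $pdc, $source
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC Emulator $pdc is not synchronised to an external time source"
}

# 2. Measure each DC's clock offset from this workstation, then compare it with
#    the PDC Emulator's offset; the difference is the DC's skew from the PDC.
function Get-OffsetSeconds([string]$Computer) {
    # Hypothetical helper: w32tm /stripchart prints one line per sample such as
    # "12:00:01, +00.0123456s"; the signed seconds value is parsed and averaged.
    $out = & w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>$null
    $vals = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $vals) { return $null }   # unreachable or NTP blocked
    ($vals | Measure-Object -Average).Average
}

$pdcOffset = Get-OffsetSeconds $pdc
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $off  = Get-OffsetSeconds $dc
    $skew = if ($null -ne $off -and $null -ne $pdcOffset) {
        [math]::Abs($off - $pdcOffset)
    } else { $null }
    $skewText = if ($null -ne $skew) { [math]::Round($skew, 3) } else { 'unreachable' }
    [pscustomobject]@{
        DC          = $dc
        SkewSeconds = $skewText
        KerberosOK  = ($null -ne $skew) -and ($skew -le $maxSkewSeconds)
    }
}
```

A DC reported with `KerberosOK = False` will fail authentication against the rest of the domain until its clock is brought back within tolerance.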
