Operations Masters In Active Directory Environment Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Before defining operations masters, we need an understanding of what Active Directory is. Active Directory is a multimaster-enabled database: it allows directory changes to be made at any domain controller. A few kinds of change, however, must not be made in more than one place at a time. For those, we assign one domain controller, known as the Operations Master, to accept change requests. Only the domain controller holding the Operations Master role is allowed to process those updates to the directory.

In an Active Directory environment, we assign five Operation Masters to perform dedicated tasks.

The first two are forest-wide roles, while the other three are domain-wide roles. Forest-wide means that only one of each of these Operations Masters exists in a forest. Domain-wide means that one of each of these exists in every domain of the forest.

Operations masters are important to directory performance and perform dedicated tasks; they should therefore be available to all domain controllers and directory clients that need their services.

Next, we discuss briefly the roles of the various Operations Masters. As mentioned above, five Operations Masters manage the single-master operations in Active Directory.

The two forest-wide masters:

Schema Master: It oversees all changes made to the schema.

Domain Naming Master: It manages the addition and removal of domains to and from the forest.

Apart from the forest-wide Operations Masters, we have three domain-wide Operations Masters:

Primary Domain Controller (PDC) Emulator: It processes

password updates for clients not running Active Directory-enabled software, and

replication requests from Microsoft Windows NT 4.0 backup domain controllers.

Relative Identifier (RID) Master: It ensures that all security principals have a unique identifier by allocating RIDs to all domain controllers.

Infrastructure Master: It keeps a list of security principals from other domains that are members of groups within its domain.
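Because an unavailable role holder blocks the single-master operation it owns, a practitioner wants to know who holds each of the five roles and whether each holder answers. The following is an added example, not code from the essay; it assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the forest.

```powershell
# Added example, not from the essay: inventory the five operations master role
# holders and check that each one answers an LDAP bind. Assumes the ActiveDirectory
# RSAT module on a domain-joined host with read access to the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
# The two forest-wide roles exist once in the whole forest.
$roles = @(
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
)
# The three domain-wide roles exist once in every domain of the forest.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles += [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    $roles += [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $domain.RIDMaster }
    $roles += [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
}

# An unreachable role holder blocks the single-master operation it owns (schema
# updates, RID pool allocation, NT 4.0 BDC replication, and so on), so bind to
# each holder directly rather than asking a nearby DC whether the object exists.
foreach ($r in $roles) {
    $bound = Get-ADRootDSE -Server $r.Holder -ErrorAction SilentlyContinue
    $r | Add-Member -NotePropertyName Reachable -NotePropertyValue ([bool]$bound)
}
$roles | Format-Table Scope, Role, Holder, Reachable -AutoSize

# Any role whose holder did not answer is the one to investigate first.
$roles | Where-Object { -not $_.Reachable }
```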


1) Delegating Control in Active Directory

Although every environment is different in some way, shape, or form, the reality is that most large enterprises are similar in many ways and face the same IT challenges. For instance, many organizations are divided into geographic regions, have evolved from separate IT engineering or operational support teams, and have independent business units. And many large organizations must deal with such matters as privilege escalation, service account abuse, and "trust." Trust is an interesting term and often becomes the justification for having multiple Active Directory forests. Trust issues frequently stem from one division's or region's ability to impact the system availability of another division or region. It's common for skill levels to differ across organizational boundaries and for there to be a lack of in-depth knowledge of specific systems required to support a particular region or business unit. Thus, divisions typically don't want to give up their administrative rights to a central group.

Service administration is the management of critical directory service infrastructure components, such as Exchange servers and domain controllers. Data administration is the management of objects, such as mailboxes and user accounts that reside within these services. Within the scope of Active Directory, service administrators are ultimately responsible for the delivery and availability of directory services while data administrators manage user and server accounts, groups, and other domain resources. Since many characteristics of large organizations are similar, it's safe to assume that a common delegation model can be implemented. For the purposes of this article, we'll provide a sample set of roles that enable management capabilities while respecting organizational boundaries and attempting to mitigate trust issues (such as the availability of enterprise wide assets like domain controllers).

Domain Admins is a group; the Domain Admins group, the Enterprise Admins group and the built-in Administrator account are all members of the domain's Administrators group. Since this group has complete control of the domain, we should exercise caution when adding users to it. Data owners are responsible for maintaining the information stored in the directory. This includes user and computer account management and the management of local resources, such as member servers and workstations.

One of the basic reasons organizations create organizational units is to distribute administrative tasks effectively across the organization by delegating control. In a decentralized administrative model, delegation becomes even more important. With delegation of administration, responsibility for managing organizational units shifts from a central administrator to a group of administrators. One of the important features of Active Directory is its ability to grant access to individual organizational units: without creating multiple Active Directory domains, we can control access down to the lowest level of the organization.

2) Weighing User Authentication Options:

User authentication validates the identity of any user who tries to log on to the network or access any of its resources. In Windows 2000, access to all network resources can be granted based on a single sign-on. A user needs to provide a password only once, when logging on, and can then access resources on any machine in the domain. This is quick and efficient from the user's perspective, and for administrators the support burden is reduced significantly because only one account per user needs to be managed.

Windows 2000 user authentication consists of two parts, interactive logon and network authentication. It is essentially a single process implemented in two parts, and successful authentication depends on both. The next section briefly describes both parts.

When a user starts work on a computer, he needs to provide his credentials so that the computer grants him access to resources (mouse, network access, monitor, etc.). This is the first part of the single sign-on process, known as interactive logon. It confirms the user's identity to his local machine or to his Active Directory domain account.

The single sign-on credentials are stored in Active Directory. The user logs on to the network with his domain account and, if authorized, can access resources in that domain or in any other trusting domain. When logging on to a Windows 2000 computer with a domain account in a Windows 2000 domain, Windows uses Kerberos version 5 (V5) for authentication if a password is used. If the user chooses a smart card instead, Windows handles it using Kerberos V5 authentication with certificates. On the other hand, if the domain controller is Windows NT 4.0 or the user's computer runs Windows NT 4.0, Windows NT LAN Manager (NTLM) is the authentication protocol used. (For further details on Kerberos and NTLM, please refer to the next section.) The Security Accounts Manager (SAM) is the Windows 2000 local security account database. A user logging on to a local computer with a local account does so based on credentials stored in the SAM. Local user accounts can be stored on any Windows 2000 computer that is not a domain controller, but these accounts provide access to that local computer only. Users with a domain account provide credentials only once, at sign-on; users with only a local account must provide credentials every time they try to access a network resource.
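Whether a logon used Kerberos or fell back to NTLM is recorded in the Security log, so an administrator can find the accounts and machines that still authenticate the NT 4.0 way. The script below is an added example, not code from the essay; the two event 4624 records are constructed samples, and on a real domain controller the same parser can be fed the output of Get-WinEvent.

```powershell
# Added example, not from the essay: summarise which logons used Kerberos and
# which used NTLM from Security event 4624 records. The two events below are
# constructed samples; on a real domain controller, feed in
# (Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]').ToXml()
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$ev1 = @"
<Event xmlns="$ns"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2024-01-01T08:00:00Z"/></System><EventData>
<Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">EXAMPLE</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">10.0.0.11</Data>
</EventData></Event>
"@
$ev2 = @"
<Event xmlns="$ns"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2024-01-01T08:01:00Z"/></System><EventData>
<Data Name="TargetUserName">legacy-svc</Data><Data Name="TargetDomainName">EXAMPLE</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="LmPackageName">NTLM V1</Data><Data Name="WorkstationName">NT4BOX</Data>
<Data Name="IpAddress">10.0.0.77</Data></EventData></Event>
"@

function ConvertFrom-LogonEvent {
    param([string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $x.Event.System.TimeCreated.SystemTime
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']             # 2 = interactive, 3 = network
        Package     = $data['AuthenticationPackageName']  # Kerberos or NTLM
        LmPackage   = $data['LmPackageName']              # NTLM V1/V2 detail, NTLM only
        Workstation = $data['WorkstationName']
        Source      = $data['IpAddress']
    }
}

$logons = @($ev1, $ev2) | ForEach-Object { ConvertFrom-LogonEvent $_ }
# Accounts still authenticating with NTLM identify clients or domain controllers
# that did not use Kerberos, the case the essay describes for Windows NT 4.0.
$logons | Group-Object Package | Select-Object Name, Count
$logons | Where-Object Package -eq 'NTLM' | Format-Table Account, LmPackage, Workstation, Source
```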

A good security system performs multiple tasks. One is user authentication, discussed in the previous section; another is protection of specific data or resources from use by unauthorized users. Active Directory ensures that no unauthorized access to resources is allowed. Depending on the viewpoint, this is termed:

user authorization, when seen from the user's side, or

object-based access control, when seen from the standpoint of the objects being protected.

The type of access granted to a user account is determined by the access control permissions attached to the object and by the user rights assigned to the user's groups.


1) Windows Restriction:

Group Policy must be mentioned when we talk about Active Directory. Group Policy is used by administrators to define computer and user settings across the network. The settings are stored in Group Policy Objects (GPOs), which are in turn linked to Active Directory containers such as sites and domains. This is the mechanism used to apply changes to users and computers throughout the Windows network.

The configurable aspects of Windows, ports open in the firewall for example, are controlled by policy settings. Each setting applies either to the user or to the computer. They cover anything from logon and logoff, running scripts at startup and installing software to registry changes made through administrative templates.

One of the biggest reasons for deploying Active Directory is that it allows us to manage user and computer objects. GPOs contain Group Policy settings and are linked to organizational units (OUs), sites and domains (the Active Directory service containers). The intended targets then evaluate the settings using the hierarchical nature of Active Directory.

Terminal Services user configuration is managed through ADSI in the same way as other AD attributes, with one exception: the properties exposed by the Terminal Services User component are not mapped to individual AD attributes. Instead, all the Terminal Services settings are stored in userParameters, a single binary attribute. Hence, delegating administrative control over individual settings is not possible, but we can use the extension to read and configure a user's Terminal Services settings.

Equal Rights:

One important benefit of Windows Server 2003 Active Directory domains over all previous versions of Windows network directory services is the ability to delegate administrative authority over individual object attributes. To grant single-purpose administrative authority, you do not have to give a user membership of an administrative group. This means that the department head of a small organization can administer the PCs in his department without being an administrator or having admin access. OUs and Group Policy make delegation possible. Delegation can be configured either manually or with the help of the Delegation of Control Wizard found in the Active Directory Users and Computers MMC console. To launch the wizard, select the OU and choose the Delegate Control command. With this wizard we can grant administrative-level authority to a non-administrative user.

Once we have delegated, we need to cross-check that the delegation was done properly. Navigate to View | Advanced Features in the Active Directory Users and Computers MMC console. Then right-click the OU concerned and select Properties. In the dialog box that appears next, click Advanced. The delegated permissions are visible on the Permissions tab of the resulting dialog box.
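The same cross-check can be scripted, which is useful when many OUs have been delegated: list the explicit (non-inherited) entries on the OU's security descriptor and flag any that grant far more than the intended task. This is an added example, not code from the essay; it assumes the ActiveDirectory module, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the essay: list the explicit (non-inherited) permissions
# on an OU to confirm what the Delegation of Control Wizard granted.
# Assumes the ActiveDirectory module; the OU distinguished name is a placeholder.
Import-Module ActiveDirectory
$ouDn = 'OU=Sales,DC=example,DC=com'   # placeholder, replace with your OU

# Map schema and extended-right GUIDs to names so the ObjectType column is readable.
$rootDse = Get-ADRootDSE
$guidMap = @{ [guid]::Empty = 'All' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.name }

# Inherited entries come from the domain or a parent OU; only explicit ones were
# set on this OU, for example by the Delegation of Control Wizard.
$acl = Get-Acl -Path "AD:\$ouDn"
$delegated = $acl.Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.IdentityReference
            Access    = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            AppliesTo = $guidMap[$_.ObjectType]   # attribute, class or extended right
            Inherit   = $_.InheritanceType
        }
    }
$delegated | Format-Table -AutoSize

# Full control, or the right to change the owner or DACL, lets the trustee grant
# themselves more than the task that was delegated, so review these entries.
$delegated | Where-Object { $_.Access -eq 'Allow' -and $_.Rights -match 'GenericAll|WriteDacl|WriteOwner' }
```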

The load on administrators can be reduced a great deal with a little planning and thought. Delegating tasks to "power users" by giving them extra capability and responsibility makes life much easier and simpler.