The Configure Operations Masters Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The date and time on all computers running on a Windows Server 2008 network are synchronized by the Windows Server 2008 Windows Time service (W32time). To make it a reliable and scalable time service for enterprise administrators, the service integrates the Network Time Protocol (NTP) and time providers.

The purpose of the Windows Time service is to make sure that all computers running the Windows operating system in an organization use a common time. To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops. The domain controller at the top of the hierarchy, which is the primary domain controller (PDC) operations master in the forest root domain, provides authoritative time to the other domain controllers, which domain clients in turn use as their time source.

5.1.1 Windows time source selection

By default, Windows-based computers use the following sources for time synchronization:

For computers that are joined to a domain, the first query is to a time source in the parent domain.

If the time client is in a single-domain forest, the first query is to the PDC emulator in the domain.

The authoritative time source at the root of the forest can acquire its time by connecting to a hardware clock installed on the internal network or by connecting to an external NTP server that is connected to a hardware device. If no domain controller in the forest root domain is configured as the authoritative time source, the domain controller that holds the PDC emulator operations master role provides time to the computers in the forest by using its internal clock.

5.1.2 External NTP time servers

There are many external NTP servers available over the Internet:

The National Institute of Standards and Technology (NIST) in Boulder, Colorado.

The U.S. Naval Observatory (USNO) Time Service Department in Washington, DC.

For the most highly accurate time synchronization, we can configure a hardware clock as the time source for the PDC. Many consumer and enterprise devices use NTP, so such a device can be installed on an internal network for use with the PDC.

Command-line tool to configure Windows Time service: w32tm

5.1.3 W32tm and net time

The net time commands are the predecessors of the w32tm commands. They should not be used to configure the Windows Time service or to set the time on a computer while the Windows Time service is running. Using w32tm commands is the recommended method for configuring the Windows Time service and displaying Windows Time service information for the operating system.

The command net time /querysntp displays Simple Network Time Protocol (SNTP) information for the Windows operating system, but it does not display complete time configuration information. On Windows Vista and Windows Server 2008, we can use the w32tm /query /configuration command to determine whether a computer is configured to synchronize time from the domain hierarchy. The line labeled Type in the command output shows the time synchronization method that the client is using. The possible values of the Type line are:

NoSync indicates that the client does not synchronize time.

NTP indicates that the client synchronizes time from an external time source. (View NtpServer to see the name of the server that is used for time synchronization.)

NT5DS indicates that the client is configured to synchronize time by using the domain hierarchy.

AllSync indicates that the client synchronizes time from any available time source.
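
As an added example (not part of the original essay), the PowerShell function below reads the Type and NtpServer lines from w32tm /query /configuration output and compares them with the time hierarchy described in 5.1.1. The function name, role labels, computer names and sample output lines are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: interpret the Type line of `w32tm /query /configuration`.
# Function name, role labels and sample data are hypothetical.
function Get-TimeSyncFinding {
    param(
        [string]   $ComputerName,
        [ValidateSet('ForestRootPdc', 'DomainMember')]
        [string]   $Role,
        [string[]] $ConfigLines      # text lines from: w32tm /query /configuration
    )

    $type = ''; $ntpServer = ''
    foreach ($line in $ConfigLines) {
        # Lines look like "Type: NT5DS (Local)"; the suffix names where the setting came from.
        if ($line -match '^\s*Type:\s*(\S+)')      { $type = $Matches[1] }
        if ($line -match '^\s*NtpServer:\s*(\S+)') { $ntpServer = $Matches[1] }
    }

    if ($type -eq '') {
        $finding = 'FLAG: no Type line in the output'
    } elseif ($type -eq 'NoSync') {
        $finding = 'FLAG: does not synchronize time'
    } elseif ($type -eq 'NT5DS' -and $Role -eq 'DomainMember') {
        $finding = 'OK: synchronizes from the domain hierarchy'
    } elseif ($type -eq 'NT5DS') {
        $finding = 'NOTE: no external source configured; forest time follows the internal clock'
    } elseif ($type -eq 'NTP' -and $Role -eq 'ForestRootPdc') {
        $finding = "OK: external time source $ntpServer"
    } elseif ($type -eq 'NTP') {
        $finding = "REVIEW: bypasses the domain hierarchy, uses $ntpServer"
    } elseif ($type -eq 'AllSync') {
        $finding = 'REVIEW: accepts any available time source'
    } else {
        $finding = "FLAG: unrecognized Type value $type"
    }

    [pscustomobject]@{ Computer = $ComputerName; Type = $type; Finding = $finding }
}

# Constructed sample output for three machines (not captured from a real network).
$samples = @(
    @{ ComputerName = 'ROOT-DC1'; Role = 'ForestRootPdc'
       ConfigLines  = 'NtpClient (Local)', 'Type: NTP (Local)', 'NtpServer: ntp.example.test,0x8 (Local)' },
    @{ ComputerName = 'FILE01'; Role = 'DomainMember'
       ConfigLines  = 'NtpClient (Local)', '', 'Type: NT5DS (Local)' },
    @{ ComputerName = 'KIOSK07'; Role = 'DomainMember'
       ConfigLines  = 'NtpClient (Local)', 'Type: NoSync (Local)' }
)

foreach ($s in $samples) { Get-TimeSyncFinding @s }
```

On a live computer, pass the command's output directly, for example -ConfigLines (w32tm /query /configuration).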

5.2 Introduction to Administering Operations Master Roles

Domain controllers that hold operations master roles keep the directory functioning properly by performing specific tasks that other domain controllers are not allowed to perform.

Three operations master roles exist in each domain:

The primary domain controller (PDC) emulator operations master processes all replication requests. The PDC emulator also processes password updates for clients that are not running AD-enabled client software, as well as any other directory write operations. The PDC emulator in the forest root domain is the default Windows Time service time source for the forest.

The relative ID (RID) operations master allocates RID pools to all domain controllers. This is to ensure new security principals can be created with a unique identifier.

The Infrastructure operations master manages references from objects in its domain to objects in other domains. When the members of groups are renamed or modified, the infrastructure operations master updates group-to-user references.

Two operations master roles exist in each forest:

The schema operations master handles any changes made to the schema.

The domain naming operations master handles creating, updating and deleting domain directory partitions to and from the forest.

The domain controllers that hold operations master roles must always be available and must be located in areas of high network reliability to perform their respective operations. As more domains and sites are added to the forest, placement of the operations masters becomes more important.

5.2.1 Guidelines for role placement

If the operations master role holders are placed improperly, clients can be prevented from changing their passwords or from adding domains and new objects. In addition, schema changes might be impossible, and names might appear incorrectly within group memberships that are displayed in the user interface (UI). Note that operations master roles cannot be placed on a read-only domain controller (RODC).

Improper infrastructure master role placement can cause the infrastructure master to perform incorrectly. Other improper operations master configurations can increase administrative overhead. Following the guidelines helps to minimize administrative overhead and ensure the proper performance of AD Domain Services, and it simplifies the recovery process if a domain controller that is hosting an operations master role fails.

Follow these guidelines for operations master role placement:

Configure an additional domain controller as the standby operations master for the forest-level roles and one for domain-level roles.

Place the domain-level roles on a high-performance domain controller.

Do not place domain-level roles on a global catalog server.

Leave the two forest-level roles on a domain controller in the forest root domain.

In the forest root domain, transfer the three domain-level roles from the first domain controller that we installed in the forest root domain to an additional domain controller that has a high performance level.

In all other domains, leave the domain-level roles on the first domain controller.

Adjust the workload of the PDC emulator, if necessary.

5.2.2 Guidelines for role transfer

Role transfer is the preferred method to move an operations master role from one domain controller to another. During a role transfer, the two domain controllers replicate to ensure that no information is lost. After the transfer is complete, the previous role holder no longer attempts to perform as the operations master, which eliminates the possibility of duplicate operations masters existing on the network.

Consider moving an operations master role under the following conditions:

Inadequate service performance.

Failure of a domain controller that hosts an operations master role.

Decommissioning of a domain controller that hosts an operations master role.

Administrative configuration changes that affect operations master role placement.

5.3 Transferring an Operations Master Role

When we create a new domain, the AD Domain Services Installation Wizard automatically assigns all the domain-level operations master roles to the first domain controller that is created in that domain. When we create a new forest, the wizard also assigns the two forest-level operations master roles to the first domain controller. After the domain is created and functioning, we might transfer various operations master roles to different domain controllers to optimize performance and simplify administration.

When we transfer domain-level roles, we must determine whether the domain controller that we want to assume an operations master role is a global catalog server. The infrastructure master for each domain must not host the global catalog.

The following are required to perform the procedures for this task:

Repadmin.exe

Active Directory Sites and Services

Active Directory Domains and Trusts

Active Directory Schema snap-in

Active Directory Users and Computers

Ntdsutil.exe

To transfer an operations master role, perform the following procedures:

Verify successful replication to a domain controller.

Determine whether a domain controller is a global catalog server.

Install the Schema Snap-In.

Transfer the schema master.

Transfer the domain naming master.

Transfer the domain-level operations master roles.

View the current operations master role holders.

5.3.1 Verify Successful Replication to Domain Controller

We can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If we are not running Repadmin on the domain controller whose replication we are checking, we can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:

Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.

Last attempt @ [Never] was successful.

If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

To verify successful replication to a domain controller:

Start  Command Prompt.

Type the following command into Command Prompt and press ENTER:

repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

At the Password prompt, type the password for the user account, and then press ENTER.
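
The check described in 5.3.1 can also be run over saved repadmin /showrepl output. The PowerShell function below is an added example, not part of the original essay; its name, the sample output and the host names under example.test are constructed, and PowerShell 3.0 or later is assumed. It treats the [Never] case separately because that line still ends in "was successful".

```powershell
# Added example: summarize inbound replication from `repadmin /showrepl` text.
# Function name and sample output are constructed for illustration.
function Get-InboundReplicationStatus {
    param([string[]] $ShowReplLines)

    $inbound = $false; $partition = ''; $source = ''
    foreach ($line in $ShowReplLines) {
        if ($line -match 'INBOUND NEIGHBORS')  { $inbound = $true;  continue }
        if ($line -match 'OUTBOUND NEIGHBORS') { $inbound = $false; continue }
        if (-not $inbound) { continue }

        # Partition DNs start at column 0; the source partner line is indented.
        if ($line -match '^(CN|DC)=')             { $partition = $line.Trim(); continue }
        if ($line -match '^\s+(.+\\\S+)\s+via\s') { $source = $Matches[1];     continue }

        if ($line -match 'Last attempt @ (.+?) (was successful|failed)') {
            $when = $Matches[1]; $outcome = $Matches[2]
            # "[Never] was successful" contains the words "was successful",
            # so the timestamp is checked before the outcome.
            if     ($when -eq '[Never]')   { $status = 'NeverReplicated' }
            elseif ($outcome -eq 'failed') { $status = 'Failed' }
            else                           { $status = 'OK' }
            [pscustomobject]@{
                Partition = $partition; Source = $source
                LastAttempt = $when;    Status = $status
            }
        }
    }
}

# Constructed sample in the layout repadmin prints (not captured from a real DC).
$sample = @(
    'Site1\DC1',
    '',
    '==== INBOUND NEIGHBORS ======================================',
    '',
    'DC=corp,DC=example,DC=test',
    '    Site1\DC2 via RPC',
    '        Last attempt @ 2010-05-01 10:15:32 was successful.',
    '',
    'CN=Configuration,DC=corp,DC=example,DC=test',
    '    Site1\DC2 via RPC',
    '        Last attempt @ 2010-05-01 10:15:40 failed, result 1722 (0x6ba):',
    '',
    'CN=Schema,CN=Configuration,DC=corp,DC=example,DC=test',
    '    Site2\DC3 via RPC',
    '        Last attempt @ [Never] was successful.'
)

$report = Get-InboundReplicationStatus -ShowReplLines $sample
# Partitions that need attention before a role is moved to this domain controller.
$report | Where-Object { $_.Status -ne 'OK' }
```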

5.3.2 Determine Whether a Domain Controller is a Global Catalog Server

We can use the setting on the NTDS Settings object to determine whether a domain controller is designated as a global catalog server.

When we perform this procedure remotely by using Remote Server Administration Tools (RSAT), the minimum requirement to complete it is membership in Domain Users, or equivalent.

To determine whether a domain controller is a global catalog server:

Start > Administrative Tools > Active Directory Sites and Services.

In the console tree, expand the Sites container, expand the site of the domain controller, expand the Servers container, and then expand the Server object.

Right-click NTDS Settings, and then click Properties.

On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

5.3.3 Install the Schema Snap-In

The following are the steps to install the Active Directory Schema snap-in:

Start > Command Prompt.

At the command prompt, type the following command and press ENTER:

regsvr32 schmmgmt.dll

A message indicates that the command succeeded. Click OK.

Start > Control Panel > Appearance > Show hidden files and folders.

On the View tab, select Show hidden files, folders, and drives, and then click OK.

Start > Run, type mmc, and then click OK.

On the File menu, click Add/Remove Snap-in.

Under Available snap-ins, click Active Directory Schema, click Add, and then click OK.

To save this snap-in, on the File menu, click Save.

In the Save As dialog box, do one of the following:

To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, such as Active Directory Schema. In Save in, navigate to the following folder:

%systemroot%\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

Click Save.

To save the snap-in in a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

5.3.4 Transfer the Schema Master

The schema master is a forest-wide operations master role (also known as flexible single master operations or FSMO).

The following are the steps to transfer the schema master:

Open the Active Directory Schema snap-in.

In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller.

In the Change Directory Server dialog box, under Change to, click This Domain Controller or AD LDS instance.

In the list of domain controllers, click the name of the domain controller to which we want to transfer the schema master role, and then click OK.

In the console tree, right-click Active Directory Schema, and then click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the schema master role. The targeted domain controller is listed in the second box.

Click Change, and then click Yes to confirm the choice. The system confirms the operation. Click OK again to confirm that the operation succeeded.

Click Close to close the Change Schema Master dialog box.

5.3.5 Transfer the Domain Naming Master

The following are the steps to transfer the domain naming master:

Start > Administrative Tools > Active Directory Domains and Trusts.

In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.

Ensure that the correct domain name is entered in Look in this domain.

In the Name column, click the domain controller to which we want to transfer the domain naming master role, and then click OK.

At the top of the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

Click Change. To confirm the role transfer, click Yes, click OK again to close the message box indicating that the transfer took place, and then click Close to close the Operations Master dialog box.

5.3.6 Transfer the Domain-Level Operations Master Roles

The following are the steps to transfer a domain-level operations master role:

Start > Administrative Tools > Active Directory Users and Computers.

At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller.

Ensure that the correct domain name is entered in Look in this domain.

In the Name column, click the domain controller to which we want to transfer the role, and then click OK.

At the top of the console tree, right-click Active Directory Users and Computers, click All Tasks, and then click Operations Masters.

Click the tab for the operations master role that we want to transfer (RID, PDC or Infrastructure), verify the computer names that appear, click Change, click Yes to transfer the role, and then click OK.

Repeat steps 5 and 6 for each role that we want to transfer.

5.3.7 View the Current Operations Master Role Holders

After we transfer an operations master role, we can use this procedure to verify that the transfer has occurred successfully throughout the domain. To have full effect, the change must be replicated to all domain controllers in the domain for a domain-level role and to all domain controllers in the forest for a forest-level role.

The following are the steps to view the current operations master role holders:

Click Start, and then type ntdsutil in Start Search.

At the ntdsutil: prompt, type roles, and then press ENTER.

At the fsmo maintenance: prompt, type connections, and then press ENTER.

At the server connections: prompt, type connect to server <servername>.

After receiving confirmation of the connection, type quit, and then press ENTER to exit this menu.

At the fsmo maintenance: prompt, type select operation target, and then press ENTER.

At the select operation target: prompt, type list roles for connected server, and then press ENTER.

The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role.

Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.

5.4 Seizing an Operations Master Role

Role seizure is the act of assigning an operations master role to a new domain controller without the cooperation of the current role holder. This is done because the role holder is offline as a result of a hardware failure. During role seizure, the new domain controller assumes the operations master role without communicating with the current role holder.

Role seizure should be performed only as a last resort. Role seizure can cause the following directory problems:

Data loss or directory inconsistency as a result of replication latency.

Two domain controllers performing the same role.

The following are required to perform the procedures for seizing an operations master role:

Repadmin.exe

Ntdsutil.exe

To seize an operations master role, perform the following procedures:

Verify successful replication to a domain controller

Seize the operations master role

View the current operations master role holders

5.4.1 Seize the Operations Master Role

The following are the steps to seize an operations master role:

Start > Command Prompt.

At the command prompt, type ntdsutil, and then press ENTER.

At the ntdsutil: prompt, type roles, and then press ENTER.

At the fsmo maintenance: prompt, type connections, and then press ENTER.

At the server connections: prompt, type connect to server <servername>.

After receiving confirmation of the connection, type quit, and then press ENTER.

Depending on the role we want to seize, at the fsmo maintenance: prompt, type the appropriate command, and then press ENTER.

Role                                     | Credentials       | Command
-----------------------------------------|-------------------|----------------------------
Domain Naming Master                     | Enterprise Admins | Seize naming master
Schema Master                            | Schema Admins     | Seize schema master
Infrastructure Master                    | Domain Admins     | Seize infrastructure master
Primary Domain Controller (PDC) emulator | Domain Admins     | Seize pdc
RID Master                               | Domain Admins     | Seize rid master

Type quit  press ENTER  type quit  press ENTER to exit Ntdsutil.exe.

5.5 Designating a Standby Operations Master

A standby operations master is a domain controller that we identify as the computer that assumes the operations master role if the original computer fails. A single domain controller can act as the standby operations master for all the operations master roles in a domain or we can designate a separate standby for each operations master role.

The following tools are required to designate a standby operations master:

Active Directory Sites and Services

Repadmin.exe

To designate a standby operations master, perform the following procedures:

Determine whether a domain controller is a global catalog server.

Create a connection object on the operations master and standby.

Verify successful replication to a domain controller.

5.5.1 Create a Connection Object on the Operations Master and Standby

We can manually create connection objects between the current operations master role holder and the standby operations master to ensure that the two domain controllers are replication partners.

The following are the steps to create a connection object on the operations master and standby:

Start > Administrative Tools > Active Directory Sites and Services.

Expand the site name in which the current operations master role holder is located to display the Servers folder.

Expand the Servers folder to see a list of the servers in that site.

To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which we want to create the connection object to display its NTDS Settings object.

Right-click NTDS Settings, click New, and then click Connection.

In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which we want to create the connection object, and then click OK.

In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK.

To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.
