Windows Server 2003 Administrator
FSMO (Flexible Single Master Operations) Roles
In a forest there are five FSMO roles, each held by exactly one domain controller at a time. Two are forest-wide (Schema Master and Domain Naming Master, one holder per forest) and three are domain-wide (Infrastructure Master, RID Master and PDC Emulator, one holder in each domain). Because every role has a single holder, losing that domain controller affects the whole forest or domain until the role is transferred or seized, so it is worth knowing where they live; netdom query fsmo (from the Windows Server 2003 Support Tools) lists the current holders. The five FSMO roles are:
Schema Master:
The Schema Master controls all updates and modifications to the schema. The schema defines every object class in the directory and the attributes associated with each class. There is one Schema Master per forest; schema changes are written only on that domain controller and then replicated to all others.
Domain naming master:
The Domain Naming Master controls the addition and removal of domains in the forest, which keeps domain names unique forest-wide. There is one Domain Naming Master per forest.
Infrastructure Master:
The Infrastructure Master maintains cross-domain object references. When an object that is referenced from another domain (for example a user from domain A who is a member of a group in domain B) is moved, renamed or deleted, the Infrastructure Master updates the references held in its own domain. This work is needed only in a multi-domain forest. In a single-domain forest every domain controller already knows about the change, so the role has nothing to do. Likewise, if every domain controller in the domain is also a global catalog server, they all hold the replica that carries the update and the Infrastructure Master is not needed. The caveat is the reverse case: in a multi-domain forest where not all domain controllers are global catalogs, the Infrastructure Master must not be hosted on a global catalog server, because a global catalog never holds a stale reference and therefore never notices that anything needs updating.
Relative ID (RID) Master:
The RID Master allocates pools of relative identifiers (RIDs) to the domain controllers in its domain. When a domain controller creates a security principal (a user, group or computer account), it assigns the object a security identifier (SID). The SID must be unique within the domain and is formed by appending a RID to the domain SID. The domain SID is constant for the domain, while the RID is taken from the pool the domain controller obtained from the RID Master; because each pool is handed out only once, two domain controllers can never issue the same SID. When a domain controller uses up its pool it requests another from the RID Master. If the RID Master is unavailable and a domain controller exhausts its pool, that domain controller can no longer create security principals until the role is reachable again (or has been seized by another domain controller). RIDs below 1000 are reserved for well-known principals: RID 500 is the built-in Administrator account and RID 512 is Domain Admins, so a renamed Administrator account is still identifiable by its RID.
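The SID composition and RID pool behaviour described above, as an added example that is not part of the original page. The domain SID, the tiny block size of 3 and the account names are constructed; a real RID Master hands out blocks of 500 and a domain controller asks for the next block before its current one is fully used.

```python
"""SID construction from domain SID + RID, and a RID pool simulation.

Added example, not from the original page. The domain SID and block size
are constructed values; real RID pools default to 500 RIDs and a domain
controller requests a new block before the current one is fully used.
"""
from __future__ import annotations
import re

# Constructed domain SID for the examples below.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"

# Well-known RIDs that exist in every domain; a renamed account keeps its RID.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")  # domain SID followed by a RID


def build_sid(domain_sid: str, rid: int) -> str:
    """A domain SID is constant; appending the RID yields the principal's SID."""
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID) for a domain principal SID."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a domain principal SID: {sid}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def describe_rid(sid: str) -> str:
    """Name the well-known principal behind a SID, regardless of account name."""
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, "ordinary principal")


class RidMaster:
    """Hands out non-overlapping RID blocks; only one exists per domain."""

    def __init__(self, block_size: int = 500):
        self.block_size = block_size
        self.next_rid = 1000  # RIDs below 1000 are reserved for well-known principals
        self.available = True

    def allocate_block(self) -> range:
        if not self.available:
            raise RuntimeError("RID Master unreachable: no new RID block")
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        return block


class DomainController:
    """Creates security principals from its local RID pool."""

    def __init__(self, name: str, master: RidMaster, domain_sid: str):
        self.name = name
        self.master = master
        self.domain_sid = domain_sid
        self.pool = iter(())  # empty until the first block is fetched

    def create_principal(self, sam_account_name: str) -> str:
        try:
            rid = next(self.pool)
        except StopIteration:
            # Pool exhausted: ask the RID Master for a fresh block. Without the
            # RID Master this fails and the object cannot be created.
            self.pool = iter(self.master.allocate_block())
            rid = next(self.pool)
        return build_sid(self.domain_sid, rid)


def demo() -> tuple[list[str], bool]:
    """Two DCs share one RID Master; then the master goes away."""
    master = RidMaster(block_size=3)
    dc1 = DomainController("DC01", master, DOMAIN_SID)
    dc2 = DomainController("DC02", master, DOMAIN_SID)
    sids = [dc1.create_principal("svc1"), dc2.create_principal("svc2"),
            dc1.create_principal("svc3")]
    master.available = False
    failed = False
    try:
        dc1.create_principal("svc4")  # still inside DC01's block of 3
        dc1.create_principal("svc5")  # DC01's pool is now empty
    except RuntimeError:
        failed = True
    return sids, failed


if __name__ == "__main__":
    created, creation_failed = demo()
    for sid in created:
        print(sid, "->", describe_rid(sid))
    print("creation failed after RID Master went away:", creation_failed)
```

The two domain controllers receive disjoint blocks (1000-1002 and 1003-1005), so the SIDs they issue never collide even though they never talk to each other; the fifth creation on DC01 is the failure mode the text describes.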
PDC Emulator:
The PDC Emulator is used in every domain, not only in domains that still contain Windows NT computers. For legacy clients and Windows NT backup domain controllers (BDCs) it acts as the Windows NT primary domain controller (PDC). In addition, it receives preferential treatment for password changes: a password change made on any other domain controller is replicated to the PDC Emulator immediately, and if a domain controller rejects a logon because of a bad password it forwards the request to the PDC Emulator before returning a failure, so a freshly changed password works even before normal replication has completed. The PDC Emulator is also the domain's authoritative time source, the domain controller that processes account lockouts, and the domain controller the Group Policy editing tools connect to by default.
GPO behavior
Group Policy is processed in the following order (Local, Site, Domain, OU, often abbreviated LSDOU):
Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
GPOs applied later override conflicting settings applied earlier, so a setting in a child OU GPO wins over the same setting in a domain GPO, and any domain GPO wins over the local policy. Two options change this: a GPO link marked Enforced (No Override in the older tools) cannot be overridden by lower-level GPOs, and a container marked Block Inheritance ignores GPOs from higher levels except those that are Enforced. Within one container the link order decides: link order 1 is applied last and wins. The effective result on a given computer and user can be checked with gpresult.
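The precedence rules above (later-applied wins, link order, Enforced, Block Inheritance) as a small model in working code. This is an added example, not code from the original page; the site, domain, OU and GPO names and the settings they carry are constructed.

```python
"""Resolve which GPO wins for each setting under LSDOU processing.

Added example, not from the original page: a small model of the precedence
rules (later-applied wins, link order, Enforced, Block Inheritance). The
container names, GPO names and settings are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str
    link_order: int          # 1 = highest precedence within the container
    enforced: bool = False


@dataclass
class Container:
    name: str                # site, domain, OU or child OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain: list[Container]) -> list[str]:
    """Order in which GPOs are applied to a target; the last one applied wins.

    chain is ordered Site -> Domain -> OU -> child OU (the local GPO always
    comes first and is not subject to Block Inheritance).
    - within a container, links are applied from highest link_order down to 1
    - Block Inheritance on a container drops non-enforced links from every
      container above it
    - Enforced links are applied after all others, highest container last, so
      an enforced domain GPO beats an enforced OU GPO
    """
    normal = ["Local"]
    enforced_per_level: list[list[str]] = []
    for depth, container in enumerate(chain):
        blocked = any(c.block_inheritance for c in chain[depth + 1:])
        ordered = sorted(container.links, key=lambda l: l.link_order, reverse=True)
        enforced_per_level.append([l.gpo for l in ordered if l.enforced])
        if not blocked:
            normal.extend(l.gpo for l in ordered if not l.enforced)
    for level in reversed(enforced_per_level):
        normal.extend(level)
    return normal


def resolve(chain: list[Container], gpo_settings: dict[str, dict]) -> dict[str, tuple]:
    """Final value and winning GPO for every setting, by replaying the order."""
    result: dict[str, tuple] = {}
    for gpo in application_order(chain):
        for setting, value in gpo_settings.get(gpo, {}).items():
            result[setting] = (value, gpo)
    return result


# Constructed example: a web server in OU=Web,OU=Servers with inheritance blocked.
GPO_SETTINGS = {
    "Local": {"ScreenSaverTimeout": 1200},
    "Site-Policy": {"ScreenSaverTimeout": 900, "AuditLogon": "Success"},
    "Default Domain Policy": {"ScreenSaverTimeout": 600},
    "Domain-Audit": {"AuditLogon": "Success,Failure"},
    "Server-Baseline": {"DisableCmd": False, "ScreenSaverTimeout": 450},
    "Server-Hardening": {"ScreenSaverTimeout": 300, "AuditLogon": "Failure"},
    "Web-Lockdown": {"DisableCmd": True},
}


def example_chain() -> list[Container]:
    return [
        Container("Site Default-First-Site-Name", [GpoLink("Site-Policy", 1)]),
        Container("Domain corp.example", [GpoLink("Default Domain Policy", 2),
                                          GpoLink("Domain-Audit", 1, enforced=True)]),
        Container("OU Servers", [GpoLink("Server-Baseline", 2),
                                 GpoLink("Server-Hardening", 1)],
                  block_inheritance=True),
        Container("OU Web", [GpoLink("Web-Lockdown", 1)]),
    ]


if __name__ == "__main__":
    for setting, (value, gpo) in resolve(example_chain(), GPO_SETTINGS).items():
        print(f"{setting:18} = {value!s:16} (from {gpo})")
```

With Block Inheritance on the Servers OU, the site GPO and the Default Domain Policy are skipped entirely, but the enforced Domain-Audit GPO still wins the AuditLogon setting over the OU's own value; clearing the block lets the site and domain GPOs apply again, and they still lose to the OU GPOs because those are applied later.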
GPO
A Group Policy Object (GPO) is a collection of settings that define how a system looks and behaves for a defined group of users and computers. Microsoft provides an MMC snap-in, the Group Policy Object Editor, for creating and editing GPOs. A GPO is linked to selected Active Directory containers, such as sites, domains or organizational units (OUs), and applies to the users and computers in them. With the editor you can create a GPO that defines registry-based policies, security options, software installation and maintenance options, script options and folder redirection options.
Storage of Group Policy objects
Each computer that runs Windows XP Professional, Windows XP 64-bit Edition (Itanium) or the Windows Server 2003 operating systems has exactly one local Group Policy object (GPO). It is stored in %systemroot%\System32\GroupPolicy.
Group Policy objects other than the local GPO are virtual objects: the settings of a GPO are stored in two locations, the Group Policy container and the Group Policy template, which are kept in step by a shared version number. The Group Policy container is an Active Directory object that stores the GPO's properties, including version, status and a list of the components that have settings in the GPO; it lives under CN=Policies,CN=System in the domain partition and is named by the GPO's GUID. The Group Policy template is a folder structure in the file system that stores Administrative Template-based policies, security settings, script files and information about the applications available through Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain, in a folder with the same GUID. The two halves replicate by different mechanisms (the container through Active Directory replication, the template through file replication of Sysvol), so a GPO can temporarily show different versions on different domain controllers until both have converged. For more information about the local Group Policy object, see Local Group Policy.
Group Policy container
The Group Policy container is a directory service object. It includes subcontainers (Machine and User) for computer and user Group Policy information. The Group Policy container contains the following data:
• Version information--Used to verify that the container is synchronized with the Group Policy template. The same version number is written to GPT.INI in the template folder; when the two disagree, the template has usually not finished replicating to the domain controller the client is using.
• Status information--Indicates whether the Group Policy object is enabled or disabled for this site, domain, or organizational unit.
• List of components--Specifies which client-side extensions to Group Policy have settings in the Group Policy object.
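The version check described above, as an added example that is not part of the original page. It compares the container's versionNumber attribute with the Version line in the template's GPT.INI and splits both into their user and computer halves (the value is one 32-bit number: computer version in the low 16 bits, user version in the high 16 bits). The GPT.INI text and the version values are constructed; the path helper assumes the standard \\<domain>\SYSVOL\<domain>\Policies\{GUID} layout, and the GUID used in the usage line is the well-known one of the Default Domain Policy.

```python
"""Check that a GPO's container and template versions agree.

Added example, not from the original page. The GPT.INI contents and the
versionNumber values are constructed; the path helper assumes the standard
SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}.
"""
import configparser


def split_version(version: int) -> dict:
    """versionNumber packs two counters: low 16 bits computer, high 16 bits user."""
    return {"computer": version & 0xFFFF, "user": (version >> 16) & 0xFFFF}


def parse_gpt_ini(text: str) -> int:
    """Read the Version value from the template's GPT.INI."""
    ini = configparser.ConfigParser()
    ini.read_string(text)
    return int(ini["General"]["Version"])


def gpt_ini_path(domain_dns: str, gpo_guid: str) -> str:
    """UNC path of the template's GPT.INI for a GPO, by its GUID."""
    return rf"\\{domain_dns}\SYSVOL\{domain_dns}\Policies\{gpo_guid}\GPT.INI"


def check_sync(gpc_version_number: int, gpt_ini_text: str) -> dict:
    """Compare the container's versionNumber attribute with the template's GPT.INI."""
    gpt_version = parse_gpt_ini(gpt_ini_text)
    return {
        "gpc": split_version(gpc_version_number),
        "gpt": split_version(gpt_version),
        "in_sync": gpc_version_number == gpt_version,
    }


# Constructed GPT.INI as found in the template folder: user version 1, computer version 3.
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\ndisplayName=New Group Policy Object\r\n"

if __name__ == "__main__":
    # {31B2F340-016D-11D2-945F-00C04FB984F9} is the GUID of the Default Domain Policy.
    print(gpt_ini_path("corp.example", "{31B2F340-016D-11D2-945F-00C04FB984F9}"))
    print(check_sync(65539, SAMPLE_GPT_INI))   # in sync
    print(check_sync(65538, SAMPLE_GPT_INI))   # container lags the template
```

In practice you would read versionNumber from the container over LDAP and GPT.INI over SMB from the same domain controller; a persistent mismatch across domain controllers points at a Sysvol replication problem rather than at the GPO itself.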
Group Policy sections
Each GPO is built from two sections:
• Computer Configuration contains the settings that are applied to the computer at startup, before any user logs on, and refreshed periodically afterwards.
• User Configuration contains the settings that are applied to the user at logon. A GPO itself cannot target a single user: the User Configuration applies to every user who logs on to a computer in scope, including Administrator. Which users receive a domain GPO at all is controlled outside its settings, by where the GPO is linked and by its security filtering (the Apply Group Policy permission on the GPO).
Within these two sections you find further sub-folders:
• Software Settings holds Group Policy Software Installation (assigned or published Windows Installer packages), and Windows Settings holds scripts, security settings and, for users, folder redirection. These are not registry-based policies; each is applied by its own client-side extension (for example the Software Installation or Security Settings extension).
• Administrative Templates are settings that configure the local registry of the machine; they are written under the policy keys (HKLM\Software\Policies and HKCU\Software\Policies, and the Policies keys under Software\Microsoft\Windows\CurrentVersion), which ordinary users cannot change. You can add more options to Administrative Templates by right-clicking it and choosing Add/Remove Templates to load .ADM files. Many programs installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to the Administrative Templates.
Tools used to configure GPO
You can configure GPOs with this set of tools from Microsoft (third-party tools exist but are discussed in a different article):
1. Group Policy Object Editor snap-in in MMC - or - gpedit.msc from the Run command, which opens the local GPO; domain GPOs are opened through the tools below.
2. Active Directory Users and Computers snap-in - or dsa.msc - to invoke the Group Policy tab on every OU or on the domain.
3. Active Directory Sites and Services - or dssite.msc - to invoke the Group Policy tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in Windows Server 2003 and needs to be installed separately; once installed, it replaces the Group Policy tab in the two snap-ins above and is the only one of these tools that shows link order, Enforced and Block Inheritance in one view.