Windows Server 2003 Administrator

FSMO (Flexible Single Master Operations) Roles

In a forest there are five FSMO roles. Two of them (Schema Master and Domain Naming Master) exist once per forest; the other three (Infrastructure Master, RID Master and PDC Emulator) exist once in every domain. Each role is held by exactly one domain controller at a time, although a single domain controller may hold several roles. The five FSMO roles are:

Schema Master:
The Schema Master role controls all updates and modifications to the schema. The schema defines every object class in the directory and the attributes each class can carry. The role is forest-wide, so only one domain controller in the whole forest can write schema changes.

Domain naming master:
The Domain Naming Master role controls the addition or removal of domains in the forest. It is also forest-wide: there is one holder per forest, and a new domain cannot be promoted while it is unreachable.

Infrastructure Master:
The Infrastructure Master role maintains cross-domain object references, for example a group in this domain whose members are user accounts from another domain. When a referenced object is renamed or moved in its home domain, the Infrastructure Master updates the stale reference (SID, distinguished name and GUID) by comparing its copy with a global catalog. This work is needed only in a multi-domain forest: in a single domain every domain controller already holds every object and sees the change directly. Likewise, if all domain controllers are also global catalog servers, each of them already has a copy of every object and the role has nothing to do. The practical caveat is the opposite case: if only some domain controllers are global catalog servers, the Infrastructure Master must not be placed on one of them, because a global catalog never holds stale references and the role holder would then never notice anything to fix.

Relative ID (RID) Master:
The Relative ID (RID) Master role allocates blocks of RIDs to the domain controllers of its domain. Every domain controller can create users, groups and computers, and each new object is given a security ID (SID) that must be unique within the domain. A SID is formed by combining the domain SID, which is the same for every object in the domain, with a RID, which the creating domain controller takes from its own pool. Because only the RID Master hands out pools, and each pool is a distinct range of numbers, two domain controllers can never produce the same SID even if they create objects at the same moment. A domain controller asks the RID Master for a new pool before its current one runs out, so a short outage of the RID Master is normally invisible. If the RID Master stays unavailable and a domain controller exhausts its pool, that domain controller can no longer create security principals until the role holder is back or the role is seized.
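As an added example (not from the original page), the following Python models the mechanism just described: a RID Master handing out non-overlapping pools, two domain controllers building object SIDs from the domain SID plus a RID from their own pool, and the failure when a pool is empty while the RID Master is down. The domain SID, the pool size and the starting RID are constructed for illustration and are not real values.

```python
import re

# Added example, not code from the original page. A domain SID followed by a
# RID gives an object SID; RIDs come from per-DC pools that only the RID Master
# hands out. Pool size and the starting RID are assumptions for illustration.

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


class RidMaster:
    """The role holder: hands out contiguous, non-overlapping RID ranges."""

    def __init__(self, first_rid=1000, pool_size=500):
        self.next_rid = first_rid
        self.pool_size = pool_size
        self.online = True          # flip to False to simulate an outage

    def allocate_pool(self):
        if not self.online:
            return None
        lo, hi = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = hi + 1
        return lo, hi


class DomainController:
    """Creates objects from its own pool; asks the RID Master for more when empty."""

    def __init__(self, name, domain_sid, rid_master):
        if not DOMAIN_SID_RE.match(domain_sid):
            raise ValueError("not a domain SID: " + domain_sid)
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.pool = None            # (lo, hi) currently assigned by the RID Master
        self.next_rid = None

    def create_object(self, sam_account_name):
        if self.pool is None or self.next_rid > self.pool[1]:
            pool = self.rid_master.allocate_pool()
            if pool is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted and RID Master "
                                   f"unavailable, cannot create {sam_account_name}")
            self.pool, self.next_rid = pool, pool[0]
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return f"{self.domain_sid}-{rid}"          # object SID = domain SID + RID


def split_sid(object_sid):
    """Split an object SID into (domain SID, RID)."""
    domain, _, rid = object_sid.rpartition("-")
    return domain, int(rid)


def demo():
    domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
    master = RidMaster(first_rid=1000, pool_size=3)            # tiny pool on purpose
    dc1 = DomainController("DC1", domain_sid, master)
    dc2 = DomainController("DC2", domain_sid, master)
    sids = [dc1.create_object("alice"),   # DC1 receives pool 1000-1002
            dc2.create_object("bob"),     # DC2 receives pool 1003-1005
            dc1.create_object("carol")]
    master.online = False                 # RID Master goes away
    sids.append(dc1.create_object("dave"))  # last RID in DC1's pool: still works
    try:
        dc1.create_object("erin")           # pool empty, master down: fails
        erin_failed = False
    except RuntimeError:
        erin_failed = True
    rids = [split_sid(s)[1] for s in sids]
    return sids, rids, erin_failed


if __name__ == "__main__":
    print(demo())
```

Note how DC2 keeps working after the outage because it still has RIDs 1004 and 1005; only the domain controller whose pool is empty is affected, which is why a RID Master outage is often noticed on one DC first.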

PDC Emulator:
The PDC Emulator role exists in every domain, not only in domains that still contain pre-Active Directory computers. For those it acts as the Windows NT PDC: Windows NT 4.0 BDCs replicate from it and legacy clients without an Active Directory client send password changes to it. It also has jobs in a pure Active Directory domain. A password change made on any domain controller is replicated to the PDC Emulator immediately, ahead of normal replication, and when a domain controller rejects a logon because of a bad password it retries the request at the PDC Emulator before failing it, so a freshly changed password works everywhere at once. Account lockouts are processed on the PDC Emulator for the same reason, it is the authoritative time source for the domain, and the Group Policy editor connects to it by default when a GPO is edited.

GPO behavior
Group Policy is processed in the following order:
Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
Settings are applied in that order, so when two GPOs configure the same setting the one applied later (closer to the user or computer) wins. Two switches change this: a link marked Enforced (No Override) is applied after everything else and cannot be overridden from below, and an OU with Block Policy Inheritance ignores non-enforced GPOs linked above it. Where several GPOs are linked to the same container, the link order decides: link order 1 is applied last and therefore wins.
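The processing order above, worked through as an added example (not code from the original page) in Python. It goes one step beyond the single order line: besides Local > Site > Domain > OU, it models link order within a container, the Enforced flag on a link and Block Policy Inheritance on a container, and reports which GPO wins a given setting. The container and GPO names and the settings are constructed for the demo.

```python
# Added example, not code from the original page. Resolves one setting across
# the Local > Site > Domain > OU > Child OU chain, including link order,
# Enforced links and Block Policy Inheritance. All names and values constructed.

LEVELS = ("local", "site", "domain", "ou", "child_ou")


def gpo(name, enforced=False, **settings):
    return {"name": name, "enforced": enforced, "settings": settings}


def apply_order(chain):
    """Return the GPOs in the order Group Policy applies them; the last one
    that configures a setting wins.

    chain: containers in processing order, each
      {"level": str, "block_inheritance": bool, "gpos": [gpo, ...]}
    "gpos" is in link order: index 0 is link order 1, which is applied last
    within its container and therefore beats the other links there.
    """
    for c in chain:
        if c["level"] not in LEVELS:
            raise ValueError("unknown level " + c["level"])
    # The lowest container that blocks inheritance hides every non-enforced
    # GPO linked above it. Local policy is not inherited and is never blocked.
    blockers = [i for i, c in enumerate(chain) if c.get("block_inheritance")]
    block_at = max(blockers) if blockers else None

    applied = []
    for i, c in enumerate(chain):
        for g in reversed(c["gpos"]):
            if g["enforced"]:
                continue                                   # second pass below
            if block_at is not None and i < block_at and c["level"] != "local":
                continue                                   # blocked
            applied.append(g)
    # Enforced links are applied after all others. A higher container's
    # enforced link is applied after a lower container's, so the higher wins.
    for c in reversed(chain):
        for g in reversed(c["gpos"]):
            if g["enforced"]:
                applied.append(g)
    return applied


def resolve(setting, chain):
    """(winning GPO name, value) for one setting, or (None, None)."""
    winner = (None, None)
    for g in apply_order(chain):
        if setting in g["settings"]:
            winner = (g["name"], g["settings"][setting])
    return winner


def demo_chain(block_inheritance=True, domain_enforced=True):
    """A server in OU=Servers: local policy, no site GPO, two domain GPOs,
    two GPOs linked to the OU. Everything here is constructed."""
    return [
        {"level": "local", "gpos": [
            gpo("Local Policy", ScreenSaverTimeout=600, Wallpaper="local.bmp")]},
        {"level": "site", "gpos": []},
        {"level": "domain", "gpos": [
            gpo("Domain Security", enforced=domain_enforced,
                MinPasswordLength=12, ScreenSaverTimeout=900),
            gpo("Domain Default", Wallpaper="corp.bmp")]},
        {"level": "ou", "block_inheritance": block_inheritance, "gpos": [
            gpo("Servers Link1", ScreenSaverTimeout=300),
            gpo("Servers Link2", ScreenSaverTimeout=1200, MinPasswordLength=8)]},
    ]


if __name__ == "__main__":
    chain = demo_chain()
    print([g["name"] for g in apply_order(chain)])
    for s in ("ScreenSaverTimeout", "MinPasswordLength", "Wallpaper"):
        print(s, resolve(s, chain))
```

With the defaults, the enforced domain GPO wins the screen saver and password settings even though the OU blocks inheritance and has its own values, while the non-enforced domain wallpaper is blocked and the local value survives. Remove the Enforced flag and the OU's link order 1 wins instead; this is the same reasoning you apply when reading a Resultant Set of Policy report.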

A Group Policy Object (GPO) is a collection of settings that define how a system looks and behaves for a defined group of users or computers. Microsoft provides the Group Policy Object Editor snap-in for the Microsoft Management Console (MMC); the selections you make in it are saved as a GPO. A GPO is linked to Active Directory containers such as sites, domains or organizational units (OUs). Through the snap-in you can define registry-based policies, security options, software installation and maintenance options, script options and folder redirection options.

Storage of Group Policy objects
Each computer running Windows XP Professional, Windows XP 64-bit Edition (Itanium) or Windows Server 2003 has exactly one local Group Policy object (GPO). It is stored in %systemroot%\System32\GroupPolicy.
Group Policy objects other than the local one are virtual objects: the settings of a GPO are stored in two places, the Group Policy container (GPC) and the Group Policy template (GPT). The GPC is an Active Directory object that stores the GPO's properties, including its version, its status and the list of components that have settings in it. The GPT is a folder structure in the file system that stores Administrative Template-based policies, security settings, script files and information about the applications available for Group Policy Software Installation. The GPT lives in the system volume share (Sysvol) in the \Policies subfolder for its domain, in a folder named after the GPO's GUID, i.e. \\<domain>\SYSVOL\<domain>\Policies\{GUID}. The two halves are tied together by that GUID and by a version number both of them carry; the GPC replicates with Active Directory while the GPT replicates with Sysvol (FRS), so right after an edit the two can briefly disagree.

Group Policy container
The Group Policy container is a directory service object (class groupPolicyContainer, stored under CN=Policies,CN=System in the domain partition). It includes subcontainers for computer and user Group Policy information. The Group Policy container holds the following data:
Version information--The versionNumber attribute, used to verify that the container is synchronized with the Group Policy template (gpt.ini in the template carries the same number).
Status information--The flags attribute; indicates whether the user part, the computer part or the whole Group Policy object is disabled.
List of components--The gPCMachineExtensionNames and gPCUserExtensionNames attributes; specify which client-side extensions have settings in the Group Policy object.
Location of the template--The gPCFileSysPath attribute; the UNC path of the Group Policy template in Sysvol.
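As an added example (not code from the original page), the following Python shows where a GPO's two halves live and what the version and status values in the container mean: it derives the GPC distinguished name and the GPT path from a GPO's GUID, splits the packed versionNumber into its user and computer counters, decodes the flags value, reads the Version line from a gpt.ini and checks that the directory and Sysvol copies agree, which is the check an administrator runs when a GPO behaves differently on different DCs. The domain name, the GUID and the gpt.ini text are constructed.

```python
import configparser
import uuid

# Added example, not code from the original page. Derives GPC DN and GPT path
# from a GPO GUID, decodes versionNumber and flags, and compares the GPC
# version with the one in the template's gpt.ini. All inputs are constructed.


def gpo_locations(domain_dns, gpo_guid):
    """(GPC distinguished name, GPT UNC path) for a GPO in the given domain."""
    guid = "{" + str(uuid.UUID(gpo_guid)).upper() + "}"
    dn_suffix = ",".join("DC=" + label for label in domain_dns.split("."))
    gpc_dn = f"CN={guid},CN=Policies,CN=System,{dn_suffix}"
    gpt_path = f"\\\\{domain_dns}\\SYSVOL\\{domain_dns}\\Policies\\{guid}"
    return gpc_dn, gpt_path


def decode_version(version_number):
    """versionNumber packs two 16-bit counters: user in the high half,
    computer in the low half. Each half increments when that side is edited."""
    return {"user": (version_number >> 16) & 0xFFFF,
            "computer": version_number & 0xFFFF}


def decode_flags(flags):
    """GPC 'flags' is the status information: bit 0 = user configuration
    disabled, bit 1 = computer configuration disabled."""
    return {"user_disabled": bool(flags & 1),
            "computer_disabled": bool(flags & 2)}


def gpt_version(gpt_ini_text):
    """Read Version= from the [General] section of a gpt.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(gpt_ini_text)
    return int(cp["General"]["Version"])


def check_consistency(gpc_version, gpt_ini_text):
    """True when AD and Sysvol agree. A mismatch means one side has not
    replicated yet (or Sysvol replication is broken): clients will apply
    whichever copy their own DC happens to hold."""
    return decode_version(gpc_version) == decode_version(gpt_version(gpt_ini_text))


# Constructed gpt.ini as it would appear at <GPT path>\gpt.ini
SAMPLE_GPT_INI = """[General]
Version=327683
displayName=Server Baseline
"""

if __name__ == "__main__":
    dn, path = gpo_locations("corp.example", "12345678-90ab-cdef-1234-567890abcdef")
    print(dn)
    print(path)
    print(decode_version(327683), decode_flags(2))
    print(check_consistency(327683, SAMPLE_GPT_INI), check_consistency(327682, SAMPLE_GPT_INI))
```

Version 327683 is 0x00050003: the user side has been edited five times and the computer side three. When the numbers in the GPC and in gpt.ini differ on the same DC, look at Sysvol replication before touching the GPO again.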

Group Policy sections
Each GPO is built from two sections:
• Computer configuration contains the settings applied to the computer at startup, before any user logs on.
• User configuration contains the settings applied to a user at logon. In the local GPO these settings cannot be targeted at a single account: every user who logs on, including Administrator, receives them. (A domain GPO can be narrowed with security filtering on the GPO itself, but the local GPO has no such option.)
Within these two sections you find further sub-folders:
• Software settings holds Group Policy Software Installation (assigning or publishing MSI packages). Windows settings holds scripts (startup/shutdown for computers, logon/logoff for users), security settings and, on the user side, folder redirection.
• Administrative templates are settings that are written to the local registry of the machine, under the policy keys HKLM\Software\Policies and HKCU\Software\Policies and the Policies subkeys under ...\Microsoft\Windows\CurrentVersion. You can add more options to Administrative Templates by right-clicking it and choosing Add/Remove Templates to load .ADM files. Many programs installed on the computer place their .ADM files in %systemroot%\inf so you can add them to the Administrative Templates.
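The registry settings that Administrative Templates define are stored in the Group Policy template as Machine\Registry.pol and User\Registry.pol and written to the registry by the client. As an added example (not code from the original page), the following Python writes and reads that file in the layout documented in MS-GPREG: a "PReg" signature and version 1, followed by [key;value;type;size;data] records with UTF-16LE strings and little-endian DWORD type and size fields. Decoding a Registry.pol is the quickest way to see exactly which keys a GPO pushes, for example when reviewing a policy someone else deployed. The sample entries are constructed; key names are relative to HKLM for the Machine side and HKCU for the User side.

```python
import struct

# Added example, not code from the original page. Encoder and decoder for the
# Registry.pol layout (MS-GPREG): "PReg", DWORD version 1, then records of
# [key;value;type;size;data] with UTF-16LE strings. Sample entries constructed.

SIGNATURE = b"PReg"
FILE_VERSION = 1
REG_SZ, REG_DWORD = 1, 4


def _w(text):
    return text.encode("utf-16-le")


def encode_registry_pol(entries):
    """entries: iterable of (key, value_name, reg_type, raw_data_bytes)."""
    out = SIGNATURE + struct.pack("<I", FILE_VERSION)
    for key, name, rtype, data in entries:
        out += (_w("[") + _w(key + "\0") + _w(";") + _w(name + "\0") + _w(";")
                + struct.pack("<I", rtype) + _w(";")
                + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))
    return out


def decode_registry_pol(blob):
    """Parse a Registry.pol blob into (key, value_name, reg_type, data) tuples."""
    if blob[:4] != SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != FILE_VERSION:
        raise ValueError("not a Registry.pol file")

    def read_wstr(pos):                       # null-terminated UTF-16LE string
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            if end >= len(blob):
                raise ValueError("unterminated string at offset %d" % pos)
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    def expect(pos, ch):                      # delimiters are UTF-16 characters too
        if blob[pos:pos + 2] != _w(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_wstr(pos)
        pos = expect(pos, ";")
        name, pos = read_wstr(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        entries.append((key, name, rtype, data))
    return entries


def value_to_python(rtype, data):
    """Turn the raw data of the two common types into Python values."""
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    return data


# Constructed sample of what a Machine\Registry.pol might contain
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate",
     REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows NT\\Terminal Services", "fDenyTSConnections",
     REG_DWORD, struct.pack("<I", 0)),
    ("Software\\Policies\\Example", "Banner", REG_SZ, _w("Authorized use only\0")),
]


def decoded_sample():
    """Round-trip the sample through the encoder and decoder."""
    blob = encode_registry_pol(SAMPLE_ENTRIES)
    return [(k, n, value_to_python(t, d)) for k, n, t, d in decode_registry_pol(blob)]


if __name__ == "__main__":
    for row in decoded_sample():
        print(row)
```

To inspect a real policy, read \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Registry.pol in binary mode and pass the bytes to decode_registry_pol; the second sample entry above (fDenyTSConnections = 0) is the kind of setting worth noticing, since it turns Remote Desktop on for every computer the GPO reaches.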

Tools used to configure GPO
You can configure GPOs with this set of tools from Microsoft (third-party tools exist but will be discussed in a different article):
1. Group Policy Object Editor snap-in in MMC - or - run gpedit.msc from the Run command to edit the local GPO.
2. Active Directory Users and Computers snap-in - or dsa.msc - to open the Group Policy tab on any OU or on the domain.
3. Active Directory Sites and Services - or dssite.msc - to open the Group Policy tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in Windows Server 2003 and must be downloaded from Microsoft and installed separately; once installed, it replaces the Group Policy tab in the two snap-ins above with a button that opens GPMC.
