Active Directory Functions
Flexible Single Master Operations (FSMO)
Windows 2000 domains use a multi-master design: any domain controller can accept changes to the directory, and those changes replicate to the others. This spreads the load across domain controllers, but a few operations would conflict if two controllers performed them at the same time, so each of them is restricted to a single "master" controller.
These operations are the Flexible Single Master Operations (FSMO). The set of roles is fixed; what an administrator decides is which domain controller holds each role. By default all roles are held by the first domain controller installed in the forest (when a further domain is created, its first domain controller takes that domain's roles), and each role can be transferred to another domain controller later. The FSMO role types are:
- Schema Master - The one domain controller in the forest that accepts changes to the Active Directory schema. Applications that extend the schema connect to the schema master remotely.
- Domain Naming Master - The one domain controller in the forest that adds domains to or removes them from the forest.
- PDC Emulator - One per domain. When the domain runs in mixed mode, the domain controller holding this role acts as a Windows NT 4.0 PDC towards down-level backup domain controllers and clients. The first server promoted to a Windows 2000 domain controller in a domain takes the role by default. The PDC emulator uses the NTLM protocol when exchanging authentication information with non-Windows 2000 clients and servers, and Kerberos when talking to Windows 2000 systems. Functions performed by the PDC emulator:
- User account changes and password changes. Password changes made on any domain controller are forwarded to the PDC emulator first, and a logon that fails on another controller because of a recently changed password is retried against it.
- SAM directory replication requests from Windows NT backup domain controllers.
- Domain master browser requests.
- Authentication requests from down-level clients.
- Relative ID Master (RID Master) - One per domain. Every security principal (user, group or computer) has a Security Identifier (SID) made up of the domain's SID followed by a relative ID (RID) that is unique within the domain. Because any domain controller can create principals, the RID master hands each domain controller a pool of RIDs to assign from, so that no two controllers ever issue the same SID.
- Infrastructure Master - One per domain. Updates the references the domain keeps to objects in other domains (for example, group members from another domain) when those objects are moved or renamed. Do not place this role on a domain controller that is also a global catalog server unless every domain controller in the domain is a global catalog server: a global catalog already holds current copies of the foreign objects, so an infrastructure master running on one never detects stale references and stops updating them. In a single-domain forest there are no cross-domain references, so the placement does not matter.
An Operations Master is a domain controller that holds one or more of the FSMO roles listed above. The schema master and domain naming master roles exist once per forest; the PDC emulator, RID master and infrastructure master roles exist once per domain.
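The role inventory and the Infrastructure Master placement rule above can be checked from a domain-joined administrative PowerShell session. The following is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module is installed, and the SID passed to Split-Sid is a constructed sample, not a real account.

```powershell
# Added example (not from the original page). Requires the RSAT ActiveDirectory module and
# a domain-joined, authenticated session with rights to read domain and forest objects.
Import-Module ActiveDirectory

# List all five FSMO role holders: two forest-wide roles, then three roles for every domain.
function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $roles = @(
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    )
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $roles += [pscustomobject]@{ Scope = 'Domain'; Domain = $domainName; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
    return $roles
}

# Returns $true when the Infrastructure Master placement is safe: the forest has one domain,
# the holder is not a global catalog, or every DC in the domain is a global catalog (so there
# are no stale cross-domain references left for it to repair).
function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory)][string]$DomainName)
    $forest = Get-ADForest
    if ($forest.Domains.Count -le 1) { return $true }
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($holder.IsGlobalCatalog -and -not $allGc) {
        $msg = 'Infrastructure Master {0} in {1} is a global catalog while other DCs are not; cross-domain group references will not be updated.' -f $holder.HostName, $DomainName
        Write-Warning $msg
        # Fix by moving the role to a non-GC domain controller, e.g.:
        # Move-ADDirectoryServerOperationMasterRole -Identity <dc-name> -OperationMasterRole InfrastructureMaster
        return $false
    }
    return $true
}

# Decompose a SID into the domain SID and the RID, as the RID Master bullet describes.
# Works offline. AccountDomainSid is $null for well-known SIDs such as S-1-5-32-544.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid   = [System.Security.Principal.SecurityIdentifier]$SidString
    $parts = $sid.Value.Split('-')
    $rid   = [int]$parts[-1]
    $domainSid = $null
    if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $domainSid          # shared by every principal in the domain
        Rid       = $rid                # unique within the domain; allocated from the DC's RID pool
        WellKnown = ($rid -lt 1000)     # RIDs below 1000 are reserved (500 = Administrator, 512 = Domain Admins)
    }
}

Get-FsmoRoleHolders | Format-Table -AutoSize
Test-InfrastructureMasterPlacement -DomainName (Get-ADDomain).DNSRoot
# Constructed sample SID (not a real account): domain SID S-1-5-21-3623811015-3361044348-30300820, RID 1013
Split-Sid -SidString 'S-1-5-21-3623811015-3361044348-30300820-1013'
```

Test-InfrastructureMasterPlacement treats "every DC is a GC" as safe, which is the usual modern configuration; on a mixed estate it is the check to run before and after any role transfer.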
Windows 2000 Client Authentication
When the domain is in mixed mode, the PDC emulator lets non-Windows 2000 clients authenticate with the NTLM protocol rather than Kerberos. If a Windows 2000 client cannot find a Windows 2000 domain controller to log on to, it falls back to contacting a Windows NT PDC or BDC using NTLM. A Windows 2000 client that logs on through a Windows NT server in this way does not have Group Policy objects applied to it.
Global Catalog Server
The Global Catalog Server (GCS) is a domain controller that also holds the global catalog: a full replica of every object in its own domain plus a partial, read-only replica of every object in every other domain of the forest, carrying only the attributes most often used in searches (the partial attribute set). The catalog holds universal groups together with their members, and it holds domain local and global groups but not the members of those groups. It supplies universal group membership information at logon and lets users and applications find resources anywhere in the forest; forest-wide searches are directed to it rather than to an ordinary domain controller.
Normally the first domain controller in the forest is a global catalog server. The "Active Directory Sites and Services" tool in "Administrative Tools" is used to move the global catalog or to make another domain controller one: the Global Catalog check box is on the NTDS Settings object of each server.
In native mode a global catalog server must be reachable when a user logs on, because the user's universal group membership has to be evaluated; if none can be found the logon is refused unless the user is a member of the "Domain Admins" group. In mixed mode this dependency does not exist, because universal security groups are not available there.
A Universal group may contain users and groups from any domain in a forest.
Adding more global catalog servers will make searching the forest faster, but more network bandwidth will be required for replication between global catalog servers.
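The two properties of the catalog described above, that it answers for the whole forest and that it holds only a subset of each foreign object's attributes, can be seen directly by searching through the GC port. The following is an added example, not code from the original page; it uses only the .NET DirectoryServices classes that ship with Windows, the account name jdoe is a placeholder, and employeeID is assumed to be an attribute outside the default partial attribute set.

```powershell
# Added example (not from the original page). Run from a domain-joined session; no extra modules needed.

# Every global catalog server in the forest. If this returns a single host, logon for every
# native-mode domain depends on that one server (see above).
function Get-GlobalCatalogServers {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
}

# Escape a value before placing it in an LDAP filter (RFC 4515), so that a user-supplied
# name such as "*)(objectClass=*" cannot change the meaning of the query.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\5c')          # backslash first, so later escapes are not double-escaped
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $escaped.Replace("`0", '\00')
}

# Search the whole forest through the global catalog (GC:// = LDAP port 3268) and report which
# of the requested attributes came back empty: either unset on the object, or not in the partial
# attribute set and therefore only available from a domain controller of the object's own domain.
function Find-UserInGlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # employeeID is assumed here to sit outside the default PAS; memberOf from a GC lists only
        # groups whose membership the catalog holds (universal groups, plus groups of the GC's own domain)
        [string[]]$Attributes = @('sAMAccountName', 'userPrincipalName', 'memberOf', 'employeeID')
    )
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $forestRoot = [string]$rootDse.rootDomainNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$forestRoot"
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue -Value $SamAccountName)
    $searcher.PropertiesToLoad.AddRange($Attributes)
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $present = @(); $empty = @()
    foreach ($attr in $Attributes) {
        if ($result.Properties.Contains($attr) -and $result.Properties[$attr].Count -gt 0) { $present += $attr } else { $empty += $attr }
    }
    [pscustomobject]@{
        Path    = $result.Path   # a GC:// path: the object was read from the catalog, not from its home domain
        Present = $present
        Empty   = $empty         # follow up against LDAP://<home domain> for anything listed here
    }
}

Get-GlobalCatalogServers
Find-UserInGlobalCatalog -SamAccountName 'jdoe'
```

Anything reported under Empty has to be fetched from a domain controller of the object's own domain over LDAP://, which is the practical consequence of the "partial replica" described above.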
AD File Storage
- Database file - Stored by default in %SystemRoot%\NTDS\ntds.dit, it holds every AD object and attribute, password hashes included, so access to the file, and to any backup or copy of it, must be restricted to the system and its administrators. It contains these tables:
- Object table - Has a row for each object in AD.
- Link table - Stores inter object relationship information.
- Schema table - Defines the classes of object that can be created and the attributes each class may have.
- Log files - The following files are kept beside the database in the NTDS folder under the system root.
- Checkpoint file - Records how far the transaction logs have already been committed to the AD database, so that recovery after a crash replays only what is still outstanding. The file name is edb.chk.
- Transaction log files - Store transactions that are committed or are about to be committed to the AD database. The current log is edb.log; when it fills (10 MB in Windows 2000) it is renamed edbhhhhh.log, where "hhhhh" is a hexadecimal sequence number, and a fresh edb.log is started.
- Patch files - Track changes made to the database while a backup is in progress. These files have the extension ".pat".
- Reserve log files - Reserve disk space so that in-flight transactions can still be logged if the disk fills. The file names are res1.log and res2.log.
Active Directory performs garbage collection. A deleted AD object is not removed immediately; most of its attributes are stripped and it is tagged as a tombstone, which is what replicates the deletion to the other domain controllers. The tombstoneLifetime attribute (60 days by default) defines how long the tombstoned object stays in the database before garbage collection removes it. The same interval is the longest a domain controller may be offline, or a backup may be kept, and still be safely brought back into replication: a controller that missed the deletion entirely would otherwise reintroduce the object.
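The file layout and the tombstone lifetime above can both be read from a running domain controller rather than assumed. The following is an added example, not code from the original page; it assumes an administrative PowerShell session on a domain controller and uses the standard NTDS service registry values, which record where the database and logs actually live (the paths can be changed at promotion time or with ntdsutil).

```powershell
# Added example (not from the original page). Run as an administrator on a domain controller.

# Locate the database, checkpoint, transaction, reserve and patch files described above from the
# NTDS service parameters instead of assuming %SystemRoot%\NTDS.
function Get-NtdsFileLayout {
    $ntds    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = $ntds.'DSA Database file'
    $logDir  = $ntds.'Database log files path'
    $files = @(Get-Item -Path $ditPath)
    # edb.chk (checkpoint), edb.log / edbhhhhh.log (transaction logs), res1.log / res2.log (reserve), *.pat (patch).
    # Later Windows versions rename the reserve files (edbres*.jrs); the pattern below is the Windows 2000 set.
    $files += Get-ChildItem -Path $logDir -File | Where-Object { $_.Name -match '^(edb.*\.log|edb\.chk|res\d+\.log|.*\.pat)$' }
    foreach ($f in $files) {
        $role = switch -Regex ($f.Name) {
            '^ntds\.dit$'   { 'database'; break }
            '^edb\.chk$'    { 'checkpoint'; break }
            '^edb.*\.log$'  { 'transaction log'; break }
            '^res\d+\.log$' { 'reserve log'; break }
            '\.pat$'        { 'patch file'; break }
            default         { 'other' }
        }
        [pscustomobject]@{
            Name     = $f.Name
            Role     = $role
            SizeMB   = [math]::Round($f.Length / 1MB, 1)
            Modified = $f.LastWriteTime
            # The DIT holds password hashes: only SYSTEM and Administrators should own or be able to read these files.
            Owner    = (Get-Acl -Path $f.FullName).Owner
        }
    }
}

# Read the forest's tombstoneLifetime from the Directory Service object in the configuration
# partition. When the attribute is not set, Active Directory uses 60 days (the Windows 2000 default).
function Get-TombstoneLifetimeDays {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = $dsObject.tombstoneLifetime
    if ($null -eq $value -or [string]::IsNullOrEmpty([string]$value)) { return 60 }
    return [int]$value
}

Get-NtdsFileLayout | Format-Table -AutoSize
'Tombstone lifetime: {0} days. A DC offline longer than this, or a backup older than this, must not be brought back into the domain.' -f (Get-TombstoneLifetimeDays)
```

The Owner column is the quick sanity check on the point made above about the database file: anything other than SYSTEM or the local Administrators group owning ntds.dit or its logs deserves an immediate look.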