the forest. Changes made to objects in domain directory partitions are replicated to each domain controller in the domain. Some object attributes are also replicated to global catalog servers (described later in “The Importance of the Global Catalog Server”) in all domains. Changes to the domain directory partition can occur on any domain controller in the domain except read-only domain controllers.
Schema directory partition — Contains information needed to define Active Directory objects and object attributes for all domains in the forest. The schema directory partition is replicated to all domain controllers in the forest. One domain controller in the forest is designated as the schema master domain controller (discussed in the next section) and holds the only writeable copy of the schema.
Global catalog partition — The global catalog partition holds the global catalog, which is a partial replica of all objects in the forest. It stores the most commonly accessed object attributes to facilitate object searches and user logons across domains. The global catalog is built automatically by domain replication of object attributes flagged for inclusion. Administrators can't make changes to this partition.
Application directory partition — Used by applications and services to hold information that benefits from automatic Active Directory replication and security. DNS is the most common service to use an application directory partition for the DNS database. The information in an application directory partition can be configured to replicate to specific domain controllers rather than all domain controllers, thereby controlling replication traffic. There can be more than one application directory partition.
Configuration partition — By default, the configuration partition holds configuration information that can affect the entire forest, such as details on how domain controllers should replicate with one another. Applications can also store configuration information in this partition. This partition is replicated to all domain controllers in the forest, and changes can be made to information stored in this partition on all domain controllers.
Operations Master Roles

A number of operations in a forest require having a single domain controller, called the operations master, with sole responsibility for the function. In most cases, the first domain controller in the forest takes on the role of operations master for these functions. However, you can transfer the responsibility to other domain controllers when necessary. There are five operations master roles, referred to as Flexible Single Master Operation (FSMO) roles (discussed more in Chapter 10), in an Active Directory forest:
Schema master — As mentioned, the schema partition can be changed on only one domain controller, the schema master. This domain controller is responsible for replicating the schema directory partition to all other domain controllers in the forest when changes occur.
Infrastructure master — This domain controller is responsible for ensuring that changes made to object names in one domain are updated in references to these objects in other domains. For example, if a user account in Domain A is a member of a group in Domain B and the user account name is changed, the infrastructure master in Domain A is responsible for replicating the change to Domain B. By default, the first domain controller in each domain is the infrastructure master for that domain.
Domain naming master — This domain controller manages adding, removing, and renaming domains in the forest. There's only one domain naming master per forest, and the domain controller with this role must be available when domains are added, deleted, or renamed.
RID master — All objects in a domain are identified internally by a security identifier (SID). An object's SID is composed of a domain identifier, which is the same for all objects in the domain, and a relative identifier (RID), which is unique for each object. Because objects can be created on any domain controller, there must be a mechanism that keeps two domain controllers from issuing the same RID, thereby duplicating an SID. The RID master is responsible for issuing unique pools of RIDs to each domain controller, thereby guaranteeing unique SIDs throughout the domain. There's one RID master per domain.
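As an added illustration of the SID/RID relationship and the RID master's pool allocation described above (this is not code from the textbook; the domain identifier, pool size and starting RID are constructed values), the following Python model splits an account SID into its domain identifier and RID, and shows how one RID master handing out non-overlapping pools keeps SIDs unique even when objects are created on several domain controllers:

```python
"""Model of SID = domain identifier + RID, and of RID-master pool allocation.
Added illustration only; the domain SID and pool size below are constructed."""
from dataclasses import dataclass, field

# Constructed sample domain identifier: the S-1-5-21-... prefix shared by every object in the domain.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"


def split_sid(sid: str) -> tuple[str, int]:
    """Split a domain account SID into (domain identifier, RID)."""
    prefix, _, rid = sid.rpartition("-")
    if not prefix.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid}")
    return prefix, int(rid)


@dataclass
class RidMaster:
    """The single per-domain authority that hands out non-overlapping RID pools."""
    next_rid: int = 1000      # RIDs below 1000 are well-known (e.g. 500 = Administrator)
    pool_size: int = 500      # constructed pool size for this model

    def allocate_pool(self) -> range:
        pool = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size   # the next DC asking gets a disjoint range
        return pool


@dataclass
class DomainController:
    name: str
    master: RidMaster
    pool: list = field(default_factory=list)

    def create_object(self) -> str:
        """Mint a SID for a new object; refill from the RID master when the local pool is exhausted."""
        if not self.pool:
            self.pool = list(self.master.allocate_pool())
        return f"{DOMAIN_SID}-{self.pool.pop(0)}"


def simulate(num_dcs: int, objects_per_dc: int) -> list:
    """Create objects on several DCs sharing one RID master and return every SID minted."""
    master = RidMaster()
    dcs = [DomainController(f"DC{i}", master) for i in range(num_dcs)]
    return [dc.create_object() for dc in dcs for _ in range(objects_per_dc)]
```

Because every DC draws from pools issued by the same master, the SIDs returned by `simulate` never collide; if each DC instead started its own counter at 1000, the first object on every DC would receive the same SID.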