In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.
Microsoft Exam 70-640 – Configure operations masters / Domain 2, Subobjective 6
For each exam domain, I will compose two blog posts. One blog post represents a nutshell summary of the content underlying a particular subobjective from the 70-640 certification exam outline. The second blog post offers a representative practice exam question that covers the same topic from that content domain.
The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring operations masters.
Today’s subobjective centers upon the operations master roles. Active Directory replication is multi-master, but a handful of operations (schema changes, adding domains, handing out RID pools, and so on) would produce conflicts if two domain controllers performed them at once. Operations master roles are the special roles assigned to specific domain controllers so that each of those operations has exactly one authoritative owner, which keeps the Active Directory Domain Services (AD DS) database consistent.
NOTE: Operations master roles are still widely known by their older name, flexible single master operations (FSMO, pronounced FIZZ-moh) roles, and the command-line tools still use that term.
Operations master roles are either forest-wide or domain-wide; the following list summarizes the scope and primary purpose of each of the five roles:
- Schema Master (1/forest): The only domain controller that accepts writes to the AD DS schema
- Domain Naming Master (1/forest): Manages the addition and removal of domains and application directory partitions
- Relative Identifier (RID) Master (1/domain): Allocates pools of RIDs to each domain controller in the domain so that newly created security principals receive unique SIDs
- Primary Domain Controller (PDC) Emulator (1/domain): Receives preferential replication of password changes and arbitrates account lockouts and bad-password checks; default target for Group Policy editing and DFS namespace updates; authoritative time source for the domain; acts as the PDC for down-level clients
- Infrastructure Master (1/domain): Updates references to objects that live in other domains of the forest (for example, members of a domain local group who belong to another domain)
Before you even think about registering to take the 70-640 exam, please ensure that you are very comfortable with all of the technologies and procedures that are referenced in this subobjective:
- Seize and Transfer
- Back Up Operations Master
- Operations Master Placement
- Schema Master
- Extending the Schema
- Time Service
Seize and Transfer
The first domain controller in each domain automatically inherits all domain-level operations master roles. The first domain controller installed in the forest receives the forest-wide operations master roles as well.
However, administrators can transfer roles from one domain controller to another while both are online. This process can be accomplished by using one of the built-in Active Directory administrative consoles, the Ntdsutil command-line tool (transfer is an option under its roles menu, alongside seize), or, on Windows Server 2008 R2 and later, the Move-ADDirectoryServerOperationMasterRole cmdlet from the Active Directory PowerShell module. Repadmin and Netdom can report which domain controller holds each role (netdom query fsmo), but they do not move roles.
We’ve summarized the tool to use to transfer each operations master role:
- Transfer the schema master: Active Directory Schema console (the snap-in is hidden by default; register it first by running regsvr32 schmmgmt.dll)
- Transfer the domain naming master: Active Directory Domains and Trusts console
- Transfer the RID master, PDC emulator, or infrastructure master: Active Directory Users and Computers console
If a domain controller that hosts an operations master role goes unexpectedly offline and cannot be recovered, you may need to seize that role, which forcibly assigns it to another domain controller without the cooperation of the current holder. We use the Ntdsutil command-line tool in order to seize an operations master role (Move-ADDirectoryServerOperationMasterRole with the -Force parameter does the same thing from PowerShell). Seizure is a last resort: always try a transfer first, and treat the former holder as permanently retired if the seized role was the RID master, schema master, or domain naming master.
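The transfer-versus-seize procedure described above, as an added PowerShell example (not code from the original post), using the Active Directory module that ships with Windows Server 2008 R2 / RSAT. The domain controller name DC02 is a placeholder; the account running it needs Schema Admins for the schema master, Enterprise Admins for the domain naming master, and Domain Admins for the three domain-wide roles.

```powershell
# Added example: list the current role holders, then transfer or seize roles.
# DC02 is a placeholder name for the domain controller that should receive the roles.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Returns all five role holders; forest-wide roles come from Get-ADForest,
    # domain-wide roles from Get-ADDomain (defaults to the current domain).
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

Get-FsmoRoleHolder | Format-List

# Graceful transfer: both the current holder and DC02 are online and replicating,
# so the current holder hands the role over and the move is recorded cleanly.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure: the current holder is gone for good. -Force skips contacting it and
# writes the new owner directly. Do this only after a transfer has failed, and
# never bring the old holder back online afterwards if it held the RID, schema
# or domain naming master; demote or rebuild it instead.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Confirm the result from the receiving DC's point of view.
Get-FsmoRoleHolder | Format-List

# Legacy equivalents for the exam: netdom query fsmo lists holders; ntdsutil
# transfers or seizes, for example:
#   ntdsutil "roles" "connections" "connect to server DC02" "quit" "seize pdc" "quit" "quit"
# (ntdsutil's seize commands still attempt a graceful transfer first and only
#  seize when the current holder does not respond.)
```

Run the enumeration function before and after the move; the forest-wide values come from the forest object and the domain-wide values from the domain object, which is why the two are queried separately.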
Back Up Operations Master
Stated very simply, when we back up a domain controller (a system state backup, which includes the AD DS database), we also back up any operations master roles that the server owns, because role ownership is just an attribute stored in the directory. The caveat concerns seizure rather than backup itself: once the RID master, schema master, or domain naming master role has been seized from a domain controller, that domain controller must never be restored from backup or otherwise returned to the network with its old copy of the directory. It would still believe it owns the role, and a second RID master in particular can hand out overlapping RID pools and therefore duplicate SIDs, corrupting the Active Directory Domain Services database. Demote or rebuild the old holder instead.
Operations Master Placement
First of all, recall that two operations master roles are forest-wide, and the other three roles are domain-specific. Remember also that, of all the roles, the PDC Emulator consumes the most CPU cycles, because every password change, account lockout, and failed logon retry in the domain is routed to it. Thus, consider the network connectivity and hardware profile of the domain controller to which you want to assign the PDC Emulator role.
Of course, it (almost) goes without saying that you want to spread operations master roles across separate domain controllers. Generally speaking, only the smallest of domains can practically have a single domain controller host multiple operations master roles.
Speaking of the PDC Emulator role, Microsoft recommends that you place the PDC Emulator in a well-connected location so as to minimize latency when password changes are propagated among the domain controllers within a domain, and so that other domain controllers can reach it quickly to double-check a password that failed locally.
Microsoft’s biggest suggestion with regard to the infrastructure master is to avoid placing this role on a domain controller that is also a global catalog server. The infrastructure master works by comparing its local copies of cross-domain references (phantoms) with the global catalog; a global catalog server holds a partial replica of every object in the forest and therefore never creates phantoms, so an infrastructure master hosted on a GC finds nothing to update and quite simply ceases to function. There are two exceptions in which the placement is harmless: every domain controller in the domain is a global catalog server (there are then no phantoms anywhere), or the forest contains a single domain (there are no cross-domain references).
NOTE: Because read-only domain controllers (RODCs) possess a read-only copy of the Active Directory database, RODCs cannot be operations master role holders.
Finally, Microsoft strongly recommends that the same domain controller host both of the forest-wide operations master roles (schema master and domain naming master). In addition, this domain controller should also be configured as a Global Catalog server; on Windows 2000 domain controllers this was a hard requirement for the domain naming master, and it remains the recommended configuration.
In all but the largest domains, Microsoft recommends assigning the RID Master and PDC Emulator roles to the same domain controller.
- Planning Operations Master Placement
- FSMO placement and optimization on Active Directory domain controllers
- Placing Operations Master Roles
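The placement rules above can be checked rather than remembered. The following is an added PowerShell audit script (not code from the original post) that reads the role holders and the global catalog / RODC status of each domain controller and reports deviations from the recommendations; it assumes the Active Directory module and makes no changes.

```powershell
# Added example: audit operations master placement against Microsoft's guidance.
# Read-only; requires only the ability to query the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest   = Get-ADForest
    $dom      = Get-ADDomain -Identity $Domain
    $dcs      = Get-ADDomainController -Filter * -Server $Domain
    $allGc    = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $findings = @()

    # 1. Infrastructure master on a GC is a problem only in a multi-domain forest
    #    where at least one DC in the domain is NOT a GC (phantoms exist, nobody updates them).
    $im = Get-ADDomainController -Identity $dom.InfrastructureMaster
    if ($im.IsGlobalCatalog -and -not $allGc -and $forest.Domains.Count -gt 1) {
        $findings += "Infrastructure master $($im.HostName) is a GC while other DCs in $Domain are not; cross-domain references will go stale."
    }

    # 2. Forest-wide roles belong on one DC, and that DC should be a GC.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Schema master ($($forest.SchemaMaster)) and domain naming master ($($forest.DomainNamingMaster)) are on different DCs."
    }
    $dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
    if (-not $dnm.IsGlobalCatalog) {
        $findings += "Domain naming master $($dnm.HostName) is not a global catalog server."
    }

    # 3. RID master and PDC emulator are normally co-located (all but the largest domains).
    if ($dom.RIDMaster -ne $dom.PDCEmulator) {
        $findings += "RID master ($($dom.RIDMaster)) and PDC emulator ($($dom.PDCEmulator)) are on different DCs; acceptable only for very large domains."
    }

    # 4. A role holder that is an RODC indicates stale or corrupted role ownership data.
    $holders = @($dom.RIDMaster, $dom.PDCEmulator, $dom.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) | Select-Object -Unique
    foreach ($h in $holders) {
        if ((Get-ADDomainController -Identity $h).IsReadOnly) {
            $findings += "$h is an RODC but is recorded as an operations master; investigate."
        }
    }

    # 5. The PDC emulator should be reachable: a quick RPC/LDAP liveness check.
    if (-not (Test-Connection -ComputerName $dom.PDCEmulator -Count 1 -Quiet)) {
        $findings += "PDC emulator $($dom.PDCEmulator) did not answer a ping; password changes and lockouts in $Domain will be delayed."
    }

    if ($findings.Count -eq 0) { "Placement in $Domain matches the recommendations." } else { $findings }
}

Test-FsmoPlacement
```

Run it once per domain in the forest (pass -Domain for each); the forest-wide checks repeat harmlessly. Finding 5 is a coarse liveness test only, since ICMP may be filtered; the point is that a PDC emulator that other domain controllers cannot reach is a placement problem as much as a connectivity one.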
Schema Master
The schema master is the only domain controller in the entire AD DS forest that can write changes to the AD DS schema; every other domain controller holds a read-only replica of the schema partition. The current schema master can be identified by opening the Active Directory Schema MMC snap-in (after registering it with regsvr32 schmmgmt.dll), right-clicking the Schema node, and selecting Operations Masters from the shortcut menu. This is shown in the following exhibit.
Identifying the schema master role holder
Your domain user account must be a member of the Schema Admins built-in group (which exists only in the forest root domain) in order to make changes to the schema, and the change must be directed at the schema master itself.
Extending the Schema
The Active Directory schema describes the master list of object classes and attributes that comprise the AD DS forest. When you examine the properties of a domain user account, for instance, you are viewing the attributes of the user class. This is shown in the following graphic.
Mapping a user account property to the AD DS schema
To extend the schema means to add new object classes and/or attributes to the schema, or to allow existing attributes on additional classes. Sometimes enterprise applications extend the schema as a part of their installation (Microsoft Exchange is a good example). Forest administrators can also manually add new data to the schema and optionally replicate the new attributes to the Global Catalog by adding them to the partial attribute set. Two cautions apply: every new class or attribute needs a unique object identifier (OID) from an arc you control, and schema objects can never be deleted once created, only deactivated (made defunct), so test extensions in a lab forest first.
Specifically, we can manually extend the schema by using one of the following methods or tools:
- Active Directory Schema MMC snap-in
- ADSI script (or, equivalently, an LDIF file imported with Ldifde, which is how most vendor schema extensions are packaged)
- ADSI Edit
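The scripted method, as an added PowerShell example (not code from the original post): it creates one new attribute, publishes it to the global catalog, makes it an optional attribute of the user class, and reloads the schema cache. It assumes the Active Directory module, membership in Schema Admins, and that the attribute name contosoBadgeId and the OID are placeholders; the OID must be replaced with one from an arc you own (Microsoft's oidgen script issues one under 1.2.840.113556.1.8000.2554) and never reused for a different attribute.

```powershell
# Added example: extend the schema with a single-valued Unicode string attribute.
# Placeholders: contosoBadgeId / contoso-Badge-Id and the OID below. Lab forest first:
# schema objects cannot be removed once created, only made defunct.
Import-Module ActiveDirectory

# Writes must go to the schema master; -Server pins every call to it.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$attrName = 'contosoBadgeId'                        # lDAPDisplayName (placeholder)
$attrCn   = 'contoso-Badge-Id'                      # CN of the attributeSchema object
$attrOid  = '1.2.840.113556.1.8000.2554.99999.1.1'  # PLACEHOLDER OID: use your own arc

# 1. Create the attributeSchema object.
#    attributeSyntax 2.5.5.12 + oMSyntax 64 = Unicode String.
#    searchFlags 1 = indexed. isMemberOfPartialAttributeSet = replicate to the GC.
New-ADObject -Server $schemaMaster -Path $schemaNC -Type attributeSchema -Name $attrCn `
    -OtherAttributes @{
        lDAPDisplayName               = $attrName
        attributeID                   = $attrOid
        attributeSyntax               = '2.5.5.12'
        oMSyntax                      = 64
        isSingleValued                = $true
        searchFlags                   = 1
        isMemberOfPartialAttributeSet = $true
        adminDescription              = 'Employee badge identifier (lab example, placeholder)'
    }

# 2. Reload the schema cache on the schema master so the new attribute can be
#    referenced immediately instead of after the periodic (about 5 minute) reload.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 3. Allow the attribute on the user class as an optional attribute (mayContain).
Set-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNC" -Add @{ mayContain = $attrName }
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 4. Verify the definition and that the user class now accepts the attribute.
Get-ADObject -Server $schemaMaster -Identity "CN=$attrCn,$schemaNC" `
    -Properties lDAPDisplayName, attributeID, attributeSyntax, isMemberOfPartialAttributeSet
$userClass = Get-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNC" -Properties mayContain
"User class accepts $attrName : $($userClass.mayContain -contains $attrName)"
```

The two schemaUpdateNow writes are what the Schema snap-in's Reload the Schema command does behind the scenes; without them, a Set-ADUser that tries to populate the new attribute right away fails with an "attribute not found" error until the cache refreshes on its own.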
Time Service
For the exam, you need to remember that the domain controller that holds the PDC Emulator role in the forest root domain is the default authoritative Windows Time Service (W32time) source for the forest, and that it should be configured to synchronize from an external, reliable source. The hierarchy below it is automatic: the PDC Emulator of each child domain synchronizes from a domain controller in its parent domain, every other domain controller synchronizes from the PDC Emulator of its own domain, and domain members synchronize from the domain controller that authenticated them. Time matters for security because Kerberos rejects tickets whose timestamps are skewed by more than the allowed tolerance (five minutes by default).
I discussed Active Directory time synchronization in another blog post; please check that out if you desire additional information on this subject.
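A quick way to confirm that the hierarchy described above is actually in effect, as an added PowerShell example (not code from the original post). It assumes the Active Directory module and the built-in w32tm tool; the NTP server names in the commented configuration line are placeholders.

```powershell
# Added example: check the W32time hierarchy from the forest root PDC emulator down.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootPdce = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$myDomain = (Get-ADDomain).DNSRoot
$myPdce   = (Get-ADDomain).PDCEmulator

"Forest root PDC emulator : $rootPdce"
"PDC emulator of $myDomain : $myPdce"

# The root PDCe should report an external NTP peer. "Local CMOS Clock" or
# "Free-running System Clock" here means the whole forest is keeping time from
# one server's hardware clock, which drifts and will eventually break Kerberos.
"Root PDCe time source    : " + (w32tm /query /source /computer:$rootPdce)

# Every other DC should name its domain's PDCe (or, for a child-domain PDCe, a
# DC in the parent domain) as its source.
foreach ($dc in Get-ADDomainController -Filter * -Server $myDomain) {
    $src = w32tm /query /source /computer:$($dc.HostName)
    "{0,-30} -> {1}" -f $dc.HostName, $src
}

# /monitor shows offsets of every DC in the domain relative to the local clock
# and which peer each one is using; anything approaching the Kerberos tolerance
# (5 minutes by default) needs attention.
w32tm /monitor /domain:$myDomain

# Typical one-time configuration, run ON the forest root PDCe (placeholder peers):
#   w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
#         /syncfromflags:manual /reliable:yes /update
#   w32tm /resync
# /reliable:yes advertises the PDCe as a trustworthy time source to the other DCs.
```

If the PDC Emulator role is ever transferred or seized, repeat the check: the new holder inherits the authoritative role but not the manual peer list, so it will fall back to the domain hierarchy (or its own clock) until it is configured the same way.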
I hope that you find this approach to 70-640 exam preparation to be beneficial. Please feel free to leave your questions, comments, and exam experiences (no brain dumps, please) in the comments portion of this post.
In the next post I will provide a sample practice question for the “Configure operations masters” subobjective.