About

Saturday 10 December 2011

Windows Domain Controller and their Roles

I really favour Linux/Unix working environmental but sadly commercialism has engulfed our societies as the likes of Windows platforms while the former one doesn't matter how much is rated high still lives in the shadows. And now I have to grasp the Windows lingo all along to fit in an organization. So lets learn something about Windows Domain Controller and their roles.

Before going into any details first its important to understand the differences between the following terms.

  • Active Directory: is a directory service that serves as a central location for network administration and security which is responsible for authenticating and authorizing all users and computers within a network of windows domain.
  • Forest: is the top-level container of Active Directory (AD) infrastructure. Can contain one or more domains. These domains are interconnected trough a transitive trust. A forest shares a single schema database.
  • Domain: is one level below AD forest. Can consist of one or more Organizational Units (OU). A domain shares a single administrator group and same set of objects.
  • Domain Controller: A domain can consists one or more domain controllers (DC). A DC holds a directory DB of its perspective domain. The directory DB consists of user, objects, computer objects or more.
  • Organizational Unit: is a container within a domain and is used to organize set of users and computers. It is helpful in implementing set of policies to a group, user or computer within a domain.
  • Windows DC: A server running the version of Windows Server OS and has AD installed on it and is responsible for allowing host access to Windows Domain resources.

Now coming to the roles; there are specialized DC roles that perform specific roles in Active Directory Domain Services (AD DS) environment. The specialized roles are:

  • Global Catalog Servers: A DC designated as a global catalog server stores the objects from all domains in a forest. This is usually the first DC in a forest. Later on other DC can be specified as global catalog servers.
  • Operations Master: This is a DC that is designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the AD DB.

AD DS defines five operation master roles called:

  1. Schema Master: Responsible for propagating changes to all DCs within a forest. Changes regarding schemas required throughout forest should be made on DC serving as schema master. There can be only one schema master in a forest at any time.
  2. Domain Naming Master: It is required to keep track of all the domains within an AD forest. The DC with domain naming master is accessed whenever domains are address/removed from a tree or forest. There can be only one domain naming master per forest. It ensures that no two domains have the same name existing in the same tree.
  3. Relative Identifier (RID): Allocates blocks of RIDs to each DC in a domain. When a DC creates a new security principal (user, group etc.) it assigns the object a unique security identifier SID. The SID contains a domain SID which us same for all the security principals created in the domain and a RID which uniquely identifies each security principal created in the domain.
  4. Primary Domain Controller (PDC) Emulator: PDC receives prefential replication of password changes that are performed by other DCs in the domain and is the source for latest password information. It's also the default time source.
  5. Infrastructure Master: is responsible for updating object references in the domain that point to object in another domain. It updates object references locally and uses replication to being all other replicas of domain up to date. Object reference contains GUID global unique identifier, distinguished name and possible a SID. The distinguished name and SID on object reference are periodically updated to reflect changes made to actual object.

- Schema Master and Domain Naming Master performs operations that must occur on only one DC in the forest.

- PDC, RID, Infrastructure Master perform operations that must occur on only one DC in a domain.