Monday, 13 January 2014

[Active Directory] How many Infrastructure Masters do you think you have in your forest ? Part 1


Well, maybe you think it's not an expert question; everybody knows about FSMO role holders.


FSMO in brief:

Active Directory Domain Services defines five operations master roles: the schema master, domain naming master, RID master, PDC emulator, and infrastructure master.

The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest and three domain-level roles are assigned to the first domain controller created in a domain.

The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.
The other operations master roles are domainwide roles, meaning that each domain in a forest has its own RID master, PDC emulator, and infrastructure master.

For more information about FSMO: Operations Masters Technical Reference


So, if I ask how many Infrastructure Masters you think you have in your forest,
your answer will naturally be: one for each domain!

Obviously, if I ask this question, it's because that may not be the correct answer.
Your answer should be: it depends!

Before going further, we have to talk about Active Directory partitions.


Active Directory partitions in brief:

The Active Directory database is logically separated into directory partitions:
  • Configuration partition
  • Schema partition
  • Domain partition

Configuration Partition: Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest.


Schema Partition: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest.

Domain Partition: Contains a <domain> container, which stores users, computers, groups, and other objects for a specific Windows 2000 domain. Updates to the <domain> container are replicated only to domain controllers within the domain, and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog.



Windows Server 2003 introduces a new type of partition: application directory partitions.

An application directory partition is a directory partition that is replicated only to specific domain controllers. Application directory partitions are usually created by the applications that will use them to store and replicate data. The data can be replicated to a specific domain controller or any set of domain controllers anywhere in the forest. Application directory partitions can contain any type of object, except security principals.  

If your DNS is integrated in Active Directory, you have two application partitions for DNS zones : ForestDNSZones and DomainDNSZones.

For more information about directory partitions: Directory Partitions and Application directory partitions


Maybe you are asking yourself why we are talking about directory partitions?
Because there is one Infrastructure Master for each application directory partition.

So you've got the answer !
How many Infrastructure Masters do you think you have in your forest ?
One for each domain + one for each Application directory partition.


For example, if I have a forest with 3 domains with IAD DNS, I have 7 Infrastructure Masters:
  • 3 for the domains (one per domain)
  • 1 for the ForestDNSZones partition
  • 3 for the DomainDNSZones partitions (one per domain)



How can you check that ?

I've built the following lab:
  • One Forest with Three Domains with IAD DNS :
    • ROOT.ADDS
    • CHILD1.ROOT.ADDS
    • CHILD2.ROOT.ADDS

First we'll see how you can view Application partitions.
That's really easy with PowerShell:

Import-Module ActiveDirectory
Get-ADForest


You can also use dsquery :

dsquery * "CN=CONFIGURATION,DC=ROOT,DC=ADDS" -filter "(systemflags=5)" -attr ncname



So we've got the nCName of our four application partitions, but that's not enough to find their Infrastructure Master.
For that we need the following attribute: msDS-NC-Replica-Locations (CN: ms-DS-NC-Replica-Locations)

To retrieve this attribute we can use the following cmdlet:


Get-ADObject -Filter {systemFlags -eq 5} -SearchBase ((Get-ADForest).PartitionsContainer) -Properties msDS-NC-Replica-Locations,nCName | Format-List



So now we also know, for every application partition, which domain controllers hold a replica of it.
You have probably noticed that it's an array of the distinguished names of the nTDSDSA object (the "NTDS Settings" object) of each domain controller that holds a replica of the application partition.

With this information we can't retrieve the Infrastructure Master of each application partition directly, but from the distinguished name of the nTDSDSA object we can retrieve the DNS name of the domain controller, and then query the partition itself on that domain controller.

Here is the script:
Import-Module ActiveDirectory
# systemFlags = 5 selects the application partitions in the Partitions container
Get-ADObject -Filter {systemFlags -eq 5} -SearchBase ((Get-ADForest).PartitionsContainer) -Properties msDS-NC-Replica-Locations,nCName | ForEach-Object {
    # First replica location: DN of the NTDS Settings object of a DC hosting the partition
    $nTDSDSADN = $_.'msDS-NC-Replica-Locations'[0]
    # Its parent is the server object, which carries the DC's dNSHostName
    $Server = $nTDSDSADN.Replace("CN=NTDS Settings,","")
    $DC = Get-ADObject -Identity $Server -Properties dNSHostName
    # The role owner is stored in the partition's own infrastructureUpdate object,
    # so the query must be sent to a DC that actually hosts the partition (-Server)
    Get-ADObject -SearchBase $_.nCName -Filter {objectClass -eq "infrastructureUpdate"} -Properties objectClass,fSMORoleOwner -Server $DC.dNSHostName | Select-Object DistinguishedName, ObjectClass, FSMORoleOwner
} | Format-List



As you can see, we have now retrieved the information and we know which domain controller is the Infrastructure Master for each application partition.
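As an added example (not part of the original post), the same lookup wrapped in a function that also checks, for each application partition, whether the DC named by fSMORoleOwner still appears in the partition's replica set; it assumes only the ActiveDirectory module and a forest laid out like the lab above, with no hard-coded names.

```powershell
# Added example, not the post's own script: list each application partition with
# its Infrastructure Master and verify the role owner still hosts a replica of it.
Import-Module ActiveDirectory

function Get-AppPartitionInfrastructureMaster {
    $partitionsContainer = (Get-ADForest).PartitionsContainer

    # systemFlags = 5 selects application partitions in the Partitions container
    Get-ADObject -Filter { systemFlags -eq 5 } -SearchBase $partitionsContainer `
        -Properties nCName, 'msDS-NC-Replica-Locations' | ForEach-Object {

        $ncName   = $_.nCName
        $replicas = @($_.'msDS-NC-Replica-Locations')

        # Each replica location is the DN of a DC's NTDS Settings object;
        # its parent is the server object, which carries dNSHostName.
        $replicaHosts = @(foreach ($ntdsDn in $replicas) {
            $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
            (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
        })

        # The role owner lives in the partition's infrastructureUpdate object,
        # so the query goes to one of the DCs that hosts that partition.
        $infra = Get-ADObject -Server $replicaHosts[0] -SearchBase $ncName `
            -Filter { objectClass -eq 'infrastructureUpdate' } -Properties fSMORoleOwner

        $ownerDn = $infra.fSMORoleOwner
        # A role owner pointing at a deleted NTDS Settings object keeps a DN
        # containing "\0ADEL:"; such an owner can no longer be resolved to a host.
        $ownerIsDeleted = [bool]($ownerDn -match '\\0ADEL:')
        $ownerHost = $null
        if ($ownerDn -and -not $ownerIsDeleted) {
            $ownerServerDn = $ownerDn -replace '^CN=NTDS Settings,', ''
            $ownerHost = (Get-ADObject -Identity $ownerServerDn -Properties dNSHostName).dNSHostName
        }

        [PSCustomObject]@{
            Partition            = $ncName
            InfrastructureMaster = $ownerHost
            OwnerIsDeleted       = $ownerIsDeleted
            OwnerHostsReplica    = ($null -ne $ownerHost) -and ($replicaHosts -contains $ownerHost)
            ReplicaHosts         = ($replicaHosts -join ';')
        }
    }
}

Get-AppPartitionInfrastructureMaster | Format-Table -AutoSize
```

Any row with OwnerHostsReplica set to False (or OwnerIsDeleted set to True) is a partition whose Infrastructure Master is not held by a live replica and deserves a closer look.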

I hope you've learned something in this post.
We'll see in the next part why it could be important to check that attribute.
