Active Directory

Site streamlines replication of directory information and reduces replication traffic.

Site membership is determined differently for domain controllers and clients. A client determines it is in when it is turned on, so its site location will often be dynamically updated. A domain controller's site location is established by which site its Server object belongs to in the directory, so its site location will be consistent unless the domain controller's Server object is intentionally moved to a different site.

When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer.

By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest.

Domain Naming Master DC controls the addition or removal of domains in the forest.

The schema master DC controls all updates and modifications to the schema.

Every Active Directory forest must have the following roles:

★ Schema master

★ Domain naming master

There can be only one schema master and one domain naming master for the entire forest.

Every domain in the forest must have the following roles:

★ Relative ID master

★ Primary DC (PDC) emulator

★ Infrastructure master

Each domain in the forest can have only one RID master, PDC Emulator, and Infrastructure Master.

The RID master allocates pool of relative IDs to each DC in its domain. Whenever a DC creates a user, group, or computer object, it assigns a unique security ID to that object. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain), and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID master of the domain that currently contains the object.

For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs.

In native-mode, the PDC emulator receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the log on attempt.

Active Directory supports multi-master replication of the directory data between all DCs in the domain. Some changes are impractical to perform in multi-master fashion, so only one DC, called the operations master, accepts requests for such changes. Because the operations master roles can be moved to other DCs within the domain or forest, these roles are sometimes referred to as Flexible Single Master Operations. In any Active Directory there are five operations master roles. Some roles must appear in every forest. Other roles must appear in every domain in the forest.

★ Schema master

★ Domain naming master

★ RID master

★ PDC emulator

★ Infrastructure daemon

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

★ Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as down-level clients and applications target the PDC, making it a large consumer of RIDs.

★ As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.

Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem If an operations master is not available due to computer failure or network problems, you can seize the operations master role.

In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.

1) Log on to the computer as an administrator.

2) Click Start, point to Settings, and then click Printers.

3) In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.

4) Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.

5) Click to select the List in the Directory check box, and then click OK.

6) Close the Printers folder.