Active Directory FSMO Placement Guidance

FSMO Placement Guidance Summary:

  • Make sure the PDC is highly available and connected.
  • Place the PDC on your best hardware in a reliable hub site that contains replica domain controllers in the same Active Directory site and domain.
  • Place the Forest FSMOs on the forest root PDC (schema master & domain naming master).
  • Place the RID master on the domain PDC in the same domain.
  • If you have a single domain environment, all DCs are GCs, OR you have enabled the recycle bin (see MSDN note below), place the infrastructure master on the PDC (which likely contains the other FSMO roles as well).
  • Don’t move FSMOs around regularly. The PDC is targeted for a number of operations and network connections. It is best to not force clients to rediscover the PDC on a regular basis.

This means that, in a single domain environment, it makes sense to place all the FSMOs on a single DC. Pick one that is highly available and well-connected. You may decide that selecting a virtual DC is the way to go, since it can usually be moved to different hosts for DR/COOP reasons. Note that if you do go virtual for this DC, consider disabling VM host time synchronization, though there may be valid reasons for not doing so.

In a multiple domain environment, place the Forest FSMOs on the forest root PDC (schema master & domain naming master) and select one DC per domain on which to place all of the FSMOs – the PDC is a good choice assuming they are all GCs or the AD Recycle Bin is enabled.

MSDN NOTE:

When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.

From MSDN: “6.1.5.5 Infrastructure FSMO Role


FSMO Role Information:

Windows Server 2012 MCSM Reading List

Here’s a link to download the MCM/MCSM Directory Services Reading List document that I developed for the MCSM Directory Services (Windows Server 2012) program; it was created after the MCSM Directory Services (Windows Server 2012) test questions were written.

It is based on the original one created for the MCM DS program provided to candidates.

MCSM_Directory_Reading_List_June_2013.docx

The AD Reading Library on this site also has Active Directory references worth reading and is updated occasionally.

Enabling and Managing the Active Directory Recycle Bin

So, you have upgraded all your DCs in the forest to Windows Server 2008 R2 and raised the domain and forest functional levels to Windows Server 2008 R2. Congratulations!
Now what?

Yes, you have to enable the AD Recycle Bin manually by running the following PowerShell commands:

Import-Module ActiveDirectory

# The feature object lives in the Configuration partition; replace DC=DOMAIN,DC=com and DOMAIN.com with your forest root domain.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=com' -Scope ForestOrConfigurationSet -Target 'DOMAIN.com'

Note that this effectively removes the importance of the Infrastructure Master FSMO since all DCs will perform that role. From MSDN:
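The following script is an added example (not from this post) that audits a forest against the FSMO placement guidance above and the Recycle Bin note in this section: it checks whether the Recycle Bin is enabled, whether every DC in each domain is a GC, and whether each role sits where the guidance expects it. It assumes the ActiveDirectory module and read access to the forest; no changes are made.

```powershell
# Added example: report FSMO placement that departs from the guidance. Read-only.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$findings   = @()

# Recycle Bin counts as enabled when the feature has at least one enabled scope
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
$recycleBinEnabled = ($rb.EnabledScopes | Measure-Object).Count -gt 0

# Forest-wide roles (schema master, domain naming master) belong on the forest root PDC
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($forest.$role -ne $rootDomain.PDCEmulator) {
        $findings += "$role is on $($forest.$role); guidance expects the root PDC $($rootDomain.PDCEmulator)"
    }
}

$singleDomain = ($forest.Domains | Measure-Object).Count -eq 1

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName
    $allGc  = ($dcs | Where-Object { -not $_.IsGlobalCatalog } | Measure-Object).Count -eq 0

    # RID master on the same DC as the domain PDC
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        $findings += "[$domainName] RIDMaster is on $($domain.RIDMaster); PDC is $($domain.PDCEmulator)"
    }

    # Infrastructure master: idle (and safe on the PDC) in a single domain, all-GC domain, or with Recycle Bin on
    if ($singleDomain -or $allGc -or $recycleBinEnabled) {
        if ($domain.InfrastructureMaster -ne $domain.PDCEmulator) {
            $findings += "[$domainName] InfrastructureMaster is on $($domain.InfrastructureMaster); it could sit on the PDC (role is effectively idle)"
        }
    } else {
        $im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        if ($im.IsGlobalCatalog) {
            $findings += "[$domainName] InfrastructureMaster $($im.HostName) is a GC while other DCs are not; cross-domain reference updates will not happen"
        }
    }

    # PDC should have at least one replica DC in its own site
    $pdc   = $dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }
    $peers = $dcs | Where-Object { $_.Site -eq $pdc.Site -and $_.HostName -ne $pdc.HostName }
    if (-not $peers) { $findings += "[$domainName] PDC $($pdc.HostName) has no replica DC in site $($pdc.Site)" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "FSMO placement matches the guidance (Recycle Bin enabled: $recycleBinEnabled)." }
```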

Facebook increases privacy on all new posts by default

Looks like Facebook might be coming to its senses…

http://www.theverge.com/2014/5/22/5739744/facebook-changes-default-privacy-of-posts-from-public-to-friends


AD Reading: How Key Active Directory Components Work

The following links provide in-depth information on how key Active Directory components work.


AD Reading: Windows Server 2012 Active Directory Features

The following are extremely useful resources for Windows Server 2012 Active Directory Features.


Windows 2012 Features

Group Managed Service Accounts (gMSA)

RID Protection

DC Cloning & SafeGuarding

Dynamic Access Control (DAC)

Kerberos FAST

Kerberos Constrained Delegation Enhancements

o   Part 1

o   Part 2


Kerberos Proxy

AD Reading: Active Directory Group Policy

The following are extremely useful resources for understanding the Active Directory Group Policy.

Group Policy

o   Core Group Policy Architecture

o   Core Group Policy Physical Structure

o   Core Group Policy Processes and Interactions

o   Network Ports Used by Group Policy

o   Related Information

o   Change and Configuration Management

o   Core Group Policy Infrastructure

o   Core Group Policy Scenarios

o   Core Group Policy Dependencies

o   Related Information

o   Group Policy Tools

o   Group Policy Settings

o   Group Policy WMI Classes

o   Related Information

o   Overview of Group Policy

o   Planning Your Group Policy Design

o   Designing Your Group Policy Model

o   Deploying Group Policy

o   Maintaining Group Policy

o   Additional Resources for Group Policy Infrastructure

o   What Is Group Policy Management Console?

o   How Group Policy Management Console Works

o   Group Policy Management Console Tools and Settings

o   What Is Group Policy Object Editor?

o   How Group Policy Object Editor Works

o   Group Policy Object Editor Tools and Settings

  • Group Policy Loopback processing

o   Part 1: Circle Back to Loopback

o   Part 2: Back to the Loopback: Troubleshooting Group Policy loopback processing

AD Reading: Active Directory Read Only Domain Controller

The following are extremely useful resources for the Active Directory Read Only Domain Controller (RODC).

Read Only Domain Controller

o   Understanding Planning and Deployment for Read-Only Domain Controllers

o   RODC Branch Office Guide

o   Appendix A: RODC Technical Reference Topics

o   Appendix B: RODC-Related Events

o   Appendix C: Acronyms Used in This Guide

o   Installing Remote Server Administration Tools

o   Administering the Password Replication Policy

o   Who Should Use This Guide?

o   What Is an RODC?

o   RODC Placement Considerations for Windows Server 2003 Domains

o   Prerequisites for Deploying an RODC

o   Known Issues for Deploying an RODC

o   Steps for Deploying an RODC

o   Steps for Administering an RODC

o   RODC Frequently Asked Questions

o   Appendix A: Client Operations

o   Appendix B: How the Authentication Process Works with RODCs

o   Appendix C: Application Compatibility with RODCs

o   Appendix D: Steps to Add an Attribute to the RODC Filtered Attribute Set

AD Reading: Windows Server 2008 Active Directory Features

The following are extremely useful resources for Windows Server 2008 Active Directory Features.

Server 2008 AD Features

AD Reading: Active Directory Replication

The following are extremely useful resources for understanding the Active Directory Replication.

Replication

o   Active Directory KCC Architecture and Processes

o   Replication Topology Physical Structure

o   Performance Limits for Replication Topology Generation

o   Goals of Replication Topology

o   Topology-Related Objects in Active Directory

o   Replication Transports

o   Replication Between Sites

o   KCC and Topology Generation

o   Network Ports Used by Replication Topology

o   Related Information

o   What Is the Active Directory Replication Model?

o   How the Active Directory Replication Model Works

o   Active Directory Replication Tools and Settings

o   What Is Active Directory Replication Topology?

o   How Active Directory Replication Topology Works

o   Active Directory Replication Tools and Settings