Thursday, April 24, 2014

Flexible Single Master Operation Roles (FSMO)

Active Directory has five special roles which are vital for the smooth running of AD as a multi-master system. Some functions of AD require an authoritative master to which all Domain Controllers can refer. These roles are installed automatically and there is normally very little reason to move them; however, if you decommission a DC and DCPROMO fails to run correctly, or a DC suffers a catastrophic failure, you will need to know about these roles in order to recover or transfer them to another DC.

The forest wide roles must appear once per forest, the domain wide roles must appear once per domain.

The Roles

There are five FSMO roles, two per forest and three in every Domain. A brief summary of each role is below.

Forest Wide Roles:

  • Schema Master

The schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.
  • Domain Naming

When a new Domain is added to a forest the name must be unique within the forest. The Domain naming master must be available when adding or removing a Domain in a forest.

Domain Wide Roles:

  • Relative ID (RID) Master

Allocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the Domain.
When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.
  • PDC Emulator

The PDC emulator acts as a Windows NT PDC for backwards compatibility and can process updates for NT BDCs.
It is also responsible for time synchronising within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password the logon request is passed to the PDC emulator to check the password before rejecting the login request.
  • Infrastructure Master

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalogue is used to compare data as it receives regular updates for all objects in all domains.
Changes to user-group references are updated by the infrastructure master. For example, if you rename or move a group member and the member is in a different domain from the group, the group will temporarily appear not to contain that member.

Important Note :

Unless there is only one DC in a domain, the Infrastructure Master role should not be on the DC that is hosting the global catalogue. If they are on the same server the infrastructure master will not function: it will never find data that is out of date and so will never replicate changes to other DCs in the domain.
If all DCs in a domain also host a global catalogue then it does not matter which DC has the infrastructure master role as all DCs will be up to date due to the global catalogue.

Viewing and Transferring Roles

The roles can be viewed and transferred in the GUI or from the command line.

Gui View

Schema Master

To view the schema you must first register the schema management DLL with Windows. To do this enter the following in the RUN dialog of the start menu.
regsvr32 schmmgmt.dll
Once you have done this the schema master mmc snap-in will be available.

Active Directory Domains and Trusts

The Domain naming master can be viewed and transferred from here.

Active Directory User and Computers

The RID, PDC emulator and Infrastructure master roles can be viewed and transferred from here.

NTDSUTIL

NTDSUTIL provides FSMO maintenance and the option to seize a role (covered in the FSMO Role Failure section below).
To transfer a role using ntdsutil use the example below as a template for all the roles.
  • Open a command prompt
  • Enter in ntdsutil
  • At the ntdsutil command prompt enter in roles
  • At the fsmo maintenance prompt enter in connection
  • At the server connections prompt enter in connect to domaincontrollername
  • At the server connections prompt enter in quit
  • At the fsmo maintenance prompt enter in transfer schema master
  • Quit from the console
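The same view-and-transfer steps from the ActiveDirectory PowerShell module, with a check for the infrastructure master placement rule given in the Important Note above. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that you run it as an Enterprise Admin, and that "DC02" is a placeholder name for the DC you want to receive the role.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and Enterprise Admin rights; "DC02" is a placeholder DC name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # Flags the broken case from the post: infrastructure master on a global
    # catalogue while at least one other DC in the domain is not a GC.
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($holder.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        Write-Warning ("Infrastructure master {0} is a GC but {1} DC(s) are not; cross-domain references will not be updated." -f $holder.HostName, $nonGc.Count)
        return $false
    }
    return $true
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement

# Transfer (not seize) the schema master to DC02. -WhatIf only reports what
# would happen; remove it to perform the transfer. Several roles can be
# moved in one call, e.g. -OperationMasterRole PDCEmulator,RIDMaster.
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole SchemaMaster -WhatIf
```

Get-FsmoRoleHolders gives the same answer as `netdom query fsmo`, but as an object you can compare against a documented baseline; an unexpected change of role holder is worth an alert, because whoever holds the schema master and domain naming master can change the forest itself.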

FSMO Role Failure

Some of the operations master roles are essential for AD functionality, others can be unavailable for a while before their absence will be noticed. Normally it is not the failure of the role, but rather the failure of the DC on which the role is running.
If a DC fails which is a role holder you can seize the role on another DC, but you should always try and transfer the role first.
Before seizing a role you need to assess the duration of the outage of the DC which is holding the role. If it is likely to be a short outage due to a temporary power or network issue then you would probably want to wait rather than seize the role.

Schema Master Failure

In most cases the loss of the schema master will not affect network users and will only affect administrators if modifications to the schema are required. You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.

Domain Naming Master Failure

Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if they try and add or remove a domain in the forest. You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose domain naming master role has been seized should never be brought back online.

RID Master Failure

Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs). You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose RID master role has been seized should never be brought back online.

PDC Emulator Master Failure

Network users will notice the loss of the PDC emulator. If the DC with this role fails you may need to seize this role immediately. Only pre-Windows 2000 clients and NT4 BDCs will be affected.
If you seize the role and return the original DC to the network you can transfer the role back.

Infrastructure Master Failure

Temporary loss of this role holder will not be noticeable to network users. Administrators will not notice the role loss unless they are moving or renaming, or have recently moved or renamed, large numbers of accounts.
If you are required to seize the role do not seize it to a DC which is a global catalogue server unless all DCs are global catalogue servers.
If you seize the role and return the original DC to the network you can transfer the role back.
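The failure handling described in this section, written as a single guarded function: it always attempts a transfer first, seizes only when the current holder's directory service does not answer and the caller has explicitly opted in, refuses a global catalogue as the infrastructure master target when not all DCs are GCs, and warns that a DC whose schema, domain naming or RID master role was seized must not return. This is an added example, not the post's own procedure; it assumes the ActiveDirectory module and Enterprise Admin rights, and "DC02" is a placeholder for the surviving DC.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and Enterprise Admin rights; "DC02" is a placeholder DC name.
Import-Module ActiveDirectory

function Invoke-FsmoRecovery {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role,
        [switch]$AllowSeize   # seizing is irreversible for the old holder, so it is opt-in
    )

    # Current holder: forest-wide roles live on the forest object, the rest on the domain.
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }

    # Placement rule from the post: no GC as infrastructure master unless every DC is a GC.
    if ($Role -eq 'InfrastructureMaster') {
        $dcs    = Get-ADDomainController -Filter *
        $target = $dcs | Where-Object { $_.Name -eq $TargetDc -or $_.HostName -eq $TargetDc }
        $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($target.IsGlobalCatalog -and $nonGc.Count -gt 0) {
            throw "$TargetDc is a global catalogue but $($nonGc.Count) DC(s) are not; choose a non-GC target."
        }
    }

    # Is the holder's directory service answering? If so, a clean transfer is possible and preferred.
    try {
        Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop | Out-Null
        $holderUp = $true
    } catch {
        $holderUp = $false
    }

    if ($holderUp) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
        return [pscustomobject]@{ Role = $Role; Action = 'Transferred'; From = $holder; To = $TargetDc }
    }

    if (-not $AllowSeize) {
        Write-Warning "$holder is not responding. If the outage is only temporary, wait; re-run with -AllowSeize once it is confirmed permanent."
        return [pscustomobject]@{ Role = $Role; Action = 'Deferred'; From = $holder; To = $TargetDc }
    }

    # -Force seizes the role on the target without the old holder's cooperation.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
    if ($Role -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
        Write-Warning "$holder must never be brought back online; remove its metadata with ntdsutil (metadata cleanup) instead."
    }
    return [pscustomobject]@{ Role = $Role; Action = 'Seized'; From = $holder; To = $TargetDc }
}

# Usage: first call transfers if the holder answers, otherwise reports 'Deferred';
# the second call actually seizes.
Invoke-FsmoRecovery -TargetDc 'DC02' -Role PDCEmulator
Invoke-FsmoRecovery -TargetDc 'DC02' -Role PDCEmulator -AllowSeize
```

The directory-service check is deliberately used instead of a ping: a DC can answer ICMP while NTDS is down, and it is the directory service, not the host, that must be unreachable before a seize is justified.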

Difference between Cache and Buffer

Key difference: A cache transparently stores data so that future requests for that data can be served faster. A buffer, on the other hand, temporarily stores data while it is in the process of moving from one place to another.

Both cache and buffer are types of temporary storage that are utilized in computer science. However, they differ in the methods and the capabilities in which they are used. A cache transparently stores data so that future requests for that data can be served faster. A buffer, on the other hand, temporarily stores data while it is in the process of moving from one place to another, e.g. from an input device to an output device.

There are two main types of caches, memory caching and disk caching. Memory caching is when the cache is part of the main memory, whereas disk caching is when the cache is part of some other separate storage area, such as a hard disk. Caching is the process of storing data in a cache so that the data can be accessed faster in the future. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored elsewhere. When some data is requested, the cache is first checked to see whether it contains that data. The data can be retrieved more quickly from the cache than from its source origin.

An easy example to understand caching is to look at web caching. A web cache is a mechanism for the temporary storage (caching) of web documents, such as HTML pages and images. This is mainly done to reduce bandwidth usage, server load, and perceived lag. When a web page is loaded, the data on the pages is cached; hence the next time the page is loaded it is quicker, as data is already present, and only the changes made to the page need to be loaded, which are in turn cached for next time. Google's cache link in its search results provides a way of retrieving information from websites that have recently gone down and a way of retrieving data more quickly than by clicking the direct link.

The buffer, on the other hand, is found mainly in the RAM and acts as an area where the CPU can store data temporarily. This area is used mainly when the computer and the other devices have different processing speeds. Typically, the data is stored in a buffer as it is retrieved from an input device (such as a mouse) or just before it is sent to an output device (such as speakers). However, the buffer may also be used when moving data between processes within a computer.

So, the computer writes the data into a buffer, from where the device can access the data at its own speed. This allows the computer to focus on other matters after it writes the data into the buffer, as opposed to constantly attending to the data until the device is done.

Buffers can be implemented in a fixed memory location in hardware or by using a virtual data buffer in software, which points to a data buffer stored on a physical storage medium. The majority of buffers are implemented in software. These buffers typically use the faster RAM to store temporary data, as RAM has a much faster access time than hard disk drives. A buffer often adjusts timing by implementing a queue or FIFO algorithm in memory; hence it is often writing data into the queue at one rate and reading it at another rate.

A common example of this is streaming videos online, such as on YouTube. While watching a video on YouTube, one may notice that a gray bar tends to load ahead of the red bar of the video stream. The gray bar is the buffer. It downloads the data of the video and saves it so that the video may play at an uninterrupted rate. As you might have noticed, when the red bar catches up to the gray bar the video stops in order to load the rest of the video.

Buffers are also often used with I/O to hardware, such as disk drives, sending or receiving data to or from a network, or playing sound on a speaker. Buffers are used for many purposes, such as interconnecting two digital circuits operating at different rates, holding data for use at a later time, allowing timing corrections to be made on a data stream, collecting binary data bits into groups that can then be operated on as a unit, and delaying the transit time of a signal in order to allow other operations to occur.

However, a buffer cannot be used to instantaneously move your location in the data stream unless the new part has already been moved into the buffer, just as the YouTube video cannot be forwarded to a part that is not covered by the gray bar. If you do, the buffer will relocate and restart from the new location.

Still, the functions of a cache and a buffer are not mutually exclusive and are often combined for ideal performance.
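The two mechanisms side by side, as an added example that is not part of the original post: a memoising cache that short-circuits repeated requests for the same key, and a bounded FIFO buffer that decouples a producer emitting one item per tick from a consumer draining one item every third tick. All inputs (the request list, the tick schedule, the simulated slow source) are constructed for illustration.

```powershell
# Added example (not from the original post); all values are constructed.

# ---- Cache: transparently serves repeated requests for the same key -------
$script:Cache       = @{}
$script:SourceReads = 0

function Get-FromSource {
    param([int]$Key)
    # Stands in for the slow "source origin" (disk, network, or a computation).
    $script:SourceReads++
    Start-Sleep -Milliseconds 20
    return $Key * $Key
}

function Get-Cached {
    param([int]$Key)
    if ($script:Cache.ContainsKey($Key)) { return $script:Cache[$Key] }   # hit: no source read
    $value = Get-FromSource -Key $Key                                     # miss: fetch and remember
    $script:Cache[$Key] = $value
    return $value
}

$requests = 3, 7, 3, 3, 7, 9          # six requests but only three distinct keys
$elapsed  = Measure-Command { $requests | ForEach-Object { Get-Cached -Key $_ | Out-Null } }
"Cache: {0} requests, {1} source reads, {2} ms" -f $requests.Count, $script:SourceReads, [int]$elapsed.TotalMilliseconds

# ---- Buffer: FIFO queue between a fast producer and a slow consumer --------
$buffer   = [System.Collections.Generic.Queue[int]]::new()
$capacity = 4
$consumed = [System.Collections.Generic.List[int]]::new()

function Add-ToBuffer {
    param([int]$Item)
    # Bounded buffer: when full the producer is refused (back-pressure) rather
    # than silently overwriting data that has not been consumed yet.
    if ($buffer.Count -ge $capacity) { return $false }
    $buffer.Enqueue($Item)
    return $true
}

# Producer: one item per tick. Consumer: one item every third tick.
# The buffer fills up and the producer is throttled; items still come out
# in the order they went in.
for ($tick = 1; $tick -le 12; $tick++) {
    $accepted = Add-ToBuffer -Item $tick
    if ($tick % 3 -eq 0 -and $buffer.Count -gt 0) { $consumed.Add($buffer.Dequeue()) }
    "tick {0,2}: accepted={1,-5} buffered={2} consumed={3}" -f $tick, $accepted, $buffer.Count, ($consumed -join ',')
}
```

The cache line shows three source reads for six requests, which is the whole point of a cache: the same data, served faster the second time. The buffer trace shows the other behaviour: nothing is served twice, the queue merely absorbs the rate mismatch, and once it is full the producer has to wait, exactly like the paused YouTube video when the red bar reaches the gray one.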

Sunday, April 13, 2014

Red Hat Enterprise Server 6 @ Nasa lab