Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
Introduction
Domain controllers are servers that host an Active Directory domain and provide authentication and directory services to clients. A domain controller (DC) can only be authoritative (i.e., it can only process authentication requests) for a single domain, but it can store partial read-only copies of objects in other domains in the forest if it is enabled as a global catalog server. All domain controllers in a forest also host a copy of the Configuration and Schema naming contexts (NCs), which are replicated to all domain controllers in a forest.
Active Directory domain controllers are fully multimaster in nature, meaning that updates to the directory (with a few exceptions, which we’ll discuss next) can originate on any domain controller in a forest. However, some tasks are sufficiently sensitive in nature that they cannot be distributed to all DCs, due to the potential of significant issues arising from more than one DC performing the same update simultaneously. For example, if two different domain controllers made conflicting updates to the schema, the impact could be severe and could result in data loss or an unusable directory. For this reason, Active Directory uses Flexible Single Master Operation (FSMO, pronounced “fiz-mo”) roles. For each FSMO role, only one domain controller acts as the role owner and performs the tasks associated with the role. These roles are termed “single master” because only a single ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access