Manage Operations Master Roles
The Manage Operations Master Roles module provides you with the instruction and server hardware to develop your hands-on skills in the defined topics. This module includes the following exercises:
- Install Additional Domain Controllers
- Transfer Operations Master Roles
- Seize Operations Master Roles
Lab Time: It will take approximately 1 hour to complete the exercises in this lab.
The following exam objectives are covered in this lab:
- Transfer and seize operations master roles
Exercise 1 - Install Additional Domain Controllers
A Windows Server running Active Directory Domain Services assumes the role of a domain controller that authenticates user logins on the organization’s network. Active Directory allows changes to be made on any domain controller in the domain, a model called multi-master replication. However, multi-master replication introduces the possibility of a conflict or version clash when changes are made concurrently on more than one domain controller in the enterprise. This conflict is typically resolved because Active Directory Domain Services accepts the change that was written last to the directory services database.
This exercise will begin with the creation of two additional domain controllers in the existing lab domain that will later be used to demonstrate how flexible single master operations (FSMO) work to perform updates in Active Directory.
Exercise 2 - Transfer Operations Master Roles
Active Directory Domain Services in Windows Server follows the multi-master replication model as changes in the directory database can be performed on any domain controller in the enterprise.
There are, however, updates in Active Directory that can occur on one domain controller only, in a single-master fashion. To prevent conflicts in this type of update, Windows Server uses Flexible Single Master Operations, or FSMO.
One such update is schema modification, which happens when an Active Directory (AD) aware program like Exchange Server is introduced in the network. Schema modification calls for a server running the Schema Master role. This role is found on the first domain controller installed in the forest root domain.
When a new child domain is installed in or removed from the domain tree, this calls for a change to be made through the Domain Naming Master role. This role is found on the first domain controller installed in the forest root domain.
In a multi-domain environment, an Infrastructure Master tracks references to objects in a different domain where group nesting is enabled. This role is found on the first domain controller installed in each domain.
The Relative ID (RID) Master is responsible for processing RID pool requests from a domain controller when a new AD object, such as a user or group, is created. The RID is part of the security identifier (SID) that uniquely identifies the object within the domain. This role is found on the first domain controller installed in each domain.
The Primary Domain Controller (PDC) emulator is used for synchronizing the time in a domain enterprise. The Kerberos authentication protocol relies on time synchronization, and the first domain controller installed in the domain holds this FSMO role.
This exercise will demonstrate how to transfer an FSMO role to another domain controller in the same domain.
Exercise 3 - Seize Operations Master Roles
In the event of hardware failure on the domain controller, administrators can use the ntdsutil.exe tool to seize the FSMO role from the failed domain controller.
Seizing the role from the failed directory server is not mandatory, assuming that the server will be restored from backups. If a major change is about to be introduced in the domain, such as a schema update or the addition of a new child domain, and the domain controller holding the FSMO role cannot be successfully restored, then seizing the FSMO role from the failed server is an option.
This exercise will demonstrate how to seize an FSMO role from a failed domain controller.
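The transfer-versus-seize decision from Exercises 2 and 3, as an added PowerShell example that is not part of the lab's own material. It uses the ActiveDirectory module instead of ntdsutil.exe; the target name DC02.example.local is hypothetical, and an ICMP reply is assumed to be a good enough sign that the current role holder is alive.

```powershell
# Added example: requires the RSAT ActiveDirectory module and rights to move FSMO roles.
Import-Module ActiveDirectory

$TargetDC = 'DC02.example.local'   # hypothetical: the DC that should receive the roles

function Get-FsmoHolder {
    # Forest-wide roles come from the forest object, domain-wide roles from the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$holders = Get-FsmoHolder
foreach ($role in $holders.Keys) {
    $holder = $holders[$role]
    if ($holder -eq $TargetDC) {
        Write-Output "$role is already held by $TargetDC"
        continue
    }

    # Assumption: an ICMP reply means the holder is healthy enough for a graceful transfer.
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        Write-Output "Transferring $role from $holder to $TargetDC"
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $role -Confirm:$false
    }
    else {
        # Seizing is a last resort: only preview it here, so an operator decides
        # whether the failed holder will be restored from backup instead.
        Write-Warning "$holder is unreachable; previewing seizure of $role"
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $role -Force -WhatIf
    }
}

# Record the final state for the change log.
Get-FsmoHolder
```

Remove `-WhatIf` from the seizure branch only after confirming that the failed domain controller cannot be restored.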