The last part of this module is on troubleshooting Flexible Single Master Operation, or FSMO, roles. FSMO roles are special capabilities of Active Directory domain controllers. There are two forest‑wide ones, where there's one domain controller in the whole forest who holds that role, and then there are three that are deployed per domain. The Schema Master is the domain controller that's allowed to perform updates to the Active Directory Schema. All of these roles are initially placed on the first domain controller. Now, this function, the last bullet point on the right says "generally placed on the forest root PDC." PDC is an old historical reference to Primary Domain Controller. It's going to be your first domain controller in that forest. But the idea is that you can move Active Directory FSMO roles around for optimal placement. The Schema Master DC role holder, of course, you want to put extra protection on, because if you can modify the AD Schema, you potentially could do great damage to your entire forest environment. The other forest role is Domain Naming Master. Again, this is one role holder for the whole forest; it adds and removes domains and application partitions, and it has to be online whenever you're doing work with partitions or when you're working with domains.

Domain‑specific FSMO roles. PDC Emulator: the idea is that back in the Windows NT days, there was only one read‑write domain controller, and it was called the PDC, or Primary Domain Controller. So the PDC Emulator role was originally created to support hybrid environments. This is way back in 2000/2001, when businesses were moving or migrating from Windows NT domains to Windows Active Directory domains. But nowadays the PDC Emulator still lives: it handles password changes, that's the main one, and it's also responsible for group policy. So the PDC Emulator absolutely has a critical role to play today. The RID, or RID Master: RID stands for Relative ID, and this is what allows your domain controllers to allocate security IDs. Every object that's created in a domain needs to have a globally unique Security ID, or SID. If you have multiple domain controllers and you're creating objects on those domain controllers, you don't want them to hand out the same SID value, so we've got the RID Master involved in partitioning the RID pool. And lastly, we have the Infrastructure Master, and this is just looking at any references among domains and looking for references to resources that span different domains.

So we've got connectivity between the Infrastructure Master and the global catalog. You absolutely never want to host the Global Catalog and the Infrastructure Master on the same box, because you'll wind up with kind of a routing loop. The Infrastructure Master needs the global catalog for its updates and the global catalog needs the Infrastructure Master for its updates, so you want those on separate machines for sure. Now, the AZ‑800 objectives deal not with understanding what each role is; that's kind of presumed. Like I say, this AZ‑800/AZ‑801 is not a beginner certification. I'm not treating you as if you're brand new to Active Directory; you have to come in with some existing skills. The AZ‑800 asks specifically about how to transfer these roles for optimal placement and/or for troubleshooting. In fact, troubleshooting, I think, is specifically mentioned on the exam objective.