Hello, Windows Server hybrid administrators. Welcome to this Microsoft Learn training module, Manage Domain Controllers and FSMO Roles. This module provides an introduction to how to manage Active Directory domain controllers, as well as how to understand and manage the flexible single master operations (FSMO) roles in an AD DS environment. In addition to covering these technical topics, this module also serves as preparation for objective domain 1, Deploy and manage AD DS in on-premises and cloud environments, of the first Windows Server Hybrid Administrator Associate exam, AZ-800. This module is adapted from a module that you can take on Microsoft Learn. The module itself provides more detail and includes knowledge checks to test your understanding. You can follow along with the contents of this module on Microsoft Learn at the address shown on the screen or listed in the video description. The Windows Server Hybrid Administrator Associate certification is Microsoft's successor to the Windows Server MCSE. Certification has always been important for Windows Server administrators, and the Windows Server Hybrid Administrator Associate brings many of the skills required to obtain the MCSE into the 2020s. To earn the new certification, you need to pass two exams, AZ-800 and AZ-801. Being successful on the exams requires that you not only understand how to perform common administrative tasks such as managing Active Directory, storage, networking, security, disaster recovery, monitoring, and virtualization on-premises, just as you would have had to for the last few years of Windows Server, but also know how to integrate and extend Windows Server with relevant services available in Azure.
In this module, you're going to learn about the following topics: deploying AD DS domain controllers, maintaining AD DS domain controllers, understanding the AD DS global catalog role and its placement considerations, understanding AD DS operations master roles, their placement considerations, and related management tasks, and describing the AD DS schema, how to manage the schema, and its role in an AD DS environment. Domain controllers authenticate all users and computers in a domain. Therefore, it's critical to ensure the optimal number and placement of domain controllers in any AD DS environment, especially in larger distributed environments. The domain controller deployment process has two steps. First, you install the binaries necessary to implement the domain controller role. For this purpose, you can use Windows Admin Center, PowerShell, or Server Manager. At the end of the initial installation process, you have installed the AD DS files but not yet configured AD DS on the server. The second step is to configure the AD DS role. The simplest way to perform this configuration is by using the Active Directory Domain Services Configuration Wizard. You start the wizard by selecting the AD DS link in Server Manager. You can also configure AD DS for a domain controller using PowerShell, but most people just use the wizard because it's easier than getting all the PowerShell right. As part of AD DS role configuration, you need to provide answers to the following questions. Are you installing a new forest, a new tree, or an additional domain controller for an existing domain? What is the Domain Name System (DNS) name for the AD DS domain? Which level will you choose for the forest functional level? Which level will you choose for the domain functional level? Will the domain controller be a DNS server? Will the domain controller host the global catalog? Will the domain controller be a read-only domain controller (RODC)? What will be the Directory Services Restore Mode (DSRM) password?
What is the NetBIOS name for the AD DS domain? Where will the database, log files, and SYSVOL folders be created? You should know the answers to all these questions before deploying a domain controller. Especially important is the DSRM password, which should be unique for each domain controller and stored somewhere safe. For the most part, the default settings are fine, though make sure you get the domain names correct from the beginning. Also note that the highest forest and domain functional level available is Windows Server 2016, even though you should be deploying domain controllers running Windows Server 2022. Domain controllers should always run the most recent version of the Windows Server operating system. A Windows Server computer that is running a Server Core installation doesn't have the Server Manager graphical user interface (GUI). Therefore you must use alternative methods to install the files for the domain controller role and to install the domain controller role itself. You can use Windows Admin Center, Server Manager, Windows PowerShell, or Remote Server Administration Tools (RSAT) installed on any supported version of Windows Server that has the Desktop Experience feature, or on any supported Windows client, such as Windows 11. You manage a Server Core DC remotely using PowerShell, the RSAT tools, or Windows Admin Center. Microsoft recommends deploying all domain controllers using Server Core, as this reduces the server's attack surface. You should not install other roles on a domain controller, such as the File Server role or Internet Information Services, as this would increase the attack surface. In later modules, you'll learn how to harden a domain controller by limiting administrative access, limiting which software can run on the domain controller, and using technologies such as Windows Defender.
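As an added example (not part of the Microsoft Learn module or any Microsoft sample), the following PowerShell script answers the wizard's questions above from the command line, which is the route you take on a Server Core installation (run it locally from the sconfig PowerShell prompt or over Enter-PSSession). The domain name corp.example.com, the NetBIOS name CORP and the D: drive paths are assumed values for illustration.

```powershell
# Added example, not from the Microsoft Learn module. The domain name, NetBIOS name
# and paths below are assumptions; replace them with your own values.

# Step 1: install the AD DS binaries and the management tools. Nothing is configured yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password must be unique per domain controller; prompt for it rather than
# hard-coding it in the script, and record it in your password vault.
$dsrmPassword = Read-Host -Prompt 'DSRM password for this domain controller' -AsSecureString

# Step 2: configure the role. Each entry answers one of the wizard's questions.
$params = @{
    DomainName                    = 'corp.example.com'  # DNS name of the new AD DS domain
    DomainNetbiosName             = 'CORP'              # NetBIOS name
    ForestMode                    = 'WinThreshold'      # Windows Server 2016 level, the highest available
    DomainMode                    = 'WinThreshold'      # same for the domain functional level
    InstallDns                    = $true               # this DC is also a DNS server
    DatabasePath                  = 'D:\NTDS'           # ntds.dit
    LogPath                       = 'D:\NTDS'           # transaction logs
    SysvolPath                    = 'D:\SYSVOL'         # SYSVOL share
    SafeModeAdministratorPassword = $dsrmPassword       # DSRM password
    Force                         = $true               # suppress the confirmation prompt
}

# Dry run: validates the answers (paths, name collisions, functional levels)
# without promoting the server.
Test-ADDSForestInstallation @params | Format-List

# Real promotion. The first DC in a new forest always hosts the global catalog, so
# that question does not arise here; for an additional DC in an existing domain use
# Install-ADDSDomainController with -NoGlobalCatalog, -ReadOnlyReplica and -SiteName
# as required. The server reboots when promotion completes.
Install-ADDSForest @params
```

Splatting the parameters through a hashtable keeps one line per wizard question, so the script doubles as the record of the answers you gave, and the same hashtable feeds both the test cmdlet and the real promotion.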
If you have a network connection between sites that is slow, unreliable, or costly, you might find it beneficial to add another domain controller at a remote location or branch office. In this scenario, to significantly reduce the amount of traffic moving over the wide area network (WAN) link, you can create an AD DS backup, perhaps to a USB drive, and take this backup to the remote location. When you're at the remote location and run Server Manager to install AD DS, you can select the Install from media option. Most of the copying occurs locally. In this scenario, the WAN link transfers only security-related traffic and the AD DS changes made after the backup. The WAN link also helps ensure that the new domain controller receives any changes made to the central AD DS after you created the install-from-media backup. If you see an exam question about installing a domain controller in Antarctica and someone being concerned about replicating the entire Active Directory database over a satellite link, then you should think about the Install from media option. When you deploy a domain controller in a branch office that can't guarantee physical security, you can use additional measures to reduce the impact of a security breach. One option is to deploy an RODC. The RODC contains a read-only copy of the AD DS database, and by default it doesn't cache any user passwords. However, you can configure the RODC to cache the passwords for users in the branch office. If an RODC is compromised, the potential risk of information loss is much lower than with a full read-write domain controller. In the real world, you wouldn't deploy a server in an insecure location. If you come across an exam question suggesting that you have no choice but to deploy a domain controller in an insecure location, such as on top of the refrigerator in the staff break room, your least bad option is to deploy that server as an RODC.
The process for upgrading a domain controller is the same for any version of Windows Server from Windows Server 2012 R2 through Windows Server 2022. You can upgrade to a Windows Server 2022 domain controller using either of the following methods: upgrade the OS on existing domain controllers that are running Windows Server 2012 R2 or later, or add servers running Windows Server 2022 as domain controllers in a domain that already has domain controllers running earlier Windows Server versions. We recommend the latter method because when you finish, you'll have a clean installation of both the Windows Server 2022 OS and the AD DS database. Whenever you add a new domain controller, Windows Server automatically updates the domain DNS records so clients will be able to locate and use this domain controller. When thinking about in-place upgrades, remember which versions you can upgrade to. For example, your in-place upgrade options are different for Windows Server 2012 as opposed to Windows Server 2016. Also, if you are adding new domain controllers and then demoting and removing existing ones, remember that whilst the new domain controllers might have DNS installed on them, clients might be getting the old domain controller's IP address from DHCP when looking for their DNS server. You will learn more about FSMO roles and domain controllers later in this module, and domain controller migration is an entire section of the AZ-801 exam. Azure provides infrastructure as a service (IaaS), which is a cloud-based virtualization platform. When deploying AD DS on Azure IaaS, you're installing the domain controller on a virtual machine, so all the rules that apply to virtualizing a domain controller apply to deploying AD DS in Azure. When you implement AD DS in Azure, consider the following. Network topology: to meet AD DS requirements, you must create an Azure virtual network and attach your VMs to it.
If you intend to join an existing on-premises AD DS infrastructure, you can extend network connectivity to your on-premises environment. You can achieve this through hybrid connectivity methods, such as a virtual private network connection or an Azure ExpressRoute circuit, depending on the speed, reliability, and security that your organization requires. Site topology: as with a physical site, you should define and configure an AD DS site that corresponds to the IP address space of your Azure virtual network. IP addressing: all Azure VMs receive Dynamic Host Configuration Protocol (DHCP) addresses by default, but you can configure static addresses that will persist across restarts and shutdowns. DNS: Azure's built-in DNS does not meet the requirements of AD DS, such as dynamic DNS and service resource records. To provide DNS functionality for an AD DS environment in Azure, you can use the Windows Server DNS Server role or other DNS solutions available in Azure, such as Azure Private DNS zones. Most organizations just deploy a Windows Server DNS server virtual machine. Disks: you have control over the caching configuration of Azure VM disks. When you install AD DS on an Azure virtual machine, you should place the ntds.dit and SYSVOL files on one of its data disks and set the host cache preference setting of that disk to None. There are operational aspects applicable to every AD DS environment that focus on maintaining business continuity of the authentication services. These include backup and recovery of domain controllers and the AD DS objects they host. Domain controllers use a multi-master replication process to copy data from one domain controller to another. As a best practice, an AD DS domain should have at least two domain controllers per AD DS site. This makes the AD DS database more available and spreads the authentication load during peak sign-in times.
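The three Azure-side settings just listed for a domain controller VM (static private IP, virtual network DNS pointing at the DC, and a data disk with host caching set to None), as an added example using the Az PowerShell module; it is not code from the Microsoft Learn module. The resource group rg-identity, VM vm-dc01, NIC vm-dc01-nic, virtual network vnet-identity, disk name and the address 10.10.1.4 are assumptions.

```powershell
# Added example, not from the Microsoft Learn module. Resource names and the IP
# address are assumptions; it requires the Az.Compute and Az.Network modules.
$rg = 'rg-identity'; $vmName = 'vm-dc01'; $dcIp = '10.10.1.4'

# IP addressing: make the DC's private address static in Azure (never inside the
# guest) so it survives deallocation and restarts.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "$vmName-nic"
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic.IpConfigurations[0].PrivateIpAddress          = $dcIp
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# DNS: hand domain members the DC's DNS Server role via the virtual network's DNS
# setting instead of Azure's built-in resolver, which has no dynamic updates or SRV records.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-identity'
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($dcIp)
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Disks: a dedicated data disk for ntds.dit, the logs and SYSVOL, with host caching
# set to None so a write the directory considers committed is really on disk.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-ntds" -Lun 0 -Caching None `
                       -CreateOption Empty -DiskSizeInGB 64
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# Inside the guest afterwards: bring the new disk online as D:, then promote with
# -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL'.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter D -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false
```

The caching setting is the one people most often miss: the OS disk's default read/write host cache is fine for Windows itself but not for the directory database, so the database never goes on the OS disk.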
For most enterprises, consider two domain controllers per geographical region as the absolute minimum to help ensure high availability and performance. Maintaining the reliability of the Active Directory data is important. Performing regular backups plays a part in this process, but knowing how to restore or recover data after a failure is vital. To back up AD DS on a domain controller, ensure that you back up the server's system state data. To restore AD DS, a backup must explicitly include system state data. System state is a collection of critical OS and server role files that includes the AD DS database and the registry. To perform an AD DS restore, you must have full access to the files on the domain controller. This requires restarting the domain controller in DSRM. If you're restarting a domain controller locally, open the advanced startup options and choose DSRM from the menu. When you start a domain controller in DSRM, you sign in as Administrator with the DSRM password. You can then use Windows Server Backup to restore the directory database. After completing the restore process, you must restart the server you are recovering. The domain controller will ensure that its database is consistent with the rest of the domain by pulling from its replication partners the changes to the directory that have occurred since the date of the backup. There are two types of restoration of AD DS data: authoritative and non-authoritative restores. An authoritative restore allows you to restore a known good copy of AD DS objects, which replaces the current version of these objects in the AD DS database. In an authoritative restore, you start with the same sequence of steps as the non-authoritative restore. However, before you restart the domain controller, you mark the restored objects that you want to persist as authoritative, so they will replicate from the restored domain controller outbound to its replication partners.
A non-authoritative restore rolls the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. In other words, the domain controller catches up with the rest of the domain by using standard replication mechanisms. A non-authoritative restore is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. However, in some scenarios this approach is not suitable. For example, it will not enable you to recover an object you deleted after the backup took place if that deletion has replicated to other domain controllers. If you restore a known good version of AD DS and restart the domain controller, the deletion that happened after the backup took place will simply replicate back to the domain controller. Restoring a deleted item requires an authoritative restore or using the Active Directory Recycle Bin. Because restoring objects deleted from AD DS by using traditional backup methods involves temporary OS downtime, Windows Server offers the Active Directory Recycle Bin feature, which provides a straightforward method to restore deleted objects with no AD DS downtime. After you enable the Active Directory Recycle Bin, the Deleted Objects container is displayed in Active Directory Administrative Center. Deleted objects persist in this container until their deleted object lifetime expires. For new AD DS deployments, that lifetime is set to 180 days, but you have the option to change it. You can choose to restore the objects either to their original location or to an alternate location within AD DS. As part of planning for domain controller deployments, it's important to identify the optimal number and placement of the global catalog role. This becomes relevant when expanding an AD DS environment to other locations.
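The backup, DSRM restore, authoritative restore and Recycle Bin procedures described above, as one added PowerShell example (not code from the Microsoft Learn module). The backup target E:, the OU OU=Sales,DC=corp,DC=example,DC=com, the deleted user's name, the forest corp.example.com and the 365-day lifetime are assumptions; the wbadmin version identifier is a placeholder you read from wbadmin get versions.

```powershell
# Added example, not from the Microsoft Learn module. Paths, names and the new
# lifetime value are assumptions.

# --- Backup: system state includes ntds.dit, SYSVOL and the registry. Back it up
#     to a volume that is not the one holding the database.
Install-WindowsFeature -Name Windows-Server-Backup
wbadmin start systemstatebackup -backupTarget:E: -quiet

# --- Non-authoritative restore: boot into DSRM, restore the system state, reboot.
bcdedit /set safeboot dsrepair      # the next boot enters Directory Services Restore Mode
Restart-Computer
# Sign in as .\Administrator with this DC's DSRM password, then:
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:VERSION-ID-FROM-GET-VERSIONS -backupTarget:E: -quiet
# After the reboot below the DC pulls every later change from its replication partners,
# so a deletion that already replicated comes straight back.

# --- Authoritative restore of one deleted OU. Run while still in DSRM, after the
#     system state recovery and before rebooting: the marked objects then replicate
#     outbound and overwrite the deletion on the other DCs.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=corp,DC=example,DC=com" quit quit
bcdedit /deletevalue safeboot       # boot normally next time
Restart-Computer

# --- Recycle Bin: no downtime, but enabling it is forest-wide and cannot be undone.
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes     # empty EnabledScopes means not yet enabled
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com' -Confirm:$false

# Find a user deleted after the feature was enabled and put it back where it was.
Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'J. Smith*' } `
    -IncludeDeletedObjects -Properties LastKnownParent |
    Restore-ADObject

# Lengthen the deleted object lifetime from the 180-day default to 365 days (assumed).
$dsObject = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
Set-ADObject -Identity $dsObject -Replace @{ 'msDS-DeletedObjectLifetime' = 365 }
```

Restore-ADObject takes -TargetPath if the original parent no longer exists, which covers the alternate-location restore mentioned above; without it the object returns to its LastKnownParent.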
The global catalog is a partial, read-only, searchable copy of all the objects in a forest. The global catalog can help speed up searches for objects that might be stored on domain controllers in a different domain in the forest. Within a single domain, the AD DS database on each domain controller contains all the information about every object in that domain. However, only a subset of this information replicates to the global catalog servers in other domains in the forest. Within a domain, a query for an object is directed to one of the domain controllers in that domain. However, that query does not return results about objects in other domains within the forest. For a query to include results from other domains in the forest, you must query a domain controller that is also a global catalog server. The global catalog doesn't contain all the attributes for each object. Instead, it maintains the subset of attributes that are most likely to be useful in cross-domain searches. These attributes include, for example, given name, display name, and mail. You can change the set of attributes replicated to the global catalog by modifying the AD DS schema. In a multiple-domain forest, searching the global catalog can be useful in many situations. For example, when a server that's running Microsoft Exchange Server receives an incoming email, it must search for the recipient's account so it can decide how to route the message. By automatically querying the global catalog, the server can find the recipient in a multiple-domain environment. Additionally, when users sign in to their Active Directory accounts, the domain controller that performs the authentication must contact the global catalog to check for universal group memberships before authenticating the users. In a single domain, you should configure all the domain controllers to have a copy of the global catalog.
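To see where the global catalog sits today and to add it to a domain controller, here is an added PowerShell example (not from the Microsoft Learn module). The domain controller name DC02 and the helper function Set-GlobalCatalog are assumptions introduced for illustration; the options attribute and isGlobalCatalogReady are the real directory attributes involved.

```powershell
# Added example, not from the Microsoft Learn module. 'DC02' and the helper
# function name are assumptions.
Import-Module ActiveDirectory

# Which DCs host the global catalog, grouped by site? Use this to check the
# "at least one GC per site, all DCs in a single domain" guidance.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, Domain, IsGlobalCatalog, IsReadOnly |
    Sort-Object Site, Name | Format-Table -AutoSize

# The GC role is bit 0 (value 1) of the "options" attribute on the DC's NTDS
# Settings object. Set or clear that one bit so other option bits are preserved.
function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [bool]$Enabled = $true
    )
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]$ntds.options                      # $null becomes 0
    $new = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    Set-ADObject -Identity $ntds -Replace @{ options = $new }
}

Set-GlobalCatalog -DcName 'DC02'

# The partial replicas are built asynchronously; the DC advertises the GC only once
# its root DSE reports isGlobalCatalogReady = TRUE.
(Get-ADRootDSE -Server 'DC02').isGlobalCatalogReady
```

Removing the GC from a DC is Set-GlobalCatalog -DcName 'DC02' -Enabled $false; before doing that in a multiple-domain forest, re-read the infrastructure master placement rule later in this module.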
In a multiple-domain, multiple-site forest, it might sometimes make sense to limit the number of domain controllers hosting the global catalog role to reduce the volume of replication traffic, although this is an uncommon scenario. Note, however, that this will introduce a dependency on connectivity to other sites when performing global catalog queries. AD DS uses a multi-master process to copy data between domain controllers and automatically implements a conflict resolution algorithm that remediates simultaneous conflicting updates. These provisions allow for a distributed management model where multiple users and applications can concurrently apply changes to AD DS objects on different domain controllers. AD DS operations master roles are responsible for performing operations that are not suitable for a multi-master model. A domain controller that has one of these roles is an operations master. An operations master role is also known as a flexible single master operation (FSMO) role. There are five operations master roles: schema master, domain naming master, infrastructure master, RID master, and PDC emulator master. By default, the first domain controller installed in a forest hosts all five roles. However, you can transfer these roles after deploying additional domain controllers. When performing operations master-specific changes, you must connect to the domain controller that holds the role. The five operations master roles have the following distribution. Each forest has one schema master and one domain naming master. Each AD DS domain has one relative ID (RID) master, one infrastructure master, and one primary domain controller (PDC) emulator. These roles have the following functionality.

Domain naming master: this is the domain controller that you must contact when you add or remove a domain or make domain name changes. If the domain naming master is unavailable, you will not be able to add domains to the forest.

Schema master: this is the domain controller on which you make all schema changes. If the schema master is unavailable, you will not be able to make changes to the schema.

RID master: whenever you create a security principal such as a user, computer, or group in AD DS, the domain controller where you created the object assigns the object a unique identifying number known as a security identifier (SID). To ensure that no two domain controllers assign the same SID to two different objects, the RID master allocates blocks of RIDs to each domain controller within the domain to use when building SIDs. If the RID master is unavailable, you might experience difficulties adding security principals to the domain. Also, as domain controllers use up their existing RIDs, they eventually run out of them and are unable to create new objects.

Infrastructure master: this role maintains inter-domain object references, such as when a group in one domain has a member from another domain. In this situation, the infrastructure master is responsible for maintaining the integrity of this reference. For example, when you review an object's Security tab, the system references the listed SIDs and translates them into names. In a multiple-domain forest, the infrastructure master updates references to SIDs from other domains with the corresponding security principal names. If the infrastructure master is unavailable, domain controllers that are not global catalogs will not be able to perform translation of SIDs to security principal names. The infrastructure master role should not reside on the domain controller that's hosting the global catalog role unless every domain controller in the forest is configured to serve as a global catalog. In that case, the infrastructure master role is not necessary, because every domain controller knows about every object in the forest.

PDC emulator master: the domain controller that is the PDC emulator master serves as the time source for the domain.
The PDC emulator master in each domain in a forest synchronizes its time with the PDC emulator master in the forest root domain. You set the PDC emulator master in the forest root domain to synchronize with a reliable external time source. Additionally, changes to Group Policy objects are by default written to the PDC emulator master. The PDC emulator master is also the domain controller that receives urgent password changes. If a user's password changes, the domain controller with the PDC emulator master role receives this information immediately. This means that if the user tries to sign in, the domain controller in the user's current location will contact the domain controller with the PDC emulator master role to check for recent changes. This occurs even if a domain controller in a different location that had not yet received the new password information authenticated the user. If the PDC emulator master is unavailable, users might have trouble signing in until their password changes have replicated to all the domain controllers. You can place all five roles on a single domain controller or distribute them across several domain controllers. Best practice is to separate them across domain controllers rather than placing them all on a single domain controller. In an AD DS environment where you distribute operations master roles among domain controllers, you might need to move a role from one domain controller to another. When you perform a move in a planned manner between two online domain controllers, the move is known as transferring the role. You use the following consoles, or PowerShell, to manage FSMO roles. The schema master is managed by the Active Directory Schema console. The domain naming master is managed by Active Directory Domains and Trusts. The infrastructure master is managed by Active Directory Users and Computers. The RID master is managed by Active Directory Users and Computers.
The PDC emulator master is managed by Active Directory Users and Computers. When thinking about exam questions, make sure you remember which consoles can be used to transfer FSMO roles and what the symptoms of an unavailable FSMO role are. Also review which PowerShell commands are used to manage roles. You can learn more about those commands by reviewing the Learn module that this video is based upon. In emergencies, if the current role holder is not available, the move is known as seizing the role. When you transfer a role, the latest data from the domain controller in that role replicates to the target server. You should seize a role only as a last resort, when there is no chance of recovering the current role holder. The AD DS schema is the component that defines all of the object classes and attributes that AD DS uses to store data. All domains in a forest contain a copy of the schema that applies to that forest. Any change in the schema replicates to every domain controller in the forest via their replication partners. However, changes originate at the schema master. AD DS uses objects as units of storage. The schema defines all object types. Each time the directory manages data, the directory queries the schema for an appropriate object definition. Based on the object definition in the schema, the directory creates the object and stores the data. Object definitions specify both the types of data that the objects can store and the data syntax. You can only create objects that the schema defines. Because objects store data in a rigidly defined format, AD DS can store, retrieve, and validate the data that it manages, regardless of which application supplies it. AD DS schema objects consist of attributes, which are grouped together into classes. Each class has rules that define which attributes are mandatory and which are optional.
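The PowerShell side of operations master management mentioned above (locating the five role holders, checking the infrastructure master placement rule, transferring, seizing, and configuring the PDC emulator as the time source), as an added example that is not code from the Microsoft Learn module. The target domain controller name DC02, the NTP peer and the two helper function names are assumptions.

```powershell
# Added example, not from the Microsoft Learn module. 'DC02', the NTP peer and the
# helper function names are assumptions.
Import-Module ActiveDirectory

# Forest-wide roles are properties of the forest object, per-domain roles of the
# domain object. (netdom query fsmo prints the same five holders.)
function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        PDCEmulator          = $domain.PDCEmulator
    }
}
Get-FsmoRoleHolders

# Placement rule from the text: the infrastructure master must not be a global
# catalog unless every DC in this domain is one.
function Test-InfrastructureMasterPlacement {
    $dcs   = Get-ADDomainController -Filter *
    $im    = $dcs | Where-Object HostName -eq (Get-ADDomain).InfrastructureMaster
    $nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        $msg = 'Infrastructure master {0} is a GC while {1} DC(s) are not; ' +
               'cross-domain references will stop being updated.'
        Write-Warning ($msg -f $im.HostName, $nonGc.Count)
        return $false
    }
    return $true
}
Test-InfrastructureMasterPlacement

# Planned transfer between two online DCs; the same cmdlet handles all five roles.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seizure, only when the old holder will never return. -Force falls back to seizing
# when a transfer cannot be negotiated. Rebuild the old holder before it ever
# reconnects to the network, or two DCs will claim the same role.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster -Force -Confirm:$false

# On the forest-root PDC emulator: take time from an external source and advertise
# as a reliable time server so the other PDC emulators chain from it.
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
w32tm /query /source
```

Run Get-FsmoRoleHolders again after a transfer or seizure; the values come from the directory, so if replication has not yet caught up you will see the old holder from some DCs for a while.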
For example, the user class consists of more than 400 possible attributes, including cn (the common name attribute), givenName, displayName, objectSid, and manager. Of these attributes, cn and objectSid are mandatory. You can modify the schema only if you are a member of the Schema Admins group in the root domain of the AD DS forest. You should change the schema only when necessary, because the schema controls the storage of information. Additionally, any changes made to the schema affect every domain controller. Before you change the schema, you should review the changes and implement them only after you've performed testing. This will help ensure that the changes won't adversely affect the rest of the forest or any applications that use AD DS. You use the Active Directory Schema snap-in to edit the schema. This snap-in is not available in the Microsoft Management Console unless you first register it with the regsvr32 command. Once you have registered the appropriate DLL, open the Microsoft Management Console and, on the File menu, click Add/Remove Snap-in. In the Available snap-ins list, click Active Directory Schema and then click Add. In the console tree, right-click Active Directory Schema and then click Load the Schema. To modify the schema, do the following. In the console tree, click the attribute or class that you want to modify. On the Action menu, click Properties. Modify the attribute or class information as necessary. Click OK. In this module, you learned about the following topics: deploying AD DS domain controllers, maintaining AD DS domain controllers, understanding the AD DS global catalog role and its placement considerations, understanding AD DS operations master roles, their placement considerations, and related management tasks, and describing the AD DS schema, how to manage the schema, and its role in an AD DS environment. If you want to learn more, you can take this module on Microsoft Learn or read the official AZ-800 exam prep guide from Microsoft Press.
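An added PowerShell example (not from the Microsoft Learn module) for the schema material above and for the earlier statement that the set of attributes replicated to the global catalog is changed by modifying the schema. It lists Schema Admins, works out the mandatory and optional attributes of the user class, shows the partial attribute set, adds one attribute to it, and registers the Schema snap-in DLL. The class name user and attribute employeeID are real schema names; the helper function Get-SchemaClassAttributes is an assumption introduced here.

```powershell
# Added example, not from the Microsoft Learn module. The helper function is an
# assumption; 'user', 'employeeID' and the attribute names are real schema names.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Only members of Schema Admins in the forest root domain may change the schema.
Get-ADGroupMember -Identity 'Schema Admins' -Server (Get-ADForest).RootDomain |
    Select-Object Name, ObjectClass

# Mandatory and optional attributes of a class. A class inherits from its parents
# (user -> organizationalPerson -> person -> top) and from auxiliary classes such as
# securityPrincipal, so walk the whole chain instead of reading "user" alone.
function Get-SchemaClassAttributes {
    param([Parameter(Mandatory)][string]$ClassName)
    $props = 'subClassOf', 'systemAuxiliaryClass', 'auxiliaryClass',
             'systemMustContain', 'mustContain', 'systemMayContain', 'mayContain'
    $must  = [System.Collections.Generic.HashSet[string]]::new()
    $may   = [System.Collections.Generic.HashSet[string]]::new()
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($ClassName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }          # "top" is its own parent
        $cls = Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq $name } -Properties $props
        foreach ($a in @($cls.systemMustContain) + @($cls.mustContain)) { if ($a) { [void]$must.Add($a) } }
        foreach ($a in @($cls.systemMayContain)  + @($cls.mayContain))  { if ($a) { [void]$may.Add($a) } }
        foreach ($p in @($cls.subClassOf) + @($cls.systemAuxiliaryClass) + @($cls.auxiliaryClass)) {
            if ($p) { $queue.Enqueue($p) }
        }
    }
    [pscustomobject]@{
        Class     = $ClassName
        Mandatory = @($must | Sort-Object)
        Optional  = @($may | Where-Object { -not $must.Contains($_) } | Sort-Object)
    }
}

$user = Get-SchemaClassAttributes -ClassName 'user'
'user: {0} mandatory, {1} optional attributes' -f $user.Mandatory.Count, $user.Optional.Count
($user.Mandatory -contains 'cn') -and ($user.Mandatory -contains 'objectSid')   # True

# Attributes replicated to the global catalog form the partial attribute set.
Get-ADObject -SearchBase $schemaNC -Filter { isMemberOfPartialAttributeSet -eq $true } `
    -Properties lDAPDisplayName | Sort-Object lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName

# Adding an attribute to the GC is a schema change: it is written on the schema
# master and replicates to every DC in the forest. Do it in a lab forest first.
Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq 'employeeID' } |
    Set-ADObject -Replace @{ isMemberOfPartialAttributeSet = $true } -Server (Get-ADForest).SchemaMaster

# GUI route: register the snap-in DLL once, then add "Active Directory Schema" in mmc.exe.
regsvr32 schmmgmt.dll
```

The inheritance walk is what makes the "cn and objectSid are mandatory" statement checkable: cn arrives from person and objectSid from the securityPrincipal auxiliary class, neither of which is listed on the user class object itself.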
Links are available at aka.ms-az-800-study-guide. We publish new content regularly on this channel on topics related to Windows Server, hybrid cloud, and Azure infrastructure, and the certifications related to these topics. We look forward to seeing you in future videos.