

The Tips and Tricks Guide to Active Directory Troubleshooting will save you time and help you maximize the performance of your enterprise network. Written in an easy-to-read Q & A format, this book shows you the strategies, technologies, and processes used by the experts to help you simplify and enhance the effectiveness of your network configuration management. From troubleshooting to security and change management, this book provides step-by-step instructions on how to ensure optimal performance for your enterprise networks. You will turn to this guide again and again as you face both strategic and day-to-day network administration challenges.
Q: What do the FSMO roles do?
A: In general, all domain controllers in an Active Directory domain are created equal. That is, they all have the ability to both read from and write to the Active Directory database and are essentially interchangeable. However, certain operations within a domain and forest must be centrally coordinated from a single authoritative source. These operations are handled by only one domain controller within the domain and are divided into five distinct operational categories. These categories are referred to as Flexible Single Master Operations (FSMOs).
The term flexible refers to the fact that no particular domain controller must handle these operations. Instead, the five FSMO roles can be held by any one domain controller; in fact, all five roles can be held by a single domain controller if you desire. When you install the first Active Directory domain in a new forest, the first domain controller you create automatically holds all five roles, and will continue to do so unless you manually move one or more of the roles to another domain controller.
Q: How does Kerberos work?
A: Kerberos is an industry-standard authentication protocol and part of the TCP/IP suite of internetworking protocols. Originally developed at MIT, Kerberos is now up to version 5, which is primarily defined in Internet Request for Comments (RFC) 1510.
You can find RFC 1510 at http://www.ietf.org/rfc/rfc1510.txt. Microsoft has proposed several extensions to Kerberos that are used in Windows 2000 (Win2K) and later; review RFCs 3244 and 1964 at the same site for more information about Kerberos specifics and Microsoft extensions.
Kerberos provides a number of advantages over Microsoft's older authentication protocols:
Q: How does Active Directory replication work?
A: Active Directory (AD) is a multi-master directory, meaning each directory services server (referred to as a domain controller) contains a fully readable and writable copy of the directory services database. Because all domain controllers can accept changes to the database, some method is needed to replicate those changes to other domain controllers, ensuring a consistent database across all domain controllers. This scheme is referred to as AD replication. AD replication can be broken down into four basic operational components:
Q: How does DNS work?
A: The Domain Name System (or Service, depending on who you listen to; DNS) is one of the most important components of modern networks, including the global Internet. Without it, you couldn't type www.Microsoft.com into your Web browser; you'd have to type a difficult-to-remember IP address instead. DNS saves the day by translating human-friendly names into computer-friendly IP addresses. It actually does much more than that, providing computers with critical information about network services such as the locations of mail servers, domain controllers, and more.
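The service-location side of DNS mentioned above is what a Windows client relies on to find a domain controller: it asks for SRV records and reads host, port and priority out of the answer. The following script is an added example, not code from the book, that decodes a DNS response with the standard library only, follows RFC 1035 name-compression pointers safely, and ranks the SRV targets. The response bytes, the domain example.com and the host names dc1/dc2 are constructed for this illustration; the record-type numbers (A=1, MX=15, SRV=33) are the standard IANA values.

```python
"""Decode a DNS response and extract service-location records (SRV, MX, A).

Stdlib only. SAMPLE_RESPONSE below is a constructed answer to an SRV query
for the DC locator name _ldap._tcp.dc._msdcs.example.com (placeholder domain).
"""
from __future__ import annotations
import struct

TYPE_A, TYPE_MX, TYPE_SRV = 1, 15, 33


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the DNS name at `offset`, following compression pointers.

    Returns (dotted_name, offset_just_after_the_name_in_the_stream).
    A pointer must point strictly backwards; that single check rejects the
    self-referencing or looping names a malformed response could carry.
    """
    labels: list[str] = []
    end, jumped = offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if not jumped:
                end = offset + 2                        # stream resumes after the pointer
            target = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if target >= offset:
                raise ValueError(f"non-backward compression pointer at {offset}")
            offset, jumped = target, True
            continue
        if length & 0xC0:
            raise ValueError(f"unsupported label type at {offset}")
        offset += 1
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Decode the header, question and answer sections of a DNS response."""
    qid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_SRV:                           # priority, weight, port, target
            rec["priority"], rec["weight"], rec["port"] = struct.unpack_from("!HHH", msg, off)
            rec["target"], _ = read_name(msg, off + 6)
        elif rtype == TYPE_MX:                          # preference, exchange (mail server)
            rec["preference"] = struct.unpack_from("!H", msg, off)[0]
            rec["exchange"], _ = read_name(msg, off + 2)
        elif rtype == TYPE_A:
            rec["address"] = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rec["rdata"] = msg[off:off + rdlen]
        answers.append(rec)
        off += rdlen                                    # RDLENGTH skips RDATA of any type
    return {"id": qid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def order_srv(answers: list[dict]) -> list[tuple[str, int]]:
    """Rank SRV targets: lowest priority first, then highest weight.
    RFC 2782 picks randomly by weight within a priority; a fixed sort keeps
    this example reproducible."""
    srv = sorted((a for a in answers if a["type"] == TYPE_SRV),
                 key=lambda a: (a["priority"], -a["weight"]))
    return [(a["target"], a["port"]) for a in srv]


def is_well_formed(msg: bytes) -> bool:
    """True if the response decodes cleanly (used to reject malformed input)."""
    try:
        parse_response(msg)
        return True
    except (ValueError, IndexError, struct.error):
        return False


# ---- constructed sample data (not captured from a real network) ----
def labels(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def ptr(offset: int) -> bytes:
    return struct.pack("!H", 0xC000 | offset)


# The question name spans offsets 12..45 and its "example.com" suffix starts at
# offset 33; the two answers reuse both through compression pointers.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + labels("_ldap._tcp.dc._msdcs.example.com") + struct.pack("!HH", TYPE_SRV, 1)
    + ptr(12) + struct.pack("!HHIH", TYPE_SRV, 1, 600, 12)
    + struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + ptr(33)
    + ptr(12) + struct.pack("!HHIH", TYPE_SRV, 1, 600, 12)
    + struct.pack("!HHH", 10, 50, 389) + b"\x03dc2" + ptr(33)
)
# A name whose first byte is a pointer to itself: must be rejected, not looped on.
MALFORMED_RESPONSE = struct.pack("!6H", 0x1235, 0x8180, 1, 0, 0, 0) + ptr(12) + struct.pack("!HH", TYPE_A, 1)


def locate_domain_controllers(msg: bytes = SAMPLE_RESPONSE) -> list[tuple[str, int]]:
    return order_srv(parse_response(msg)["answers"])


if __name__ == "__main__":
    for host, port in locate_domain_controllers():
        print(f"{host}:{port}")
```

The backward-pointer rule in read_name is the part worth keeping when adapting this: a resolver or monitoring tool that follows pointers without that check can be driven into an infinite loop by a single crafted answer, and the same decoder is what you would point at a packet capture when a client cannot find its domain controller.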
Q: How does the File Replication Service work?
A: Windows' File Replication Service (FRS) is present on all Windows 2000 (Win2K) and Windows Server 2003 servers. On member servers, the service is configured to start manually; on domain controllers, it starts automatically. FRS doesn't have a console for management and is largely self-maintaining. It is used to replicate both the contents of the SYSVOL share between domain controllers and the contents of Distributed File System (DFS) replicas. For our purposes, it’s the SYSVOL replication that's important, because SYSVOL is in many ways the "other half" of Active Directory (AD) replication.
Q: How does Active Directory communicate?
A: Active Directory (AD) relies on several communications services to communicate with client computers and between domain controllers. The variety of communications protocols used reflects the complex nature both of AD and of the industry-standard protocols that AD implements, such as Kerberos and the Lightweight Directory Access Protocol (LDAP). Understanding how AD communicates can be critical when you're working with domain controllers or clients that are separated from domain controllers by firewalls or other port-filtering devices (such as routers).

