Flexible Single Master Operations (FSMO)
enjoy .net · 2005-07-23 · via 博客园 - enjoy .net

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.
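Although the DCs in AD support multi-master updates, some roles have to be held by a single DC. There are 5 types of these roles: two of them are forest-wide and the rest are domain-wide.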

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /forestprep command.
Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
PDC emulator - The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
Infrastructure master - The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.
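
The transfer and seize scenarios above both start from knowing who holds each role and whether that holder is still a working domain controller. The following read-only audit is an added example, not part of the original post; it uses the ActiveDirectory PowerShell module (RSAT) rather than Ntdsutil.exe, assumes it is run in the domain being audited, and treats an open LDAP port as a coarse reachability test.

```powershell
# Added example: read-only audit of FSMO role holders; changes nothing in AD.
# Assumes the ActiveDirectory module (RSAT) and the current user's own domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The five roles from the list above, with scope and current holder (DC FQDN).
$roles = @(
    [pscustomobject]@{ Role = 'Schema master';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'Domain naming master';  Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'RID master';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'PDC emulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'Infrastructure master'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
)

# Every domain controller the directory currently lists, across all forest domains.
$knownDcs = @($forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ | ForEach-Object { $_.HostName }
})

$report = foreach ($r in $roles) {
    $listed    = [bool]$r.Holder -and ($knownDcs -contains $r.Holder)
    $reachable = $false
    if ($r.Holder) {
        # LDAP on TCP 389 as a coarse "can be accessed on the network" check.
        $reachable = Test-NetConnection -ComputerName $r.Holder -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    $advice = if ($listed -and $reachable) {
        'Holder operational: transfer if the role has to move'
    } elseif (-not $listed) {
        'Holder is not a listed DC (force-demoted or reinstalled?): review for seizure'
    } else {
        'Holder unreachable: transfer not possible, review for seizure'
    }
    [pscustomobject]@{
        Role = $r.Role; Scope = $r.Scope; Holder = $r.Holder
        Listed = $listed; Reachable = $reachable; Advice = $advice
    }
}

$report | Format-Table -AutoSize -Wrap
```

Running it on a schedule and alerting when a holder changes or stops being a listed DC gives early notice of an unplanned role move.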


Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Note: in Chinese, "seize" is translated as 占用 and "transfer" as 传输.