1
00:00:06,420 --> 00:00:14,960
And this lesson will talk about operations masters. Certain operations can be performed only by a specific

2
00:00:14,960 --> 00:00:23,600
role on a specific domain controller. A domain controller that holds one of these roles is an operations

3
00:00:23,600 --> 00:00:32,930
master. An operations master role is also known as a flexible single master operations, or FSMO, role.

4
00:00:33,110 --> 00:00:36,320
Five operations master roles exist.

5
00:00:36,410 --> 00:00:44,390
You can locate all five on a single domain controller or spread them across several domain controllers.

6
00:00:44,510 --> 00:00:52,050
By default, the first domain controller installed in a forest contains all five roles.

7
00:00:52,070 --> 00:01:00,350
However, you can move these roles after building more domain controllers. By allowing changes only on a

8
00:01:00,440 --> 00:01:02,550
single domain controller,

9
00:01:02,570 --> 00:01:11,480
the operations master roles help to prevent conflicts in AD DS due to replication latency. When making

10
00:01:11,480 --> 00:01:19,310
changes to data on an operations master, you must connect to the domain controller that holds the role.

11
00:01:19,580 --> 00:01:24,710
The five operations master roles are distributed as follows.

12
00:01:24,770 --> 00:01:34,130
Each forest has one schema master and one domain naming master. Each AD DS domain has one RID master,

13
00:01:34,430 --> 00:01:41,720
one infrastructure master, and one primary domain controller, or PDC, emulator.

14
00:01:41,720 --> 00:01:48,790
Some words about forest operations masters. A forest contains the following single master roles.

15
00:01:48,800 --> 00:01:50,580
As I've mentioned earlier,

16
00:01:50,690 --> 00:01:59,180
these are the domain naming master, which is a domain controller that you must contact when you

17
00:01:59,240 --> 00:02:03,520
add or remove a domain or make domain name changes.

18
00:02:03,800 --> 00:02:11,060
If the domain naming master is unavailable, you will not be able to add domains to the forest. Schema

19
00:02:11,060 --> 00:02:11,950
master.

20
00:02:12,020 --> 00:02:19,060
This is the domain controller on which you make all schema changes. To make changes, you typically sign

21
00:02:19,220 --> 00:02:27,590
in to the schema master as a member of both the Schema Admins and the Enterprise Admins groups.

22
00:02:27,590 --> 00:02:35,420
A user who is a member of both groups and who has the appropriate permissions can also edit the schema

23
00:02:35,450 --> 00:02:37,410
by using a script.

24
00:02:37,580 --> 00:02:43,700
If the schema master is unavailable, you will not be able to make changes to the schema.

25
00:02:43,700 --> 00:02:50,510
This prevents the installation of applications that require changes, such as Exchange Server.

26
00:02:50,510 --> 00:02:58,160
You can always check the forest properties with a Windows PowerShell command, which is Get-ADForest,

27
00:02:58,580 --> 00:03:03,230
from the Active Directory module for Windows PowerShell.

28
00:03:03,250 --> 00:03:10,080
It will show the forest properties, including the current domain naming master and schema master.

29
00:03:10,340 --> 00:03:17,930
Now some words about domain operations masters. A domain contains the following single master roles.

30
00:03:17,960 --> 00:03:25,970
RID master. Whenever you create an object in AD DS, the domain controller where you created the object

31
00:03:26,240 --> 00:03:35,690
assigns the object a unique identifying number known as a SID. To ensure that no two domain controllers

32
00:03:35,690 --> 00:03:39,770
assign the same SID to two different objects,

33
00:03:39,770 --> 00:03:48,290
the RID master allocates blocks of RIDs to each domain controller within the domain to use when building

34
00:03:48,310 --> 00:03:49,060
SIDs.

35
00:03:49,070 --> 00:03:56,000
If the RID master is unavailable, you might experience difficulties adding new objects to the domain.

36
00:03:56,300 --> 00:04:00,020
As domain controllers use their existing RIDs,

37
00:04:00,050 --> 00:04:06,860
they eventually run out of them and are unable to create new objects.

38
00:04:06,860 --> 00:04:09,680
Next stop is infrastructure master.

39
00:04:09,710 --> 00:04:19,340
This role maintains inter-domain object references, such as when a group in one domain contains a member

40
00:04:19,550 --> 00:04:20,970
from another domain.

41
00:04:21,020 --> 00:04:28,670
In this situation, the infrastructure master is responsible for maintaining the integrity of this reference.

42
00:04:28,670 --> 00:04:36,380
For example, when you look at the Security tab of an object, the system looks up the listed SIDs and

43
00:04:36,680 --> 00:04:41,570
translates them into names. In a multiple-domain forest,

44
00:04:41,570 --> 00:04:46,040
the infrastructure master looks up SIDs from other domains.

45
00:04:46,040 --> 00:04:53,570
If the infrastructure master is unavailable, domain controllers that are not global catalogs will not

46
00:04:53,570 --> 00:04:58,990
be able to check universal group memberships or authenticate users.

47
00:04:59,020 --> 00:05:03,600
The infrastructure role should not reside on a global catalog server.

48
00:05:03,620 --> 00:05:08,270
Please remember this, unless you have a single-domain forest.

49
00:05:08,270 --> 00:05:15,910
The exception is when you follow best practices and make every domain controller a global catalog.

50
00:05:15,920 --> 00:05:23,720
In that case, the infrastructure role is not necessary because every domain controller knows about every

51
00:05:23,810 --> 00:05:32,300
object in the forest. And the last operations master for a domain is the PDC emulator master. The domain controller

52
00:05:32,340 --> 00:05:38,220
that holds the PDC emulator master is a time source for the domain.

53
00:05:38,220 --> 00:05:47,870
The PDC emulator masters in each domain in a forest synchronize their time with the PDC emulator master

54
00:05:47,870 --> 00:05:50,290
in the forest root domain.

55
00:05:50,330 --> 00:05:58,100
You set the PDC emulator master in the forest root domain to synchronize with a reliable external

56
00:05:58,100 --> 00:06:06,470
time source. The PDC emulator master is also the domain controller that receives urgent password changes.

57
00:06:06,680 --> 00:06:14,780
If a user's password changes, the domain controller holding the PDC emulator master role receives

58
00:06:14,870 --> 00:06:17,090
this information immediately.

59
00:06:17,090 --> 00:06:24,200
This means that if the user tries to sign in, the domain controller in the user's current location

60
00:06:24,500 --> 00:06:33,320
will contact the domain controller holding the PDC emulator master role to check the recent changes.

61
00:06:33,350 --> 00:06:41,030
This will occur even if the user has been authenticated by a domain controller in a different location

62
00:06:41,270 --> 00:06:49,520
that had not yet received the new password information. If the PDC emulator master is unavailable,

63
00:06:49,540 --> 00:06:58,700
users might have trouble signing in until their password changes have replicated to all the domain controllers.

64
00:06:58,930 --> 00:07:08,090
The PDC emulator master also plays a role in editing GPOs. When you open a GPO other than a local

65
00:07:08,190 --> 00:07:13,130
GPO for editing, the PDC emulator master stores

66
00:07:13,220 --> 00:07:14,730
the edited copy.

67
00:07:14,900 --> 00:07:24,320
This prevents conflicts if two administrators attempt to edit the same GPO at the same time on different

68
00:07:24,380 --> 00:07:25,640
domain controllers.

69
00:07:25,760 --> 00:07:32,590
However, you can choose to use a specific domain controller to edit the GPO.

70
00:07:32,630 --> 00:07:41,410
This is especially useful when editing GPOs in a remote office with a slow connection to the PDC emulator.

71
00:07:41,480 --> 00:07:49,910
And again, there is a Windows PowerShell command, which is Get-ADDomain, from the Active Directory module

72
00:07:49,910 --> 00:07:57,890
for Windows PowerShell, which will show the domain properties, including the current RID master, infrastructure

73
00:07:57,890 --> 00:08:00,890
master, and PDC emulator master.

74
00:08:00,890 --> 00:08:06,640
Please note that global catalog is not one of the operations master roles.