1
00:00:06,420 --> 00:00:10,200
In this lesson we'll talk about managing FSMO roles.

2
00:00:10,210 --> 00:00:16,660
There are five flexible single master operations roles in a Windows domain.

3
00:00:16,720 --> 00:00:26,230
Each role plays an important part in the ongoing maintenance of the domain, and each resides on only a

4
00:00:26,230 --> 00:00:28,140
single domain controller.

5
00:00:28,150 --> 00:00:35,350
When a new forest and domain are created, all the FSMO roles reside on a single domain controller, the

6
00:00:35,350 --> 00:00:43,510
first domain controller in the forest. The five roles are: schema master. The schema master is a

7
00:00:43,510 --> 00:00:51,700
forest-wide role responsible for all updates to the AD DS schema. The schema master is the only domain

8
00:00:51,700 --> 00:00:56,770
controller that can write to the directory schema. By default,

9
00:00:56,770 --> 00:01:05,400
only members of the Schema Admins group have the right to transfer or seize the schema master role.

10
00:01:05,410 --> 00:01:13,300
The second role is domain naming master. The domain naming master is the forest-wide role responsible

11
00:01:13,300 --> 00:01:19,570
for both the addition and removal of domains and directory partitions.

12
00:01:19,570 --> 00:01:27,340
By default, only members of the Enterprise Admins group have the right to transfer or seize the domain

13
00:01:27,340 --> 00:01:36,970
naming master role. The third FSMO role, or flexible single master operations role, is RID

14
00:01:37,150 --> 00:01:46,900
master. The RID master is a domain-wide role responsible for allocating blocks of relative identifiers,

15
00:01:46,960 --> 00:01:51,890
or RIDs, to each domain controller in the domain.

16
00:01:51,940 --> 00:02:00,130
When a domain controller creates a new security principal, such as a group, user, or computer object, the

17
00:02:00,250 --> 00:02:09,160
object is assigned a globally unique security identifier, or SID. This SID is a combination of

18
00:02:09,160 --> 00:02:17,550
the domain SID plus an RID assigned to the object by the RID master. By default,

19
00:02:17,590 --> 00:02:25,840
only members of the Domain Admins group have the right to transfer or seize the RID master role. PDC

20
00:02:25,840 --> 00:02:35,380
emulator. The PDC emulator is the definitive source of password information, and the PDC emulator in the forest

21
00:02:35,380 --> 00:02:42,730
root domain is the Windows Time service source for the entire forest. The PDC emulator role is a

22
00:02:43,000 --> 00:02:51,220
domain-wide role. By default, only members of the Domain Admins group have the right to transfer or seize

23
00:02:51,460 --> 00:03:00,220
the PDC emulator role. And the last FSMO role is infrastructure master. The infrastructure master

24
00:03:00,220 --> 00:03:09,970
is the domain-wide role responsible for updating references to objects in other domains and for replicating

25
00:03:10,000 --> 00:03:14,010
those changes to other domain controllers in the domain.

26
00:03:14,260 --> 00:03:23,080
And now a fast recap of FSMO roles once again: schema master is a forest-wide role, domain naming

27
00:03:23,080 --> 00:03:32,770
master is a forest-wide role, RID master is a domain-wide role, PDC emulator is also a domain-wide

28
00:03:32,770 --> 00:03:38,040
role, and infrastructure master is a domain-wide role as well.

29
00:03:38,050 --> 00:03:45,970
Now let's move on to transferring FSMO roles. When a new forest is created, all five FSMO roles reside

30
00:03:46,000 --> 00:03:53,380
on the first domain controller. In a small domain that's perfectly acceptable, but it's not appropriate

31
00:03:53,380 --> 00:04:01,450
for a large enterprise. Distributing the FSMO roles across multiple domain controllers provides a

32
00:04:01,450 --> 00:04:11,560
more balanced allocation of resources. Typically, the PDC emulator and the RID master roles for each

33
00:04:11,560 --> 00:04:20,440
domain reside on a single domain controller, and the two forest-wide roles, schema master and domain naming

34
00:04:20,440 --> 00:04:28,030
master, reside on a single domain controller. You can transfer the FSMO roles from one domain

35
00:04:28,030 --> 00:04:35,770
controller to another by using the Move-ADDirectoryServerOperationMasterRole cmdlet. One

36
00:04:35,770 --> 00:04:43,810
big advantage to using Windows PowerShell for this operation is that you can move more than one role

37
00:04:43,900 --> 00:04:52,750
at a time. So, for example, if you wanted to move the three domain-wide roles from their current location

38
00:04:52,960 --> 00:05:00,820
to lab DC2, for example, you might start by looking to find out where they currently reside, if you didn't

39
00:05:00,820 --> 00:05:06,810
know that the roles are on lab DC1, with the

40
00:05:06,810 --> 00:05:08,820
Get-ADDomain cmdlet,

41
00:05:08,840 --> 00:05:13,730
which also gives you quite a bit of other information about the domain.

42
00:05:13,730 --> 00:05:22,520
Let's run this cmdlet, Get-ADDomain, with the Identity parameter for contoso.com, and it

43
00:05:22,520 --> 00:05:27,980
reveals lots of information regarding the contoso.com domain.

44
00:05:27,980 --> 00:05:32,800
Now, to move the three domain-wide roles, we can use the following command:

45
00:05:32,900 --> 00:05:40,520
the Move-ADDirectoryServerOperationMasterRole cmdlet with the OperationMasterRole parameter

46
00:05:40,640 --> 00:05:49,250
and the Identity parameter. For the OperationMasterRole parameter we'll use the following: PDCEmulator, RIDMaster,

47
00:05:49,250 --> 00:05:56,360
and InfrastructureMaster, and we'll do that for the contoso.com domain. After a prompt to confirm

48
00:05:56,360 --> 00:06:03,980
that we really want to move the roles, it's done. Again, let's use Get-ADDomainController to view the

49
00:06:03,980 --> 00:06:12,200
result. To find out where the forest-wide roles are, use the Get-ADForest cmdlet. This shows that

50
00:06:12,260 --> 00:06:21,320
both the schema master and domain naming master roles currently reside on lab DC1. To move them to

51
00:06:21,560 --> 00:06:30,260
lab DC3, for example, we can use the following: Move-ADDirectoryServerOperationMasterRole again,

52
00:06:30,530 --> 00:06:38,960
Identity lab DC3, and OperationMasterRole will be SchemaMaster and DomainNamingMaster.

53
00:06:39,170 --> 00:06:46,070
Again, to make sure that the roles have transferred successfully, use either the Get-ADForest cmdlet

54
00:06:46,160 --> 00:06:53,180
or the Get-ADDomainController cmdlet. Of course, the preferred method to move roles between

55
00:06:53,180 --> 00:07:01,190
domain controllers is to politely transfer them, as we've described before, but sometimes that's

56
00:07:01,190 --> 00:07:08,570
simply not possible. The cause could be something planned, like a domain migration, or something

57
00:07:08,660 --> 00:07:16,760
unplanned, like a major disaster recovery scenario. As long as there is still one domain controller in

58
00:07:16,760 --> 00:07:24,800
the domain, you can seize the roles to that domain controller. You should not do this if there is any

59
00:07:24,800 --> 00:07:33,650
chance that the original domain controller hosting the role you're seizing might ever
come back online. So

60
00:07:33,740 --> 00:07:41,240
it's important to remember that after a FSMO role has been seized from a domain controller, that domain

61
00:07:41,240 --> 00:07:49,730
controller should not ever be allowed to connect to the domain, ever. So if your FSMO role holder isn't

62
00:07:49,730 --> 00:07:58,280
currently available but you expect it to be restored and available soon, you should wait for it, or

63
00:07:58,280 --> 00:08:06,530
seize the roles and then decommission the server. Seizing the operations master roles uses the same

64
00:08:06,710 --> 00:08:15,320
command as transferring the roles, except that seizing uses the Force parameter. Even when you use the Force

65
00:08:15,320 --> 00:08:22,850
parameter, however, AD DS attempts to transfer the role if it can reach the current holder of the

66
00:08:22,850 --> 00:08:32,830
role. Only if that fails will AD DS allow you to seize the role. To seize the domain-wide roles back to

67
00:08:32,830 --> 00:08:41,300
lab DC1, use the following command: Move-ADDirectoryServerOperationMasterRole, OperationMasterRole

68
00:08:41,300 --> 00:08:50,900
PDCEmulator, RIDMaster, InfrastructureMaster, Identity lab DC1, and the Force parameter. Again,

69
00:08:50,900 --> 00:08:58,760
you are prompted to confirm the seizure, and then the roles are seized. The process takes somewhat longer

70
00:08:58,940 --> 00:09:06,350
because an attempt is made to contact the current role holder to attempt a transfer operation first.

71
00:09:06,840 --> 00:09:13,760
I won't seize the role now because I need this domain controller in the future, but if I had seized

72
00:09:13,880 --> 00:09:22,100
the role from lab DC2, I'd have to remove that lab DC2 server from my environment.