70-294 Concept: FSMO > Infrastructure Master

Here are the design considerations surrounding the FSMO role Infrastructure Master:

  • This FSMO role keeps cross-domain object references (“phantoms”) up to date: when an object in another domain that is referenced in this domain (for example, a member of a local group) is renamed or moved, the Infrastructure Master updates the stored SID and distinguished name of that reference.
  • Usually co-located with the RID Master, since the RID Master is placed where most object creation occurs.
  • Should not be on a GC server unless the GC is installed on every DC in the domain. A GC already holds a partial replica of every object in the forest, so it never sees a stale reference and would therefore never update one. (In a single-domain forest there are no cross-domain references, so this placement rule is moot.)

Exam Alert: In general, FSMO roles should never be placed “anywhere”; they should always be placed somewhere intentionally. Yet sometimes the “best answer” is “any other domain controller”.
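The placement rules above are easy to check against a live domain. The following script is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later) and an account that can read the domain, forest and domain controller objects. It prints the role holders and warns when the Infrastructure Master sits on a Global Catalog in a multi-domain forest where not every DC is a GC.

```powershell
# Added example (not from the original post): audit FSMO placement against the
# rules in the notes above. Assumes the ActiveDirectory module (RSAT / Windows
# Server 2008 R2+) and a domain-joined account that can read domain and DC objects.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)

# FQDN of every DC that is also a Global Catalog
$gcNames     = @($dcs | Where-Object { $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName)
$allDcsAreGc = ($gcNames.Count -eq $dcs.Count)

"Infrastructure Master : $($domain.InfrastructureMaster)"
"RID Master            : $($domain.RIDMaster)"
"PDC Emulator          : $($domain.PDCEmulator)"
"Schema Master         : $($forest.SchemaMaster)"
"Domain Naming Master  : $($forest.DomainNamingMaster)"
"Global Catalogs       : $($gcNames -join ', ')"

# Rule: the Infrastructure Master should not be on a GC unless every DC is a GC.
# Caveat: in a single-domain forest there are no cross-domain references, so the
# placement is informational only.
if (($gcNames -contains $domain.InfrastructureMaster) -and -not $allDcsAreGc) {
    if ($forest.Domains.Count -gt 1) {
        Write-Warning "Infrastructure Master $($domain.InfrastructureMaster) is a GC but not all DCs are GCs; cross-domain references (phantoms) will not be updated."
    } else {
        Write-Host "Infrastructure Master is on a GC, but this is a single-domain forest so the placement does not matter."
    }
}

# Rule of thumb from the notes: the Infrastructure Master is usually co-located with the RID Master.
if ($domain.InfrastructureMaster -ne $domain.RIDMaster) {
    Write-Host "Note: Infrastructure Master and RID Master are on different DCs."
}
```

Run it from any domain-joined management host; nothing is changed, so it is safe to run against production before moving a role with Move-ADDirectoryServerOperationMasterRole.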

70-294 Concepts: Where to place Global Catalogs

When designing a multi-site environment, here are the considerations to weigh when deciding which sites require a Global Catalog:

  • Place a Global Catalog at a site (rather than relying on Universal Group Membership Caching) when an application at that site needs forest-wide directory information.
  • A Global Catalog uses more replication bandwidth than Universal Group Membership Caching.
  • A Global Catalog requires more server resources (disk and CPU) than Universal Group Membership Caching.
  • To control which DC handles inter-site Global Catalog replication for a site, designate a Preferred Bridgehead Server.
  • IgnoreGCFailures registry value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, REG_DWORD set to 1): apply it to every DC so that an unreachable GC does not block logon. Caveat: when it is set and no GC can be reached, universal group memberships are left out of the user's logon token, so any access control that relies on a universal group (including Deny entries) is not enforced for that session.
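To see which sites actually have a local Global Catalog, and to apply the IgnoreGCFailures value with its trade-off spelled out, the following added example (not from the original post) uses the ActiveDirectory module to group domain controllers by site and then sets the registry value on the local DC. The site names and hostnames come from whatever domain it is run in; the only assumption is the module being available.

```powershell
# Added example (not from the original post): list, per AD site, how many DCs
# there are and which of them are Global Catalogs, so sites that depend on a
# remote GC (or on Universal Group Membership Caching) for logon stand out.
Import-Module ActiveDirectory

Get-ADDomainController -Filter * |
    Group-Object -Property Site |
    ForEach-Object {
        $gcs = @($_.Group | Where-Object { $_.IsGlobalCatalog })
        [pscustomobject]@{
            Site        = $_.Name
            DCs         = $_.Count
            GCs         = $gcs.Count
            GCHosts     = (@($gcs | Select-Object -ExpandProperty HostName) -join ', ')
            NeedsReview = ($gcs.Count -eq 0)   # no local GC: logon depends on the WAN or on UGMC
        }
    } | Format-Table -AutoSize

# IgnoreGCFailures, set on the local DC (repeat on every DC). It lets logon
# proceed when no GC is reachable, but universal group memberships are then
# missing from the user's token, so any ACL that relies on a universal group
# (including Deny ACEs) is not enforced for that session. This is an
# availability-over-security trade-off; do not set it blindly.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'IgnoreGCFailures' -Value 1 -Type DWord
Get-ItemProperty -Path $lsa -Name 'IgnoreGCFailures'
```

The first half is read-only and can run from any management host; the registry write requires local administrator rights on the DC and takes effect for subsequent logons.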

Wireless computers on an Active Directory domain

On an Active Directory domain it can be risky to implement consumer-grade wireless networks, not necessarily because of weak security (some support strong authentication mechanisms) but because they typically do not establish their network connection until after the user has logged on. In an environment where you have shared workstations or rely upon Group Policy for application installation, these tasks will not take place.

In this environment, the user logs on with cached credentials (if they exist) before the wireless connection is established. Password policies, or accounts with no cached credentials, pose an obvious problem. If the user logs on with a stale cached credential (because the password was changed on another machine), they will not be able to access network resources until they lock and then unlock the workstation, so that the new password is validated against Active Directory and the locally cached credentials are refreshed to match.

From a software installation standpoint, software assigned to the computer through Group Policy will never actually get installed. Computer policy is refreshed in the background every 90 minutes (plus a random offset of up to 30 minutes), so the assignment itself is picked up, but software installation only runs at startup, and at that point the computer cannot reach the distribution share because the wireless link is not yet up.

What are the options? Basically, you can either fight with this process (as most people unknowingly do, and simply chalk it up to a Microsoft problem) or you can purchase an enterprise-grade wireless network card that supports boot-time networking. This is typically an advanced or manual setting that needs to be selected explicitly, but once it is enabled, all of these wireless woes disappear.

[Edit: 05/2010 – in searching for another post I realized that I neglected to mention in this article 802.1X, which not only supports boot-time authentication but also machine- and/or certificate-based authentication. I’ll write a follow-on article on this later, but it works great, and even many consumer-grade wireless devices support this option, as do most wireless adapters.]
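On Windows Vista and later the “boot time” behaviour described above is a property of the WLAN profile rather than of the adapter: the profile must connect automatically, use 802.1X with an authMode that includes the machine, and request pre-logon single sign-on. The following added example (not the author's code) checks an exported profile for exactly those settings. The profile name CorpWiFi and the profile XML are constructed for illustration; the namespaces and element names are the documented WLAN and OneX profile schemas.

```powershell
# Added example (not from the original post): check a WLAN profile for the
# settings that give wireless connectivity before user logon on Windows Vista+:
# automatic connection, 802.1X with machine (or machineOrUser) authentication,
# and pre-logon single sign-on. Export a live profile with (name is an assumption):
#   netsh wlan export profile name="CorpWiFi" folder="$env:TEMP"
# The XML below is a constructed sample standing in for that export.

$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
        </singleSignOn>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

function Test-BootTimeWlanProfile {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $xml = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('o', 'http://www.microsoft.com/networking/OneX/v1')

    # Each lookup returns $null when the element is absent, which the checks treat as a failure.
    $profileName = $xml.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $mode        = $xml.SelectSingleNode('//w:connectionMode', $ns).InnerText
    $useOneX     = $xml.SelectSingleNode('//w:useOneX', $ns).InnerText
    $authMode    = $xml.SelectSingleNode('//o:authMode', $ns).InnerText
    $ssoType     = $xml.SelectSingleNode('//o:singleSignOn/o:type', $ns).InnerText

    $findings = @()
    if ($mode -ne 'auto')    { $findings += "connectionMode is '$mode'; it must be 'auto' to connect with no user present." }
    if ($useOneX -ne 'true') { $findings += "802.1X is not enabled; a PSK network cannot authenticate the computer account." }
    if ($authMode -notin @('machine', 'machineOrUser')) {
        $findings += "authMode '$authMode' never authenticates as the computer."
    }
    if ($ssoType -ne 'preLogon') {
        $findings += "singleSignOn type is '$ssoType'; without 'preLogon' the link only comes up after logon."
    }

    [pscustomobject]@{
        Profile      = $profileName
        BootTimeWlan = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-BootTimeWlanProfile -ProfileXml $sampleProfile
```

With the sample profile the function reports BootTimeWlan as true and no findings; replace `$sampleProfile` with `Get-Content -Raw` of a real export to audit a deployed profile. A profile that passes still needs the EAP method itself (certificate or computer-account based) to be configured, which this check does not inspect.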
