Planning Operations Master Role Placement

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Active Directory Domain Services (AD DS) supports multimaster replication of directory data, which means any domain controller can accept directory changes and replicate the changes to all other domain controllers. However, certain changes, such as schema modifications, are impractical to perform in a multimaster fashion. For this reason certain domain controllers, known as operations masters, hold roles responsible for accepting requests for certain specific changes.

Note

Operations master role holders must be able to write some information to the Active Directory database. Because of the read-only nature of the Active Directory database on a read-only domain controller (RODC), RODCs cannot act as operations master role holders.

Three operations master roles (also known as flexible single master operations or FSMO) exist in each domain:

  • The primary domain controller (PDC) emulator operations master processes all password updates.

  • The relative ID (RID) operations master maintains the global RID pool for the domain and allocates local RID pools to all domain controllers to ensure that all security principals created in the domain have a unique identifier.

  • The infrastructure operations master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.

In addition to the three domain-level operations master roles, two operations master roles exist in each forest:

  • The schema operations master governs changes to the schema.

  • The domain naming operations master adds and removes domains and other directory partitions (for example, Domain Name System (DNS) application partitions) to and from the forest.

Place the domain controllers hosting these operations master roles in areas where network reliability is high, and ensure that the PDC emulator and the RID master are consistently available.

Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain.

Note

Automatic operations master role holder assignments are made only when a new domain is created and when a current role holder is demoted. All other changes to role owners have to be initiated by an administrator.

These automatic operations master role assignments can cause very high CPU usage on the first domain controller created in the forest or the domain. To avoid this, assign (transfer) operations master roles to various domain controllers in your forest or domain. Place the domain controllers that host operations master roles in areas where the network is reliable and where the operations masters can be accessed by all other domain controllers in the forest.

You should also designate standby (alternate) operations masters for all operations master roles. The standby operations masters are domain controllers to which you could transfer the operations master roles in case the original role holders fail. Ensure that the standby operations masters are direct replication partners of the actual operations masters.
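The following PowerShell script is an added example and is not part of the original article. It inventories the five role holders with the ActiveDirectory module (Get-ADForest, Get-ADDomain) and then validates a standby plan against the two requirements stated above: the standby must not be an RODC, and it must be a direct replication partner of the current role holder (checked in both directions with Get-ADReplicationPartnerMetadata). The server names in $standbyPlan are assumptions chosen for illustration.

```powershell
# Added example (not from the original article). Requires RSAT / the
# ActiveDirectory module on a domain-joined host with read access to AD.
Import-Module ActiveDirectory

function Get-OperationsMasterMap {
    # Returns an ordered map of role name -> FQDN of the current role holder.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-StandbyIsDirectPartner {
    param(
        [Parameter(Mandatory)][string]$RoleHolder,   # FQDN of the current role holder
        [Parameter(Mandatory)][string]$Standby       # FQDN of the intended standby
    )
    $holderShort  = ($RoleHolder -split '\.')[0]
    $standbyShort = ($Standby    -split '\.')[0]
    # Partner values are NTDS Settings DNs: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    $holderPartners  = Get-ADReplicationPartnerMetadata -Target $RoleHolder -Scope Server |
                       ForEach-Object { $_.Partner }
    $standbyPartners = Get-ADReplicationPartnerMetadata -Target $Standby -Scope Server |
                       ForEach-Object { $_.Partner }
    $inbound  = [bool]($holderPartners  | Where-Object { $_ -like "CN=NTDS Settings,CN=$standbyShort,*" })
    $outbound = [bool]($standbyPartners | Where-Object { $_ -like "CN=NTDS Settings,CN=$holderShort,*" })
    return ($inbound -or $outbound)
}

function Test-StandbyPlan {
    param([Parameter(Mandatory)][hashtable]$StandbyPlan)   # role name -> standby FQDN
    $roles = Get-OperationsMasterMap
    foreach ($role in $roles.Keys) {
        $holder  = $roles[$role]
        $standby = $StandbyPlan[$role]
        if (-not $standby) { continue }                    # no standby planned for this role
        $isRodc  = [bool](Get-ADDomainController -Identity $standby).IsReadOnly
        $partner = Test-StandbyIsDirectPartner -RoleHolder $holder -Standby $standby
        [pscustomobject]@{
            Role          = $role
            Holder        = $holder
            Standby       = $standby
            StandbyIsRODC = $isRodc          # must be $false: RODCs cannot hold roles
            DirectPartner = $partner         # must be $true per the guidance above
            Acceptable    = (-not $isRodc) -and $partner
        }
    }
}

# Assumed standby plan (illustrative names only; replace with your own DCs).
$standbyPlan = @{
    SchemaMaster         = 'dc2.corp.example'
    DomainNamingMaster   = 'dc2.corp.example'
    PDCEmulator          = 'dc2.corp.example'
    RIDMaster            = 'dc2.corp.example'
    InfrastructureMaster = 'dc3.corp.example'
}
Test-StandbyPlan -StandbyPlan $standbyPlan | Format-Table -AutoSize
```

When a row reports Acceptable = False, either pick a different standby or add a replication connection between the two servers before relying on it. A planned transfer to a validated standby is done with Move-ADDirectoryServerOperationMasterRole (for example, -Identity dc2 -OperationMasterRole PDCEmulator); the same cmdlet's -Force switch performs a seizure and should be reserved for the case where the original holder is permanently gone.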

Planning the PDC emulator placement

The PDC emulator processes client password changes. Only one domain controller acts as the PDC emulator in each domain in the forest.

Even if all the domain controllers are upgraded to Windows 2000, Windows Server 2003, and Windows Server 2008, and the domain is operating at the Windows 2000 native functional level, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before deciding whether to accept or reject the logon attempt.

Place the PDC emulator in a location that contains a large number of users from that domain for password forwarding operations if needed. In addition, ensure that the location is well connected to other locations to minimize replication latency.

For a worksheet to assist you in documenting the information about where you plan to place PDC emulators and the number of users for each domain that is represented in each location, see Job Aids for Windows Server 2003 Deployment Kit (http://go.microsoft.com/fwlink/?LinkID=102558), download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and open Domain Controller Placement (DSSTOPO_4.doc).

You need to refer to the information about locations in which you need to place PDC emulators when you deploy regional domains. For more information about deploying regional domains, see Deploying Windows Server 2008 Regional Domains.

Requirements for infrastructure master placement

The infrastructure master updates the names of security principals from other domains that are added to groups in its own domain. For example, if a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, the second domain is not notified that the user's name must be updated in the group's membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change in the absence of the infrastructure master.

The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is up to date. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.

Two exceptions apply to this rule. First, if all domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is insignificant because security principals from other domains do not exist.

Do not place the infrastructure master on a domain controller that is also a global catalog server. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date; therefore, it will never replicate any changes to the other domain controllers in the domain.
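The check below is an added example, not code from the original article. It applies the placement rule above to every domain in the forest: it flags an infrastructure master that is also a global catalog server, but treats the two exceptions the article lists (a single-domain forest, or every domain controller is a global catalog) as acceptable. It uses only the ActiveDirectory module cmdlets Get-ADForest, Get-ADDomain and Get-ADDomainController.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module and read access to each domain in the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)   # DNS name of the domain to check

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest
    # All DCs of the target domain, including the IsGlobalCatalog flag.
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $im     = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }

    $imIsGc       = [bool]$im.IsGlobalCatalog
    $allDcsAreGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $singleDomain = ($forest.Domains.Count -eq 1)

    # Apply the rule and its two exceptions in the order the article gives them.
    $status = if (-not $imIsGc)      { 'OK: infrastructure master is not a global catalog' }
              elseif ($allDcsAreGc)  { 'OK (exception): every DC in the domain is a global catalog' }
              elseif ($singleDomain) { 'OK (exception): single-domain forest, no cross-domain principals' }
              else                   { 'PROBLEM: infrastructure master is a GC and other DCs are not; move the role' }

    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        InfrastructureMaster = $dom.InfrastructureMaster
        IsGlobalCatalog      = $imIsGc
        AllDCsAreGC          = $allDcsAreGc
        SingleDomainForest   = $singleDomain
        Status               = $status
    }
}

# Evaluate every domain in the forest in one pass.
(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } |
    Format-Table -AutoSize
```

A PROBLEM row is remediated either by moving the role to a non-GC domain controller (Move-ADDirectoryServerOperationMasterRole -Identity <dc> -OperationMasterRole InfrastructureMaster) or by making every domain controller in that domain a global catalog, which turns the situation into the first exception.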

Operations master placement for networks with limited connectivity

Be aware that if your environment does have a central location or hub site in which you can place operations master role holders, certain domain controller operations that depend on the availability of those operations master role holders might be affected.

For example, suppose that an organization creates sites A, B, C, and D. Site links exist between A and B, between B and C, and between C and D. Network connectivity exactly mirrors the network connectivity of the site links. In this example, all operations master roles are placed in site A and the option to Bridge all site links is not selected.

Although this configuration results in successful replication between all of the sites, the operations master role functions have the following limitations:

  • Domain controllers in sites C and D cannot access the PDC emulator in site A to update a password or to check it for a password that has been recently updated.

  • Domain controllers in sites C and D cannot access the RID master in site A to obtain an initial RID pool after the Active Directory installation and to refresh RID pools as they become depleted.

  • Domain controllers in sites C and D cannot add or remove directory, DNS, or custom application partitions.

  • Domain controllers in sites C and D cannot make schema changes.
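To make the A-B-C-D scenario concrete, here is an added PowerShell example (not part of the original article) that models site links as a graph, distinguishes transitive reachability (which is what replication needs) from a direct site link to the role holders' site, and reports which sites fall into the limited-connectivity case described above. The site links and the "bridge all site links" setting are constructed to match the article's scenario; the assumption that contacting a role holder requires a direct link when bridging is off is the article's own (network connectivity mirrors the site links). A helper at the end reads the equivalent data from a live forest with Get-ADReplicationSiteLink and the options attribute of the IP inter-site transport (bit 0x2 set means bridging is disabled).

```powershell
# Added example (not from the original article).
function Get-OperationsMasterReachability {
    param(
        [Parameter(Mandatory)][hashtable[]]$SiteLinks,   # each: @{ Name='A-B'; Sites=@('A','B') }
        [Parameter(Mandatory)][string]$MasterSite,       # site holding all operations masters
        [bool]$BridgeAllSiteLinks = $true                # state of "Bridge all site links"
    )
    # Sites that share a site link with the master site.
    $direct = @($SiteLinks | Where-Object { $_.Sites -contains $MasterSite } |
                ForEach-Object { $_.Sites } | Where-Object { $_ -ne $MasterSite } | Sort-Object -Unique)

    # Sites reachable by following site links transitively (breadth-first search).
    $reached = [System.Collections.Generic.HashSet[string]]::new()
    $queue   = [System.Collections.Generic.Queue[string]]::new()
    [void]$reached.Add($MasterSite); $queue.Enqueue($MasterSite)
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($link in ($SiteLinks | Where-Object { $_.Sites -contains $cur })) {
            foreach ($s in $link.Sites) { if ($reached.Add($s)) { $queue.Enqueue($s) } }
        }
    }

    $allSites = @($SiteLinks | ForEach-Object { $_.Sites } | Sort-Object -Unique)
    foreach ($site in $allSites) {
        if ($site -eq $MasterSite) { continue }
        $isDirect = $direct -contains $site
        # Replication succeeds wherever a transitive path exists. Contacting the role
        # holders is assumed (article's scenario) to need a direct link when bridging is
        # off, because network connectivity mirrors the site links.
        $canContact = if ($BridgeAllSiteLinks) { $reached.Contains($site) } else { $isDirect }
        [pscustomobject]@{
            Site                  = $site
            DirectLinkToMaster    = $isDirect
            ReplicationReachable  = $reached.Contains($site)
            CanContactRoleHolders = $canContact
        }
    }
}

function Get-SiteLinksFromAD {
    # Live equivalent of the constructed data (assumption: ActiveDirectory module present).
    Import-Module ActiveDirectory
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $opts  = (Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg" -Properties options).options
    $links = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded | ForEach-Object {
        @{ Name  = $_.Name
           Sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) }
    }
    return @{ SiteLinks = @($links); BridgeAllSiteLinks = -not ([int]$opts -band 2) }
}

# Constructed scenario from the article: A-B, B-C, C-D; all roles in A; bridging off.
$scenarioLinks = @(
    @{ Name = 'A-B'; Sites = @('A', 'B') },
    @{ Name = 'B-C'; Sites = @('B', 'C') },
    @{ Name = 'C-D'; Sites = @('C', 'D') }
)
Get-OperationsMasterReachability -SiteLinks $scenarioLinks -MasterSite 'A' -BridgeAllSiteLinks $false |
    Format-Table -AutoSize
# Expected: B direct and contactable; C and D replication-reachable but CanContactRoleHolders = False.
```

For a live forest, replace the constructed input with `$ad = Get-SiteLinksFromAD` and call the function with `-SiteLinks $ad.SiteLinks -BridgeAllSiteLinks $ad.BridgeAllSiteLinks -MasterSite <site>`. Any site reporting CanContactRoleHolders = False is a candidate for the fixes the article implies: add a site link to the master site, enable bridging where the physical network actually is transitive, or move the affected roles to a better-connected hub site.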

For a worksheet to assist you in planning operations master role placement, see Job Aids for Windows Server 2003 Deployment Kit, download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip, and open Domain Controller Placement (DSSTOPO_4.doc).

You will need to refer to this information when you create the forest root domain and regional domains. For more information about deploying the forest root domain, see Deploying a Windows Server 2008 Forest Root Domain. For more information about deploying regional domains, see Deploying Windows Server 2008 Regional Domains.