参考:http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Replication-Guide
http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Security-Guide
5种FSMO.
森林范围:
Domain范围:
RID Master – allocates relative identifiers (RIDs) to each DC in a forest to ensure that all objects created within the domain possess a unique SID
如果一个森林有2个domain,那么就有8个FSMO,2个森林的,3个domain范围的各一套。
By default, the first domain controller installed in a forest holds all five forest- and domain-wide FSMOs, and the first DC installed in any additional domains will hold all three domain-wide FSMOs for the newly-created domain. For optimum placement, you should ensure that the PDC Emulator and the RID Master are housed on the same physical DC, and that the Domain Naming Master resides on a Global Catalog. However, you should place the Infrastructure Master on a DC that is not a Global Catalog, since the information stored in the Global Catalog will interfere with how the Infrastructure Master functions. You can safely ignore this recommendation in either of the following situations:
You only have a single domain in your environment, or You are working in a multi-domain environment and every DC is a GC.
一个森林至少有一个GC,每个domain至少一个GC.布置GC要考虑1,流量,2.FSMO的位置
GC之间会相互复制,独立于活动目录的复制。DC之间的复制有三种类型the domain partition replica, the global catalog and the schema.
布置更多的GC将减少查询流量,但是会增加复制流量。
布置少的GC将减少复制流量,但是会增加查询流量。
复制流量也可以通过站点来管理
每个站点至少一个GC.每个域最好2个GC
最好将GC和FSMO主机分隔- why?看下面:
A very important infrastructure design issue to consider is where the infrastructure FSMO role is assigned. Whenever possible, the global catalog server and the infrastructure FSMO server should be separate domain controllers. By default, the first domain controller installed into a forest has all of the possible server roles assigned to it. Thus, the first domain controller in a forest hosts both the infrastructure FSMO role and the global catalog. Immediately after installing a second domain controller in the forest, move one of these roles to the new DC. The reason for this is that the infrastructure FSMO server is responsible for cleaning up stale references in between objects in the forest. Objects that have been moved, renamed or deleted often leave stale (i.e., invalid) references. Stale references are located by checking each object against the global catalog server. If these two DC roles are on the same box, the verification process fails to recognize invalid references, and thus cleanup doesn't take place.
监视活动目录复制:
Monitor the AD. Once you get it in place, monitor it. One of the easiest ways to monitor it, outside of using Microsoft or third-party tools, is using the Repadmin tool and its "Replsum" option:Repadmin /replsum /bydest /bysrc /sort:delta. This will provide a nice, neat table of all DCs in all domains in the forest, telling you how long it has been for outbound and inbound replication (i.e. where each DC appears as a source and destination). Watching this over several days will give you a chance to find any holes in the topology.
The REPAdmin tool from the Windows Support Tools and Resource Kit can be used to check the topology. The command "repadmin /showreps" runs on a domain controller and produces a list of replication partners as designated by the KCC. To check the topology, verify that every DC lists at least two replication partners and that all named partners see each other as partners. For example, if Server A lists Server B and C as partners, then both Server B and C should list Server A in return as a partner. If you discover a problem or inconsistency in the topology, use the KCC to regenerate the topology.