2 questions I have

  • Question

    1. If I need to create 500 new User Objects and 500 new Computer Objects, which FSMO Role Server is critical for me to complete the task?

    2. If I have to create a Forest Trust, which version of AD will be needed and which functional level?


    Wednesday, March 11, 2009 9:44 PM

Answers

  • Hi Rshirale,
     
    1. If I need to create 500 new User Objects and 500 new Computer Objects, which FSMO Role Server is critical for me to complete the task?
     
    A: If you need to create 500 new user objects and 500 new computer objects, the RID Master FSMO role is critical to complete the task.
     
    The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.
    When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
    Each Windows 2003 DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.
    Besides, the PDC Emulator FSMO role also needs to be available for AD to create and change passwords for computer accounts and user accounts.
     
    For more information, please refer to:
     
    Windows 2000 Active Directory FSMO roles
    http://support.microsoft.com/kb/197132
    (This article should be also applied to Windows Server 2003)
     
    2. If I have to create a Forest Trust, which version of AD will be needed and which functional level?
     
    A: To create a forest trust, we may need a forest functional level of at least "Windows Server 2003"; thus the domain controller should be at least a Windows Server 2003-based computer.
     
    For more reference, please check the following TechNet online documents.
     
     
     
    Hope it helps.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Monday, March 16, 2009 2:36 AM
    Friday, March 13, 2009 10:25 AM
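
The RID pool mechanism described in the answer above, as an added toy model that is not part of the original thread and not Microsoft code. The block size of 500, the 50% refill threshold, the starting RID of 1000 and the sample domain SID are assumptions chosen for illustration; the model shows why a bulk creation of 1000 principals on one DC stalls once the RID master is unreachable.

```python
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value

class RidMasterUnavailable(Exception):
    pass

class RidMaster:
    """The single per-domain role holder that owns the unallocated RID pool."""
    def __init__(self, first_rid=1000, block_size=500):  # assumed values
        self.next_free = first_rid
        self.block_size = block_size
        self.online = True

    def allocate_block(self):
        if not self.online:
            raise RidMasterUnavailable("RID master unreachable")
        start = self.next_free
        self.next_free += self.block_size  # each block is handed out exactly once
        return list(range(start, start + self.block_size))

class DomainController:
    def __init__(self, domain_sid, master, threshold=0.5):  # threshold is assumed
        self.domain_sid = domain_sid
        self.master = master
        self.threshold = threshold
        self.pool = master.allocate_block()  # initial pool from the RID master

    def create_principal(self):
        # Pool below threshold: request more RIDs from the RID master.
        if len(self.pool) < self.threshold * self.master.block_size:
            try:
                self.pool += self.master.allocate_block()
            except RidMasterUnavailable:
                if not self.pool:  # nothing left locally: creation fails
                    raise
        rid = self.pool.pop(0)
        return f"{self.domain_sid}-{rid}"  # SID = domain SID + RID

def bulk_create(dc, count):
    """Create up to `count` principals; return the SIDs issued before any failure."""
    sids = []
    try:
        for _ in range(count):
            sids.append(dc.create_principal())
    except RidMasterUnavailable:
        pass
    return sids
```
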