PrepAway - Latest Free Exam Questions & Answers

You need to list the account names

Your company has an Active Directory forest.
Not all domain controllers in the forest are configured as Global Catalog Servers.
Your domain structure contains one root domain and one child domain.
You modify the folder permissions on a file server that is in the child domain.
You discover that some Access Control entries start with S-1-5-21 and that no account name is listed.
You need to list the account names.
What should you do?


A.
Move the RID master role in the child domain to a domain controller that holds the Global Catalog.

B.
Modify the schema to enable replication of the friendly names attribute to the Global Catalog.

C.
Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.

D.
Move the infrastructure master role in the child domain to a domain controller that does not hold the Global
Catalog.

Explanation:
http://technet.microsoft.com/en-us/library/cc780850%28v=ws.10%29.aspx
Security identifiers
Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry
(ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited.
Well-known security identifiers (special identities):
Network (S-1-5-2)
Includes all users who are logged on through a network connection. Access tokens for interactive users do
not contain the Network SID.
http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx
Operations master roles
Active Directory supports multimaster replication of the directory data store between all domain controllers (DC)
in the domain, so all domain controllers in a domain are essentially peers. However, some changes are
impractical to perform using multimaster replication, so, for each of these types of changes, one domain
controller, called the operations master, accepts requests for such changes.
In every forest, there are at least five operations master roles that are assigned to one or more domain
controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide
operations master roles must appear once in every domain in the forest.
..
Domain-wide operations master roles
Every domain in the forest must have the following roles:
Relative ID (RID) master
Primary domain controller (PDC) emulator master
Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID
master, PDC emulator master, and infrastructure master.

Infrastructure master
At any time, there can be only one domain controller acting as the infrastructure master in each domain.
The infrastructure master is responsible for updating references from objects in its domain to objects in other
domains. The infrastructure master compares its data with that of a global catalog. Global catalogs
receive regular updates for objects in all domains through replication, so the global catalog data will always be
up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global
catalog. The infrastructure master then replicates that updated data to the other domain controllers in the
domain.
Important
Unless there is only one domain controller in the domain, the infrastructure master role should not be
assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global
catalog are on the same domain controller, the infrastructure master will not function. The infrastructure
master will never find data that is out of date, so it will never replicate any changes to the other domain
controllers in the domain.
In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the
domain controllers will have the current data and it does not matter which domain controller holds the
infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever the members
of groups are renamed or changed. When you rename or move a member of a group (and that member
resides in a different domain from the group), the group may temporarily appear not to contain that member.
The infrastructure master of the group’s domain is responsible for updating the group so it knows the new name
or location of the member. This prevents the loss of group memberships associated with a user account when
the user account is renamed or moved. The infrastructure master distributes the update via multimaster
replication.
There is no compromise to security during the time between the member rename and the group update. Only
an administrator looking at that particular group membership would notice the temporary inconsistency.
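
The symptom in the question (ACEs that show only a SID starting with S-1-5-21 and no account name) can be inventoried with a short script. This is an added example, not part of the original page or of the Microsoft documentation quoted above; the folder path is a hypothetical placeholder and the script assumes it is run on a domain-joined machine.

```powershell
# Added example: list every ACE on a folder and show which SIDs resolve to a name.
param(
    [string]$Path = 'D:\Shares\Finance'   # hypothetical folder on the file server
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

# Request the rules with the trustee as a raw SID, not a pre-translated name.
$rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference
    try {
        # Translate() performs the SID-to-name lookup.
        $name     = $sid.Translate($ntType).Value
        $resolved = $true
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # No account name could be found for this SID.
        $name     = $null
        $resolved = $false
    }

    [pscustomobject]@{
        Sid       = $sid.Value
        # AccountDomainSid is non-null only for account SIDs (S-1-5-21-...).
        DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        Account   = $name
        Resolved  = $resolved
        Rights    = $rule.FileSystemRights
        Type      = $rule.AccessControlType
        Inherited = $rule.IsInherited
    }
}

# Unresolved entries sort first.
$report | Sort-Object Resolved, Sid | Format-Table -AutoSize
```

Rows with Resolved = False are the entries that appear as a bare SID in the permissions dialog; the DomainSid column shows which domain (or local machine) issued each of them.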

