WellingtonIS asked:
To split the FSMO roles or not

I'm wondering if I should put the FSMO roles on my domain controller or split them between 2 DCs. Right now I don't "own" the schema master; that is at my corporate office. The roles are as follows:
DC01
Operations Master -
PDC emulator
My Infrastructure Master is
DC002

Any suggestions?
Chris Dent:


Unless you have a very large environment you have nothing to gain by splitting them between servers, assuming all DCs are also Global Catalogs.

If you do have a very large domain you should refer to this KB article, it discusses where FSMO roles should and shouldn't be placed:

http://support.microsoft.com/kb/223346

If this is the case, you should pay special attention to placement of the Infrastructure Master: it must not run on a GC unless you only have one domain in your forest or all DCs are GCs.

HTH

Chris
While assigning FSMO roles to DCs, we can follow a few simple rules which keep the domain easy to manage.

1. The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.

2. The Infrastructure Master should not be placed on a GC.
It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
It's OK to put the Infrastructure Master on a GC if every DC in your forest is a GC.

3. For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
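The two replies above (the KB pointer and the three placement rules) describe checks that are easy to automate. The script below is an added example, not code from this thread or from Microsoft: it lists the five role holders with their GC status, tests the Infrastructure Master rule (rule 2) for the current domain, and previews, with -WhatIf, the RID Master transfer that rule 1 calls for when PDCe and RID Master are on different DCs. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the role-transfer step additionally needs Domain Admins rights, and the -WhatIf should only be dropped once the target DC has been confirmed.

```powershell
# Added example, not code from the thread: audit FSMO placement in the current
# domain against the placement rules in the replies above.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access to AD.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
# All DCs of this domain, on-site or not (the asker's IM holder is off-site).
$dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot

$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster         # forest-wide role
    DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide role
    PDCEmulator          = $domain.PDCEmulator          # per-domain role
    RIDMaster            = $domain.RIDMaster            # per-domain role
    InfrastructureMaster = $domain.InfrastructureMaster # per-domain role
}

"FSMO role holders for $($domain.DNSRoot):"
foreach ($r in $roles.GetEnumerator()) {
    $holder = $dcs | Where-Object HostName -eq $r.Value
    # Forest-wide holders may live in another domain and so not appear in $dcs;
    # their GC column is then blank.
    "  {0,-22} {1,-35} GC={2}" -f $r.Key, $r.Value, $holder.IsGlobalCatalog
}

# Rule 2: the Infrastructure Master may sit on a GC only if the forest has a
# single domain or every DC in this domain is a GC. A GC already holds every
# cross-domain object, so an IM on a GC never sees stale references to fix.
$im        = $dcs | Where-Object HostName -eq $roles.InfrastructureMaster
$allGc     = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$oneDomain = @($forest.Domains).Count -eq 1

if ($im.IsGlobalCatalog -and -not $oneDomain -and -not $allGc) {
    Write-Warning ("Infrastructure Master $($roles.InfrastructureMaster) is a GC " +
                   "in a multi-domain forest where not every DC is a GC; " +
                   "move it to a non-GC DC or make every DC a GC.")
} else {
    "Infrastructure Master placement is consistent with the GC rule."
}

# Rule 1: keep PDCe and RID Master together. -WhatIf previews the transfer to
# the PDCe holder without performing it.
if ($roles.PDCEmulator -ne $roles.RIDMaster) {
    Move-ADDirectoryServerOperationMasterRole -Identity $roles.PDCEmulator `
        -OperationMasterRole RIDMaster -WhatIf
}
```

Run it as a user who can read the directory; nothing changes until -WhatIf is removed. In the asker's situation (multi-domain forest, both local DCs are GCs, IM held off-site) the rule-2 test depends on whether every DC in that domain, including the corporate one, is a GC, which is exactly what the script's `$allGc` check establishes.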
WellingtonIS (asker):

The way this is set up, my infrastructure master is not on site. It resides at a corporate office. We are separate domains (many domains) in one forest. Right now I have both DC01 and DC02 as GCs.
Ultimately what I want to accomplish is to have it sort of so that if one DC is being rebooted the other will take over the role of authenticating users.

How many objects in your own domain? 0 - 100 / 100 - 1000 / 1000 - 10000 / 10000+?

The smaller you are the less important placement is because the less work each of the roles has to do.

If you're 10000+ then placement should be managed across the forest rather than within individual domains.

Chris

> Ultimately what I want to accomplish is to have it sort of so that if one DC is being rebooted the other will
> take over the role of authenticating users.

FSMO roles have no impact on this.

You need to ensure these services are available to clients:

DNS
Global Catalog
AD (of course)

Which is a pretty small set, and your two DCs already cover the last two. Make sure DNS is available and you're done.

Chris
About 4000. This is a hospital.
Have one DC with the Global Catalog role enabled, which will be fine for you, on the DC other than the Infra master.

How many DCs service that domain? Just the two? Or are those two within your own site and others for the same domain exist on a different site? Is your site all of that domain?

Sorry for all the questions, but I don't want to come out with "you should do x", it may not be appropriate.

Chris
There are 2 DCs in the domain on site. The Infrastructure Master is off site.
Do you manage the other site?

For your site I would make the two DCs Global Catalogs and DNS servers. That will provide fault tolerance between DCs should you be rebooting one of them.

FSMO roles don't impact authentication; they're background services for the most part. The PDCe is about the most obvious, with account lockout checks and time server, but no one will notice if that's not around for a few minutes.

We can't think about FSMO role placement only in the context of your site, we'd need to know about the structure of the forest and what other DCs run within your domain. But perhaps you don't have to if all you want is fault-tolerance for user authentication.

Chris
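The advice in the two Chris Dent replies above comes down to three services clients must always reach: DNS, a Global Catalog, and AD itself, on more than one server. The script below is an added example, not code from this thread: run from a domain member, it shows which DNS servers the client uses, reads the SRV records clients use to locate a DC and a GC, warns when fewer than two of either are registered, and tests the logon-related TCP ports on every advertised DC. It assumes the built-in DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later); the domain name is a placeholder to be replaced with your own.

```powershell
# Added example, not code from the thread: check that DNS advertises more than
# one DC and GC, and that each advertised DC answers on the ports logon uses.
# Assumes: DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later).
$domain = 'corp.example'   # placeholder domain, not from the thread

# 1. Which DNS servers does this client use? Both DCs should appear here.
"DNS servers configured on this client:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    ForEach-Object { "  {0,-25} {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') }

# 2. SRV records the DC locator uses: _ldap._tcp.dc._msdcs for any DC,
#    _gc._tcp for a Global Catalog. Resolve-DnsName also returns the A records
#    from the additional section, so keep only the SRV entries.
$dcHosts = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
             Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget | Sort-Object -Unique)
$gcHosts = @(Resolve-DnsName -Name "_gc._tcp.$domain" -Type SRV -ErrorAction Stop |
             Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget | Sort-Object -Unique)

"DCs registered in DNS: $($dcHosts -join ', ')"
"GCs registered in DNS: $($gcHosts -join ', ')"
if ($dcHosts.Count -lt 2) { Write-Warning "Only $($dcHosts.Count) DC registered; rebooting it takes logon down." }
if ($gcHosts.Count -lt 2) { Write-Warning "Only $($gcHosts.Count) GC registered; a single GC is a single point of failure for logon." }

# 3. Port reachability per DC: 53 DNS, 88 Kerberos, 389 LDAP, 3268 GC.
#    tcp/3268 closed on a DC means that DC is not a Global Catalog.
foreach ($h in $dcHosts) {
    foreach ($p in 53, 88, 389, 3268) {
        $ok = (Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        "  {0,-30} tcp/{1,-5} {2}" -f $h, $p, $(if ($ok) { 'open' } else { 'CLOSED' })
    }
}
```

Two hosts under each SRV name and all four ports open on both is the fault-tolerant state the reply describes; a DC missing from the `_gc._tcp` record, or with tcp/3268 closed, is the one to promote to a GC, and a DC missing from tcp/53 is not serving DNS.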
I have no access to the Corporate site. I have set up right now both DCs as DNS and GCs. So I should move the roles to one server, DC01? That would be the best scenario?
ASKER CERTIFIED SOLUTION
Chris Dent:

This solution is only available to members.

WellingtonIS (asker):

Thanks everyone for your input.