Solved

FSMO roles in a small domain

Posted on 2008-06-11
Last Modified: 2010-04-21
Quick question:

I have read a lot about best practices in the distribution of FSMO roles in a Windows domain forest, but they all describe more complicated structures than I have. My question is, in a small forest with only one domain and two DCs, what is the best way to distribute the FSMO roles? Do I just pick a schema master and split the rest, or is there a 'best practice' even for tiny domains like I have? Right now I have a mixed environment with one 2003 DC and one 2000 DC, but eventually I plan on having both my DCs be 2003 and raising my functional level to 2003.

Thanks
Question by:twinstead

Expert Comment

by:KCTS
Your best option is to leave the FSMO roles where they are. In a single domain there is nothing to be gained by having some roles on one machine and some on another - indeed performance will decrease.

Make both machines DNS servers and Global Catalog servers though - that will give you an element of redundancy.

Expert Comment

by:mystics7
These are the best practices from Windows Dev Center; I usually follow them and never have problems:
http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html


Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

    * Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.

Rule 2: The Infrastructure Master should not be placed on a GC.

    * Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
    * Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
    * Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

    * Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.


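Rule 4 above says to check the role holders regularly or script it. The following is an added example, not code from the original thread or the linked article: it lists the five role holders through the .NET System.DirectoryServices.ActiveDirectory classes (present on any domain-joined Windows machine, no extra modules), confirms each holder still answers an LDAP bind, and applies the infrastructure-master rule (Rule 2, with both exceptions) from the article quoted above. Any domain user can run it; the function and variable names are this example's own.

```powershell
# Added example; not code from the original thread. Lists the five FSMO role
# holders via System.DirectoryServices.ActiveDirectory, checks that each holder
# still answers an LDAP bind, and applies Rules 1 and 2 from the quoted article.

function Test-LdapBind {
    # $true when the DC answers a bind to its RootDSE, $false on any error.
    param([string]$DcName)
    try {
        $rootDse = [ADSI]"LDAP://$DcName/RootDSE"
        $null = $rootDse.dnsHostName        # first property read forces the bind
        return $true
    } catch {
        return $false
    }
}

function Get-GcFlag {
    # IsGlobalCatalog() talks to the DC itself, so it throws when the DC is down.
    param($Dc)
    try { return $Dc.IsGlobalCatalog() } catch { return $null }
}

function Get-FsmoStatus {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Forest-wide roles hang off the Forest object, domain roles off the Domain.
    $holders = @{
        'Schema master'         = $forest.SchemaRoleOwner
        'Domain naming master'  = $forest.NamingRoleOwner
        'PDC emulator'          = $domain.PdcRoleOwner
        'RID master'            = $domain.RidRoleOwner
        'Infrastructure master' = $domain.InfrastructureRoleOwner
    }
    $order = 'Schema master', 'Domain naming master', 'PDC emulator', 'RID master', 'Infrastructure master'

    foreach ($role in $order) {
        $dc        = $holders[$role]
        $reachable = Test-LdapBind $dc.Name
        $isGc      = $null
        if ($reachable) { $isGc = Get-GcFlag $dc }
        New-Object PSObject -Property @{
            Role      = $role
            Holder    = $dc.Name
            Reachable = $reachable
            IsGC      = $isGc
        }
    }

    # Rule 1 (PDC emulator and RID master together) is a preference, so only report it.
    if ($domain.PdcRoleOwner.Name -ne $domain.RidRoleOwner.Name) {
        Write-Warning 'PDC emulator and RID master sit on different DCs (Rule 1).'
    }

    # Rule 2: an infrastructure master on a GC only matters when the forest has
    # more than one domain AND not every DC in this domain is a GC.
    $allDcs  = @($domain.DomainControllers)
    $gcCount = @($allDcs | Where-Object { Get-GcFlag $_ }).Count
    $exempt  = ($forest.Domains.Count -eq 1) -or ($gcCount -eq $allDcs.Count)
    if ((Get-GcFlag $domain.InfrastructureRoleOwner) -and -not $exempt) {
        Write-Warning 'Infrastructure master is a GC in a multi-domain forest where not all DCs are GCs (Rule 2).'
    }
}

Get-FsmoStatus | Format-Table Role, Holder, Reachable, IsGC -AutoSize
```

In a single-domain forest the Rule 2 branch never warns, which is exactly the exception the thread relies on. `netdom query fsmo` (Windows Server 2003 Support Tools) prints the same five holders at the prompt but does not tell you whether they are reachable; a holder that is listed but does not answer a bind is the case the script exists to catch.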

Accepted Solution

by:KCTS (earned 125 total points)
Sorry, but that advice is for a multi-domain environment. As anyone with any actual experience of this will tell you, DO NOT MOVE ANY FSMO ROLES.

The infrastructure master and Global Catalog on the same machine is only an issue if you have multiple domains in which not all machines are Global Catalog servers, so you can ignore this.

As I said, keep them on the same machine. Also (as I said) make both machines DNS servers and Global Catalog servers.

To make the new machine a Global Catalog server, go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default First Site and Servers. Right-click on the new server, select Properties and tick the Global Catalog checkbox. (Global Catalog is essential for logon as it needs to be queried to establish universal group membership.)

To install DHCP on the new DC, go through Add/Remove Programs -> Windows Components -> Networking Services -> DHCP.

All the clients (and the domain controllers themselves) need to have their preferred DNS server set to one server (in the case of the DCs, to themselves), and the alternate DNS server to the other.

Both domain controllers will by this point have Active Directory, Global Catalog and DNS, and the domain could function, for a while at least, should either one of them fail.
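The two steps in the accepted answer (tick the Global Catalog box on every DC, point each DC at itself first and the other DC second for DNS) can be done and verified from a prompt. The block below is an added example, not code from the original thread: it sets bit 0x1 (NTDSDSA_OPT_IS_GC) in the `options` attribute of each DC's NTDS Settings object, which is what the Sites and Services checkbox writes, and then reads each DC's DNS client list over WMI and checks the order. It is a dry run unless `-Apply` is passed, needs Domain Admin rights, and is written for a single domain with two DCs although it loops over however many it finds. Function and parameter names are this example's own.

```powershell
# Added example; not code from the original thread. Enables the Global Catalog
# on every DC by setting NTDSDSA_OPT_IS_GC on its NTDS Settings object (what the
# Sites and Services checkbox does) and checks each DC's DNS client order.
param([switch]$Apply)

$NTDSDSA_OPT_IS_GC = 1    # bit 0x1 of the 'options' attribute on an nTDSDSA object

function Enable-GlobalCatalog {
    param([string]$DcName, [bool]$Commit)
    # RootDSE.dsServiceName on a DC is the DN of that DC's own NTDS Settings object.
    $rootDse = [ADSI]"LDAP://$DcName/RootDSE"
    $ntdsDn  = [string]$rootDse.dsServiceName
    $ntds    = [ADSI]"LDAP://$DcName/$ntdsDn"
    $options = [int]$ntds.options            # attribute absent -> $null -> 0
    if ($options -band $NTDSDSA_OPT_IS_GC) {
        return "$DcName : already a Global Catalog"
    }
    if (-not $Commit) {
        return "$DcName : would set the GC flag (rerun with -Apply)"
    }
    $ntds.Put('options', ($options -bor $NTDSDSA_OPT_IS_GC))
    $ntds.SetInfo()
    # The DC only advertises as a GC after it has replicated in the partial
    # attribute sets of the other domains; NTDS General event 1119 marks that.
    return "$DcName : GC flag set, wait for event 1119 before relying on it"
}

function Test-DcDnsClient {
    # One row per IP-enabled adapter: Ok is $true when the DC lists its own
    # address first and another DC's address second, as the answer above says.
    param([string]$DcName, [string]$OwnIp, [string[]]$OtherDcIps)
    $nics = Get-WmiObject -ComputerName $DcName -Class Win32_NetworkAdapterConfiguration `
                -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        $list = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $ok = ($list.Count -ge 2) -and ($list[0] -eq $OwnIp) -and ($OtherDcIps -contains $list[1])
        New-Object PSObject -Property @{
            DC = $DcName; Adapter = $nic.Description; DnsServers = ($list -join ', '); Ok = $ok
        }
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = @($domain.DomainControllers)
$dcIps  = @($dcs | ForEach-Object { $_.IPAddress })

foreach ($dc in $dcs) {
    Enable-GlobalCatalog -DcName $dc.Name -Commit ([bool]$Apply)
}

$report = foreach ($dc in $dcs) {
    $others = @($dcIps | Where-Object { $_ -ne $dc.IPAddress })
    Test-DcDnsClient -DcName $dc.Name -OwnIp $dc.IPAddress -OtherDcIps $others
}
$report | Format-Table DC, Adapter, DnsServers, Ok -AutoSize
```

Two caveats worth having next to this. First, the DNS check encodes the order given in this thread (self first, partner second); Microsoft's own DNS client guidance for 2000/2003 DCs (KB 825036) prefers a partner DC first with the DC itself as alternate, so flip the two comparisons if you follow that. Second, keeping all five roles on one DC is fine for day-to-day operation, but if that DC is lost for good the surviving DC has to seize the roles with `ntdsutil`, after which the old holder must never be brought back online without being rebuilt; with only two DCs that is the recovery plan to have written down.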

Author Comment

by:twinstead

KCTS,  so in a nutshell in a simple domain like mine, one DC should hold all the roles, both DCs should be global catalog servers, and both should be DNS servers (each one pointing to themselves as primary and the other as secondary, and each client pointing to the main DC as primary and the other DC as secondary)?

I used to have my domain set up similar when it was 2000 only, and still one of the DCs is indeed the primary DNS server for the domain, but the other DNS server is a 2000 box that used to be a DC before I prepared my network for a 2003 DC, promoted a 2003 server to DC, and demoted the 2000 server. Should I also move the DNS server from the old DC to the new 2003 DC?

Expert Comment

by:KCTS
1. Yes exactly

2. You should be using AD-integrated DNS, in which case both DNS servers are in effect "primary". If it's not AD-integrated DNS, change it to AD-integrated and just install DNS on the other machine - it will replicate automatically.

Author Comment

by:twinstead
Cool, thanks.

One last question if you don't mind: I'm pretty sure my dns is AD integrated, but can you remind me how to quickly tell if this is the case just so I know for sure?


Expert Comment

by:KCTS
Go to the DNS console, select your domain's forward lookup zone, right-click and select Properties.
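In that Properties dialog, the Type field on the General tab reads "Active Directory-Integrated" for an AD-stored zone. The same answer from a prompt, as an added example that is not code from the original thread: it asks the DNS server on each DC, through the MicrosoftDNS WMI provider that ships with the DNS server role on Windows Server 2003 and later, whether the domain's forward lookup zone is stored in Active Directory and whether it accepts only secure dynamic updates, which is the security property AD integration buys you. It assumes a single domain whose forward zone is named after the AD domain and a caller who can query WMI on both DCs; the function name is this example's own.

```powershell
# Added example; not code from the original thread. Reports, per DC, whether the
# domain's forward lookup zone is hosted, AD-integrated and secure-update-only.

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$zoneName = $domain.Name

# MicrosoftDNS_Zone.ZoneType (0 = Cache is never returned for a hosted zone).
$zoneTypes   = @{ 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }
# MicrosoftDNS_Zone.AllowUpdate; 'Secure only' is only available on AD-integrated zones.
$updateModes = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

function Get-ZoneStorage {
    param([string]$DcName, [string]$Zone)
    $row = @{ DC = $DcName; Zone = $Zone; Hosted = $false; Type = $null; AdIntegrated = $null; Updates = $null; Note = '' }
    try {
        $z = Get-WmiObject -ComputerName $DcName -Namespace 'root\MicrosoftDNS' `
                -Class MicrosoftDNS_Zone -Filter "Name = '$Zone'" -ErrorAction Stop
    } catch {
        # No DNS role on that DC, or RPC/WMI blocked by a firewall: report, do not abort.
        $row.Note = $_.Exception.Message
        return New-Object PSObject -Property $row
    }
    if (-not $z) {
        $row.Note = 'zone not hosted on this DC'
        return New-Object PSObject -Property $row
    }
    $row.Hosted       = $true
    $row.Type         = $zoneTypes[[int]$z.ZoneType]
    $row.AdIntegrated = [bool]$z.DsIntegrated
    $row.Updates      = $updateModes[[int]$z.AllowUpdate]
    if (-not $z.DsIntegrated) {
        $row.Note = "file-backed ($($z.DataFile)); change to Active Directory-integrated"
    } elseif ([int]$z.AllowUpdate -ne 2) {
        $row.Note = 'dynamic updates are not restricted to Secure only'
    } else {
        $row.Note = 'ok'
    }
    New-Object PSObject -Property $row
}

$results = foreach ($dc in $domain.DomainControllers) {
    Get-ZoneStorage -DcName $dc.Name -Zone $zoneName
}
$results | Format-Table DC, Hosted, Type, AdIntegrated, Updates, Note -AutoSize
```

With both DCs hosting the zone as AD-integrated, the "which DNS server is primary" question in the thread goes away: every DC holding the zone is a writable copy replicated by AD. A zone that shows AdIntegrated as True but Updates as "Nonsecure and secure" lets any host on the network overwrite another machine's records, so the second check matters as much as the first.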

Author Closing Comment

by:twinstead
Thanks for your help

Expert Comment

by:Jay_Jay70
I disagree; splitting your roles is a wise move when you have more than one DC in your environment.

Some reading from MS

http://support.microsoft.com/kb/223346

Author Comment

by:twinstead
That's the whole gist of my question in the first place. That article by Microsoft describes a MUCH more complex environment than I have, as does every other article I have read. In my situation, that article is useless.

Expert Comment

by:KCTS
It's not often I disagree with Jay_Jay70, but I have to on this occasion.

There is nothing at all to be gained in splitting FSMO roles in a single-domain environment; the best option is to leave the FSMO roles where they are and to make all DCs Global Catalogs. There is no overhead in this, no issues with infrastructure masters, and it makes the domain more resilient and improves performance.

Expert Comment

by:Jay_Jay70
Fair call, I don't really have much justification on why I like to split them so I will reserve my opinion to myself - guess it comes down to personal preference and working in larger environments from day one... I'll bow out as you are in good hands.

James

Expert Comment

by:KCTS
As we say over here "there is more than one way to skin a rabbit"...

Expert Comment

by:Jay_Jay70
Well said :) and as we say on the other side of the world when you boys are waking up - g'night!

Expert Comment

by:KCTS
Fair dinkum (or something like that!)

Expert Comment

by:Jay_Jay70
Hehe, right you are, Govna! *sigh* What the rest of the world thinks of us... :)