twinstead
FSMO roles in small domain
Quick question:
I have read a lot about best practices in the distribution of FSMO roles in a Windows domain forest, but they all describe more complicated structures than I have. My question is, in a small forest with only one domain and two DCs, what is the best way to distribute the FSMO roles? Do I just pick a schema master and split the rest, or is there a 'best practice' even for tiny domains like I have? Right now, I have a mixed environment with one 2003 DC and one 2000 DC, but eventually I plan on having both my DCs be 2003 and raising my functional level to 2003.
Thanks
These are the best practices from Windows Dev Center. I usually follow them and never have problems.
http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
* Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.
Rule 2: The Infrastructure Master should not be placed on a GC.
* Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
* Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
* Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.
Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
* Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.
Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.
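Rule 4 above suggests scripting the availability check. The following is an added example, not part of the original answer or the linked article, that lists the five role holders, tests each one on LDAP, and flags placements that conflict with Rules 1 to 3 and their exceptions. It assumes a management host with the ActiveDirectory PowerShell module and `Test-NetConnection`, both of which are newer than the 2000/2003 DCs in this thread; on those, `netdom query fsmo` lists the role holders.

```powershell
# Added example: audits FSMO placement against Rules 1-4 quoted above.
# Assumes the ActiveDirectory module (RSAT) and rights to read the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# Role name -> DNS host name of the current holder
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$gcNames   = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
$allDcsGc  = ($gcNames.Count -eq $dcs.Count)
$oneDomain = (@($forest.Domains).Count -eq 1)
$mode      = [string]$forest.ForestMode
$findings  = @()

# Rule 1: PDC Emulator and RID Master on the same machine
if ($roles.PDCEmulator -ne $roles.RIDMaster) {
    $findings += 'Rule 1: PDC Emulator and RID Master are on different DCs'
}
# Rule 2: Infrastructure Master not on a GC, unless single domain or every DC is a GC
if (($gcNames -contains $roles.InfrastructureMaster) -and -not ($oneDomain -or $allDcsGc)) {
    $findings += 'Rule 2: Infrastructure Master is on a GC'
}
# Rule 3: Schema Master on a GC; Domain Naming Master too, unless the forest
# functional level has been raised to Windows Server 2003 or later
if ($gcNames -notcontains $roles.SchemaMaster) {
    $findings += 'Rule 3: Schema Master holder is not a GC'
}
$preW2k3 = 'Windows2000Forest', 'Windows2003InterimForest' -contains $mode
if ($preW2k3 -and ($gcNames -notcontains $roles.DomainNamingMaster)) {
    $findings += 'Rule 3: Domain Naming Master holder is not a GC'
}
# Rule 4: every role holder must answer on LDAP (TCP 389)
foreach ($r in $roles.Keys) {
    $ok = Test-NetConnection -ComputerName $roles[$r] -Port 389 -InformationLevel Quiet
    if (-not $ok) { $findings += "Rule 4: $r holder $($roles[$r]) is unreachable" }
}

$roles.GetEnumerator() | Format-Table Name, Value -AutoSize
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All FSMO checks passed' }
```

Run from a scheduled task, the warnings give early notice of an unreachable role holder before an operation that depends on it fails.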
ASKER
KCTS, so in a nutshell in a simple domain like mine, one DC should hold all the roles, both DCs should be global catalog servers, and both should be DNS servers (each one pointing to themselves as primary and the other as secondary, and each client pointing to the main DC as primary and the other DC as secondary)?
I used to have my domain set up similarly when it was 2000 only, and still one of the DCs is indeed the primary DNS server for the domain, but the other DNS server is a 2000 box that used to be a DC before I prepared my network for a 2003 DC, promoted a 2003 server to DC, and demoted the 2000 server. Should I also move the DNS server from the old DC to the new 2003 DC?
1. Yes exactly
2. You should be using AD integrated DNS - in which case both DNS servers are in effect "Primary". If it's not AD integrated DNS, change it to AD integrated and just install DNS on the other machine - it will replicate automatically.
ASKER
Cool, thanks.
One last question if you don't mind: I'm pretty sure my DNS is AD integrated, but can you remind me how to quickly tell if this is the case just so I know for sure?
Go to the DNS console. Select your domain's forward lookup zone, right click and select properties.
ASKER
Thanks for your help
I disagree, splitting your roles is a wise move when you have more than one DC in your environment.
Some reading from MS
http://support.microsoft.com/kb/223346
ASKER
That's the whole gist of my question in the first place. That article by Microsoft describes a MUCH more complex environment than I have, as does every other article I have read. In my situation, that article is useless.
It's not often I disagree with Jay_Jay70 but I have to on this occasion.
There is nothing at all to be gained in splitting FSMO roles in a single domain environment; the best option is to leave the FSMO roles where they are and to make all DCs Global catalogs. There is no overhead in this, no issues with Infrastructure masters and it makes the domain more resilient and improves performance.
Fair call, I don't really have much justification on why I like to split them so I will reserve my opinion to myself - guess it comes down to personal preference and working in larger environments from day one..... I'll bow out as you are in good hands
James
As we say over here "there is more than one way to skin a rabbit"...
well said :) and as we say on the other side of the world when you boys are waking up - gnite!
fair dinkum (or something like that!)
hehe right you are Govna! *sigh* what the rest of the world thinks of us....:)
Make both machines DNS servers and Global Catalog servers though - that will give you an element of redundancy