Solved

FSMO roles in small domain

Posted on 2008-06-11
942 Views
Last Modified: 2010-04-21
Quick question:

I have read a lot about best practices in the distribution of FSMO roles in a Windows domain forest, but they all describe more complicated structures than I have. My question is, in a small forest with only one domain and two DCs, what is the best way to distribute the FSMO roles? Do I just pick a schema master and split the rest, or is there a 'best practice' even for tiny domains like I have? Right now, I have a mixed environment with one 2003 DC and one 2000 DC, but eventually I plan on having both my DCs be 2003 and raising my functional level to 2003.

Thanks
Question by: twinstead

16 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 21759210
Your best option is to leave the FSMO roles where they are. In a single domain there is nothing to be gained by having some roles on one machine and some on another - indeed performance will decrease.

Make both machines DNS servers and Global Catalog servers though - that will give you an element of redundancy.
 
LVL 9

Expert Comment

by:mystics7
ID: 21759213
These are the best practices from Windows Dev Center; I usually follow them and never have problems.
http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html


Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

    * Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.

Rule 2: The Infrastructure Master should not be placed on a GC.

    * Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
    * Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
    * Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

    * Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.

 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 21759266
Sorry, but that advice is for a multi-domain environment. As anyone with any actual experience of this will tell you: DO NOT MOVE ANY FSMO ROLES.

The infrastructure master and Global catalog on the same machine is only an issue if you have multiple domains in which not all machines are global catalog servers so you can ignore this.

As I said, keep them on the same machine. Also (as I said) make both machines DNS servers and Global Catalog servers.

To make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

To install DHCP on the new DC, you can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

All the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one server (in the case of the DCs, to themselves), and the alternate DNS server to the other.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.
 

Author Comment

by:twinstead
ID: 21759405

KCTS, so in a nutshell, in a simple domain like mine, one DC should hold all the roles, both DCs should be global catalog servers, and both should be DNS servers (each one pointing to itself as primary and the other as secondary, and each client pointing to the main DC as primary and the other DC as secondary)?

I used to have my domain set up similar when it was 2000 only, and still one of the DCs is indeed the primary DNS server for the domain, but the other DNS server is a 2000 box that used to be a DC before I prepared my network for a 2003 DC, promoted a 2003 server to DC, and demoted the 2000 server. Should I also move the DNS server from the old DC to the new 2003 DC?
 
LVL 70

Expert Comment

by:KCTS
ID: 21759440
1. Yes, exactly.

2. You should be using AD-integrated DNS, in which case both DNS servers are in effect "Primary". If it's not AD-integrated DNS, change it to AD-integrated and just install DNS on the other machine - it will replicate automatically.
 

Author Comment

by:twinstead
ID: 21759464
Cool, thanks.

One last question if you don't mind: I'm pretty sure my DNS is AD integrated, but can you remind me how to quickly tell if this is the case, just so I know for sure?
 
LVL 70

Expert Comment

by:KCTS
ID: 21759508
Go to the DNS console, select your domain's forward lookup zone, right-click and select Properties.
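The checks called for in this thread, as an added example that is not part of any post: it confirms each FSMO role holder is answering (Rule 4 in the list mystics7 quoted), that every DC is a global catalog hosting the domain zone (the accepted solution), and that the zone is AD-integrated (the check KCTS describes above). It assumes the ActiveDirectory and DnsServer PowerShell modules from RSAT, which exist on Windows Server 2008 R2/2012 and later rather than the 2003 systems in the question; the function names are the editor's own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory and DnsServer
# modules (RSAT on Server 2008 R2 / 2012 or later, not the 2003 era of the question).
# Function names are the editor's own.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-FsmoHolders {
    # The three domain-level and two forest-level roles, keyed by role name.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
}

function Test-FsmoAvailability {
    # Rule 4: ask each role holder directly (-Server) so a DC that is up but not
    # answering LDAP is reported as unavailable, not just one that fails a ping.
    foreach ($role in (Get-FsmoHolders).GetEnumerator()) {
        $available = $false
        try {
            $null = Get-ADDomainController -Identity $role.Value -Server $role.Value -ErrorAction Stop
            $available = $true
        } catch { }
        [pscustomobject]@{ Role = $role.Key; Holder = $role.Value; Available = $available }
    }
}

function Test-SmallDomainLayout {
    # The accepted solution's layout: every DC is a GC and hosts the domain zone
    # as an AD-integrated zone (IsDsIntegrated), not a file-backed primary.
    $zoneName = (Get-ADDomain).DNSRoot
    foreach ($dc in Get-ADDomainController -Filter *) {
        $zone = Get-DnsServerZone -ComputerName $dc.HostName -Name $zoneName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC              = $dc.HostName
            IsGlobalCatalog = $dc.IsGlobalCatalog
            HostsDomainZone = ($null -ne $zone)
            AdIntegratedDns = ($null -ne $zone -and $zone.IsDsIntegrated)
        }
    }
}

Test-FsmoAvailability  | Format-Table -AutoSize
Test-SmallDomainLayout | Format-Table -AutoSize
```

Any row with Available or AdIntegratedDns set to False is the condition the thread says to avoid: an unreachable role holder, or a zone that will not replicate with AD.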
 

Author Closing Comment

by:twinstead
ID: 31466108
Thanks for your help
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21764706
I disagree, splitting your roles is a wise move when you have more than one DC in your environment.

Some reading from MS

http://support.microsoft.com/kb/223346
 

Author Comment

by:twinstead
ID: 21768030
That's the whole gist of my question in the first place. That article by Microsoft describes a MUCH more complex environment than I have, as does every other article I have read. In my situation, that article is useless.
 
LVL 70

Expert Comment

by:KCTS
ID: 21768076
It's not often I disagree with Jay_Jay70, but I have to on this occasion.

There is nothing at all to be gained in splitting FSMO roles in a single domain environment; the best option is to leave the FSMO roles where they are and to make all DCs Global Catalogs. There is no overhead in this, no issues with Infrastructure Masters, and it makes the domain more resilient and improves performance.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21768188
Fair call, I don't really have much justification on why I like to split them so I will reserve my opinion to myself - guess it comes down to personal preference and working in larger environments from day one..... I'll bow out as you are in good hands.

James
 
LVL 70

Expert Comment

by:KCTS
ID: 21768207
As we say over here "there is more than one way to skin a rabbit"...
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21768219
well said :) and as we say on the other side of the world when you boys are waking up - gnite!
 
LVL 70

Expert Comment

by:KCTS
ID: 21768227
fair dinkum (or something like that!)
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21768318
hehe right you are Govna! *sigh* what the rest of the world thinks of us....:)