Solved

Active Directory Schema Master FSMO Role Question

Posted on 2008-09-30
Last Modified: 2013-12-05
Here's the situation...
Background Info:
- We have an Active Directory Forest that is operating at the Windows 2000 functional level.
- The Forest Root Domain, DOMAIN1.COM, is operating at the Windows 2000 mixed functional level.
- DOMAIN2.COM is part of the same forest and is operating at the Windows 2000 native functional level.
- The trust between the domains is a Tree Root transitive trust.
- All the Domain Controllers of DOMAIN1.COM reside in SiteA, and all of the Domain Controllers of DOMAIN2.COM reside in SiteB which are linked.

Requirement:
- Because the administrators of DOMAIN2.COM are migrating to Exchange Server 2007, they require the Schema Master FSMO role to reside on a domain controller that is running Windows Server 2003 SP1.

Problem:
- Currently, the Schema Master FSMO role resides on a Domain Controller in the DOMAIN1.COM domain which happens to be a Windows 2000 Server.
- Currently, there are no Windows 2003 Server Domain Controllers in the DOMAIN1.COM domain.

Question:
- Is there any problem/issue with transferring the Schema Master FSMO role to a Domain Controller in DOMAIN2.COM (obviously running Windows Server 2003), even though DOMAIN1.COM is the Forest Root Domain?
- OR Is there any problem/issue with building a new Windows 2003 Server as a Domain Controller for DOMAIN1.COM in SiteB (Where there are all DOMAIN2.COM Domain Controllers and no DOMAIN1.COM Domain Controllers currently), and transferring the Schema Master FSMO role to that new Domain Controller?
- OR any better suggestions?

Thank you in advance for your help. Please let me know if I'm leaving anything out of the picture, or if you have any other questions.
Question by:magyarka
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22609855

> Is there any problem/issue with transferring the Schema Master FSMO role to a Domain
> Controller in DOMAIN2.COM (obviously running Windows Server 2003), even though DOMAIN1.COM
> is the Forest Root Domain?

That's fine, but remember the schema master is perhaps the most important of all your DCs.

> Is there any problem/issue with building a new Windows 2003 Server as a Domain
> Controller for DOMAIN1.COM in SiteB

I would prefer to keep the Schema master in the root domain, so I would personally prefer that. It's not really necessary though.

Incidentally, you need to raise your forest functional level to at least Windows 2000 as well, mixed mode is not high enough.

Chris
 

Author Comment

by:magyarka
ID: 22615490
Chris,

So, it sounds like you would recommend going with bringing up another DC on DOMAIN1.COM in SiteB and transferring the Schema Master role to that. There would be no other "gotchas" with that? Why would the forest functional level need to be at Windows 2000?

Thanks
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22615541

Personally, yes, I would rather that. I assume your root domain is moderately empty except for that? Otherwise there's no real problem moving the Schema master around like this.

For the functional level of the forest... It's in the list of requirements for installation of Exchange 2007 :)

http://technet.microsoft.com/en-us/library/aa996719.aspx

Mixed mode is only going to be necessary if you have Windows NT Backup Domain Controllers operating on the network (on any of your domains).

Chris

Author Comment

by:magyarka
ID: 22615781
Well, the root domain, DOMAIN1.COM, has many users, computers, etc. DOMAIN2.COM also has a fair amount of objects.

Thanks for pointing out the Forest Functional Level requirement!
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22615801

Hmm then it probably makes little difference where you host the master role. As long as the system hosting it is reliable and frequently backed up.

Chris
 

Author Comment

by:magyarka
ID: 22615976
Our forest functional level is already windows 2000. Is there actually a "windows 2000 server" forest functional level?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22616016

Might be 2000 Native, I can't check the list unfortunately, it removes the options once you pass it. Mine is running "Windows Server 2003" level and won't give me any options until I introduce DCs running 2008.

Chris
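
The facts this thread turns on (who holds the Schema Master, what OS and service pack it runs, and the forest and domain functional levels) can be read before any transfer. The following read-only check is an added example, not part of the original posts; it uses the .NET `System.DirectoryServices.ActiveDirectory` classes, the function name `Get-DcOsInfo` is hypothetical, and the `operatingSystem` string formats it matches on ("Windows 2000 Server", "Windows Server 2003", "Service Pack 1") are assumed typical values.

```powershell
# Added example (read-only): nothing here moves a role or changes the directory.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# The DomainController object has no service pack property, so read the OS
# attributes from the DC's computer object in its own domain.
function Get-DcOsInfo($dc) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $dc.Domain.GetDirectoryEntry()
    $searcher.Filter = "(&(objectCategory=computer)(dNSHostName=$($dc.Name)))"
    [void]$searcher.PropertiesToLoad.Add('operatingsystem')
    [void]$searcher.PropertiesToLoad.Add('operatingsystemservicepack')
    $hit = $searcher.FindOne()
    $os = ''; $sp = ''
    if ($hit) {
        if ($hit.Properties.Contains('operatingsystem')) {
            $os = [string]$hit.Properties['operatingsystem'][0]
        }
        if ($hit.Properties.Contains('operatingsystemservicepack')) {
            $sp = [string]$hit.Properties['operatingsystemservicepack'][0]
        }
    }
    # Requirement quoted in the question: Windows Server 2003 SP1 on the schema master.
    # Assumption: a 2000 DC fails, a 2003 DC needs a service pack, anything later passes.
    $ok = ($os -ne '') -and ($os -notmatch '2000') -and
          (($os -notmatch '2003') -or ($sp -match 'Service Pack [1-9]'))
    New-Object PSObject -Property @{
        Name = $dc.Name; Domain = $dc.Domain.Name; Site = $dc.SiteName
        OS = $os; ServicePack = $sp; MeetsRequirement = $ok
    }
}

"Forest functional level: $($forest.ForestMode)"
foreach ($d in $forest.Domains) {
    # Mixed mode is the level the accepted answer says is not high enough.
    $flag = if ($d.DomainMode -eq 'Windows2000MixedDomain') { '  <- mixed mode' } else { '' }
    "Domain $($d.Name): $($d.DomainMode)$flag"
}

"Current Schema Master:"
Get-DcOsInfo $forest.SchemaRoleOwner |
    Format-List Name, Domain, Site, OS, ServicePack, MeetsRequirement

"All DCs in the forest (candidates from either domain):"
$forest.Domains | ForEach-Object { $_.DomainControllers } |
    ForEach-Object { Get-DcOsInfo $_ } |
    Format-Table Name, Domain, Site, OS, ServicePack, MeetsRequirement -AutoSize
```

Run it from a domain-joined machine with an account that can read both domains; the output covers both options raised in the question, since it lists DCs in DOMAIN1.COM and DOMAIN2.COM side by side.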