Solved

FSMO roles how to advice needed

Posted on 2010-08-19
249 Views
Last Modified: 2012-05-10
I have two DCs with FSMO roles assigned as follows:

Server "ads00" knows about 5 roles
Schema - CN=NTDS Settings,CN=ADS02,CN=Servers,
Domain - CN=NTDS Settings,CN=ADS00,CN=Servers,
PDC - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
RID - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
Infrastructure - CN=NTDS Settings,CN=ADS00,CN=
select operation target:

As you can see, the Schema role is assigned to a different DC than the rest.  Is this a good or bad thing?  I can only assume that if ADS00 went down I would go to ADS02 and seize the ads00 roles, and vice versa if ads02 went down.  Or should I just move the Schema role over to ADS00 as well?  Some AD/DC gurus who could provide me with the pros and cons would be nice.
Question by:ronmerr
6 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 33480811
If you only have one site, then I see no reason to separate the roles.  I also see no problem in separating them... other than the obvious that if a DC fails there is a 100% chance of having to seize at least one role vs. a 50% chance of having to seize all roles.
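The comment above turns on which DCs hold which roles and on the difference between a graceful transfer and a seizure. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation: it lists the five role holders with the ActiveDirectory RSAT module, flags a split placement like the one in the question, and shows the transfer cmdlet run with -WhatIf first. The DC names ADS00 and ADS02 are taken from the question; the script assumes a single-domain forest and Domain/Enterprise Admin rights.

```powershell
# Added example (not from the thread): inventory FSMO role holders and
# transfer a role gracefully. Requires the ActiveDirectory RSAT module.
# ADS00/ADS02 are the DC names from the question; everything else is assumed.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles (one per forest) come from Get-ADForest,
    # domain roles (one per domain) from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoSplit {
    param([Parameter(Mandatory)] $Holders)
    # Distinct hosts across the five roles; more than one means a split placement
    $hosts = @($Holders.PSObject.Properties.Value | Sort-Object -Unique)
    [PSCustomObject]@{
        HolderCount = $hosts.Count
        IsSplit     = $hosts.Count -gt 1
        Holders     = $hosts
    }
}

$roles = Get-FsmoRoleHolders
$roles | Format-List          # same information "netdom query fsmo" prints
$split = Test-FsmoSplit -Holders $roles
if ($split.IsSplit) {
    Write-Warning ("FSMO roles are split across {0} DCs: {1}" -f `
        $split.HolderCount, ($split.Holders -join ', '))
}

# Graceful TRANSFER: contacts the current holder (ADS02) and hands the
# Schema role to ADS00 while both DCs are online. -WhatIf previews only;
# remove it to apply the change.
Move-ADDirectoryServerOperationMasterRole -Identity 'ADS00' `
    -OperationMasterRole SchemaMaster -WhatIf

# SEIZURE (-Force) is the last-ditch path for a holder that is permanently
# gone. Never bring a seized-from DC back online; remove it from AD instead.
# Move-ADDirectoryServerOperationMasterRole -Identity 'ADS00' -OperationMasterRole SchemaMaster -Force
```

Run the inventory part on its own first; the transfer line is a preview until -WhatIf is dropped, and the seizure line is left commented because, as the comment above notes, seizing is only for a DC that is never coming back.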
LVL 2

Assisted Solution

by:Henry_DunnIII
Henry_DunnIII earned 500 total points
ID: 33480953
General recommendations for FSMO roles:

Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.

As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.  There are two exceptions to this rule: 1. in a single-domain forest, or 2. when every DC (which should be the case in a single-domain forest) is a global catalog.

Last, at the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case.

With those general recommendations said, with your setup, as simple as it sounds, I would stick to placing them all on 1 server.  The effect of that one server dying would not be immediately detrimental.  There are things that you would not be able to do, but there would be nothing that would be debilitating.  As long as you seized the roles (which should be last ditch), you would be fine.  So my recommendation is to place them all on 1 server.
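The answer above lists four placement rules (RID with PDC, schema master with domain naming master, domain naming master on a GC, infrastructure master off a GC except in a single-domain or all-GC forest). This PowerShell is an added example, not code from the thread, that reads the current placement with the ActiveDirectory module and reports which of those rules the forest currently breaks; the function name Get-FsmoPlacementReport and the wording of the findings are my own, and it assumes read access to the domain and that the role holders are reported as the same FQDNs that Get-ADDomainController returns in HostName.

```powershell
# Added example (not from the thread): check FSMO placement against the
# general recommendations in the answer above. Assumes the ActiveDirectory
# RSAT module; the function name and finding text are illustrative.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # GC status and site come from the DC objects of the current domain
    $dcs     = @(Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, Site)
    $gcHosts = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })

    $singleDomainForest = @($forest.Domains).Count -eq 1
    $allDcsAreGc        = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    $findings = @()

    # Rule 1: RID master and PDC emulator on the same DC
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        $findings += "RID master ($($domain.RIDMaster)) and PDC emulator ($($domain.PDCEmulator)) are on different DCs"
    }
    # Rule 2: schema master and domain naming master on the same DC
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Schema master ($($forest.SchemaMaster)) and domain naming master ($($forest.DomainNamingMaster)) are on different DCs"
    }
    # Rule 3: domain naming master must be a global catalog
    if ($gcHosts -notcontains $forest.DomainNamingMaster) {
        $findings += "Domain naming master $($forest.DomainNamingMaster) is not a global catalog"
    }
    # Rule 4: infrastructure master should not be a GC, unless the forest has
    # a single domain or every DC is a GC (the two exceptions in the answer)
    $infraIsGc = $gcHosts -contains $domain.InfrastructureMaster
    if ($infraIsGc -and -not ($singleDomainForest -or $allDcsAreGc)) {
        $findings += "Infrastructure master $($domain.InfrastructureMaster) is a GC in a multi-domain forest that still has non-GC DCs; it will not update cross-domain references"
    }

    [PSCustomObject]@{
        Domain              = $domain.DNSRoot
        SingleDomainForest  = $singleDomainForest
        AllDcsGlobalCatalog = $allDcsAreGc
        Findings            = $findings
    }
}

$report = Get-FsmoPlacementReport
$report | Format-List
if ($report.Findings.Count -eq 0) {
    'FSMO placement follows the general recommendations.'
}
```

For a two-DC, single-domain setup like the one in the question, rule 4 is satisfied by the single-domain exception whether or not both DCs are GCs, so the only finding the script would raise is the split between the schema master and the domain naming master.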
LVL 11

Expert Comment

by:Sigurdur Haraldsson
ID: 33480984
You need 1 Schema master and 1 Domain Naming master in each forest. Then you need 1 of the other three (PDC, RID, Infrastructure) in each domain. It doesn't matter where you place them really. I'd guess that your ADS00 is your first DC and then for some reason you've moved the Schema master role to another one. Normally, you'd have the main roles in a DC in Headquarters but if you only have one domain, it really doesn't matter.
LVL 7

Expert Comment

by:CGretski
ID: 33483534
PDC gets most load: deals with password changes, account lockouts, all AD changes by legacy/NT systems, etc.
So if your server is overloaded it might be worth moving that role.

If you have multiple sites I'd put it where most of the users are ( or behind a quick WAN link ).
LVL 74

Expert Comment

by:Glen Knight
ID: 34689894
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.