Solved

FSMO roles how to advice needed

Posted on 2010-08-19
Last Modified: 2012-05-10
I have two DCs with FSMO roles assigned as follows:

Server "ads00" knows about 5 roles
Schema - CN=NTDS Settings,CN=ADS02,CN=Servers,
Domain - CN=NTDS Settings,CN=ADS00,CN=Servers,
PDC - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
RID - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
Infrastructure - CN=NTDS Settings,CN=ADS00,CN=
select operation target:

As you can see, the Schema role is assigned to a different DC than the rest.  Is this a good or bad thing?  I can only assume that if ADS00 went down I would go to ADS02 and seize the ads00 roles, and vice versa if ads02 went down.  Or should I just move the Schema role over to ADS00 as well?  Some AD/DC gurus who could provide me with pros and cons would be nice.
Question by:ronmerr
6 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 33480811
If you only have one site, then I see no reason to separate the roles.  I also see no problem in separating them... other than the obvious that if a DC fails there is a 100% chance of having to seize at least one role vs. a 50% chance of having to seize all roles.
 
LVL 2

Assisted Solution

by:Henry_DunnIII
Henry_DunnIII earned 125 total points
ID: 33480953
General recommendations for FSMO roles:

Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.

As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.  There are two exceptions to this rule: 1. in a single domain forest, or 2. when every DC is a global catalog (which, in a single domain forest, should be the case).

Last, at the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case.

With those general recommendations said, with your setup, as simple as it sounds, I would stick to placing them all on 1 server.  The effect of that one server dying would not be immediately detrimental.  There are things that you would not be able to do, but there would be nothing that would be debilitating.  As long as you seized the roles (which should be a last ditch), you would be fine.  So my recommendation is to place them all on 1 server.
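An added example, not from the thread or any of its participants: a PowerShell check that audits a live forest against the placement recommendations in the answer above (forest roles together, domain naming master on a GC, PDC emulator and RID master together, infrastructure master not on a GC unless every DC is one or the forest is a single domain). It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined with read access to AD; the function name Test-FsmoPlacement is hypothetical.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module; Get-ADDomainController -Filter * only lists DCs of the current domain.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *
    $findings = New-Object System.Collections.Generic.List[string]

    # Forest-level roles: schema master and domain naming master on the same DC,
    # and the domain naming master must itself be a global catalog.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings.Add("Schema master ($($forest.SchemaMaster)) and domain naming master ($($forest.DomainNamingMaster)) are on different DCs.")
    }
    if ($forest.GlobalCatalogs -notcontains $forest.DomainNamingMaster) {
        $findings.Add("Domain naming master $($forest.DomainNamingMaster) is not a global catalog; creating grand-child domains will fail.")
    }

    # Domain-level roles: PDC emulator and RID master are recommended together.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings.Add("PDC emulator ($($domain.PDCEmulator)) and RID master ($($domain.RIDMaster)) are on different DCs.")
    }

    # Infrastructure master on a GC is only a problem when the forest has more
    # than one domain AND at least one DC in this domain is not a GC.
    $singleDomain = ($forest.Domains.Count -eq 1)
    $allDcsAreGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGc       = $forest.GlobalCatalogs -contains $domain.InfrastructureMaster
    if ($imIsGc -and -not $singleDomain -and -not $allDcsAreGc) {
        $findings.Add("Infrastructure master $($domain.InfrastructureMaster) is a GC while non-GC DCs exist; cross-domain phantom updates will never happen.")
    }

    # Report how many DCs hold roles, so the impact of losing each one is visible
    # (the thread's point about seizing one role vs. seizing all of them).
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster,
                 $domain.InfrastructureMaster) | Sort-Object -Unique
    $findings.Add("FSMO roles are held by $($holders.Count) DC(s): $($holders -join ', ')")

    return $findings
}

Test-FsmoPlacement | ForEach-Object { Write-Output $_ }
```

Run it as a domain user from a management host; it only reads AD, so it is safe to schedule as a recurring health check.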
 
LVL 11

Expert Comment

by:sighar
ID: 33480984
You need 1 Schema master and 1 Domain Naming master in each forest. Then you need 1 of the other three (PDC, RID, Infrastructure) in each domain. It doesn't matter where you place them really. I'd guess that your ADS00 is your first DC and then for some reason you've moved the Schema master role to another one. Normally, you'd have the main roles in a DC in Headquarters but if you only have one domain, it really doesn't matter.
 
LVL 7

Expert Comment

by:CGretski
ID: 33483534
PDC gets most load: deals with password changes, account lockouts, all AD changes by legacy/NT systems, etc.
So if your server is overloaded it might be worth moving that role.

If you have multiple sites I'd put it where most of the users are ( or behind a quick WAN link ).
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34689894
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.