?
Solved

FSMO roles how to advice needed

Posted on 2010-08-19
6
Medium Priority
?
250 Views
Last Modified: 2012-05-10
I have two DC with FSMO roles assigned as follows

Server "ads00" knows about 5 roles
Schema - CN=NTDS Settings,CN=ADS02,CN=Servers,
Domain - CN=NTDS Settings,CN=ADS00,CN=Servers,
PDC - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
RID - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
Infrastructure - CN=NTDS Settings,CN=ADS00,CN=
select operation target:

As you can see the Schema role is assigned to a different DC than the rest.  Is this a good or bad thing.  I can only assume that if ADS00 went down I would go to ADS02 and sieze the ads00 roles and vice versa is ads02 went down.  Or should I just move the Schema role over to ADS00 as well.  Some AD/DC gurus who could provide me with pro's con's would be nice.
0
Comment
Question by:ronmerr
5 Comments
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 33480811
If you only have one site, then I see no reason to separate the roles.  I also see no problem in separating them... other than the obvious that if a DC fails there is a 100% chance of having to seize at least one role vs. a 50% chance of having to seize all roles.
0
 
LVL 2

Assisted Solution

by:Henry_DunnIII
Henry_DunnIII earned 500 total points
ID: 33480953
Generals recomendations for FSMO roles;

Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.

As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.  There are two exceptions to this rule; 1. in a single domain forest or 2. when every DC (which in a single domain forest, this should be the case) is a global catalog.  

Last, At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case.

With those general recomendations said, with your setup, as simple as it sounds, I would stick to placing them all on 1 server.  The effect of that one server dying would not be immediately detrimental.  There are things that you would not be able to do, but there would be nothing that would be debilitating.  As long as you seized the roles (which should be last ditch), you would be fine.  So my recomendation is to place them all on 1 server.
0
 
LVL 11

Expert Comment

by:Sigurdur Haraldsson
ID: 33480984
You need 1 Schema master and 1 Domain Naming master in each forest. Then you need 1 of the other three (PDC, RID, Infrastructure) in each domain. It doesn't matter where you place them really. I'd guess that your ADS00 is your first DC and then for some reason you've moved the Schema master role to another one. Normally, you'd have the main roles in a DC in Headquarters but if you only have one domain, it really doesn't matter.
0
 
LVL 7

Expert Comment

by:CGretski
ID: 33483534
PDC gets most load: deals with password changes, account lockouts, all AD changes by legacy/NT systems, etc.
So if your server is overloaded it might be worth moving that role.

If you have multiple sites I'd put it where most of the users are ( or behind a quick WAN link ).
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34689894
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question