Solved

FSMO roles how to advice needed

Posted on 2010-08-19
Last Modified: 2012-05-10
I have two DCs with FSMO roles assigned as follows:

Server "ads00" knows about 5 roles
Schema - CN=NTDS Settings,CN=ADS02,CN=Servers,
Domain - CN=NTDS Settings,CN=ADS00,CN=Servers,
PDC - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
RID - CN=NTDS Settings,CN=ADS00,CN=Servers,CN=
Infrastructure - CN=NTDS Settings,CN=ADS00,CN=
select operation target:

As you can see, the Schema role is assigned to a different DC than the rest. Is this a good or bad thing? I can only assume that if ADS00 went down I would go to ADS02 and seize the ads00 roles, and vice versa if ads02 went down. Or should I just move the Schema role over to ADS00 as well? Some AD/DC gurus who could provide me with pros and cons would be nice.
0
Question by:ronmerr
6 Comments
 

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 33480811
If you only have one site, then I see no reason to separate the roles.  I also see no problem in separating them... other than the obvious that if a DC fails there is a 100% chance of having to seize at least one role vs. a 50% chance of having to seize all roles.
0
 

Assisted Solution

by:Henry_DunnIII
Henry_DunnIII earned 125 total points
ID: 33480953
General recommendations for FSMO roles:

Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.

As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.  There are two exceptions to this rule; 1. in a single domain forest or 2. when every DC (which in a single domain forest, this should be the case) is a global catalog.  

Last, at the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case.

With those general recommendations said, with your setup, as simple as it sounds, I would stick to placing them all on 1 server.  The effect of that one server dying would not be immediately detrimental.  There are things that you would not be able to do, but there would be nothing that would be debilitating.  As long as you seized the roles (which should be last ditch), you would be fine.  So my recommendation is to place them all on 1 server.
0
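
An added example, not part of the original answer: a PowerShell check that lists the current role holders and compares their placement with the recommendations in the answer above. It assumes the ActiveDirectory module (RSAT) is installed and that it is run in a single-domain forest or in the forest root domain, since only the current domain's DCs are inspected.

```powershell
# Added example: audits FSMO placement against the recommendations above.
# Assumption: ActiveDirectory module (RSAT) is available; only the current
# domain's DCs are inspected, so run it in the forest root or a single-domain forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# Current holders of the five roles, as FQDNs.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Name, Value -AutoSize

# True when the named DC is known in this domain and is a global catalog.
function Test-IsGC([string]$HostName) {
    [bool]($dcs | Where-Object { $_.HostName -eq $HostName -and $_.IsGlobalCatalog })
}

$findings = @()
if ($roles.PDCEmulator -ne $roles.RIDMaster) {
    $findings += 'RID master and PDC emulator are on different DCs.'
}
if ($roles.SchemaMaster -ne $roles.DomainNamingMaster) {
    $findings += 'Schema master and domain naming master are on different DCs.'
}
if (-not (Test-IsGC $roles.DomainNamingMaster)) {
    $findings += 'Domain naming master is not a global catalog.'
}

# Infrastructure master on a GC is acceptable only under the two exceptions:
# a single-domain forest, or every DC being a global catalog.
$singleDomain = @($forest.Domains).Count -eq 1
$allGC        = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ((Test-IsGC $roles.InfrastructureMaster) -and -not ($singleDomain -or $allGC)) {
    $findings += 'Infrastructure master is on a GC, and neither exception applies.'
}

# Each distinct holder is a DC whose loss would force at least one seizure.
$holders = @($roles.Values | Sort-Object -Unique)
"Roles are spread across $($holders.Count) DC(s): $($holders -join ', ')"
if ($findings) { $findings | ForEach-Object { "REVIEW: $_" } }
else { 'Placement matches the recommendations.' }
```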
 

Expert Comment

by:sighar
ID: 33480984
You need 1 Schema master and 1 Domain Naming master in each forest. Then you need 1 of the other three (PDC, RID, Infrastructure) in each domain. It doesn't matter where you place them really. I'd guess that your ADS00 is your first DC and then for some reason you've moved the Schema master role to another one. Normally, you'd have the main roles in a DC in Headquarters but if you only have one domain, it really doesn't matter.
0
 

Expert Comment

by:CGretski
ID: 33483534
PDC gets most load: deals with password changes, account lockouts, all AD changes by legacy/NT systems, etc.
So if your server is overloaded it might be worth moving that role.

If you have multiple sites I'd put it where most of the users are (or behind a quick WAN link).
0
 

Expert Comment

by:Glen Knight
ID: 34689894
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
