Tuesday, March 4, 2008

FSMO ROLES AND BEST PRACTICES

FSMO roles have always been one of the hottest subjects in pretty much any interview, and their function is crucial for any network administrator to understand. Before we even mention FSMO roles, let's ask a few questions and try to understand the concept and the need for FSMO roles (Operations Masters): the single-master replication model compared to the multi-master replication model. In the single-master replication model the Active Directory .DIT database is read/write only on the PDC (Primary Domain Controller). The BDC (Backup Domain Controller) holds only a read-only copy of the .DIT database (the Active Directory database).

Now, in the multi-master replication model, all domain controllers have a read/write copy of the .DIT database. A client can register its own records with any available DC/GC in the multi-master replication model, so obviously there is redundancy available to the clients (recall the concept of DNS and its integration with AD, Active Directory). The multi-master replication model is good. However, certain tasks still need to be handled by a specific DC, and therefore the Operations Masters (FSMO) were born.

The first DC in the forest, sometimes called the root DC, initially holds all of the FSMO roles.

Forest Wide

  • Domain Naming Master (abbreviated "DNS" in this post; not the DNS service)
  • Schema Master

Domain Wide

  • PDC Emulator
  • RID master
  • Infrastructure master

Now, if we have 12 domains, how many FSMO roles do we have (consider one forest)? The answer is 38 FSMO roles: 36 (three in each domain) + the two forest-wide roles.

Now we have the following DCs, and we will distribute the FSMO roles among them.

  • DC1.smtp25.org
  • DC2.smtp25.org
  • DC3.smtp25.org
  • DC4.smtp25.org
  • DC5.smtp25.org

FQDN Server       ROLE                               GC
-------------------------------------------------------------------
FOREST FSMO
DC1.smtp25.org    Schema Master                      GC
DC1.smtp25.org    DNS Master (Domain Naming Master)  GC

DOMAIN FSMO
DC2.smtp25.org    PDC Emulator                       offload the GC
DC2.smtp25.org    RID Master                         offload the GC
DC3.smtp25.org    Infrastructure Master

Forest roles: keep the Schema Master and Domain Naming Master on the same DC (easy administration). We could keep them separate as well; I don't see a reason for doing it. We will make sure the DC holding both roles is a Global Catalog server as well.

Domain roles: the PDC Emulator and RID Master are kept on the same domain controller. We need to offload the GC role from this domain controller (GCs are used heavily).

Note:

The Infrastructure Master role can be held by a domain controller that also hosts the Global Catalog in only two circumstances: when there is only one domain in your forest, or when every single domain controller in your forest also hosts the Global Catalog.
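As an added example (not code from the original post or its author), the following PowerShell script reads the current role holders through the ActiveDirectory module and checks them against the three placement rules given above: forest roles together on a GC, PDC Emulator with RID Master, and the Infrastructure Master off any GC unless one of the two exceptions in the note applies. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the forest and domain objects; no server names are hard-coded, so it runs against whatever forest the machine is joined to.

```powershell
# Added example: audit FSMO placement against the rules in the post.
# Assumes the ActiveDirectory (RSAT) module and read access to the forest.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Enumerate every DC in the forest once; we need this both to look up GC status
# of the role holders and to test the "every DC is a GC" exception.
$allDcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d
}
$allAreGc     = @($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$singleDomain = @($forest.Domains).Count -eq 1

function Get-DcByName([string]$HostName) {
    # Returns the DC object for a role holder's FQDN (or $null if not found).
    $allDcs | Where-Object { $_.HostName -eq $HostName }
}

# Rule 1 (forest): Schema Master and Domain Naming Master together, on a GC.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings += "Schema Master ($($forest.SchemaMaster)) and Domain Naming Master " +
                 "($($forest.DomainNamingMaster)) are on different DCs"
}
$schemaDc = Get-DcByName $forest.SchemaMaster
if (-not $schemaDc.IsGlobalCatalog) {
    $findings += "Schema Master $($forest.SchemaMaster) is not a Global Catalog"
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # Rule 2 (domain): PDC Emulator and RID Master on the same DC.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings += "${domainName}: PDC Emulator ($($domain.PDCEmulator)) and RID Master " +
                     "($($domain.RIDMaster)) are on different DCs"
    }

    # Rule 3 (domain): Infrastructure Master must not be a GC, unless the forest
    # has a single domain or every DC is a GC (the note above).
    $imDc = Get-DcByName $domain.InfrastructureMaster
    if ($imDc.IsGlobalCatalog -and -not ($singleDomain -or $allAreGc)) {
        $findings += "${domainName}: Infrastructure Master $($domain.InfrastructureMaster) " +
                     "is a Global Catalog in a multi-domain forest where not every DC is a GC"
    }
}

# Summary: 3 roles per domain + 2 forest roles (12 domains -> 38, as in the post).
$domainCount = @($forest.Domains).Count
$roleCount   = 3 * $domainCount + 2
"Forest $($forest.Name): $domainCount domain(s), $roleCount FSMO roles"
if ($findings.Count -eq 0) {
    "Placement matches the best practices."
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Run it from any domain-joined machine with RSAT; a clean environment prints only the summary line, while each deviation from the post's layout appears as a WARNING line so it can be fixed with a role transfer.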

Best,

Oz ozugurlu

Systems Engineer
MCITP (EMA), MCITP (SA),
MCSE 2003 M+ S+ MCDST
Security Project+ Server+
oz@SMTp25.org
http://smtp25.blogspot.com (Blog)

8 comments:

Sarita said...

I need to transfer roles at my company. If I understand correctly, you are saying to keep the PDC Emulator and RID Master together, but you can offload the Infrastructure Master to another DC.

Please advise.
Sarita.

Oz Ozugurlu said...

Yes.

1. Keep Schema master and Domain naming master on the same DC (easy administration). We could keep them separate as well; I don't see a reason for doing it.

2. PDC Emulator and RID Master are being kept on the same domain controller. We need to offload the GC role from this domain controller (GCs are being used heavily).

The rules are:

  • Forest root domain - Schema Master and Domain Naming Master on the same machine, which should also host the Global Catalog.
  • Every domain - PDC Emulator and RID Master on the same machine, which should have beefy hardware to handle the load.
  • Every domain - Never place the Infrastructure Master on a machine that hosts the Global Catalog, unless your forest has only one domain or unless every domain controller in your forest hosts the Global Catalog.

oz

Sarita said...

Can role transfer be done while in production?

Oz Ozugurlu said...

Yes, many people won't feel comfortable doing this, but it is pretty safe to do.

I have done it millions of times and never had a single issue.

Moving roles is pretty easy and safe in my opinion.

best
oz
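As an added example (not code from the post or its author), this PowerShell script performs the kind of in-production transfer discussed in the exchange above: it moves the roles into the layout from the post's table (DC1 forest roles, DC2 PDC Emulator and RID Master, DC3 Infrastructure Master), refuses to put the Infrastructure Master on a GC in a multi-domain forest, and reads the holders back afterwards. It uses Move-ADDirectoryServerOperationMasterRole from the ActiveDirectory module without -Force, so it is a transfer (the current holder must be online and reachable) rather than a seizure. The DC names are the post's placeholders and must be replaced with your own; the account needs the rights each role requires (Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, Domain Admins for the rest).

```powershell
# Added example: transfer FSMO roles to the layout in the post and verify.
# Assumes the ActiveDirectory module and that the current holders are online
# (no -Force, so this is a transfer, never a seizure).
Import-Module ActiveDirectory

# Target layout from the post's table (placeholder names; change for your environment).
$layout = @{
    'DC1.smtp25.org' = @('SchemaMaster', 'DomainNamingMaster')
    'DC2.smtp25.org' = @('PDCEmulator', 'RIDMaster')
    'DC3.smtp25.org' = @('InfrastructureMaster')
}

function Get-FsmoHolders {
    # Returns a hashtable role -> current holder for the forest and the current domain.
    $f = Get-ADForest
    $d = Get-ADDomain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$before      = Get-FsmoHolders
$multiDomain = @((Get-ADForest).Domains).Count -gt 1

foreach ($dc in $layout.Keys) {
    # Safety checks before touching anything: the target must exist and answer.
    $target = Get-ADDomainController -Identity $dc -ErrorAction Stop
    if (-not (Test-Connection -ComputerName $target.HostName -Count 1 -Quiet)) {
        throw "Target $dc is not reachable; aborting before any transfer"
    }

    # Only move roles that are not already on the intended DC.
    $toMove = @($layout[$dc] | Where-Object { $before[$_] -ne $target.HostName })

    # The post's caveat: no Infrastructure Master on a GC in a multi-domain forest.
    if ($multiDomain -and $target.IsGlobalCatalog -and ($toMove -contains 'InfrastructureMaster')) {
        Write-Warning "$dc is a Global Catalog; skipping InfrastructureMaster (multi-domain forest)"
        $toMove = @($toMove | Where-Object { $_ -ne 'InfrastructureMaster' })
    }

    if ($toMove.Count -gt 0) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target `
            -OperationMasterRole $toMove -Confirm:$false
    }
}

# Read the holders back so the change is confirmed from the directory, not assumed.
$after = Get-FsmoHolders
foreach ($role in $after.Keys | Sort-Object) {
    "{0,-22} {1} -> {2}" -f $role, $before[$role], $after[$role]
}
```

Because the transfer is done role by role against the live directory, a failure on one role (for example, an offline holder) stops the script before later roles are touched, and the before/after listing at the end shows exactly which roles moved.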

DoubleD said...

I have a single forest single domain set up with one PDC and one BDC. Can I run DHCP, DNS and all FSMO roles on the PDC?

Could you suggest something else?

Oz Ozugurlu said...

Are you still running NT 4.0 (since you mentioned BDC, PDC)? I hope you are not. I do understand budget constraints, but in my opinion NT 4.0 should not be the server OS for any decent network these days.
Can I run DHCP, DNS and all FSMO roles on the PDC? --- Sure, why not? Technically, there is no reason why you cannot achieve this. As I said earlier, if you place all your eggs into the same basket, and if the basket one day falls down and all the eggs get broken, you won't have much right to complain about it (-:
If your server which is the PDC is not being utilized because you have 10 users, and you have a backup every day, and if mice eat your server you can replace it with another one and restore everything from your most current backup, and the business has the time and tolerance to wait, I would not go for it; if not, you may want to think about the best way of taking the MS best practices and integrating them into your own existing environment in case something goes wrong.
Good luck
Oz

F0one said...

What would be best practice if we have only two domain controllers available? In most companies I have seen (small to medium), they usually have only 2 DCs.

I would do:

DC1 - Schema Master, Domain naming, Infrastructure Master, GC
DC2 - PDC, RID, GC

What do you think?

Oz Ozugurlu said...

That would be exactly my way of doing it, if I had 2 DCs to implement.
--oz