Getting details of FSMO role placement and general recommendations for FSMO placement

When the Active Directory Installation Wizard (Dcpromo.exe) creates the first domain in a new forest, it places all five FSMO roles on that first domain controller, so a forest with one domain has five roles. For each additional domain in the forest, the wizard adds the three domain-wide roles on that domain's first domain controller. In addition, an infrastructure master role exists for each application partition, including the default domain-wide and forest-wide DNS application partitions that Windows Server 2003 and later domain controllers create.

Run the following command from a command prompt on a domain controller (or on a machine with the AD DS tools installed) to list the current holder of every role for a domain; replace <parent domain name> with the DNS name of the domain you are interested in:

netdom query /domain:<parent domain name> fsmo

The operations masters, their scope, and their function and availability requirements:

Schema Master (scope: Enterprise)
  •   Used to introduce manual and programmatic schema updates, including those added by Windows ADPREP /FORESTPREP, by Microsoft Exchange, and by other applications that use Active Directory Domain Services (AD DS).
  •   Must be online when schema updates are performed.

Domain Naming Master (scope: Enterprise)
  •   Used to add and remove domains and application partitions to and from the forest.
  •   Must be online when domains or application partitions are added to or removed from the forest.

PDC Emulator (scope: Domain)
  •   Receives password updates when passwords are changed for computer and user accounts on replica domain controllers.
  •   Consulted by replica domain controllers that service authentication requests with mismatched passwords.
  •   Default target domain controller for Group Policy updates.
  •   Target domain controller for legacy applications that perform writable operations and for some admin tools.
  •   Must be online and accessible 24 hours a day, seven days a week.

RID Master (scope: Domain)
  •   Allocates active and standby RID pools to replica domain controllers in the same domain.
  •   Must be online for newly promoted domain controllers to obtain the local RID pool they need before they can advertise, and when existing domain controllers have to update their current or standby RID pool allocation.

Infrastructure Master (scope: Domain, and each application partition)
  •   Updates cross-domain references and phantoms from the global catalog.
  •   A separate infrastructure master exists for each application partition, including the default forest-wide and domain-wide DNS application partitions created by Windows Server 2003 and later domain controllers.
  •   The Windows Server 2008 R2 ADPREP /RODCPREP command targets the infrastructure master role for the default DNS application partition in the forest root domain.

General recommendations for FSMO placement

  1. Place the schema master on the PDC emulator of the forest root domain.
  2. Place the domain naming master on the forest root PDC emulator.
  3. Place the PDC emulator on your best hardware in a reliable hub site that contains replica domain controllers in the same Active Directory site and domain.
  4. Place the RID master on the PDC emulator of the same domain.

Following these four rules puts four of the five roles on the forest root PDC emulator, which makes that one server the most sensitive domain controller in the forest: keep it patched, backed up and administratively isolated accordingly.

Legacy guidance says to place the infrastructure master on a domain controller that is not a global catalog. The reason is that the infrastructure master cleans up phantom (cross-domain) references by comparing them with the global catalog; if it is itself a global catalog it never sees a stale phantom and does nothing. There are two rules to consider:

  1. Single-domain forest:
    In a forest that contains a single Active Directory domain there are no cross-domain references to maintain, so the infrastructure master may be placed on any domain controller in the domain, whether or not that domain controller hosts the global catalog.
  2. Multi-domain forest:
    If every domain controller in the domain hosts the global catalog, the infrastructure master has no work to do and may be placed on any of them. If not every domain controller in the domain hosts the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.
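The netdom command above only lists the holders; the checks in this section are still done by eye. The following PowerShell script is an added example (not part of the original post) that reads the role holders with the ActiveDirectory module and reports every deviation from the four placement rules and the infrastructure master rule, including the multi-domain case where not every domain controller is a global catalog. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the forest; every hostname it prints comes from the directory, nothing is hard-coded.

```powershell
# Added example: audit FSMO placement against the recommendations on this page.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined account that can
# read the forest. No role is moved; the function only reports findings.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same information as "netdom query fsmo", but for every domain in the forest
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{
            Domain               = $domain.DNSRoot
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
    }
}

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $rootPdc  = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    $findings = @()

    # Rules 1 and 2: the forest-wide roles belong on the forest root PDC emulator
    if ($forest.SchemaMaster -ne $rootPdc) {
        $findings += "Schema master is on $($forest.SchemaMaster), not on forest root PDC emulator $rootPdc"
    }
    if ($forest.DomainNamingMaster -ne $rootPdc) {
        $findings += "Domain naming master is on $($forest.DomainNamingMaster), not on forest root PDC emulator $rootPdc"
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # Rule 4: RID master on the same domain's PDC emulator
        if ($domain.RIDMaster -ne $domain.PDCEmulator) {
            $findings += "${domainName}: RID master ($($domain.RIDMaster)) is not on the PDC emulator ($($domain.PDCEmulator))"
        }

        # Infrastructure master rule: only matters in a multi-domain forest in which
        # at least one DC of this domain is NOT a global catalog
        $everyDcIsGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $imHolder    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        if ($forest.Domains.Count -gt 1 -and -not $everyDcIsGc -and $imHolder.IsGlobalCatalog) {
            $findings += "${domainName}: infrastructure master $($domain.InfrastructureMaster) is a global catalog while other DCs in the domain are not; phantom cleanup will never run"
        }

        # Availability: every domain-wide role holder must currently answer LDAP
        foreach ($holder in @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) | Select-Object -Unique) {
            try   { $null = Get-ADDomain -Server $holder -ErrorAction Stop }
            catch { $findings += "${domainName}: role holder $holder does not answer LDAP ($($_.Exception.Message))" }
        }
    }
    # Comma keeps an empty array from collapsing to $null on return
    return ,$findings
}

Get-FsmoHolders | Format-List
$result = @(Test-FsmoPlacement)
if ($result.Count -eq 0) { 'FSMO placement matches the recommendations' } else { $result }
```

The LDAP probe at the end is deliberate: a ping only proves the host is up, while Get-ADDomain -Server proves that the directory service on the role holder is actually answering, which is what the other domain controllers need from it.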

Where these roles are configured in Windows Server 2008

  1. The domain-wide roles (PDC emulator, RID master and infrastructure master) are viewed and transferred in Active Directory Users and Computers: right-click the domain and select Operations Masters.
  2. The forest-wide domain naming master is viewed and transferred in Active Directory Domains and Trusts: right-click the root node and select Operations Master. The dialog shows the current holder and lets you change it.
  3. The forest-wide schema master is not reachable from any installed tool by default, because editing the schema can cause serious problems in an Active Directory environment. To get at it, register the schema management DLL from an elevated command prompt with regsvr32 schmmgmt.dll, then add the Active Directory Schema snap-in to a new MMC console, right-click the snap-in and select Operations Master.

Seizing of Roles

Seize a role only when the current role holder has failed permanently and cannot be repaired. If it is still reachable, transfer the role instead (with the Operations Master dialogs above, or with the transfer command in ntdsutil), because a transfer lets the old holder hand over cleanly. A domain controller whose role has been seized must never be returned to the network as it was: rebuild it, and remove its leftover metadata from the directory, or you risk two servers each believing they hold the role (duplicate RID pools, conflicting schema changes). This is how a seizure is done:

Go to a command prompt and type ntdsutil

  1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
  2. At the fsmo maintenance: prompt, type connections to enter server connections.
  3. At the server connections: prompt, type connect to server <domain controller>, where
    <domain controller> is the name of the domain controller that will take over the role.
  4. At the server connections: prompt, type quit to return to fsmo maintenance.
  5. At the fsmo maintenance: prompt, type seize <name of the role>, where the role is one of schema master, naming master (domain naming master on Windows Server 2003), PDC, RID master or infrastructure master. ntdsutil first attempts a transfer and only seizes when the current holder does not respond.

After you have seized the role, type quit to exit ntdsutil, then confirm the new holder with netdom query fsmo.
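The same operation in PowerShell, as an added example that is not from the original post. It wraps Move-ADDirectoryServerOperationMasterRole (the ActiveDirectory module cmdlet that transfers a role, or seizes it when called with -Force) and enforces the caveat above: it checks whether the current holder still answers LDAP, transfers if it does, seizes only if it does not, and then reads the role back from the directory instead of trusting the cmdlet's silence. It assumes the RSAT ActiveDirectory module and an account with the rights the role requires (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest); the target DC name passed in is hypothetical.

```powershell
# Added example: move one FSMO role to $TargetDC, transferring when the current
# holder is alive and seizing (-Force) only when it is not.
# Assumes the ActiveDirectory (RSAT) module and an account holding the admin
# rights the role requires. $TargetDC is a hypothetical name supplied by the caller.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string]$Role
    )

    # Find the current holder of the role from the target DC's own domain/forest
    $target  = Get-ADDomainController -Identity $TargetDC
    $forest  = Get-ADForest
    $domain  = Get-ADDomain -Identity $target.Domain
    $current = switch ($Role) {
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'PDCEmulator'          { $domain.PDCEmulator }
        'RIDMaster'            { $domain.RIDMaster }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
    }
    if ($current -eq $target.HostName) {
        return "$Role is already held by $($target.HostName)"
    }

    # Is the directory service on the current holder still answering? A ping is not
    # enough: the host can be up while AD DS on it is dead, and vice versa.
    try   { $null = Get-ADDomain -Server $current -ErrorAction Stop; $holderAlive = $true }
    catch { $holderAlive = $false }

    if ($holderAlive) {
        # Clean hand-over: both DCs agree and the old holder stops servicing the role
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
        $action = 'transferred'
    } else {
        # Seize: the old holder is not consulted. It must be rebuilt, never simply
        # powered back on, or two DCs will claim the role.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
        $action = 'seized'
    }

    # Verify from the directory, not from the cmdlet returning without error
    $rolesNow = (Get-ADDomainController -Identity $TargetDC -Server $TargetDC).OperationMasterRoles
    if ($rolesNow -contains $Role) {
        return "$Role $action from $current to $($target.HostName)"
    }
    throw "$Role was not moved to $($target.HostName); directory still reports $current"
}

# Usage (hypothetical DC name): move the PDC emulator to DC2 after DC1 has died
Move-FsmoRoleSafely -TargetDC 'DC2' -Role 'PDCEmulator'
```

The same seizure without the safety checks can be scripted with ntdsutil in one line, for example `ntdsutil "roles" "connections" "connect to server DC2" "quit" "seize PDC" "quit" "quit"`, which runs the five interactive steps above in order; the PowerShell version is preferable only because it refuses to seize a role whose holder is still alive.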


About Jayachandran PK
My passion is for Microsoft technologies and how, if properly implemented, they can provide actual value for an organization, especially in the field of infrastructure, virtualization and system monitoring. I work for the biggest Microsoft partner in Kuwait, specialized in project consultation and implementation services for enterprise clients. When I'm not at work, I try to contribute back through a charitable organization dedicated to promoting the cultural values of Kerala. In my free time, I dabble in gardening and am also an avid solar power aficionado.
