Saturday, 25 April 2015

Flexible Single Master Operation (FSMO) Role Placement

This article does not explain what the FSMO roles do; it only covers where they should be located.

In Windows Server Active Directory, there are 5 FSMO roles, which can be hosted on any Domain Controller. Each role sits on just one DC. Theoretically you can have all five roles on one DC, or one role on each of five DCs; however, neither of these scenarios is considered best practice.

In small organisations, where cost is an issue, it is common to find only a single domain controller. There is nothing wrong with this, except from a redundancy point of view. If the DC fails, there is no standby DC to take over, so all domain tasks stop (possibly even the ability to log on, depending on how security is configured) until the DC is recovered from a backup. Note: In this scenario, it is imperative that the DC is backed up.

Microsoft Best Practice is to split the roles as follows:

Forest Wide Roles:
Schema Master
Domain Naming Master

Domain Wide Roles:
Relative ID (RID) Master
PDC Emulator
Infrastructure Master*

The PDC emulator and the RID master should be on the same DC, if possible.
The Schema Master and Domain Naming Master should also be on the same DC.

*Infrastructure Master

The Infrastructure Master (IM) role is an interesting one, since depending on the complexity of the set-up, it may not be needed at all. General guidance (for legacy NT 4.0 related reasons) is to place the IM role on a non-global catalog server.  However, there are two things to consider before choosing the location of this role:

  1. Single Domain Forest:
    If a Forest has a single Active Directory domain, there are no phantoms.  As such, the Infrastructure Master has nothing to do, and can therefore be placed on any DC, regardless of whether or not it hosts the Global Catalog.

  2. Multi-Domain Forest:
    a) If a Forest has multiple domains, but EVERY DC hosts the Global Catalog, there are no phantoms, and again the Infrastructure Master has nothing to do.

    b) If a Forest has multiple domains, and only SOME of the DCs host the Global Catalog, then the Infrastructure Master MUST reside on a DC that does NOT host the Global Catalog.


In my experience, the vast majority of set-ups fall into category 1 or 2a, and therefore the Infrastructure Master can sit wherever you want.
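
To work out which of the three cases above applies to a given set-up, the decision can be written as a small PowerShell function. This is an added example, not code from the original article: the function name, host names and sample inventory are hypothetical, and it assumes the DC list passed in covers the domain whose Infrastructure Master is being checked.

```powershell
# Added example: classifies Infrastructure Master (IM) placement into the
# article's cases 1, 2a and 2b. Function name and sample hosts are hypothetical.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)][int]$DomainCount,             # domains in the forest
        [Parameter(Mandatory)][object[]]$DomainControllers,  # objects with HostName, IsGlobalCatalog
        [Parameter(Mandatory)][string]$InfrastructureMaster  # host name of the IM role holder
    )

    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) {
        throw "IM holder '$InfrastructureMaster' is not in the supplied DC list."
    }
    # DCs that do NOT host the Global Catalog; an empty list means every DC is a GC.
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    if ($DomainCount -le 1) {
        $case = '1';  $ok = $true
        $why  = 'Single-domain forest: no phantoms, IM can sit on any DC.'
    } elseif ($nonGc.Count -eq 0) {
        $case = '2a'; $ok = $true
        $why  = 'Multi-domain forest, every DC is a GC: no phantoms, IM can sit on any DC.'
    } elseif ($holder.IsGlobalCatalog) {
        $case = '2b'; $ok = $false
        $why  = 'IM is on a GC; move it to one of: ' + ($nonGc.HostName -join ', ')
    } else {
        $case = '2b'; $ok = $true
        $why  = 'IM is on a DC that does not host the GC.'
    }

    [pscustomobject]@{
        Case = $case; Compliant = $ok
        InfrastructureMaster = $InfrastructureMaster; Reason = $why
    }
}

# Constructed sample inventory: two-domain forest, only some DCs host the GC.
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.corp.example'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'dc2.corp.example'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -DomainCount 2 -DomainControllers $dcs -InfrastructureMaster 'dc1.corp.example'
Test-InfrastructureMasterPlacement -DomainCount 2 -DomainControllers $dcs -InfrastructureMaster 'dc2.corp.example'

# On a live domain the inputs can come from the ActiveDirectory module:
#   (Get-ADForest).Domains.Count, Get-ADDomainController -Filter *,
#   (Get-ADDomain).InfrastructureMaster
```

With the sample inventory, the first call reports case 2b as non-compliant and names dc2.corp.example as the target, and the second reports case 2b as compliant.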

If you are not sure which DC each of the 5 FSMO roles currently resides on, run the following command on any Domain Controller:

    netdom query fsmo
