FSMO placement and optimization on Active Directory domain controllers (223346)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q223346
SUMMARY
Active Directory domain controllers support multi-master
updates for the replication of objects (such as user and computer accounts) in
the Active Directory. In a multi-master model, objects and their properties can
originate on any domain controller in the domain and become "authoritative"
with replication.
This article describes the placement of Active Directory Flexible
Single-Master Operation (FSMO) roles in the domain and forest.
MORE INFORMATION
Certain domain and enterprise-wide operations not well
suited to multi-master placement reside on a single domain controller in the
domain or forest. The advantage of single-master operation is to prevent the
introduction of conflicts while an operation master is offline, rather than
introducing potential conflicts and having to resolve them later. Having a
single-operation master means, however, that the FSMO role owner must be
available when dependent activities in the domain or enterprise take place, or
to make directory changes associated with that role.

The Active Directory Installation Wizard (Dcpromo.exe) defines five FSMO
roles: schema master, domain naming master, RID master, PDC emulator, and
infrastructure master. The schema master and domain naming master
are per-forest roles. The remaining three, RID master, PDC emulator, and
infrastructure master, are per-domain roles.

A forest with one domain has five roles. Every additional domain in the
forest adds three domain-wide roles. The number of FSMO roles in a forest and
potential FSMO role owners can be determined using the formula
((Number of domains * 3)+2).

A forest with three domains (A.com, with child and grandchild
domains of B.A.com and C.B.A.com) has eleven FSMO roles:
- 1 Schema master - forest-wide A.COM
- 1 Domain naming master - forest-wide A.COM
- 3 PDC emulators (A.com, B.A.com, and C.B.A.com)
- 3 RID masters (A.com, B.A.com, and C.B.A.com)
- 3 Infrastructure masters for each respective domain (A.com, B.A.com, and
C.B.A.com)

When you create the first Active Directory domain controller of a forest,
Dcpromo.exe assigns all five roles to it. When you create the first Active
Directory domain controller of a new domain in an existing forest, the system
assigns all three domain roles to it.

In a mixed mode domain containing Microsoft Windows NT 4.0 domain
controllers, only the domain controllers that are running Microsoft Windows
Server 2003 or Microsoft Windows 2000 Server can hold any of the
domain or forest wide FSMO roles.

FSMO availability and placement
Dcpromo.exe performs the initial placement of roles on domain
controllers. This placement is often correct for directories with few domain
controllers. In a directory with many domain controllers the default placement
is unlikely to be the best match to your network.

On a per-domain
basis, select local primary and standby FSMO domain controllers in case a
failure occurs on the primary FSMO owner. Additionally, you may want to select
off-site standby owners in the event of a site-specific disaster scenario.
Consider the following in your selection criteria:
- If a domain has only one domain controller, that domain
controller holds all the per-domain roles.
- If a domain has more than one domain controller, use Active
Directory Sites and Services Manager to select direct replication partners with
persistent, "well-connected" links.
- The standby server may be in the same site as the primary
FSMO server for faster replication convergence consistency over a large group
of computers, or in a remote site in the event of a site-specific disaster at
the primary location.
- Where the standby domain controller is in a remote site,
ensure that the connection is configured for continuous replication over a
persistent link.
General recommendations for FSMO placement
- Place the RID and PDC emulator roles on the same domain
controller. Good communication from the PDC to the RID master is desirable as
downlevel clients and applications target the PDC, making it a large consumer
of RIDs. It is also easier to keep track of FSMO roles if you cluster them on
fewer machines.
If the load on the primary FSMO owner justifies a
move, place the RID and primary domain controller emulator roles on separate domain
controllers in the same domain and Active Directory site that are direct
replication partners of each other.
- As a general rule, the infrastructure master should be
located on a nonglobal catalog server that has a direct connection object to
some global catalog in the forest, preferably in the same Active Directory
site. Because the global catalog server holds a partial replica of every object
in the forest, the infrastructure master, if placed on a global catalog server,
will never update anything, because it does not contain any references to
objects that it does not hold. Two exceptions to the "do not place the
infrastructure master on a global catalog server" rule are:
  - Single domain forest:
    In a forest that contains a single Active Directory domain, there are no
    phantoms, and so the infrastructure master has no work to do. The
    infrastructure master may be placed on any domain controller in the
    domain, regardless of whether that domain controller hosts the global
    catalog or not.
  - Multidomain forest where every domain controller in a domain holds the
    global catalog:
    If every domain controller in a domain that is part of a multidomain
    forest also hosts the global catalog, there are no phantoms or work for
    the infrastructure master to do. The infrastructure master may be put on
    any domain controller in that domain.
- At the forest level, the schema master and domain naming
master roles should be placed on the same domain controller as they are rarely
used and should be tightly controlled. Additionally, the domain naming master
FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case.
Most importantly, confirm that all FSMO roles are available
using one of the management consoles (such as Dsa.msc or Ntdsutil.exe).
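
The placement rules above can be checked mechanically against a role inventory. The following Python code is an added example, not part of the original article or of any Microsoft tool; the FOREST inventory, its host names, and the function names are constructed for illustration.

```python
# Added example: checks a forest inventory against this article's placement rules.
# FOREST is constructed sample data (host -> True if the DC is a global catalog).
FOREST = {
    "schema_master": "dc1.a.com",
    "domain_naming_master": "dc1.a.com",
    "domains": {
        "a.com": {"dcs": {"dc1.a.com": True, "dc2.a.com": False},
                  "pdc": "dc1.a.com", "rid": "dc1.a.com",
                  "infrastructure": "dc1.a.com"},
        "b.a.com": {"dcs": {"dc1.b.a.com": True, "dc2.b.a.com": True},
                    "pdc": "dc1.b.a.com", "rid": "dc1.b.a.com",
                    "infrastructure": "dc2.b.a.com"},
        "c.b.a.com": {"dcs": {"dc1.c.b.a.com": True, "dc2.c.b.a.com": False},
                      "pdc": "dc1.c.b.a.com", "rid": "dc2.c.b.a.com",
                      "infrastructure": "dc2.c.b.a.com"},
    },
}

def expected_role_count(forest):
    """(Number of domains * 3) + 2, the formula given in the article."""
    return len(forest["domains"]) * 3 + 2

def audit(forest):
    """Return (scope, finding) tuples; an empty list means no rule was tripped."""
    findings = []
    domains = forest["domains"]
    gcs = {h for d in domains.values() for h, is_gc in d["dcs"].items() if is_gc}
    if forest["schema_master"] != forest["domain_naming_master"]:
        findings.append(("forest", "schema and domain naming masters are on different DCs"))
    if forest["domain_naming_master"] not in gcs:
        findings.append(("forest", "domain naming master is not a global catalog"))
    for name, d in domains.items():
        for role in ("pdc", "rid", "infrastructure"):
            if d[role] not in d["dcs"]:
                findings.append((name, role + " owner is not a DC of this domain"))
        if d["pdc"] != d["rid"]:
            # Allowed when load justifies it, but the two DCs must then be
            # direct replication partners in the same site: flag for review.
            findings.append((name, "RID master and PDC emulator are split"))
        # Exceptions: single-domain forest, or every DC in the domain is a GC.
        exempt = len(domains) == 1 or all(d["dcs"].values())
        if not exempt and d["dcs"].get(d["infrastructure"], False):
            findings.append((name, "infrastructure master is on a global catalog"))
    return findings

if __name__ == "__main__":
    print(expected_role_count(FOREST), "FSMO roles expected")
    for scope, finding in audit(FOREST):
        print(scope + ": " + finding)
```

A split RID/PDC finding is a prompt to confirm the two owners are direct replication partners in one site, not necessarily a misconfiguration.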
REFERENCES
For more information, see the following article in the Microsoft Knowledge Base:
281662 Windows 2000 and Windows Server 2003 cluster nodes as domain controllers
Modification Type: Minor | Last Reviewed: 4/11/2005
Keywords: kbenv kbinfo KB223346