FSMO Placement questions


D

Dan

One of my customers has a Windows 2000 domain. Approx. 3500-4000 users
through 25 locations. Currently, the schema master sits on the root dc:

"dc1.ads.company.com"

The remaining FSMO roles sit on another dc:

"dc1.hq.ads.company.com"

*** There are about 15 DCs. All domain controllers are Global Cat. Servers
***

??We read KB223346 page 2. As long as all DCs hosts GCs is there a need to
move any of the FSMO roles from the dc - dc1.hq.ads.company.com??

??Whould there be any performance issues with keeping all the FSMO roles on
the same DC once all 4000 users are brought into the domain??

Other info...

Here is the report of where the FSMO roles sit:

Schema owner adsdedc01.ads.company.com

Domain role owner btsdedc01.hq.ads.company.com

PDC role btsdedc01.hq.ads.company.com

RID pool manager btsdedc01.hq.ads.company.com

Infrastructure owner btsdedc01.hq.ads.company.com

??Should we follow the information below or keep the FSMOs where they are
at??

W2K AD domain controllers split up the master operations roles. This is
usually transparent to most administrators. Active Directory will manage
which domain controller ( DC ) has which master operations role. The key is
normally. There are five master controller roles. By default, they are on
the first domain controller in the domain. For performance issues, you
probably want to split the roles apart. Microsoft recommends in kb article
Q223346 and my own study confirms:

Place the RID and PDC FSMO emulator roles on the same DC.
Place the infrastructure FSMO master on a non-global catalog server.
Place the domain naming FSMO master on a Global Catalog Server.


Security upgrade:

Microsoft recommends placing the schema master and domain naming master on
same server. From a performance perspective it makes some sense but not from
a security perspective. I would place the schema master role on a dedicated
DC and I would keep it shutdown except when schema changes need to be made.
 
Ad

Advertisements

U

Ulf B. Simon-Weidner

One of my customers has a Windows 2000 domain. Approx. 3500-4000 users
through 25 locations. Currently, the schema master sits on the root dc:

"dc1.ads.company.com"

The remaining FSMO roles sit on another dc:

"dc1.hq.ads.company.com"

*** There are about 15 DCs. All domain controllers are Global Cat. Servers
***

??We read KB223346 page 2. As long as all DCs hosts GCs is there a need to
move any of the FSMO roles from the dc - dc1.hq.ads.company.com??

??Whould there be any performance issues with keeping all the FSMO roles on
the same DC once all 4000 users are brought into the domain??

Other info...

Here is the report of where the FSMO roles sit:

Schema owner adsdedc01.ads.company.com

Domain role owner btsdedc01.hq.ads.company.com

PDC role btsdedc01.hq.ads.company.com

RID pool manager btsdedc01.hq.ads.company.com

Infrastructure owner btsdedc01.hq.ads.company.com

??Should we follow the information below or keep the FSMOs where they are
at??

W2K AD domain controllers split up the master operations roles. This is
usually transparent to most administrators. Active Directory will manage
which domain controller ( DC ) has which master operations role. The key is
normally. There are five master controller roles. By default, they are on
the first domain controller in the domain. For performance issues, you
probably want to split the roles apart. Microsoft recommends in kb article
Q223346 and my own study confirms:

Place the RID and PDC FSMO emulator roles on the same DC.
Place the infrastructure FSMO master on a non-global catalog server.
Place the domain naming FSMO master on a Global Catalog Server.


Security upgrade:

Microsoft recommends placing the schema master and domain naming master on
same server. From a performance perspective it makes some sense but not from
a security perspective. I would place the schema master role on a dedicated
DC and I would keep it shutdown except when schema changes need to be made.
Hi Dan,

I'd split up the FSMOs as described. You won't have any issues with the
infrastructure master as long as all DCs are also configured as GC.

For your securtiy upgrade: You need to control membership in the schema
administrator group. Its recommended to have no one in there except for times
when upgrading the schema is necessary.
I would not recommend having the schema master offline for two reasons:
1. replication of AD is necessary, and if you have a server offline for more
than 60 days you can reinstall it but you're not supposed to bring it back
online.
2. If you don't control group membership of the administrative groups, and/or
don't trust members of those - fire them.
For example a enterprise admin would be able to seize the Schema Master role on
another DC - so you didn't gain anything by having it offline.
There are a few people in the company you have to trust, and to avoid errors
remove the members of the schema admin group.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

FSMO Placement 2
FSMO Placement 1
Transfer FSMO to another DC 3
seizing FSMO roles 10
Placement of FSMO Roles 2
FSMO Placement 1
FSMO question 3
Issues with transfering FSMO roles? 3

Top