Step B4: Determine Operations Master Role Placement

Published: February 25, 2008

The next step is to decide the placement of the operations master roles (also known as FSMOs) for the forest and each domain. Although each domain controller within Active Directory can authenticate accounts and write to the directory database, some functions are dedicated to a single domain controller. FSMO roles exist on designated domain controllers and control specific functions of the domain and forest.

There are three FSMO roles for each domain:

  • PDC emulator operations master. This role processes all replication requests from Windows NT 4.0 backup domain controllers (BDCs) and processes all password updates for clients that are not running Active Directory client software. This is also the default domain controller used for updating Group Policy.
  • Relative ID (RID) operations master. This role allocates RIDs to all domain controllers in order to ensure that all security principals have a unique security ID (SID).
  • Infrastructure operations master. This role maintains a list of the security principals from other domains that have membership in groups within the operations master’s domain.

There are also two operations master roles for each forest:

  • Schema operations master. This role allows changes to the schema.
  • Domain naming operations master. This role is responsible for additions and removal of domains, sites, and domain-based DFS configurations to and from the forest.

As a general guideline, keep the operations master roles on as few domain controllers as possible to simplify tracking the role locations. If the load on the operations master justifies a move, place the RID and PDC emulator roles on separate domain controllers in the same site. The two domain controllers should be direct replication partners.

In general, the infrastructure master should never be placed on a global catalog server. If an infrastructure master is placed on a global catalog server, it will not correctly identify outdated security principals from other domains. The exception is in domains in which all domain controllers are global catalog servers or in a single-domain forest. In these cases, the infrastructure master has all the information it needs.

The schema and domain naming masters are rarely used and should be tightly controlled; keep them together on the same domain controller that hosts the global catalog. Certain operations, such as creating grand-child domains, use the domain naming master and will fail if the role is not on a global catalog server.

Place these domain controllers in a location that has the most users for that domain and that has a highly reliable network. Operations master role placement can be modified easily.

All FSMO roles should be placed on domain controllers that are readily available to all other domain controllers in the environment. Domain controllers that are unable to communicate with the domain controllers hosting the FSMOs can experience failures.

Task 1: FSMO Placement

In a single-domain forest, leave the five roles on a single server. There is no benefit to separating the roles.

In the forest root domain of multi-domain forests, leave all the operations master roles on the same domain controller, provided that all domain controllers in the forest root domain are also global catalog servers. There is no benefit to separating the roles.

If some of the forest root domain controllers are not configured as global catalog servers, then move the infrastructure master role to a domain controller that is not a global catalog server and ensure that the server is never configured as such. The infrastructure master role should not reside on a global catalog server unless all domain controllers in the domain are global catalog servers.

In all other domains, the three domain-specific operations master roles can reside on the first domain controller for that domain. Do not place the infrastructure master role on a domain controller that is also a global catalog server.
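One way to check an existing forest against the placement rules in this task, as an added example that is not part of the IPD guide. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can query every domain in the forest.

```powershell
# Added example, not from the IPD guide: audit current FSMO placement against the
# rules above (assumes the ActiveDirectory module and read access to all domains).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Forest roles: schema master and domain naming master should share one DC,
# and that DC should be a global catalog server.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings += "Schema master ($($forest.SchemaMaster)) and domain naming master ($($forest.DomainNamingMaster)) are on different DCs."
}
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if (-not $dnm.IsGlobalCatalog) {
    $findings += "Domain naming master $($forest.DomainNamingMaster) is not a global catalog server."
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $infra  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    # Infrastructure master on a GC is acceptable only when every DC in the domain
    # is a GC, or when the forest contains a single domain.
    if ($infra.IsGlobalCatalog -and -not $allGc -and $forest.Domains.Count -gt 1) {
        $findings += "${domainName}: infrastructure master $($domain.InfrastructureMaster) is a GC while other DCs are not; move the role to a non-GC DC."
    }

    # If PDC emulator and RID master were split for load, they should stay in one site.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $pdc = $dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }
        $rid = $dcs | Where-Object { $_.HostName -eq $domain.RIDMaster }
        if ($pdc.Site -ne $rid.Site) {
            $findings += "${domainName}: PDC emulator (site $($pdc.Site)) and RID master (site $($rid.Site)) are in different sites."
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "FSMO placement matches the placement rules in this task." }
```

Run it from a domain-joined management workstation; each warning names the domain and role that deviates from the rule, so it can be re-run after roles are transferred to confirm the result.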

Decision Summary

FSMOs should be placed strategically to ensure the complete and proper functioning of all directory services, from both an authentication and a management standpoint. FSMO server placement must be decided for five roles in the root domain and three roles for all other domains in the forest. This process must be completed for every forest.

Tasks and Considerations

For each operations master role, designate a standby domain controller that can host the role. The standby should be a direct replication partner of the actual role holder so that it can assume the role if the role holder fails; the new role holder will then have the most up-to-date information regarding Active Directory.

Additional Reading

“FSMO placement and optimization on Active Directory domain controllers” at https://support.microsoft.com/kb/223346

“Windows 2000 Active Directory FSMO roles” at https://support.microsoft.com/kb/197132

“How to view and transfer FSMO roles in Windows Server 2003” at https://support.microsoft.com/kb/324801

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.