In an Active Directory environment, some of your domain controllers (DCs) must be assigned certain special roles for your network to function properly. These special roles are called flexible single master operations (FSMO) roles, and DCs that hold such roles are called FSMO role holders. If you don't assign these roles properly, bad things can happen, so the focus of this article is on rules for proper placement of FSMO roles on AD-based networks. But before we proceed, please refer to my earlier blog post on FSMO roles.
Symptoms of FSMO Problems:
If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the list below describes, for each role, some of the symptoms that can occur when the role holder goes missing or doesn't work properly, together with the cause.
- PDC Emulator
  - Users can't log on - If system clocks become unsynchronized, Kerberos may fail.
  - Can't change passwords - Password changes need this role holder.
  - Account lockout not working - Account lockout enforcement needs this role holder.
  - Can't raise the functional level for a domain - This role holder must be available when raising the domain functional level.
- RID Master
  - Can't create new users or groups - The RID pool has been depleted and cannot be replenished.
- Infrastructure Master
  - Problems with universal group memberships - Cross-domain object references need this role holder.
- Domain Naming Master
  - Can't add or remove a domain - Changes to the namespace need this role holder.
  - Can't promote or demote a DC - Changes to the namespace need this role holder.
- Schema Master
  - Can't modify the schema - Changes to the schema need this role holder.
  - Can't raise the functional level for the forest - This role holder must be available when raising the forest functional level.
Rules for FSMO Role Placement
Since FSMO roles are crucial for the proper functioning of an AD-based network, it's a good idea to get them right from the planning stage of your deployment. By default, when you install the first DC of your forest root domain, this first DC holds all five FSMO roles. When you install the first DC of any other domain in your forest, that DC will hold all three domain FSMO roles (PDC Emulator, RID Master, and Infrastructure Master). Depending on the complexity of your network, you may need to move these roles to other DCs, following the rules below.
Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
Tip: Since the PDC Emulator is the role that does by far the most work of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC), since those are often heavily used as well.
Rule 2: The Infrastructure Master should not be placed on a GC.
Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest is a GC.
Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.
Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.
Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.
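The following script is an added example, not part of the original article, of the automated check that Rule 4 suggests. It uses the ActiveDirectory RSAT module (Get-ADForest, Get-ADDomain, Get-ADDomainController) to enumerate all five role holders across every domain in the forest, confirms each holder answers on the LDAP port, and warns when the placement violates Rule 1 (PDC Emulator and RID Master on different DCs) or Rule 2 (Infrastructure Master on a GC without either exception applying). Run it from a domain-joined machine with rights to query AD; the port number and the choice of Test-NetConnection as the reachability test are my assumptions, not something the article specifies.

```powershell
# Added example: audit FSMO role holders for availability and placement rules.
# Requires the ActiveDirectory module (RSAT). Read-only; it changes nothing in AD.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ })

# Collect every role holder as (Scope, Role, Holder) so one loop can test them all.
$roles = @(
    [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
)
foreach ($d in $domains) {
    $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
    $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = 'RIDMaster';            Holder = $d.RIDMaster }
    $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
}

# Rule 4: is each role holder actually answering on LDAP (TCP 389)?
# A DC that pings but refuses LDAP is just as unavailable to the role's clients,
# so the TCP test is a better signal than ICMP alone. (Port choice is an assumption.)
$report = foreach ($r in $roles) {
    $ldap = Test-NetConnection -ComputerName $r.Holder -Port 389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Scope  = $r.Scope
        Role   = $r.Role
        Holder = $r.Holder
        LdapUp = $ldap.TcpTestSucceeded
    }
}
$report | Format-Table -AutoSize
foreach ($row in $report | Where-Object { -not $_.LdapUp }) {
    Write-Warning "$($row.Scope): $($row.Role) holder $($row.Holder) is not reachable on LDAP."
}

# Rule 1: PDC Emulator and RID Master belong on the same DC.
foreach ($d in $domains) {
    if ($d.PDCEmulator -ne $d.RIDMaster) {
        Write-Warning "$($d.DNSRoot): PDC Emulator ($($d.PDCEmulator)) and RID Master ($($d.RIDMaster)) are on different DCs."
    }
}

# Rule 2: the Infrastructure Master should not be a GC, unless the forest has a
# single domain (Exception 1) or every DC in the forest is a GC (Exception 2).
$allDCs       = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d.DNSRoot }
$allAreGC     = -not ($allDCs | Where-Object { -not $_.IsGlobalCatalog })
$singleDomain = ($domains.Count -eq 1)
foreach ($d in $domains) {
    $im = Get-ADDomainController -Identity $d.InfrastructureMaster -Server $d.DNSRoot
    if ($im.IsGlobalCatalog -and -not $singleDomain -and -not $allAreGC) {
        Write-Warning "$($d.DNSRoot): Infrastructure Master $($d.InfrastructureMaster) is a GC in a multi-domain forest where not every DC is a GC (Rule 2)."
    }
}
```

Schedule it as a task or run it from your monitoring system; the warnings are the items to act on, and the table gives you a point-in-time record of who holds which role, which is also useful evidence when a role has been seized unexpectedly.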
Hope the above is informative.
Please feel free to contact me for any questions.