From LedHed's Wiki

Overview

FSMO (Flexible Single Master Operations) roles are critical components of Active Directory.
Each role is held by exactly one Domain Controller at any given time.
This makes them a 'Single Point of Failure' in many administrators' eyes.

So the question often arises: "Where should we place the FSMO roles?"
The answers vary from admin to admin.

In my experience there are only two feasible answers to this question.

  1. Place all the FSMO roles on a single DC. (Single Forest/Domain)
  2. Place the Schema Master and Domain Naming Master roles on one DC, and the remaining roles on another. (Single Forest/Multi Domain)


All your eggs in one basket

This approach makes sense in most environments. You may be asking yourself, "Why wouldn't you want to distribute these critical roles?"
The answer is simple: it creates unnecessary complexity. FSMO roles are critical, but they can be seized in the event of a catastrophe, so losing the role holder is recoverable. Two caveats: transfer the roles gracefully whenever the current holder is still reachable and seize only when it will never return, and after seizing the Schema Master, Domain Naming Master or RID Master, never bring the old holder back online as a DC; clean up its metadata and rebuild it instead.
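The "can be seized in a catastrophe" point is the whole justification for consolidating, so the procedure is worth showing. The following PowerShell is an added example, not something from the original wiki page: it transfers all five roles to one DC the normal way, then shows a seize wrapper that refuses to run while the current holder still answers, which is the mistake that actually causes damage. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later), that it is run by an Enterprise Admin from the forest root domain, and the DC name DC02; all of those are assumptions, not values from the page.

```powershell
# Added example (not from the original wiki page). Assumed: ActiveDirectory
# module, run from the forest root domain, target DC named DC02.
Import-Module ActiveDirectory

$Target = 'DC02'
$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Normal case: the current holder is online and hands the role over.
# This is the only path to use while the old holder is still reachable.
function Move-FsmoGracefully {
    param([string]$Target, [string[]]$Roles)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
}

# Ask the DC about itself over LDAP; a dead DC cannot answer this.
function Test-DcAlive {
    param([string]$HostName)
    try {
        $null = Get-ADDomainController -Identity $HostName -Server $HostName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Catastrophe case: the holder is permanently gone. -Force makes the cmdlet
# seize the role when a transfer is impossible. Seizing a role the old holder
# still thinks it owns is what creates two masters, so refuse while it answers.
function Invoke-FsmoSeize {
    param([string]$Target, [string[]]$Roles)

    $forest = Get-ADForest
    $domain = Get-ADDomain   # the domain you are logged into; forest roles come from Get-ADForest
    $holders = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $Roles) {
        $holder = $holders[$role]
        if (Test-DcAlive -HostName $holder) {
            throw "$role holder $holder is still reachable; transfer it instead of seizing."
        }
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force -Confirm:$false
    Write-Warning "Roles seized. The old holder(s) must not return to the network as a DC; remove their metadata (ntdsutil 'metadata cleanup' or Remove-ADDomainController) before rebuilding."
}

# Usage: move everything to DC02 while the old holder is up ...
Move-FsmoGracefully -Target $Target -Roles $AllRoles
# ... or, after a real loss of the holder, seize only the roles that DC held:
# Invoke-FsmoSeize -Target $Target -Roles 'PDCEmulator', 'RIDMaster'
```

The alive check is deliberately an LDAP call rather than a ping: a DC that is up but unable to answer LDAP is still a DC that must be cleaned up before you seize, and a firewall dropping ICMP should not make a healthy holder look dead.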


Split between 2 Domain Controllers

This approach can make sense in larger environments where you have multiple domains within your forest. For example, if you have a catastrophic failure of a FSMO role holder, you only have to seize a small portion of the roles. I consider this a valid reason, but not a very practical one, as the time saved is probably measured in seconds.

Another example is load distribution. The PDC Emulator is probably the most CPU-intensive role (it receives forwarded password changes and failed-logon checks from every other DC, is the time source for the domain, and is the default DC that Group Policy editing targets), so the argument could be made that placing it on its own DC improves performance.

Keep in mind that each domain has its own RID Master, PDC Emulator and Infrastructure Master, while the Schema Master and Domain Naming Master exist only once per forest. So if you have multiple domains in your forest, you will have more than one PDC Emulator, Infrastructure Master and RID Master. These domain roles are automatically placed on the first DC promoted in each domain, so distribution of these roles is more or less handled for you.

Example:

Forest root domain:   Humans
Child domain:         Males
Child domain:         Females

Humans FSMO:    SM, DNM, IM, RID, PDC
Males FSMO:              IM, RID, PDC
Females FSMO:            IM, RID, PDC

(SM = Schema Master, DNM = Domain Naming Master, IM = Infrastructure Master, RID = RID Master, PDC = PDC Emulator.)

What about ...

Some of you may be thinking, "What if you have more than 5 DCs? Why not place a role on each DC, so that if you lose one, you only ever have to transfer one role?"
While I like the logic in this approach, it really isn't that simple. Microsoft recommends keeping the Schema Master and Domain Naming Master together on a DC in the forest root domain (in practice the forest root PDC Emulator), and keeping the RID Master on the same DC as the PDC Emulator (KB 223346). In a Single Forest/Domain environment that already puts 4 of your 5 roles on the same DC.

In a Single Forest/Domain the Infrastructure Master has little to do because there are no phantoms (references to objects in other domains), so it may as well sit on the same DC as the rest of the FSMO roles. The usual warning that the Infrastructure Master must not be a Global Catalog only applies in a multi-domain forest where not every DC is a GC; in a single-domain forest the DC holding the role can safely be a GC as well.

Also note that Microsoft recommends starting with a single forest and a single domain and adding domains only when there is a requirement for them, so if you're going for best practices, you may as well go with the "All your eggs in one basket" approach.
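To make the placement rules concrete for both the multi-domain example above (one set of domain roles per domain, two forest roles in the root) and the Microsoft recommendations in this section, here is an added PowerShell audit. It is not from the original wiki page: it lists every role holder in the forest and flags the three placements KB 223346 warns about (Schema Master and Domain Naming Master apart, RID Master and PDC Emulator apart, Infrastructure Master on a GC in a multi-domain forest where not every DC is a GC). It assumes the ActiveDirectory module and an account that can read every domain in the forest; the role-holder names come from your own forest.

```powershell
# Added example (not from the original wiki page). Assumed: ActiveDirectory module,
# an account able to read every domain in the forest.
Import-Module ActiveDirectory

# One row per role: forest roles appear once (with the root domain),
# domain roles appear once per domain.
function Get-FsmoPlacement {
    $forest = Get-ADForest
    $rows = @()
    foreach ($dom in $forest.Domains) {
        $d = Get-ADDomain -Identity $dom
        if ($dom -eq $forest.RootDomain) {
            $rows += [pscustomobject]@{ Domain = $dom; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
            $rows += [pscustomobject]@{ Domain = $dom; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
        }
        $rows += [pscustomobject]@{ Domain = $dom; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $rows += [pscustomobject]@{ Domain = $dom; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $rows += [pscustomobject]@{ Domain = $dom; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
    return $rows
}

# Check the rows against the KB 223346 placement rules; returns one string per finding.
function Test-FsmoPlacement {
    param([object[]]$Placement)
    $forest   = Get-ADForest
    $root     = $forest.RootDomain
    $byRole   = @{}
    foreach ($r in $Placement) { $byRole["$($r.Domain)/$($r.Role)"] = $r.Holder }
    $findings = @()

    # Rule 1: Schema Master and Domain Naming Master on the same DC.
    if ($byRole["$root/SchemaMaster"] -ne $byRole["$root/DomainNamingMaster"]) {
        $findings += "Schema Master and Domain Naming Master are on different DCs."
    }

    foreach ($dom in $forest.Domains) {
        # Rule 2: RID Master on the same DC as the PDC Emulator.
        if ($byRole["$dom/RIDMaster"] -ne $byRole["$dom/PDCEmulator"]) {
            $findings += "${dom}: RID Master and PDC Emulator are on different DCs."
        }
        # Rule 3: Infrastructure Master must not be a GC unless every DC in the
        # domain is a GC. Irrelevant in a single-domain forest (no phantoms).
        if ($forest.Domains.Count -gt 1) {
            $im    = Get-ADDomainController -Identity $byRole["$dom/InfrastructureMaster"] -Server $dom
            $dcs   = Get-ADDomainController -Filter * -Server $dom
            $nonGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
            if ($im.IsGlobalCatalog -and $nonGC.Count -gt 0) {
                $findings += "${dom}: Infrastructure Master $($im.HostName) is a GC while $($nonGC.Count) DC(s) are not; cross-domain references will not be updated."
            }
        }
    }
    return $findings
}

$placement = Get-FsmoPlacement
$placement | Format-Table -AutoSize
$issues = Test-FsmoPlacement -Placement $placement
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'FSMO placement matches the KB 223346 guidance.' }
```

For a quick look without the checks, `netdom query fsmo` prints the five holders for the domain you are logged into; the script above is for seeing the whole forest at once and catching the Infrastructure Master on a GC, which is the one placement mistake that silently breaks things rather than failing loudly.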


References

http://support.microsoft.com/kb/223346

http://blogs.technet.com/b/bpuhl/archive/2005/12/07/415761.aspx