How to place FSMO and Global Catalog roles in Active Directory


During installation of Active Directory on a Windows Server 2000/2003/2008 all FSMO roles will automatically be installed on the first server. But Best Practice dictates to move some of theese Flexible Single Master of Operation (FSMO) roles to seperate servers.

If you only have one domain controller (not recommended), there is nothing to do since all roles must be on this server, but if you have multiple servers you should move some of theese roles on to more servers. It is also important to be aware of what servers are Global Catalog servers, especially if you have more than one domain and even if only one domain, they will be prefered by applications like Exchange server.

It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server.

Recommended Best Practice setup of FSMO roles.

Domain Controller #1

Place the two forest roles on this server.

  • Schema Master
  • Domain Master

Domain Controller #2
Place the domain roles on this server.

  • RID Master
  • Infrastructure Master
  • PDC Emulator

If more domains exist in the forest, place the domain roles on a server in theese domains like Domain Controller #2

Global Catalog configuration.

In Windows 2008 Active Directory all Domain Controllers are by default Global Catalog servers, personally I would recommend using the same configuration in most Active Directory Setups, unless special needs and loads with multiple domains and quite a few Domain Controllers exist.

Remember do not place the Infrastructure Master FSMO role on a server with Global Catalog enabled, unless ALL Domain Controllers is Global Catalog enabled!

Global Catalog servers have information about their own domain and a subset of often used information from all domains in the forest. This allows a Global Catalog Domain Controller to give information about other domains in the forest much faster to the client. It also means the server will use more ressources (mostly memory) in a multiple domain configuration.

Tools to administrate FSMO roles.

FSMO roles can be administrated from a GUI in the Active Directory tools or from command line with the NTDSUTIL command. If a Domain Controller is down and unable to be restored, only NTDSUTIL can be used to Seize the role on to a new server.

Microsoft have a guide to doing this here: http://support.microsoft.com/kb/324801

Global Catalog settings can be administrated with the Active Directory Sites & Services GUI, by selecting Sites/SiteName/Servers/ServerName, right click NTDS Settings and select Properties, on the General Tab click to enable or disable Global Catalog.

Microsoft have a guide to doing this here: http://support.microsoft.com/kb/313994

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: