FSMO Roles

FSMO placement and optimization on Active Directory domain controllers

Last Updated: May 6, 2023
0 237

FSMO placement and optimization on Active Directory domain controllers

Certain domain and enterprise-wide operations that are not well suited to multi-master updates must be performed on a single domain controller in the domain or in the forest.

The purpose of having a single-master owner is to define a well-known target for critical operations and to prevent the introduction of conflicts or latency that could be created by multi-master updates. Having a single-operation master means that the relevant FSMO role owner must be online, discoverable, and available on the network by computers that have to perform FSMO-dependent operations.

When the Active Directory Installation Wizard (Dcpromo.exe) creates the first domain in a new forest, the wizard adds five FSMO roles. A forest with one domain has five roles.

The Active Directory Installation Wizard adds three domain-wide roles on the first domain controller in each additional domain in the forest. Additionally, infrastructure master roles exist for each application partition. This includes the default domain and the forest-wide DNS application partitions that are created on Windows Server 2003-and-later domain controllers.

The operations masters and their scope are shown in the following table.

FSMO Role Scope Function and availability requirements
Schema Master Enterprise
  • Used to introduce manual and programmatic schema updates, and this includes those updates that are added by Windows ADPREP /FORESTPREP, by Microsoft Exchange, and by other applications that use Active Directory Domain Services (AD DS).
  • Must be online when schema updates are performed.
Domain Naming Master Enterprise
  • Used to add and to remove domains and application partitions to and from the forest.
  • Must be online when domains and application partitions in a forest are added or removed.
Primary Domain Controller Domain
  • Receives password updates when passwords are changed for the computer and for user accounts that are on replica domain controllers.
  • Consulted by replica domain controllers that service authentication requests that have mismatched passwords.
  • Default target domain controller for Group Policy updates.
  • Target domain controller for legacy applications that perform writable operations and for some admin tools.
  • Must be online and accessible 24 hours a day, seven days a week.
RID Domain
  • Allocates active and standby RID pools to replica domain controllers in the same domain.
  • Must be online for newly promoted domain controllers to obtain a local RID pool that is required to advertise or when existing domain controllers have to update their current or standby RID pool allocation.
Infrastructure Master Domain Application partition
  • Updates cross-domain references and phantoms from the global catalog. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    248047 Phantoms, tombstones and the infrastructure master
  • A separate infrastructure master is created for each application partition including the default forest-wide and domain-wide application partitions created by Windows Server 2003 and later domain controllers.The Windows Server 2008 R2 ADPREP /RODCPREP command targets the infrastructure master role for default DNS application in the forest root domain. The DN path for this role holder is CN=Infrastructure,DC=DomainDnsZones,DC=<forest root domain>,DC=<top level domain> and CN=Infrastructure,DC=ForestDnsZones,DC=<forest root domain>,DC=<top level domain>.

FSMO availability and placement

The Active Directory Installation Wizard performs the initial placement of roles on domain controllers. This placement is frequently correct for directories that have just a few domain controllers. In a directory that has many domain controllers, the default placement may not be the best match for your network. Consider the following in your selection criteria:

  • It’s easier to keep track of FSMO roles if you host them on fewer computers.
  • Place roles on domain controllers that are can be accessed by the computers that need access to a given role, especially on networks that are not fully routed. For example, to obtain a current or standby RID pool, or perform pass-through authentication, all DCs need network access to the RID and PDC role holders in their respective domains.
  • If a role has to be moved to a different domain controller, and the current role holder is online and available, you should transfer (not seize) the role to the new domain controller. FSMO roles should only be seized if the current role holder is not available. For more information, go to the following Microsoft website:
    http://technet.microsoft.com/en-us/library/cc816945(WS.10).aspx
  • FSMO roles that are assigned to domain controllers that are offline or in an error state only have to be transferred or seized if role-dependent operations are being performed. If the role holder can be made operational before the role is needed, you may delay seizing the role. If role availability is critical, transfer or seize the role as required. The PDC role in each domain should online at all times.
  • Select a direct intrasite replication partner for existing role holders to act as a standby role holder. If the primary owner goes offline or fails, transfer or seize the role to the designated standby FSMO domain controller as required.

General recommendations for FSMO placement

  • Place the schema master on the PDC of the forest root domain.
  • Place the domain naming master on the forest root PDC.The addition or removal of domains should be a tightly controlled operation. Place this role on the forest root PDC. Certain operations that use the domain naming master, such as creating or removing domains and application partitions, fail if the domain naming master is not available. On a domain controller that runs Microsoft Windows 2000, the domain naming master must also be hosted on a global catalog server. On domain controllers that run Windows Server 2003 or later versions, the domain naming master does not have to be a global catalog server.
  • Place the PDC on your best hardware in a reliable hub site that contains replica domain controllers in the same Active Directory site and domain.In large or busy environments, the PDC frequently has the highest CPU utilization because it handles pass-thru authentication and password updates. If high CPU utilization becomes a problem, identify the source, and this includes applications or computers that may be performing too many operations (transitively) targeting the PDC. Techniques to reduce CPU include the following:
    • Adding more or faster CPUs
    • Adding additional replicas
    • Adding additional memory to cache Active Directory objects
    • Removing the global catalog to avoid global catalog lookups
    • Reducing the number of incoming and outgoing replication partners
    • Increasing the replication schedule
    • Reducing authentication visibility by using LDAPSRVWEIGHT and LDAPPRIORITY, and by using the Randomize1CList feature that’s described in 231305.
    All domain controllers in a particular domain, and computers that run applications and admin tools that target the PDC, must have network connectivity to the domain PDC.
  • Place the RID master on the domain PDC in the same domain.RID master overhead is light, especially in mature domains that have already created the bulk of their users, computers, and groups. The domain PDC typically receives the most attention from administrators. Therefore, co-locating this role on the PDC helps ensure reliable availability. Make sure that existing domain controllers and newly promoted domain controllers, especially those promoted in remote or staging sites, have network connectivity to obtain active and standby RID pools from the RID master.
  • Legacy guidance suggests placing the infrastructure master on a non-global catalog server. There are two rules to consider:
    • Single domain forest:In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
    • Multi domain forest:If every domain controller in a domain that is part of a multi domain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.
    • If every domain controller in a given domain that is located in a multi domain forest does not host the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.

So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Recommended contents

RODC Installation Guide- Step by step guide to install read only domain controller

RODC Filtered Attribute Set

Installing and configuring a RODC in Windows Server-2012

How to find the GUID of Domain Controller

Group Policy Understanding Group Policy Preferences

Group Policy Verification Tool GPOTool Exe

Group Policy Health Check on Specific Domain Controller

What is Netlogon Folder in Active Directory

How to Create Custom Attributes in Active Directory

How Can I Check the Tombstone Lifetime of My Active Directory Forest

How to Determine a Computers AD Site From the Command Line

How to Check the Active Directory Database Integrity

How to Check the Active Directory Database Integrity

Disabling and Enabling the Outbound Replication

DFS Replication Service Stopped Replication

What is Strict Replication Consistency

The replication operation failed because of a schema mismatch between the servers involved

Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers

How to export replication information in txt file

Repadmin Replsummary

Enabling the outbound replication

Disabling and enabling replication on schema master domain controller

How to enable strict replication consistency

How to prevent lingering objects replication in active directory

AD replication process overview

How to force active directory replication

Change notification in replication process

How to check replication partner for a specific domain controller

dcdiag test replications

Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .

You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

Was this article helpful?
YesNo
Tags
Last Updated: May 6, 2023
0 237
Photo of Vipan Kumar

Vipan Kumar

He is an Active Directory Engineer. He has been working in IT industry for more than 10 years. He is dedicated and enthusiastic information technology expert who always ready to resolve any technical problem. If you guys need any further help on subject matters, feel free to contact us on admin@windowstechno.com Please subscribe our Facebook page as well website for latest article. https://www.facebook.com/windowstechno

Leave a Reply

Back to top button