In the last post we discussed the final domain-level FSMO role, the PDC Emulator, so by now all five roles and their functions should be clear. In this part I cover the recommended placement of the FSMO roles.
How to find the current FSMO role holders? With a large number of domain controllers in the environment it is tedious to find the role holders by hand, but there is a simple built-in tool for this called "netdom". Run the following command to list the holders of all five FSMO roles:
netdom query fsmo
You can also do it with PowerShell (the ActiveDirectory module), but it takes two commands, because two of the roles are forest-wide and three are domain-wide. To get the forest-wide roles, run:
Get-ADForest yourdomain | Format-Table SchemaMaster,DomainNamingMaster
To get the domain-wide roles, run:
Get-ADDomain yourdomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster
As we know, in a single-domain forest the five roles can sit on as few as one and as many as five domain controllers (each additional domain adds its own three domain-wide role holders). Assigning all roles to a single DC is not a good idea: if that DC goes down you lose every role at once and have to seize all of them. We should always spread the roles across multiple DCs for redundancy. There are no hard and fast rules, but there are a few recommended ways to place them:
- Never place the Infrastructure Master on a Global Catalog server unless all of your domain controllers are Global Catalogs. A Global Catalog server is a domain controller that holds a full copy of its own domain and a partial copy (a subset of attributes) of every other domain in the forest. This overlaps with the IM role, because the Infrastructure Master is responsible for updating references to objects that live in other domains (for example a user from another domain in a local group). The IM detects stale references by comparing them with a GC; if the IM is itself a GC it always has the up-to-date data locally, never notices that a reference is stale, and never updates it, so the other (non-GC) DCs keep showing outdated cross-domain objects. If all of your DCs are GCs, there is nothing for the IM to update and the placement does not matter. The same applies in a single-domain forest, and in forests where the Active Directory Recycle Bin is enabled, because then every DC updates its own cross-domain references.
- Place the Schema Master and Domain Naming Master on the PDC Emulator of the forest root domain.
- Place the PDC Emulator on the best hardware available, as it is the most heavily used and most critical of all the FSMO roles.
- Place the RID Master on the same DC as the PDC Emulator of that domain.
- You can also place the Schema Master and Domain Naming Master together on a Global Catalog server in the forest root domain, which keeps management simple when raising the domain and forest functional levels.
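The following script is an added example and not part of the original post. It collects every FSMO role holder in the forest in one pass (the two-command query above, generalised to all domains) and then checks the Infrastructure Master rule from the list: it flags a domain whose IM sits on a Global Catalog while some DCs are not GCs and the Recycle Bin is off. It assumes the ActiveDirectory RSAT module is installed and that the caller can query every domain in the forest; the function names are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and the caller has read access to every domain.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # One object per role per domain: the forest-wide pair from Get-ADForest,
    # the domain-wide triple from Get-ADDomain for each domain in the forest.
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [PSCustomObject]@{ Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [PSCustomObject]@{ Domain = $domainName; Role = $role; Holder = $domain.$role }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Returns one object per domain describing whether the IM placement
    # violates the "IM must not be a GC unless all DCs are GCs" rule.
    [CmdletBinding()]
    param()

    # The Recycle Bin feature is forest-wide; when it is enabled every DC
    # maintains its own cross-domain references and the IM rule no longer matters.
    $recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBinEnabled = ($null -ne $recycleBin) -and ($recycleBin.EnabledScopes.Count -gt 0)

    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # -Server with a domain name lets the DC locator pick a DC of that domain.
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imIsGc = [bool]($im -and $im.IsGlobalCatalog)

        # Cross-domain references only exist in multi-domain forests.
        $multiDomain = $forest.Domains.Count -gt 1
        $violation   = $multiDomain -and $imIsGc -and -not $allGc -and -not $recycleBinEnabled

        [PSCustomObject]@{
            Domain                 = $domainName
            InfrastructureMaster   = $domain.InfrastructureMaster
            ImIsGlobalCatalog      = $imIsGc
            AllDcsAreGlobalCatalog = $allGc
            RecycleBinEnabled      = $recycleBinEnabled
            PlacementProblem       = $violation
        }
    }
}

# Usage: print all holders, then the placement check for each domain.
Get-FsmoRoleHolder | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

A PlacementProblem of True means a non-GC DC in that domain will keep stale references to objects from other domains until the IM is moved to a non-GC DC (or every DC is made a GC). The report also makes the other recommendations easy to eyeball: the Schema Master and Domain Naming Master rows should point at the forest root PDC Emulator, and each domain's RID Master should match its PDC Emulator.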
How to recover if a FSMO role holder is down? We can't just leave it, right? In that case we have to either transfer or seize the role to another working domain controller: a transfer needs the current holder online and cooperating, while a seize is the forced takeover used when the holder is permanently gone. There is an important difference between transferring and seizing the roles, which we will cover in the next post.