FSMO Placement and Optimization on Windows 2000 Domain Controllers

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

SUMMARY

Windows 2000 domain controllers support multi-master updates for the replication of objects (such as user and computer accounts) in the Active Directory. In a multi-master model, objects and their properties can originate on any domain controller in the domain and become "authoritative" with replication.

This article describes the placement of Active Directory Flexible Single-Master (FSMO) roles in the domain and forest.

MORE INFORMATION

Certain domain and enterprise-wide operations not well suited to multi-master placement reside on a single domain controller in the domain or forest. The advantage of single-master operation is to prevent the introduction of conflicts while an operation master is offline, rather than introducing potential conflicts and having to resolve them later. Having a single-operation master means, however, that the FSMO role owner must be available when dependent activities in the domain or enterprise take place, or to make directory changes associated with that role.

The Active Directory defines five FSMO roles: schema master, domain master, RID master, PDC emulator, and infrastructure. The schema master and domain naming master are per-forest roles. The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.

A forest with one domain has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3)+2).

A domain with three domains (A.com, with child and grandchild domains of B.A.com and C.B.A.com) has eleven FSMO roles:

1 Schema master - forest-wide A.COM
1 Domain naming master - forest-wide A.COM
3 PDC emulators (A.com, B.A.com, and C.B.A.com)
3 RID masters (A.com, B.A.com, and C.B.A.com)
3 Infrastructure masters for each respective domain. (A.com, B.A.com, and C.B.A.com)

When you create the first Windows 2000 domain controller (DC) of a forest, the system assigns all five roles to it. When you create the first Windows 2000 DC of a new domain in an existing forest, the system assigns all three domain roles to it. Only Windows 2000 DCs in a mixed-mode domain that contains both Windows NT 4.0 and Windows 2000 domain controllers can hold FSMO roles.

FSMO Availability and Placement

• If a domain has only one domain controller, that DC holds all the per-domain roles.



• If a domain has more than one domain controller, use Active Directory Sites and Services Manager to select direct replication partners with persistent, "well-connected" links.



• The standby server may be in the same site as the primary FSMO server for faster replication convergence consistency over a large group of computers, or in a remote site in the event of a site-specific disaster at the primary location.



• Where the standby DC is in a remote site, ensure that the connection is configured for continuous replication over a persistent link.

General Recommendations for FSMO Placement

• Place the RID and PDC emulator roles on the same primary FSMO DC. If the load on the primary FSMO load justifies a move, place the RID and PDC emulator roles on separate primary DCs that have direct connection objects to the standby RID and RDC emulator.



• The infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.



• At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled.

Additional query words: kbfaqw2kds

Keywords : kbenv ntdomain
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo