FSMO placement and optimization on Active Directory domain controllers

Active Directory domain controllers support multi-master updates for the replication of objects (such as user and computer accounts) in the Active Directory. In a multi-master model, objects and their properties can originate on any domain controller in the domain and become "authoritative" with replication.

This article describes the placement of Active Directory Flexible Single-Master (FSMO) roles in the domain and forest.

Certain domain and enterprise-wide operations not well suited to multi-master placement reside on a single domain controller in the domain or forest. The advantage of single-master operation is to prevent the introduction of conflicts while an operation master is offline, rather than introducing potential conflicts and having to resolve them later. Having a single-operation master means, however, that the FSMO role owner must be available when dependent activities in the domain or enterprise take place, or to make directory changes associated with that role.

The Active Directory Installation Wizard (Dcpromo.exe) defines five FSMO roles: schema master, domain master, RID master, PDC emulator, and infrastructure. The schema master and domain naming master are per-forest roles. The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.

A forest with one domain has five roles. Every additional domain in the forest adds three domain-wide roles. The number of FSMO roles in a forest and potential FSMO role owners can be determined using the formula ((Number of domains * 3)+2).

A forest with three domains (A.com, with child and grandchild domains of B.A.com and C.B.A.com) has eleven FSMO roles:

1 Schema master - forest-wide A.COM
1 Domain naming master - forest-wide A.COM
3 PDC emulators (A.com, B.A.com, and C.B.A.com)
3 RID masters (A.com, B.A.com, and C.B.A.com)
3 Infrastructure masters for each respective domain. (A.com, B.A.com, and C.B.A.com)

When you create the first Active Directory domain controller of a forest, Dcpromo.exe assigns all five roles to it. When you create the first Active Directory domain controller of a new domain in an existing forest, the system assigns all three domain roles to it. In a mixed mode domain containing Microsoft Windows NT 4.0 domain controllers, only the domain controllers that are running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server can hold any of the domain or forest wide FSMO roles.

FSMO availability and placement

Dcpromo.exe performs the initial placement of roles on domain controllers. This placement is often correct for directories with few domain controllers. In a directory with many domain controllers the default placement is unlikely to be the best match to your network.

On a per-domain basis, select local primary and standby FSMO domain controllers in case a failure occurs on the primary FSMO owner. Additionally, you may want to select off-site standby owners in the event of a site-specific disaster scenario. Consider the following in your selection criteria:

• If a domain has only one domain controller, that domain controller holds all the per-domain roles.
• If a domain has more than one domain controller, use Active Directory Sites and Services Manager to select direct replication partners with persistent, "well-connected" links.
• The standby server may be in the same site as the primary FSMO server for faster replication convergence consistency over a large group of computers, or in a remote site in the event of a site-specific disaster at the primary location.
• Where the standby domain controller is in a remote site, ensure that the connection is configured for continuous replication over a persistent link.

General recommendations for FSMO placement

• Place the RID and PDC emulator roles on the same domain controller. It is also easier to keep track of FSMO roles if you host them on fewer machines.
  
  If the load on the primary FSMO load justifies a move, place the RID and primary domain controller emulator roles on separate domain controllers in the same domain and active directory site that are direct replication partners of each other.
• As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:
  • Single domain forest:
    
    In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
  • Multidomain forest where every domain controller in a domain holds the global catalog:
    
    If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
• At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server. Certain operations that use the domain naming master, such as creating grand-child domains, will fail if this is not the case.
  
  In a forest at the Forest Functional Level Windows Server 2003, you do not have to place the domain naming master on a global catalog.

Most importantly, confirm that all FSMO roles are available using one of the management consoles (such as Dsa.msc or Ntdsutil.exe).

For more information, click the following article number to view the article in the Microsoft Knowledge Base: