Friday, June 12, 2009

Changes to Active Directory FSMO Roles

I have started moving Active Directory FSMO roles from cvusd-do-dc1 to some of the newer servers, for 2 reasons:

  1. To separate the FSMO roles onto different servers
  2. cvusd-do-dc1 is getting quite old, and we can’t risk putting all our eggs in one basket.

In order to do this, some changes had to be made on existing domain controllers to accommodate some of the roles.

  • DO-DC1: removed it from being a Global Catalog (GC), so that I can place the Infrastructure Master role on it:
    • The DC that has the Infrastructure Master gets updates to its “stale data” from the GC, which, in turn, is continuously receiving updated data. If the Infrastructure Master resides on the same server as a GC, it will always think that it’s up to date, and will never perform any updates on the infrastructure. In the case of one domain, the Infrastructure Master does not matter, as it would have nothing to do. In the case where every domain controller is a Global Catalog, the Infrastructure Master also doesn’t have anything to do, as all DCs are always up to date due to their being a GC.
  • DO-DC1: Changed the Infrastructure Master role from cvusd-do-dc1 to do-dc1
  • CVUSD-DO-DC3: Moved PDC Emulator role from cvusd-do-dc1 to do-dc2. This is a role that advertises itself as a domain controller for operating systems and member objects that are older than Windows XP and Windows 2000. This will become less and less important as we upgrade more of our operating systems.
  • DO-DC2: Moved Relative ID (RID) Master from cvusd-do-dc1 to do-dc2. This role is responsible for assigning pools of SIDs to objects that join the domain. These pools are dispersed 512 at a time, and a new pool of 512 is created when the number of available SIDs is depleted down to 100.
  • DO-DC2: Moved the Domain Naming Master from cvusd-do-dc1. This role allows the joining of machines to the domain, and keeps track of object IDs across machines in the different domains. This should be on a DC that is a Global Catalog. It is also recommended that the Domain Naming Master and the Schema Master reside on the same server.
  • DO-DC2: Moved Schema Master Role from cvusd-do-dc2 to do-dc2. This role controls all updates and changes to the schema in the AD Infrastructure.
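
The placement rules from the list above (Infrastructure Master not on a GC, Domain Naming Master on a GC, Schema Master and Domain Naming Master together) can be checked after a move with a short script. This is an added example, not part of the original post; the function name `Test-FsmoPlacement`, the GC flags for cvusd-do-dc1 and do-dc2, and the domain count are assumptions made for illustration.

```powershell
# Added example (not from the original post): checks FSMO role placement
# against the three placement rules described in the list above.
function Test-FsmoPlacement {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [hashtable] $Roles,             # role name -> DC host name
        [Parameter(Mandatory)] [object[]]  $DomainControllers, # HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [int]       $DomainCount        # domains in the forest
    )
    $gc = @($DomainControllers | Where-Object { $_.IsGlobalCatalog } |
            ForEach-Object { $_.HostName })
    $allGc = ($gc.Count -eq $DomainControllers.Count)

    # Rule 1: the Infrastructure Master should not sit on a GC. Per the post,
    # this does not matter with a single domain or when every DC is a GC.
    if (($gc -contains $Roles.InfrastructureMaster) -and ($DomainCount -gt 1) -and -not $allGc) {
        "Infrastructure Master '$($Roles.InfrastructureMaster)' is also a Global Catalog"
    }
    # Rule 2: the Domain Naming Master should be on a GC.
    if ($gc -notcontains $Roles.DomainNamingMaster) {
        "Domain Naming Master '$($Roles.DomainNamingMaster)' is not a Global Catalog"
    }
    # Rule 3: Domain Naming Master and Schema Master should share a server.
    if ($Roles.DomainNamingMaster -ne $Roles.SchemaMaster) {
        "Schema Master and Domain Naming Master are on different servers"
    }
}

# Constructed inventory. Host names and role holders follow the post; the GC
# flags for cvusd-do-dc1 and do-dc2 and the domain count are assumed.
$dcs = @(
    [pscustomobject]@{ HostName = 'cvusd-do-dc1'; IsGlobalCatalog = $true  }
    [pscustomobject]@{ HostName = 'do-dc1';       IsGlobalCatalog = $false }
    [pscustomobject]@{ HostName = 'do-dc2';       IsGlobalCatalog = $true  }
)
$roles = @{
    InfrastructureMaster = 'do-dc1'
    PDCEmulator          = 'do-dc2'
    RIDMaster            = 'do-dc2'
    DomainNamingMaster   = 'do-dc2'
    SchemaMaster         = 'do-dc2'
}

$findings = @(Test-FsmoPlacement -Roles $roles -DomainControllers $dcs -DomainCount 2)
if ($findings.Count -eq 0) {
    'FSMO placement passes all three checks'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Against a live domain, the same inputs can be filled from `Get-ADForest`, `Get-ADDomain` and `Get-ADDomainController -Filter *` in the ActiveDirectory module, which report the role holders and the `IsGlobalCatalog` flag for each DC.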

References:
FSMO Role Placement Best Practices: http://support.microsoft.com/kb/223346

How to View and Transfer FSMO Roles:
http://support.microsoft.com/kb/324801

  • These changes were made on 06/12/2009 @ 10:15am
