Flexible single master operation
Roles should be assigned to ensure the best recoverability and operation of your Domain Controllers. Some of the questions that should be asked when you are determining the FSMO roles and the Global Catalogue (GC) placement are:

1. How many Domain Controllers are in your environment? If there is only one DC in your environment (not recommended), then all the roles will be on the same server, and I would recommend that there be no more than 20 users. If you have more than 20 users you should have at least two DCs. Two domain controllers are recommended for environments of up to 200 users. It is important not to have the Domain Naming Master on the same server as the RID Master or the PDC Master: the Domain Naming Master must be live to promote or create a new DC, so if that server stopped working it would be difficult to create a new DC to replace the failed one. The PDC (Primary Domain Controller) Master and RID (Relative Identifier) Master are the roles whose loss has the biggest initial impact on the environment, for both users and Systems Administrators.

2. Which server or servers are global catalog servers? All domain controllers can be global catalogs. When every domain controller is a global catalog, the replication workload increases, but the impact is minimal and AD performance improves. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

3. Do you have a single or multiple domain forest? In a single domain forest I would recommend that we leave all the FSMO roles on the first domain controller in the forest and make all of the domain controllers global catalog servers. In a multiple domain forest I would use the following guidelines. In the forest root domain: if all domain controllers are also global catalog servers, I would leave all of the FSMO roles on the first DC in the forest; if the domain controllers are not all global catalog servers, I would move all of the FSMO roles to a domain controller that is not a global catalog server. In each child domain, I would leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server unless the child domain contains only one DC.

4. Do you have any sites in remote regions? Sites with slow connections will hinder the effectiveness of replication.

5. Where are you going to place the domain controllers that have these roles installed on them? I need to know this because the domain controllers hosting these operations master roles must be placed where network reliability is high, and the PDC emulator and the RID master must be consistently available.

Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles, schema master and domain naming master, are assigned to the first domain controller created in a forest, and the three domain-level roles, RID master, infrastructure master, and PDC emulator, are assigned to the first domain controller created in a domain.

Forest-Wide Operations Master Roles
Every forest must have the following roles: schema master and domain naming master. The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data. These roles must be unique in the forest, which means that in the entire forest there can be only one schema master and one domain naming master. The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. The domain controller holding the domain naming master role controls the addition or removal of domains in the forest.

Domain-wide operations master roles

Every domain in the forest must have the following roles: relative ID (RID) master, primary domain controller (PDC) emulator master, and infrastructure master. These roles must be unique in each domain, which means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.

The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

The PDC emulator master processes password changes from client computers and replicates these updates to all domain controllers throughout the domain. At any time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
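The RID master paragraph above describes two things that are easy to conflate: a SID is a domain SID plus a RID, and RIDs stay unique across a domain only because a single RID master hands each DC its own block of them. The following is an added example, not code from the essay or from Windows: a toy allocator that models that behaviour with a constructed domain SID, a constructed first RID of 1000, and a small pool size so the refill is visible (Windows itself issues pools of 500 RIDs).

```python
"""Domain SID + RID, and why a single RID master keeps RIDs unique.

Added example with constructed values; the RidMaster/DomainController classes
are a model of the behaviour described in the text, not Windows code.
"""


def split_sid(sid):
    """Split an account SID such as 'S-1-5-21-a-b-c-RID' into (domain_sid, rid).

    Layout: 'S', revision 1, identifier authority, sub-authorities; the last
    sub-authority is the RID, everything before it is the domain SID.
    """
    parts = sid.split("-")
    if (len(parts) < 4 or parts[0] != "S" or parts[1] != "1"
            or not all(p.isdigit() for p in parts[1:])):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


class RidMaster:
    """The one RID master of a domain: hands out disjoint blocks of RIDs."""

    def __init__(self, domain_sid, first_rid=1000, pool_size=500):
        self.domain_sid = domain_sid
        self._next = first_rid      # lowest RID not yet given to any DC
        self.pool_size = pool_size

    def allocate_pool(self):
        """Return an inclusive [low, high] block; the DC advances low as it uses RIDs."""
        low = self._next
        self._next += self.pool_size
        return [low, low + self.pool_size - 1]


class DomainController:
    """A DC mints SIDs from its local pool and asks the RID master for a new one when empty."""

    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.pool = None

    def create_principal(self):
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = self.master.allocate_pool()
        rid = self.pool[0]
        self.pool[0] += 1
        return f"{self.master.domain_sid}-{rid}"


def simulate(objects_per_dc=3, pool_size=2):
    """Two DCs create objects in alternation; returns every SID issued, in order."""
    # Constructed domain SID; real ones have the same S-1-5-21-<3 sub-authorities> shape.
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333", pool_size=pool_size)
    dcs = [DomainController("DC1", master), DomainController("DC2", master)]
    sids = []
    for _ in range(objects_per_dc):
        for dc in dcs:
            sids.append(dc.create_principal())
    return sids


def all_unique_in_domain(sids):
    """True when every SID shares one domain SID and no RID is issued twice."""
    parsed = [split_sid(s) for s in sids]
    domain_sids = {d for d, _ in parsed}
    rids = [r for _, r in parsed]
    return len(domain_sids) == 1 and len(set(rids)) == len(rids)


if __name__ == "__main__":
    for sid in simulate():
        print(sid, "->", split_sid(sid))
```

Running it shows DC1 consuming RIDs 1000 and 1001 while DC2 consumes 1002 and 1003, then each DC fetching a fresh block; the pools never overlap because only the RID master advances the counter, which is why losing that role holder eventually stops object creation once the DCs' local pools run dry.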
The PDC emulator role is used in the following ways. To provide a consistent password experience for users across sites, the PDC emulator is used as a reference DC to double-check incorrect passwords, and it receives new password changes; when the PDC is reachable, users can use a new password immediately and consistently across the environment. It is also the point of contact for applications hard-coded to the PDC. It can also be used as the default time server for all other DCs in the domain; the time server configuration of a PDC requires manual consideration and should be reviewed when you change the owner of the PDC role.
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain. The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group’s domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
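The placement guidelines in questions 1 to 3 above, together with the infrastructure master's dependence on comparing itself against a global catalog, can be turned into a repeatable check on a proposed layout before roles are moved. The following is an added example, not code from the essay or from Microsoft: the forest is modelled by hand with placeholder server and domain names rather than read from Active Directory, and the infrastructure master check uses the general rule that it only misbehaves on a global catalog when the domain also has DCs that are not global catalogs.

```python
"""Check a proposed FSMO and global catalog layout against the placement
guidelines given above.

Added example, not from the original essay: the forest model is constructed
here rather than read from Active Directory; DC and domain names are placeholders.
"""
from dataclasses import dataclass


@dataclass
class DomainController:
    name: str
    domain: str     # DNS name of the domain this DC belongs to
    is_gc: bool     # True when the DC is also a global catalog server


@dataclass
class Domain:
    name: str
    is_forest_root: bool
    pdc_emulator: str
    rid_master: str
    infrastructure_master: str
    users: int      # constructed headcount, used for the DC-count guideline


@dataclass
class Forest:
    schema_master: str
    domain_naming_master: str
    domains: list
    dcs: list


def check_placement(forest):
    """Return a list of (code, detail) findings; an empty list means the layout follows the guidelines."""
    findings = []
    dcs_in = {}
    for dc in forest.dcs:
        dcs_in.setdefault(dc.domain, []).append(dc)
    gc_names = {dc.name for dc in forest.dcs if dc.is_gc}

    for d in forest.domains:
        dcs = dcs_in.get(d.name, [])
        local = {dc.name for dc in dcs}
        all_gc = bool(dcs) and all(dc.is_gc for dc in dcs)
        domain_roles = {"PDC emulator": d.pdc_emulator,
                        "RID master": d.rid_master,
                        "infrastructure master": d.infrastructure_master}

        # Question 1: DC count against user count (one DC up to 20 users, two up to 200)
        if len(dcs) == 1 and d.users > 20:
            findings.append(("SINGLE_DC", f"{d.name}: one DC serving {d.users} users; add a second DC"))
        elif len(dcs) == 2 and d.users > 200:
            findings.append(("TWO_DC", f"{d.name}: two DCs serving {d.users} users; add another DC"))

        # Question 1: domain naming master must not share a server with the RID master or PDC emulator
        for role in ("RID master", "PDC emulator"):
            if forest.domain_naming_master == domain_roles[role]:
                findings.append(("DNM_COLOCATED",
                                 f"{d.name}: domain naming master and {role} both on {domain_roles[role]}"))

        if d.is_forest_root and not all_gc:
            # Question 3, forest root: with a mix of GC and non-GC DCs, roles belong on a non-GC
            forest_roles = {"schema master": forest.schema_master,
                            "domain naming master": forest.domain_naming_master}
            for role, holder in {**domain_roles, **forest_roles}.items():
                if holder in local and holder in gc_names:
                    findings.append(("ROOT_ROLE_ON_GC", f"{d.name}: {role} on global catalog {holder}"))
        elif not d.is_forest_root and not all_gc and d.infrastructure_master in gc_names:
            # Question 3, child domain: an infrastructure master on a GC never sees stale
            # references to update, so it is only safe when every DC in the domain is a GC
            findings.append(("IM_ON_GC",
                             f"{d.name}: infrastructure master on global catalog {d.infrastructure_master}"))
    return findings


def example_forest():
    """Constructed two-domain forest containing two placement mistakes."""
    return Forest(
        schema_master="DC1", domain_naming_master="DC2",
        domains=[Domain("corp.example", True, "DC1", "DC1", "DC2", users=150),
                 Domain("sales.corp.example", False, "DC3", "DC3", "DC3", users=40)],
        dcs=[DomainController("DC1", "corp.example", is_gc=True),
             DomainController("DC2", "corp.example", is_gc=False),
             DomainController("DC3", "sales.corp.example", is_gc=True),
             DomainController("DC4", "sales.corp.example", is_gc=False)])


if __name__ == "__main__":
    for code, detail in check_placement(example_forest()):
        print(f"{code:16} {detail}")
```

On the constructed forest the check reports the root domain's schema master, RID master and PDC emulator sitting on a global catalog while DC2 is not one, and the child domain's infrastructure master sharing DC3 with a global catalog. Moving the root roles onto DC2 removes those findings but immediately raises DNM_COLOCATED, which is the trade-off the first guideline warns about: the domain naming master needs its own server once the root domain mixes GC and non-GC DCs.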