Published on Windows DevCenter (http://www.windowsdevcenter.com/)


Windows Server Hacks

Best Practices for Assigning FSMO Roles

by Mitch Tulloch, author of Windows Server 2003 in a Nutshell and Windows Server Hacks
06/15/2004

In an Active Directory environment, some of your domain controllers (DCs) must be assigned certain special roles for your network to function properly. These special roles are called flexible single master operations (FSMO) roles, and DCs that hold such roles are called FSMO role holders. If you don't assign these roles properly, bad things can happen, so the focus of this article is on rules for proper placement of FSMO roles on AD-based networks. But before we summarize the rules, let's briefly review what the different roles are and the consequences when a role fails or isn't placed properly.

FSMO Roles

Each domain in an AD-based network has three FSMO roles that must be assigned to domain controllers within the domain:

PDC Emulator
RID Master
Infrastructure Master

The forest root domain also has two additional FSMO roles that must be assigned to domain controllers in that domain:

Schema Master
Domain Naming Master

There are a number of ways you can determine which DCs are FSMO role holders on your network, but the simplest is to install the Support Tools from the \Support\Tools folder on your product CD and type netdom query fsmo at a command prompt:

Figure: Command Prompt window showing the output of netdom query fsmo

From the results above we can see that in this example the Infrastructure Master for the testtwo.local domain is held by TEST230 while all other roles are held by TEST220. Other ways of determining FSMO role holders are outlined in KB 234790. The Script Center on Microsoft TechNet has a handy script for this purpose, too.

Symptoms of FSMO Problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don't work properly.

| Symptom | Possible Role Involved | Reason |
| --- | --- | --- |
| Users can't log on. | PDC Emulator | If system clocks become unsynchronized, Kerberos may fail. |
| Can't change passwords. | PDC Emulator | Password changes need this role holder. |
| Account lockout not working. | PDC Emulator | Account lockout enforcement needs this role holder. |
| Can't raise the functional level for a domain. | PDC Emulator | This role holder must be available when raising the domain functional level. |
| Can't create new users or groups. | RID Master | RID pool has been depleted. |
| Problems with universal group memberships. | Infrastructure Master | Cross-domain object references need this role holder. |
| Can't add or remove a domain. | Domain Naming Master | Changes to the namespace need this role holder. |
| Can't promote or demote a DC. | Domain Naming Master | Changes to the namespace need this role holder. |
| Can't modify the schema. | Schema Master | Changes to the schema need this role holder. |
| Can't raise the functional level for the forest. | Schema Master | This role holder must be available when raising the forest functional level. |

Rules for FSMO Role Placement

Since FSMO roles are crucial for the proper functioning of an AD-based network, it's a good idea to get them right from the planning stage of your deployment. By default, when you install the first DC of your forest root domain, this first DC holds all five FSMO roles. When you install the first DC of any other domain in your forest, that DC will hold all three domain FSMO roles (PDC Emulator, RID Master, and Infrastructure Master). Depending on the complexity of your network, however, this default role assignment may not be appropriate, so you need to transfer some of your roles to a different machine to achieve optimal FSMO-role placement on your network. See KB 223787 and KB 255504 for how to transfer roles. KB 321469 also has information on how to transfer roles using scripts.

Proper FSMO role placement basically boils down to a few simple rules, tips, and exceptions:

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

Rule 2: The Infrastructure Master should not be placed on a GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available, or write a script to do this automatically.
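As an added example (not code from the article or its author), here is a Python script that implements the check Rule 4 calls for: it parses the output of netdom query fsmo, probes each role holder's LDAP port, and flags breaches of Rule 1 and Rule 3 (Rule 2 cannot be checked from this output, because netdom does not report whether a DC is a GC). The netdom label strings are assumed from the Windows Server 2003 Support Tools version, and the sample output is constructed to match the testtwo.local example above.

```python
import re
import socket

# "netdom query fsmo" labels (assumed from the Windows Server 2003 version) -> role names
ROLE_LABELS = {
    "Schema owner": "Schema Master",
    "Domain role owner": "Domain Naming Master",
    "PDC role": "PDC Emulator",
    "RID pool manager": "RID Master",
    "Infrastructure owner": "Infrastructure Master",
}

# Constructed sample mirroring the article: TEST230 holds the IM, TEST220 the rest.
SAMPLE_OUTPUT = """\
Schema owner                TEST220.testtwo.local
Domain role owner           TEST220.testtwo.local
PDC role                    TEST220.testtwo.local
RID pool manager            TEST220.testtwo.local
Infrastructure owner        TEST230.testtwo.local
The command completed successfully.
"""

def parse_fsmo(output):
    """Map each FSMO role name to the FQDN of the DC reported as its holder."""
    holders = {}
    for line in output.splitlines():
        m = re.match(r"^(.*?)\s{2,}(\S+)\s*$", line)
        if m and m.group(1) in ROLE_LABELS:
            holders[ROLE_LABELS[m.group(1)]] = m.group(2)
    return holders

def ldap_reachable(host, timeout=3):
    """Default availability probe: a TCP connect to the holder's LDAP port."""
    try:
        with socket.create_connection((host, 389), timeout=timeout):
            return True
    except OSError:
        return False

def check_fsmo(holders, probe=ldap_reachable):
    """Return findings: missing roles, unreachable holders, Rule 1/3 breaches."""
    findings = [f"no holder reported for {r}" for r in ROLE_LABELS.values() if r not in holders]
    for role, host in sorted(holders.items()):
        if not probe(host):
            findings.append(f"{role} holder {host} is unreachable")
    for rule, a, b in (("rule 1", "PDC Emulator", "RID Master"),
                       ("rule 3", "Schema Master", "Domain Naming Master")):
        if a in holders and b in holders and holders[a] != holders[b]:
            findings.append(f"{rule}: {a} and {b} are on different DCs")
    return findings
```

On a DC with the Support Tools installed, feed check_fsmo(parse_fsmo(...)) the live output of netdom query fsmo and run it from a scheduled task; the probe argument lets you swap the LDAP connect for a ping or an authenticated LDAP bind.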

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Copyright © 2009 O'Reilly Media, Inc.