Best practices for FSMO roles placement

Yes, they are all important. Whether you run a huge enterprise with an enormous number of users and computers or a small network of around 50 clients, you have to keep the FSMO role holders up and running. Given that, optimizing the placement of the FSMO roles is crucial to their availability. Some of the roles matter more than others in day-to-day operation, but keep in mind that you have to balance all of them across your environment.


When the first domain controller is installed in your environment, all five roles are established on that domain controller, and it is also flagged as a global catalog server. It is clear that if this DC fails while it is the only DC and holds all the roles, there will be no logons at all. (Strictly speaking, the logon outage comes from losing the only DC and global catalog; losing an individual FSMO role on its own breaks only the operations that role serves, as described below.) There are two main reasons to spread the FSMO roles over different servers: availability, and load on the server.

These five roles which we are going to cover best practices for their placement are:

  1. Schema master
  2. Domain naming master
  3. PDC emulator
  4. RID master
  5. Infrastructure master
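Before you can rebalance anything you need to know where the five roles currently sit. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) in a domain-joined session with rights to read the forest and domain objects. The DC name 'DC02' in the transfer command is a placeholder.

```powershell
# Added example, not code from the original post: list the current holder of each
# FSMO role and whether that holder is also a global catalog. Assumes the
# ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    param(
        # Domain whose PDC/RID/Infrastructure holders to report; defaults to the current one.
        # In a multi-domain forest call it once per domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # The two forest-wide roles live on the forest object, the three domain-wide
    # roles on the domain object.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $dom.PDCEmulator
        'RID master'            = $dom.RIDMaster
        'Infrastructure master' = $dom.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        # Resolve the FQDN to the DC object so we can see its site and GC flag.
        $dc = Get-ADDomainController -Identity $roles[$role]
        [pscustomobject]@{
            Role            = $role
            Holder          = $dc.HostName
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
        }
    }
}

Get-FsmoPlacement | Format-Table -AutoSize

# The built-in equivalent, handy on a DC without the PowerShell module:
#   netdom query fsmo

# To consolidate the schema master and domain naming master on one global catalog
# (the recommendation in the next section), transfer them while both DCs are online.
# 'DC02' is a placeholder name.
#   Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster, DomainNamingMaster
# Add -Force only to seize a role from a holder that is permanently gone; that old
# DC must never be brought back online afterwards, or you end up with two holders.
```

The transfer requires Schema Admins for the schema master, Enterprise Admins for the domain naming master and Domain Admins for the three domain roles, so run it from an account that holds the right group for the role you are moving.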


Schema master and Domain naming master

These two roles are rarely used. The domain naming master is needed only when a domain (or an application directory partition) is added to or removed from the forest. The schema master is used on equally rare occasions, namely when the schema is extended; deploying Exchange Server in your organization is a case in point. So if these two role holders are unavailable, the domain controllers will carry on servicing clients until there is a need to change the schema or create a child domain. Given this, Microsoft recommends keeping the two roles on a single server. Since every time a child domain is added to the forest the domain naming master queries the global catalog to verify that the name is not already in use, it is also highly recommended to place the global catalog on the server that holds the domain naming and schema master roles. (At the Windows Server 2003 forest functional level and above the domain naming master no longer has to be a GC, but co-locating them is still the recommended layout.)


Primary Domain Controller (PDC Emulator)

One of the responsibilities of the PDC emulator is handling password changes: every password change is replicated to it with priority, and when a logon fails on another DC because of a bad password, that DC retries the authentication against the PDC emulator before rejecting the user, in case the password was changed recently. It is therefore highly recommended to place the PDC emulator on the segment that has the most users. More users mean more logon requests and, as a result, more password-related traffic to the PDC emulator, so it is considered a wise move to keep it on the segment that generates the most of that traffic. It is also the default target for Group Policy editing and the authoritative time source for the domain, which is another reason to keep it on a well-connected, reliably available DC.


Relative Identifier Master Role (RID)

The RID master allocates pools of relative identifiers (RIDs) to the domain controllers; each DC consumes one RID from its pool for every security principal (user, group or computer) it creates and asks the RID master for a new pool when it runs low. Because the PDC emulator typically creates more accounts, and therefore uses more RIDs, than other DCs, in most cases administrators prefer to place the RID master and the PDC emulator on the same server.


Infrastructure Master Role

The infrastructure master updates the cross-domain object references (phantom objects) of its domain, for example a group member who lives in another domain and has been renamed or moved. A global catalog already holds a partial replica of every object in the forest, so an infrastructure master that is also a GC never sees a stale reference and never updates one. For that reason Microsoft recommends placing the infrastructure master on a server that is not a global catalog. Keep in mind that if all domain controllers in your domain are global catalogs, or your forest has only one domain, there is no need to obey this rule, because there will be no phantom objects to update in such scenarios. The same applies once the Active Directory Recycle Bin is enabled, since every DC then maintains its own phantom references and the role no longer needs special placement.
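The placement rules from the four sections above can be checked mechanically. The script below is an added example, not code from the original post, and assumes the ActiveDirectory module with rights to read the forest, the target domain and its optional features; the rule names and the `REVIEW` verdict are this example's own wording.

```powershell
# Added example, not code from the original post: audit a domain's FSMO placement
# against the rules described in this post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = Get-ADDomainController -Filter * -Server $Domain

    # Resolve a role holder FQDN to its DC object. The forest-wide holders may
    # live in another domain, so fall back to a direct lookup.
    $lookup = {
        param($fqdn)
        $hit = $dcs | Where-Object { $_.HostName -ieq $fqdn }
        if ($hit) { $hit } else { Get-ADDomainController -Identity $fqdn }
    }

    $schema = & $lookup $forest.SchemaMaster
    $naming = & $lookup $forest.DomainNamingMaster
    $pdc    = & $lookup $dom.PDCEmulator
    $rid    = & $lookup $dom.RIDMaster
    $infra  = & $lookup $dom.InfrastructureMaster

    # Exemptions for the infrastructure master rule: single-domain forest,
    # every DC in the domain is a GC, or the AD Recycle Bin is enabled.
    $singleDomain = ($forest.Domains.Count -eq 1)
    $allGc        = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $recycleBin   = try {
        (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes.Count -gt 0
    } catch { $false }   # feature object absent on older forests

    $checks = @(
        @{ Rule   = 'Schema master and domain naming master on the same DC'
           Pass   = ($schema.HostName -ieq $naming.HostName)
           Detail = "$($schema.HostName) / $($naming.HostName)" },
        @{ Rule   = 'Domain naming master is a global catalog'
           Pass   = [bool]$naming.IsGlobalCatalog
           Detail = $naming.HostName },
        @{ Rule   = 'PDC emulator and RID master on the same DC'
           Pass   = ($pdc.HostName -ieq $rid.HostName)
           Detail = "$($pdc.HostName) / $($rid.HostName)" },
        @{ Rule   = 'Infrastructure master is not a GC (unless exempt)'
           Pass   = (-not $infra.IsGlobalCatalog) -or $singleDomain -or $allGc -or $recycleBin
           Detail = "$($infra.HostName) GC=$($infra.IsGlobalCatalog) singleDomain=$singleDomain allGC=$allGc recycleBin=$recycleBin" }
    )

    foreach ($c in $checks) {
        $result = if ($c.Pass) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{ Rule = $c.Rule; Result = $result; Detail = $c.Detail }
    }
}

Test-FsmoPlacement | Format-Table -AutoSize -Wrap
```

A `REVIEW` result is a prompt to look, not an automatic instruction to move a role: the PDC/RID pairing in particular is a preference rather than a hard requirement, and the output shows which exemption (if any) already covers the infrastructure master.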


Global Catalog

If you insist on not making all the domain controllers global catalogs, the placement of the global catalog needs to be considered. As a recommendation, place a global catalog on a segment close to any application that needs direct contact with a global catalog (Exchange Server is the usual example). It is also recommended to keep a global catalog in any site where more than a hundred user accounts exist or where there are plenty of roaming profiles, since logons there depend on a GC being reachable for universal group membership.
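To find the sites where this recommendation has not been applied, the following added example (not code from the original post) lists every site that contains domain controllers but no global catalog, across all domains in the forest. It assumes the ActiveDirectory module and rights to query each domain.

```powershell
# Added example, not code from the original post: sites that have domain
# controllers but no global catalog, across every domain in the forest.
Import-Module ActiveDirectory

function Get-SiteWithoutGlobalCatalog {
    # Get-ADDomainController -Filter only covers one domain, so walk the forest.
    $dcs = foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d
    }

    $dcs | Group-Object -Property Site |
        Where-Object { -not ($_.Group | Where-Object { $_.IsGlobalCatalog }) } |
        ForEach-Object {
            [pscustomobject]@{
                Site              = $_.Name
                DomainControllers = ($_.Group | ForEach-Object { $_.HostName }) -join ', '
            }
        }
}

Get-SiteWithoutGlobalCatalog | Format-Table -AutoSize
```

A site that appears here and hosts more than a hundred users, roaming profiles or a GC-dependent application is a candidate for promoting one of its DCs to a global catalog; for small sites where the extra replication is not worth it, enabling Universal Group Membership Caching on the site is the usual alternative.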


