How to place FSMO and Global Catalog roles in Active Directory

During installation of Active Directory on Windows Server 2000/2003/2008, all FSMO roles are automatically placed on the first server. Best practice, however, dictates moving some of these Flexible Single Master Operation (FSMO) roles to separate servers.

If you only have one domain controller (not recommended), there is nothing to do since all roles must be on that server. If you have multiple servers, you should spread some of these roles across them. It is also important to know which servers are Global Catalog servers, especially if you have more than one domain; even with a single domain, they will be preferred by applications such as Exchange Server.

It is recommended to place the forest roles on one Domain Controller (DC) and the domain roles on another server. If not all Domain Controllers are Global Catalog servers, it is also important to place the infrastructure master on a server that is NOT a Global Catalog server.

Recommended Best Practice setup of FSMO roles.

Domain Controller #1

Place the two forest roles on this server.

  • Schema Master
  • Domain Naming Master

Domain Controller #2
Place the domain roles on this server.

  • RID Master
  • Infrastructure Master
  • PDC Emulator

If more domains exist in the forest, place the domain roles on a server in each of these domains, as with Domain Controller #2.
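The layout above, carried out from PowerShell as an added example (this is not code from the original post). It assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) and uses the hostnames DC1 and DC2 for Domain Controller #1 and #2; a transfer like this only works while the current role holder is online.

```powershell
# Added example, not part of the original post.
# Assumes: ActiveDirectory module available, DC1/DC2 are the hostnames of DC #1/#2.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Report who holds what today; after a fresh install all five sit on the first DC.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
} | Format-List

# Forest roles go to (or stay on) DC1. -Identity names the DC that receives the roles.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Domain roles go to DC2.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole RIDMaster, InfrastructureMaster, PDCEmulator -Confirm:$false

# Independent check with the built-in tool present on every DC.
netdom query fsmo
```

Run it once per domain in a multi-domain forest (the forest-role move only applies in the forest root); for the child domains only the second Move-ADDirectoryServerOperationMasterRole call is relevant.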

Global Catalog configuration.

In Windows 2008 Active Directory all Domain Controllers are Global Catalog servers by default. Personally I would recommend the same configuration in most Active Directory setups, unless special needs and loads with multiple domains and quite a few Domain Controllers exist.

Remember: do not place the Infrastructure Master FSMO role on a server with Global Catalog enabled, unless ALL Domain Controllers are Global Catalog enabled!

Global Catalog servers hold full information about their own domain and a subset of frequently used attributes from all domains in the forest. This allows a Global Catalog Domain Controller to answer client queries about other domains in the forest much faster. It also means the server will use more resources (mostly memory) in a multiple domain configuration.
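An audit of the Infrastructure Master rule above, added here as an example rather than taken from the post: for every domain in the forest it checks whether the Infrastructure Master is a Global Catalog while at least one other DC in that domain is not, which is the only combination that causes stale cross-domain references. It assumes the ActiveDirectory module and credentials that can read every domain.

```powershell
# Added example, not part of the original post.
# Assumes: ActiveDirectory module, read access to all domains in the forest.
Import-Module ActiveDirectory

foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = Get-ADDomainController -Filter * -Server $domainName

    # DCs in this domain that are NOT Global Catalogs
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Is the Infrastructure Master itself a Global Catalog?
    $imHost = $domain.InfrastructureMaster
    $imIsGc = [bool](@($dcs | Where-Object { $_.HostName -eq $imHost }).IsGlobalCatalog)

    if ($nonGc.Count -gt 0 -and $imIsGc) {
        # The problematic case: IM is a GC, but some DC is not, so the IM never
        # notices cross-domain objects that moved or were renamed.
        Write-Warning ("{0}: Infrastructure Master {1} is a GC while {2} is not. " +
                       "Move the role to a non-GC DC or make every DC a GC." -f
                       $domainName, $imHost, ($nonGc.HostName -join ', '))
    }
    elseif ($nonGc.Count -eq 0) {
        Write-Output "$domainName : all DCs are Global Catalogs, placement is irrelevant."
    }
    else {
        Write-Output "$domainName : Infrastructure Master $imHost is not a GC, OK."
    }
}
```

In a single-domain forest the warning can only fire if you have deliberately unchecked Global Catalog on some DC, which matches the post's advice to simply leave it enabled everywhere.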

Tools to administer FSMO roles.

FSMO roles can be administered from a GUI in the Active Directory tools or from the command line with the NTDSUTIL command. If a Domain Controller is down and cannot be restored, only NTDSUTIL can be used to seize the role onto a new server.
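A seize of the domain roles, shown as an added example that is not from the post or the linked Microsoft article. It first refuses to proceed if the old holder still answers (a seize is only for a holder that will never return), then shows both the NTDSUTIL session the post refers to, passed as command-line arguments so it runs non-interactively, and the PowerShell equivalent, where -Force on Move-ADDirectoryServerOperationMasterRole seizes when the current holder cannot be reached. DC1 (dead) and DC2 (new holder) are assumed names.

```powershell
# Added example, not part of the original post.
# Assumes: DC1 is the unrecoverable role holder, DC2 is the surviving DC.
Import-Module ActiveDirectory

$deadHolder = 'DC1'
$newHolder  = 'DC2'

# Never seize from a holder that is merely slow or temporarily offline:
# two holders of the same role would diverge (duplicate RID pools, split schema).
if (Test-Connection -ComputerName $deadHolder -Count 2 -Quiet) {
    throw "$deadHolder still responds; use a normal transfer instead of a seize."
}

# Option 1: ntdsutil, the same steps as the interactive session in the Microsoft KB,
# but given as arguments. "quit" leaves each sub-menu.
ntdsutil "roles" "connections" "connect to server $newHolder" "quit" `
         "seize RID master" "seize infrastructure master" "seize PDC" "quit" "quit"

# Option 2: PowerShell. -Force falls back to seizing if the transfer fails.
Move-ADDirectoryServerOperationMasterRole -Identity $newHolder `
    -OperationMasterRole RIDMaster, InfrastructureMaster, PDCEmulator `
    -Force -Confirm:$false

# Confirm the new holder from the surviving DC's point of view.
Get-ADDomain -Server $newHolder |
    Select-Object RIDMaster, InfrastructureMaster, PDCEmulator
```

After a seize the old server must be rebuilt before it is ever reconnected, and its remaining objects removed from the directory (ntdsutil "metadata cleanup"); otherwise the forest ends up with two holders for the same role.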

Microsoft has a guide to doing this here: http://support.microsoft.com/kb/324801

Global Catalog settings can be administered with the Active Directory Sites & Services GUI: select Sites/SiteName/Servers/ServerName, right-click NTDS Settings and select Properties, then on the General tab tick or untick Global Catalog.

Microsoft has a guide to doing this here: http://support.microsoft.com/kb/313994
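The same tick box set from PowerShell, as an added example that is not part of the post. The Global Catalog checkbox in Sites & Services is bit 0 (value 1) of the options attribute on the DC's NTDS Settings object; the script sets it and then polls the isGlobalCatalogReady rootDSE attribute until the DC actually advertises as a GC, which takes a while after the flag flips. DC2 is an assumed hostname.

```powershell
# Added example, not part of the original post.
# Assumes: ActiveDirectory module, DC2 is the DC to promote to Global Catalog.
Import-Module ActiveDirectory

$IS_GC = 1   # bit 0 of NTDS Settings "options" = "Global Catalog" checkbox
$dc    = Get-ADDomainController -Identity 'DC2'
$ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$opts  = [int]$ntds.options   # attribute may be absent, which means 0

if (($opts -band $IS_GC) -eq 0) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor $IS_GC) }
    Write-Output "Global Catalog flag set on $($dc.HostName); waiting for it to advertise."
}

# To disable instead: Set-ADObject -Identity $ntds -Replace @{ options = ($opts -band (-bnot $IS_GC)) }

# The flag is only the request; the DC must replicate the partial read-only
# partitions of every other domain before it becomes a usable GC.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $ready = (Get-ADRootDSE -Server $dc.HostName).isGlobalCatalogReady
} until ($ready -eq 'TRUE' -or (Get-Date) -gt $deadline)

if ($ready -eq 'TRUE') {
    Write-Output "$($dc.HostName) is now advertising as a Global Catalog."
} else {
    Write-Warning "$($dc.HostName) has not finished GC promotion yet; check replication."
}
```

Removing the Global Catalog from a DC is the inverse bit operation shown in the comment; before doing so, re-run the Infrastructure Master check from the Global Catalog section, because a DC that stops being a GC is exactly the case where that role's placement starts to matter.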

29 Responses to “How to place FSMO and Global Catalog roles in Active Directory”

  • Steve Schwalm:

    Sole — I really appreciate your clear and concise explication of the Windows world from an administrator's viewpoint. Your explanations are much more direct and comprehensible than most of what is found in most technical manuals. Right now I’m reviewing your AD section for several projects I have, including rebuilding a domain with new domain controllers and splitting up their FSMO roles and virtualizing them — so I have “favorited” your blog. Keep writing!

    Thanks,

    Steve

  • Sole:

    Hi Steve,
    Thanks for the nice words, much appreciated :)

  • Tony Zahler:

    Sole,

    I also appreciate you getting the exact information that I needed, quickly.
    It is nice to get short, straight easy to use info… for a change.

    Thank you,

    Tony

  • Johan Cordice:

    Thanks for the clear explanation; I really appreciate your clear and concise explanation. However, I have read elsewhere that it’s best to have the infrastructure role on one server and all the other FSMO roles on the PDC. What’s your take on this compared to your 3-2 separation? I had gone ahead and used the 4-1 and it has worked quite well so far. I don’t write off any particular solution. Thanks for your assistance.

  • Good day Sir!

    I have followed your instructions here on your blog. I have two domain controllers, DC1 and DC2. DC1 has the roles Schema Master and Domain Naming Master, while DC2 has the roles Infra Master, PDC Master and RID Master. My question is, do I need to check the Global Catalog Master on DC2 while leaving the Global Catalog on DC1 unchecked? When should I check the Global Catalog under Active Directory Sites and Services?

    Thanking you in advance for helping me to understand this question.

    Regards,
    Bong

  • Sole:

    As long as all DC’s have the Global Catalog checked you’re fine :)

  • Even if DC2 has the infrastructure master role? I thought that GC should not be checked when the Infrastructure Role is present on DC2.

  • Sole:

    Hi Bong,

    The problem with Global Catalog being enabled on the same Domain Controller as the holder of the infrastructure role is only relevant if another Domain Controller in the domain is not Global Catalog enabled.

    In other words…
    If ALL Domain Controllers have Global Catalog enabled = no problems.
    If any one or more Domain Controllers do NOT have Global Catalog enabled = the Domain Controller with the Infrastructure Role should NOT have Global Catalog enabled, to avoid problems.

  • Ah, I see… But one thing I noticed. When I transferred these three roles to DC2 (PDC, RID and Infrastructure), my synchronization between the two Domain Controllers became slow. Opening Active Directory Users and Computers became slow on both DC1 and DC2. What is the cause of this slowness? I have enabled the Global Catalog on both DC’s. I have only experienced this since the time I transferred the three roles to DC2.

    Appreciate once again your advice,

    Many Thanks,
    Bong

  • Sole:

    Hi Bong,

    I am sorry but I can’t explain that for you. You could try moving all roles to a single DC (and then to the other, to see if it changes); it should not really be a problem in a small setup with 2 DC’s to have all roles on a single DC.

  • Bong:

    Hi Sir,

    I have errors 4004 and 4521. The 2nd DC has no replication with DC1. dcdiag /test:dns says that there is a missing CNAME record or SRV record, but I don’t remember deleting those. How can I get these two DC’s replicating again?

    Please help me Sir

    Thanks,
    Bong

  • Sole:

    Hi Bong,

    I am sorry but those errors are beyond what I can help you with remotely.

    -Sole

  • Ok Sir. Can you check it via TeamViewer? Do you have a Skype account so that I can talk to you, Sir?

    Thanks.

  • Sole:

    Hi Bong,

    I am sorry but I am not able to assist you remotely with that problem. I believe you should contact a local consultant who can help you onsite.

    -Sole

  • Anonymous:

    why can’t we have two schema masters ?

  • Philip:

    Hi Sole,

    I have questions. I am newly hired in one of the companies here in our country, and I found out, of course, that all FSMO roles are installed on the first server, DC1. The name of our forest is primerstar.com and the domain name is also primerstar.com; is this what they call a “single domain forest”? Is it OK if I assign the RID Master, Infrastructure Master and PDC Emulator to DC2, which is GC enabled, and make DC3 a standby master?

  • Sole:

    As the name master suggests, there is only one :) I will not go deeper into this, as it is way outside the idea and contents of this blog.

  • Sole:

    Sounds right, make sure all DC’s are GC enabled for this setup.

  • Erik K.:

    I clipped an excerpt from an Active Directory training video which illustrates exactly why the GC needs to be separate from the infrastructure master. Basically, you would notice the issue occurs when you have more than one domain.

    http://sdrv.ms/ZCDcTU

    What the video doesn’t mention, and what I found helpful from this blog, is that you can simply put the GC on all servers to get around this.

  • Kiran:

    Thanks for the Clear explanation. I will bookmark this website

  • RAther:

    I am planning to transfer the PDC emulator role to another DC.
    What about the time sync? How can I move it to the other DC as well? What needs to be done?

  • JOE:

    Actually I need your advice for a disaster plan between Server 2008 R2 machines. My question is that if we have two domain controllers, DC1 and DC2, DC1 the primary domain controller and DC2 only (Global Catalog / Active Directory), and both of them are Standard Edition servers, no clustering. So let's say DC1 fails or crashes. Do we have to install the FSMO roles and assign DHCP on the other DC2 to have it active as DC1? By the way, DC1 is on a physical machine and DC2 on a virtual machine. So what do you advise me to start with? It’s really an urgent matter for me, please. I look forward to hearing from you as soon as you can. Thank you very much.

    Best Regards,

  • Jim Beam:

    According to MS:

    http://support.microsoft.com/kb/223346

    “General recommendations for FSMO placement

    Place the schema master on the PDC of the forest root domain.
    Place the domain naming master on the forest root PDC.”

    So you say put the PDC role on DC2, MS states put it on DC1!

  • manoj:

    I am getting this error on transferring the RID Master role:
    error “the transfer of the operation master role cannot be performed because: the requested information failed. the current FSMO holder could not be contacted.”
    Can you please help me resolve this issue?
    The RID Master should be available to every member DC, but due to some issue I am not able to create a new DC, as I am getting an error that the DC holding the RID Master is offline, since that server has now crashed. So please help me seize this role, as connecting to server “xxx” is failing with an RPC error.

  • Hanz:

    Hi,

    I have three ADs in three different locations. Two of them are GC enabled:

    AD1 & AD2

    I want to demote AD2 and point the GC to AD3. Currently, the Schema Master and operation masters are on AD1.

    Can I demote AD2? Is there anything to consider? Please advise.

  • Sole:

    Make sure you have all 5 FSMO roles placed on 1 & 3.

  • Sharvari Patil:

    Simple and short AD FSMO and GC. Much appreciated….

  • Garcie:

    Thank you Sole, very informative
