17th April 2024

Moving Operations Master (FSMO) Roles and Global Catalog Server Placement

When the first domain controller of a forest is installed, all Operations Master (FSMO) Roles are placed on that domain controller. Since it is the first domain controller, it also automatically becomes the Global Catalog server.

A large enough network will likely have more than one domain controller for redundancy. If there is only one domain controller and it becomes inaccessible, no one can log on to the network. The Operations Master (FSMO) Roles remain on the first domain controller unless an authorized user moves them.

Figure: FSMO Roles

Moving Operations Master (FSMO) Roles

There can be many reasons for moving Operations Master (FSMO) Roles. The most important ones are as follows.

Accessibility: Spreading the Operations Master (FSMO) Roles across different domain controllers means that if the domain controller holding some of the roles becomes inaccessible, the roles hosted elsewhere remain available.

Server load: The load status of the server should be considered when determining which domain controller will host which role. If there is a busy domain controller that handles a large number of authentication requests, the roles must be hosted on a different domain controller.

The forest-based Operations Master Roles, Domain Naming Master and Schema Master, are roles that are not used often. When these roles cannot be accessed, new domains cannot be added and the Active Directory schema cannot be changed. These roles may remain inaccessible for a long time without anyone noticing if the schema is never changed in the environment and no domains are added or removed. If the roles cannot be accessed for a long time, an error stating that these roles are unavailable will appear in the Event Log. However, this error does not affect the operation of the network. Even in a large network, schema changes and domain additions do not happen very often. Therefore, these roles can be kept on the same server to simplify administration. Since the Domain Naming Master communicates with the Global Catalog server when a domain is added, it is good practice to place these roles on a domain controller that is also a Global Catalog server.

The other forest-based role, the Schema Master, does not need the Global Catalog server. For this reason, the Schema Master role can be placed on any domain controller in the organization. Although it is not mandatory in environments with more than one domain, most organizations keep the Schema Master role on a domain controller located in the root domain. Since the Domain Naming Master and Schema Master roles affect the whole forest, keeping these roles in the root domain makes sense.

Figure: Moving Operations Master (FSMO) Roles

The domain-based roles, PDC Emulator, Infrastructure Master and RID Master, are used more than the forest-based roles. When deciding where to place the PDC Emulator, identify the network with the highest number of users and place the role on a domain controller in that network. This is because the PDC Emulator is the ultimate authority on password-based requests. It does not matter whether the domain controller hosting the PDC Emulator role is a Global Catalog server. If the domain controller hosting the PDC Emulator role is too busy, the Global Catalog role can be removed from it to reduce the load. If the domain controller is not very busy, it can also serve as a Global Catalog server.

The RID Master hands out blocks of RIDs and therefore does not have to be on the fastest network or the fastest server. All Operations Master Roles are important. If you have an environment where few objects are created, it will not be noticeable when the RID Master is unavailable. However, if you have an environment where many objects are created, the importance of the domain controller hosting the RID Master role increases, and if this role is unavailable for a long time, object creation operations may fail. Within a domain, the PDC Emulator is usually used more than the RID Master, and it is also the first to consume RIDs, ahead of the other domain controllers. For this reason, the PDC Emulator and RID Master roles are usually hosted on the same domain controller. Like the PDC Emulator, the RID Master role is not affected by whether the domain controller is a Global Catalog server.

The Infrastructure Master ensures that reference information between different domains is kept up to date. If the forest contains only one domain, the location of the Infrastructure Master role is not important unless you move to multiple domains. The server hosting this role can also be the Global Catalog server. In a multi-domain structure, however, the Infrastructure Master role becomes more important.
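The placement guidance for the five roles above can be checked from the console. The following PowerShell script is an added example, not code from the original article: it reads the current role holders, lists which domain controllers are Global Catalog servers, warns when the Domain Naming Master is not on a GC or the PDC Emulator and RID Master are split, and shows the cmdlet that transfers roles. It assumes the RSAT ActiveDirectory module is installed; the transfer step needs Domain Admin rights for domain roles and Enterprise Admin or Schema Admin rights for forest roles. "DC02" is an assumed placeholder name.

```powershell
# Added example (not from the original article): audit FSMO role holders and
# Global Catalog placement, then show the role-transfer cmdlet.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Current role holders: forest-wide roles come from the forest object,
# domain-wide roles from the domain object.
$roleHolders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
"`nFSMO role holders:"
$roleHolders.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# Domain controllers of the current domain with their GC status. In a
# multi-domain forest, repeat this per domain (Get-ADDomainController -Server).
"`nDomain controllers in $($domain.DNSRoot):"
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
$dcs | Format-Table -AutoSize

# Check 1: the Domain Naming Master talks to the Global Catalog when a domain
# is added, so the article recommends hosting it on a GC.
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if (-not $dnm.IsGlobalCatalog) {
    Write-Warning "Domain Naming Master $($dnm.HostName) is not a Global Catalog server."
}

# Check 2: PDC Emulator and RID Master are usually kept together.
if ($domain.PDCEmulator -ne $domain.RIDMaster) {
    Write-Warning "PDC Emulator ($($domain.PDCEmulator)) and RID Master ($($domain.RIDMaster)) are on different DCs."
}

# Check 3 (well-known caveat, not stated in the article): in a multi-domain
# forest, an Infrastructure Master that is also a GC stops updating
# cross-domain references unless every DC in the domain is a GC as well.
if ($forest.Domains.Count -gt 1) {
    $im      = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $everyGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $everyGc) {
        Write-Warning "Infrastructure Master $($im.HostName) is a GC while other DCs in the domain are not."
    }
}

# Transfer (not seize): the current holder must be online and reachable.
# This moves PDC Emulator and RID Master together to DC02 (placeholder).
# Uncomment to run; the script is read-only otherwise.
# Move-ADDirectoryServerOperationMasterRole -Identity "DC02" `
#     -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
```

Keep the transfer line commented out until the audit output has been reviewed; a graceful transfer is the normal path, and seizing a role (the `-Force` switch) is reserved for a holder that will never return to the network.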

For ease of management, the simplest option is to make all domain controllers Global Catalog servers. This does not affect any process in the forest, but it has some disadvantages: making every domain controller a Global Catalog server requires more bandwidth and hard disk space.

Global Catalog Servers Placement

If not every domain controller is to be a Global Catalog server, the placement of the Global Catalog servers should be planned. The following situations can be taken into consideration in that planning.

  • Microsoft recommends a Global Catalog server for locations with more than 100 users and for locations with a varying number of users. Roaming users require a Global Catalog server because a user logging on from a roaming network needs one.
  • Applications such as Exchange Server use Global Catalog servers heavily. If Exchange Server has to cross a wide area network (WAN) to reach a Global Catalog server, performance suffers. Therefore, if you are using Exchange Server or similar applications, you must have a Global Catalog server on the same network.
  • Global Catalog servers are also used to determine the membership of users in Universal Groups. In multi-domain structures, Universal Group membership cannot be evaluated without access to a Global Catalog server, and the user cannot log in.
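The three placement rules above can be turned into a per-site coverage report. The following PowerShell script is an added example, not code from the original article: it lists, for every Active Directory site, how many domain controllers and Global Catalog servers it has and which subnets map to it, warns when a site has client subnets but no GC (so logons and Universal Group lookups would cross the WAN), and provides a function that enables the GC on an existing domain controller by setting bit 1 of the `options` attribute on its NTDS Settings object. It assumes the RSAT ActiveDirectory module; "DC03" is an assumed placeholder name. Whether a site has more than 100 users or hosts Exchange is input from your own inventory, since Active Directory does not record it.

```powershell
# Added example (not from the original article): Global Catalog coverage per
# site, plus a helper that turns a DC into a GC.
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
$sites   = Get-ADReplicationSite   -Filter *
$subnets = Get-ADReplicationSubnet -Filter *

"{0,-30} {1,4} {2,4}  {3}" -f "Site", "DCs", "GCs", "Subnets"
foreach ($site in $sites) {
    $siteDcs = @($dcs | Where-Object Site -eq $site.Name)
    $siteGcs = @($siteDcs | Where-Object IsGlobalCatalog)
    # Subnet objects reference their site by DN; match on the site's RDN.
    $siteSubnets = @($subnets | Where-Object Site -like "CN=$($site.Name),*")

    "{0,-30} {1,4} {2,4}  {3}" -f $site.Name, $siteDcs.Count, $siteGcs.Count,
        ($siteSubnets.Name -join ", ")

    # Clients in a site with subnets but no GC must reach a GC over the WAN
    # for logon and Universal Group membership evaluation.
    if ($siteSubnets.Count -gt 0 -and $siteGcs.Count -eq 0) {
        Write-Warning "Site '$($site.Name)' has client subnets but no Global Catalog server."
    }
}

function Enable-GlobalCatalog {
    # Makes an existing DC a Global Catalog server. The GC flag is bit 1
    # (value 1) of the 'options' attribute on CN=NTDS Settings under the
    # server object; -bor keeps any other bits already set.
    param([Parameter(Mandatory)][string]$DomainController)

    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]($ntds.options) -bor 1
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $opts }
    "GC flag set on $($dc.HostName); the partial replicas of other domains will replicate in."
}

# Enable-GlobalCatalog -DomainController "DC03"   # placeholder DC name
```

Run the report first and compare its warnings against your user counts per location and the placement of Exchange or similar GC-heavy applications; only then enable the GC on the domain controllers in the sites that need one, keeping in mind the extra bandwidth and disk space each new GC consumes.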
