Best Recommended Practices for FSMO Roles Placement
When you install a new Active Directory domain, all FSMO roles are placed on a single server (on the first domain controller in the domain). According to Microsoft’s recommendation, the Best Practice is to split the FSMO roles between the different domain controllers.
The forest-wide FSMO roles should be placed on one DC, and the domain-wide roles on another. If you have only one domain controller, it is recommended to deploy an additional DC. Thus, in an AD domain with a minimum configuration (2 DCs), you need to place the FSMO roles as follows:
FSMO Role | Impact | Role Type | Domain Controller | Best practice |
---|---|---|---|---|
Schema master | No schema changes can be made while the Schema Master is down. Normal operations continue unaffected unless a schema modification is needed. | Forest | DC1 | Keep forest wide roles in one server |
Domain Naming master | New domains or domain removals cannot be performed while the Domain Naming Master is down. Existing domains continue to function normally. | Forest | DC1 | Keep forest wide roles in one server |
PDC emulator | This is the most critical role: make sure the DC holding it is highly available, and if the environment has more than 2 DCs, use a dedicated domain controller for this role. While the PDC Emulator is down: password changes may not be replicated immediately; time synchronization within the domain might be affected, potentially leading to Kerberos authentication issues; Group Policy changes might not propagate promptly; account lockouts might not be processed correctly. | Domain wide | DC2 | Keep Domain wide roles in one server |
RID Master | New security principals cannot be created if the RID pool is exhausted. Existing accounts and operations continue unaffected until the RID pool runs out. | Domain wide | DC2 | Keep Domain wide roles in one server |
Infrastructure master | Cross-domain object references might become outdated. This is especially relevant in multi-domain environments. Single-domain environments are unaffected. | Domain wide | DC2 | Keep Domain wide roles in one server |
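The following audit script is an added example, not part of the original article: it reads the current FSMO holders with the ActiveDirectory module and reports whether they follow the two-DC layout above (forest-wide roles together on one DC, domain-wide roles together on another). The function name `Test-FsmoPlacement` and the `DC2` name in the trailing comment are assumptions for illustration.

```powershell
# Added example (not from the original article): audit FSMO placement
# against the layout described above using the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    [CmdletBinding()]
    param(
        # Domain to audit; defaults to the domain of the current computer
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles live on the forest object
    $forestRoles = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    # Domain-wide roles live on the domain object
    $domainRoles = [ordered]@{
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # Distinct holders of each role group (wrapped in @() so a single value still has .Count)
    $forestHolders = @($forestRoles.Values | Sort-Object -Unique)
    $domainHolders = @($domainRoles.Values | Sort-Object -Unique)
    $dcCount       = @(Get-ADDomainController -Filter * -Server $Domain).Count

    $findings = @()
    if ($forestHolders.Count -gt 1) {
        $findings += "Forest-wide roles are split across: $($forestHolders -join ', ')"
    }
    if ($domainHolders.Count -gt 1) {
        $findings += "Domain-wide roles are split across: $($domainHolders -join ', ')"
    }
    if ($dcCount -lt 2) {
        $findings += "Only $dcCount DC in $Domain; deploy a second DC before splitting the roles"
    }
    elseif ($dom.DNSRoot -eq $forest.RootDomain) {
        # In the forest root, the two groups should sit on different DCs
        $overlap = @($forestHolders | Where-Object { $domainHolders -contains $_ })
        if ($overlap.Count -gt 0) {
            $findings += "Forest-wide and domain-wide roles share a DC: $($overlap -join ', ')"
        }
    }

    [pscustomobject]@{
        Domain            = $Domain
        ForestRoles       = $forestRoles
        DomainRoles       = $domainRoles
        DomainControllers = $dcCount
        Findings          = $findings
        Compliant         = ($findings.Count -eq 0)
    }
}

# Usage: Test-FsmoPlacement | Format-List
# To apply the layout from the table (DC2 is a placeholder name), a Domain Admin can run:
# Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
```

Run it as a Domain Admin after any DC change; a non-empty `Findings` list identifies which of the three placement rules is violated.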