What does NetIQ recommend when considering the ramifications of FSMO Role locations as well as name (NETIQKB1890)

  • 7701890
  • 02-Feb-2007
  • 12-Oct-2007


What does NetIQ recommend when considering the ramifications of FSMO Role locations as well as name resolution configurations for Enterprise environment migration scenarios?


Enterprise environments include many complex configurations, such as multiple sites and WAN links. Review your environment and consider how it may affect the performance and ease of your migration.

This article identifies some of the important configuration issues to consider. Be sure to review all aspects of your environment and consider how they may affect your specific migration needs.

During the migration process, Domain Migration Administrator must process many objects. For each object, the product needs to collect information, process and validate the object, and write new information. You should try to limit communication issues, especially across WAN links.

When working with a Windows 2000 Active Directory Enterprise Environment that's made up of multiple sites, NetIQ would like to make a number of recommendations for our customers to gain the utmost performance and stability throughout their migration experience with our Domain Migration Administrator (DMA) tool. Consider the following configuration issues to simplify your migration process, limit WAN traffic, and improve your migration performance:

Install important services and computer roles in the same physical Site as the DMA computer to reduce WAN and router traffic thereby largely increasing performance. And for the best migration performance, locate these computer roles and services noted below in the same physical IP subnet as the DMA computer. This layout reduces the router hops required during the migration process:

  • DNS Server (an authoritative server for both the Target and Source zones would be best, but a caching server would be better than nothing here). Note: For better performance, configure the DNS Server to use WINS reverse lookup because NT4 resources are resolved via this change.
  • WINS Server (NetBIOS name resolution configured for both the Source and Target to use when migrating from NT4).
  • Global Catalog Server (this should be the Global Catalog Server from the Target forest because the Windows 2000 Operating System contacts the GC when examining group memberships of existing groups during incremental migrations and very likely new migrations as well. In addition, during virtually every aspect of the Intra-forest migration scenario, the GC is contacted).
  • Infrastructure Master FSMO Role (this should be a role from the Target domain, it is key when Active Directory is updating groups).
  • RID Pool Allocator (needed for Intra-forest migrations because the underlying Microsoft Move Object APIs are contacting the RID Pool Allocator FSMO Role during Intra-Forest operations).
  • PDC Emulator (this should be a role from the Target domain since it is key for replication traffic that saturates links after password migrations because the Domain Controller DMA writes to replicates the passwords directly to the PDC emulator).
  • Domain Controller from the Forest Root domain of the Target and also Source if you've got a Windows 2000 Source domain (this is helpful because replication traffic goes over the site links and this site link information is only stored in the forest's root domain).
  • It is helpful to add the Source PDC if possible, especially if you plan to change any objects in the source domain during the migration, like disabling or expiring accounts or using scripting (this can be done by adding a BDC, synching it with the domain, moving it to the DMA console's site, then promoting it as the PDC temporarily during the migration).

If your source domain is a Windows 2000 domain, install the important services for your Source domain as well as your Target domain (as mentioned above).

Before you migrate objects, configure your WAN link for the DMA computer site to replicate at night, after the local migration is finished (don't let it replicate immediately after your migration if it's not being done after-hours, as the replication of hundreds to thou.
sands to millions of objects all at once can saturate your bandwidth). This configuration limits WAN traffic as you migrate and update objects. Then, all the migration changes can be replicated during non-business hours.

Consider the following issues for Windows 2000 Intra-forest migrations:

  • To improve performance, use direct trusts rather than transitive trusts (this saves constant Kerberos traffic created by the communication efforts via the transitive trusts).
  • Install a domain controller for the source domain in the local site.
  • Install a domain controller for the target domain in the local site.

To help future corporate mergers and acquisitions, and to limit security issues related to the Enterprise Admins group in the forest root domain, Microsoft recommends you create an empty forest root domain.

To address some potential security issues, name your forest root domain different than your published domain name. For example, if your published domain name is acme.com, consider naming your forest root domain acme.local.

Please contact Technical Support to create a Support Request for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current Hotfixes available for download.


Additional Information

Formerly known as NETIQKB1890