Question : FSMO Roles

was wondering what is a good pratice for FSMO Roles....i will try to spead some light on this...

currently getting new server 2008 for single domain...we have 2 DC....this will make 3....

i am planning on taking the Main or the DC that holds all FSMO Roles down and gone forever when i put this other 2008 DC online.....

i was going to transfer all Roles over to the new 2008 machine...and then dcpromo the older DC...Correct?????????.

question....

is there any hickups i need to worry about...from the reading seems very easy...doing through MMC Schema snapin and AD Comp and Users.....i will be doing this on the current FSMO Holder.....correct?

also is it a good security practice to be putting all the roles on one system or should i spread them out...i believe the Schema and Domain Master has to be on one, but should i put the RID, PDC and Infrastructures on another????????

Just wondering what the best way was....currently all roles have been on the one DC with no problems.....any help is appreciated!!!!

Answer : FSMO Roles

Transfer then Demote: Yes, that is the correct approach.

If you don't fancy digging through all of the different GUI tools you can use NTDSUtil on the command line. But your approach is correct otherwise.

For an environment with 2 or 3 DCs you may as well put all roles on a single DC. There's no benefit to having them split up because you aren't going to run into the associated performance hits.

The only part you should make sure of is that all your Domain Controllers should be Global Catalog servers. Again, there's no downside to this for a small domain / single-domain forest.

As with any operation like this, or really anything that effects your domain, you should ensure you have a good backup and that your current DCs are not reporting errors (DCDiag and the Event Viewer). I'm not suggesting that this operating is especially risky though, it really isn't.

HTH

Chris