When the first domain controller is installed in your environment, all five FSMO roles are placed on that domain controller, and it is also flagged as a global catalog server. Clearly, if this DC, which holds all the roles, fails, there will be no logons. There are reasons to place FSMO roles on different servers, such as availability and load on the server.
In an Active Directory network of any size, you will have experienced the account lockout problem. You simply ask yourself: why is it locked? I am more than a hundred percent sure that I am entering my password correctly, so why does it get locked again and again? The answer might be a bit general: “It depends on many reasons”. Although entering the wrong password turns out to be the first reason for account lockout problems, there are plenty of other reasons behind this incident. I am going to cover how you can find the source of the problem with a simple GPO, and then your enterprise will be problem free.