Solved

Implications of separating DCs and seizing FSMO roles

Posted on 2008-10-28
Last Modified: 2012-05-05
Hi folks,

I would like to know any implications of doing the following, I cannot see any. This is a hypothetical scenario ..

If I had two physical sites, all on the same forest/domain and subnet. There is a DC in both, the DC in site A has all the FSMO roles, and both Site A and Site B DCs are GC servers. There is layer 2 connectivity between these sites, so it's all the same broadcast domain and no routing.

What would happen if I broke the link between the sites, and seized the FSMO roles to the DC in Site B? I'm presuming both sites would continue to operate as normal?

Apart from the obvious like not being able to address computers in the other site, I cannot see any problems with users logging on and authenticating? Should this work?



Question by:ma77smith
8 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22825491
You will have issues when you change schema, or any other information in the domain, because all your primary roles will be at the separate site.
 
LVL 70

Expert Comment

by:KCTS
ID: 22825508
Why seize the roles? TRANSFER them, it's a much cleaner option.

If you split a domain like this then the DCs will not be able to replicate, and if left in this state for more than the tombstone time (60-120 days by default depending on the version), you would be unable to connect them again.

Providing that both DCs have a global catalog, DNS and Active Directory then all clients could log on. Eventually though you would hit problems: you would be unable to create new objects on the domain, for example, if the RID master was not available, you would be unable to make changes to the infrastructure without the IM Master, etc.
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22825526
You should be able to seize the FSMO roles and continue operating both sites. Basically you would have two separate but contained domains with the same name and information. As long as you had DNS and AD set up and working at both sites you shouldn't have any "issues".

That being said, I wouldn't recommend doing this.
 

Author Comment

by:ma77smith
ID: 22825715
Hi KCTS

I cannot transfer as there will be no connectivity between the locations. My point is once I break the site link and seize the FSMO roles I effectively end up with two identical domains, both with GCs and FSMO roles ...
 
LVL 14

Expert Comment

by:dfxdeimos
ID: 22825724
That is correct. I take it they will not be reconnected?
 

Author Comment

by:ma77smith
ID: 22825745
No, never reconnected. I know it's not going to be best practice - but I cannot see any foreseeable problems with doing this ..
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 22825755
OK - I see you want to create two domains from the one.
In that case yes - what you say will work so long as you end up with the FSMO roles on both domains and assuming that you never want to re-connect the two.
 

Author Closing Comment

by:ma77smith
ID: 31510917
cool, just what I thought - thanks for that