Tyson0317 asked:

Does SBS play nice with other domain controllers?

Hi Guys,

I have been reading some conflicting information regarding the limitations placed on SBS 2003 and 2008 by MSFT. We are planning a 2-server environment for our 35 users with plans to take it to as many as 50. Obviously, there is quite a price jump, not with just Windows OS, but also 3rd party software like Backup Exec - buying for SBS is MUCH cheaper! I would like some feedback and write-ups from you guys pertaining to a multi-server environment where both servers are AD controllers and one of them is an SBS box.

I have read and heard that although SBS will allow another server as a domain controller, it does not play well and starts fighting for control. I would like to know if there is any truth to this.

We currently have SBS 2003 running on our domain and our 2003 Std server is joined like a workstation (member-server) and does not hold the domain info. Problem is, when the SBS box goes down (and man, those damn things take FOR EVER to reboot), nobody is able to authenticate to the domain - Quickbooks flips out and various other softwares that we have don't like it. I want our new server config to be resilient - in the event that the Exchange box is booted, everything else should continue to work normally; likewise if the Exchange server tanks, I need to have our users be able to log on and perform other work. Each hour of downtime costs our company over $2000 and I need to limit our exposure as much as possible.
Tags: SBS, Windows Server 2008, Windows Server 2003

Last Comment
Lee W, MVP

8/22/2022 - Mon
Lee W, MVP

First, SBS can have as many servers and domain controllers as you want.  The restriction is that there can only be ONE SBS Server... NON-SBS servers are fine - as Domain controllers or standard servers.  This is because the SBS server MUST be the FSMO master DC - it must contain all 5 FSMO roles.  So you can have other DCs so long as you DO NOT attempt to transfer the FSMO roles off the SBS Server.

As for redundancy, if each hour of downtime is costing your company $2000 then you REALLY should look into server mirroring products such as NeverFail or DoubleTake - they are expensive... but two hours of downtime should pay for them.
Tyson0317

ASKER
Lee (or others), can you explain or post up a write-up explaining better what the FSMO roles are and how our network will be affected if they are not present for a period of time? What happens when we retire our SBS box, can the roles be moved as part of removing the SBS machine from the domain?
Tyson0317

ASKER
OK, I just partly answered my own question when I found the article at http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm  - it does a good job of explaining FSMO - pretty much the PDC role in NT infrastructure (for those of you as old as I am).

Now the question remains, can this PDC role be transferred to another server? In NT4 you were able to promote any BDC or a PDC with relative ease. Assuming our SBS box takes a bullet and is completely, will our 2003/2008STD be able to fully take over the domain?

Also, assuming the above bullet-taking scenario - will the 2003/2008Std box give up its FSMO roles to a newly re-introduced SBS box?
Lee W, MVP

As for retiring the SBS box - you should migrate either to a new SBS server or to the Essential Business Server (EBS) which is capable of handling a larger number of users (250-300).  I recommend this because, unless you purchase the transition pack (see below), migrating away from SBS will almost always cost you FAR more money since the CALs are non-transferable (except via transition pack) and you lose some features as well - Remote Web Workplace, the wizards, and the SBS Reporting system are NOT AVAILABLE on standard versions of the products.  There are other things that can be purchased and generally substitute for them, but they will definitely cost you more.

With SBS, if you attempt to move the FSMO roles off the server, the server will determine that you are violating licensing and restart every hour.  When replacing an SBS server you have 1-3 weeks grace period where the server need not be the FSMO master and will not automatically reboot itself periodically.  It varies depending on the patches you have installed.

You can also purchase the transition pack which "evens out" (roughly) the cost of SBS with what you would have paid had you purchased non-SBS versions of the SBS included software.  The Transition pack removes the restrictions that are otherwise applicable to SBS.  (max 75 users, must hold FSMO roles, no trusts, and I think I'm forgetting one, but I know the vast majority of small businesses are not impacted by these restrictions UNLESS they are actively trying to violate licensing or implement a network that frankly would be overly complex for them)
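Added example (not part of the original thread or any poster's own code): a PowerShell check for the rule described in the answers above, that the SBS server must hold all five FSMO roles and that moving them off it triggers the restart behaviour. It parses the text printed by `netdom query fsmo`; the host names, the function name `Test-FsmoHolder`, and the exact role labels (as printed by Server 2008-era netdom) are assumptions.

```powershell
# Added example: confirm that one server holds all five FSMO roles.
# Test-FsmoHolder, the host names and the sample output are constructed for
# illustration; role labels assume the Server 2008-era "netdom query fsmo" text.

function Test-FsmoHolder {
    param(
        [string]$ExpectedHolder,     # FQDN of the SBS server (assumed name)
        [string[]]$NetdomOutput      # lines printed by "netdom query fsmo"
    )

    $roles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'
    $report = @()

    foreach ($role in $roles) {
        # Each line is "<role label><spaces><holder FQDN>"
        $pattern = '^\s*' + [regex]::Escape($role) + '\s+(\S+)\s*$'
        $holder = $null
        foreach ($line in $NetdomOutput) {
            if ($line -match $pattern) { $holder = $Matches[1]; break }
        }
        $onExpected = ($holder -ne $null) -and ($holder -ieq $ExpectedHolder)

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Role $role
        $row | Add-Member NoteProperty Holder $holder
        $row | Add-Member NoteProperty OnExpected $onExpected
        $report += $row
    }
    return $report
}

# Constructed sample (not captured from a real domain): the PDC role has been
# moved to a second DC, which is the condition SBS does not tolerate.
$sample = @(
    'Schema master               sbs01.example.local',
    'Domain naming master        sbs01.example.local',
    'PDC                         dc02.example.local',
    'RID pool manager            sbs01.example.local',
    'Infrastructure master       sbs01.example.local',
    'The command completed successfully.'
)

# On a live domain controller, pass (netdom query fsmo) instead of $sample.
$result = Test-FsmoHolder -ExpectedHolder 'sbs01.example.local' -NetdomOutput $sample
$result | Format-Table -AutoSize

$misplaced = @($result | Where-Object { -not $_.OnExpected })
if ($misplaced.Count -gt 0) {
    Write-Warning ("{0} FSMO role(s) are missing or not on the expected server." -f $misplaced.Count)
}
```

With the sample above, the PDC row is reported as not on the expected server; a role whose line is absent from the output is reported with an empty holder.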
Lee W, MVP

Next, you need to understand that there is no such thing as a BDC and no real PDC either.  Many people like to call the FSMO master server the PDC, but strictly speaking, that's WRONG.  In the PDC/BDC model of NT4, PDCs were the ONLY writable domain controller on the network.  The BDCs were READ-ONLY COPIES of the PDC.  Certain mechanisms were put in place so that the BDCs would check with the PDCs if a password didn't match, but, for example, you could not change a user's password if the PDC was down.  That is not the case with Active Directory.  If you read Petri's article, you probably have some understanding that, among other things, the FSMO Roles essentially dole out "blocks" of IDs and other information to be used by other DCs.  Each DC can accept and apply changes to users and accounts - they are timestamped and the newest change wins, if I remember correctly.

Do you still have questions about transferring the FSMO roles in the event of an outage?  And again, given your potential hourly losses, I would STRONGLY recommend you look into using DoubleTake or Neverfail on your network instead of merely having a second DC.