asked on AD FSMO Roles
These questions are related to AD and FSMO roles:
1- If I need to reboot a DC do I need to transfer the roles to another DC or the transfer is automatic when the DC is no longer online? would this have any impact ?
2-Can someone explain to me clearly why Infrastructure role should not be in the same DC that is a Global Catalog? Is this not recommended only when you have more than one domain or even within one domain?
3- How do you seize a role from a DC that has crashed?
4-if the PDC emulator has a wrong time, would other computer be able to logon to the domain?
Thanks
1- If I need to reboot a DC do I need to transfer the roles to another DC or the transfer is automatic when the DC is no longer online? would this have any impact ?
2-Can someone explain to me clearly why Infrastructure role should not be in the same DC that is a Global Catalog? Is this not recommended only when you have more than one domain or even within one domain?
3- How do you seize a role from a DC that has crashed?
4-if the PDC emulator has a wrong time, would other computer be able to logon to the domain?
Thanks
Active Directory
Last Comment
jskfan
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
if a DC has 5 FSMO roles and it happens do die, how would you seize roles from it? would you use a restore from previous backup?
You would seize the roles from it using ntdsutil
http://support.microsoft.c
You would also never bring that server back online.
Thanks
Mike
http://support.microsoft.c
You would also never bring that server back online.
Thanks
Mike
ASKER
when you run ntdsutil, then you are supposed establish connection to a DC that no longer exist(crashed), how does this work to connect to a crashed server and seize its roles?
You don't connect to the failed server. You connect to one of the remaining DCs on which you want to make the changes to Active Directory, and the DC you want to seize the FSMO roles to. These changes will then replicate to other DCs on the domain.
-Matt
ASKER
so in fact it's creating new roles not seizing roles.
Because if the DC that has 5 roles died completely and can't be brought online, then you use Ntdsutil from a working DC to "SEIZE" the roles to another working DC, what you are doing is creating new roles and not "SIEZING" them from the dead DC. Correct?
by the way if you have only 2 DCs and the 5 FSMO role- holder died, can you create "SEIZE" the roles
on the only one working DC?
Because if the DC that has 5 roles died completely and can't be brought online, then you use Ntdsutil from a working DC to "SEIZE" the roles to another working DC, what you are doing is creating new roles and not "SIEZING" them from the dead DC. Correct?
by the way if you have only 2 DCs and the 5 FSMO role- holder died, can you create "SEIZE" the roles
on the only one working DC?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Yes if you have 5 FSMO roles and that box dies then yes you can seize those roles to your working DC
...hopefully that never happens to you.
Thanks
Mike
...hopefully that never happens to you.
Thanks
Mike
ASKER
It still confusing.
it's like:
If A owes money to B and C and A dies how are B and C going to get the money back.
so the 5-FSMO DC holder died , does that mean 5 FSMOs are inside the dead DC?
if so how are you going to get them from the Dead DC?
did you get my point?
it's like:
If A owes money to B and C and A dies how are B and C going to get the money back.
so the 5-FSMO DC holder died , does that mean 5 FSMOs are inside the dead DC?
if so how are you going to get them from the Dead DC?
did you get my point?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I got it now. Thanks
However, if you're formatting and wiping a DC, you MUST transfer the FSMO roles off of it and demote it gracefully using dcpromo prior to formatting.
Placing the Infrastructure Master role on a Global Catalog is not supported, since a GC holds a partial copy of every object in the forest. That server will therefore not act correctly as an Infrastructure Master since no records will be updated by the server. This does not apply in either a single-domain forest, or in an environment where ALL DCs are also Global Catalog servers.
Seizing FSMO roles: http://www.petri.co.il/seizing_fsmo_roles.htm. Also, remember to do a metadata cleanup of a failed DC.
By default, no machine will authenticate with a DC if the time is out by more than 5 - 15 minutes. It is the time difference between the machine being used at login and the authenticating DC which is used to determine whether there is a change.
-Matt