Solved

How long can a DC stay without seeing the FSMO role DCs?

Posted on 2009-04-03
6
788 Views
Last Modified: 2012-05-06
As a part of our DRBC exercise we want to isolate a site from another which contains all the FSMO role Domain Controllers. How long can a DC stay without seeing its FSMO role domain controllers?
0
Question by:nmu-admin
6 Comments
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057680
The main roles to worry about are the RID and PDC. The RID pool is what assigns new Relative IDs to new objects in AD, and they are dished out in blocks of 500. So once you've created 500 objects in your AD with no RID master, you can't create any more. If your AD rarely changes then this could be a long time.
As for the PDCe, this role gets involved for all sorts of things such as password lockouts/resets, time sync etc. - not very long at all.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24057681
Without access to the FSMO roles, you won't be able to modify group membership or change passwords, create users or computer accounts etc.
0
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057685
Also in any case not more than 60 days or it gets tombstoned.
0
 

Author Comment

by:nmu-admin
ID: 24057710
I actually want to know how long a normal domain controller can be isolated from the domain controllers which hold its FSMO roles?
0
 
LVL 8

Accepted Solution

by: Share-IT (earned 500 total points)
ID: 24057720
If it has no FSMO roles then no more than 60 days or it will be tombstoned and therefore effectively evicted from AD.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24057761
It depends...
Providing that the other DC has a global catalog and can resolve DNS it can remain isolated for some time. Problems will only arise if you try to change the schema, change trusts, create new domains and new objects since the relevant FSMO role holders will not be available (that said, the RID master normally issues RIDs in blocks to DCs, so you can normally create a few new objects such as users before it runs out and needs to contact the RID master again).

Obviously any changes made will not be able to replicate if the DC is isolated.

As has already been said, the DC must not be left isolated for longer than the tombstone period - otherwise you are into serious issues - the actual length of the tombstone period varies according to the OS and service pack - you can change/check it - see http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
0
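A script to gather the numbers the answers above turn on (who holds each FSMO role, the forest's effective tombstone lifetime, and how long the DC being isolated has gone without a successful inbound replication), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later for Get-ADReplicationPartnerMetadata) and a DC name supplied by the caller.

```powershell
# Added example: report the facts needed before isolating a DC for a DR exercise.
Import-Module ActiveDirectory

function Get-DcIsolationReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$IsolatedDc   # hostname of the DC that will be cut off from the FSMO holders
    )

    # Tombstone lifetime lives on the Directory Service object in the configuration partition.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # If the attribute has never been set, AD uses the default of 60 days.
    $tombstoneDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

    # FSMO role holders: two forest-wide roles, three domain-wide roles.
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Oldest successful inbound replication on the DC to be isolated; the isolation clock
    # effectively starts from the last time it replicated with the rest of the forest.
    $partners = Get-ADReplicationPartnerMetadata -Target $IsolatedDc -PartnerType Inbound
    $oldestSuccess = ($partners | Measure-Object -Property LastReplicationSuccess -Minimum).Minimum
    $daysSinceSync = [math]::Floor(((Get-Date) - $oldestSuccess).TotalDays)

    [pscustomobject]@{
        IsolatedDc             = $IsolatedDc
        TombstoneLifetimeDays  = $tombstoneDays
        DaysSinceLastInboundReplication = $daysSinceSync
        DaysUntilTombstoneLimit = $tombstoneDays - $daysSinceSync
        SchemaMaster           = $forest.SchemaMaster
        DomainNamingMaster     = $forest.DomainNamingMaster
        PDCEmulator            = $domain.PDCEmulator
        RIDMaster              = $domain.RIDMaster
        InfrastructureMaster   = $domain.InfrastructureMaster
        # True if the DC being isolated is itself a role holder, which changes the risk picture.
        IsolatedDcHoldsRole    = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                                   $domain.PDCEmulator, $domain.RIDMaster,
                                   $domain.InfrastructureMaster) -contains "$IsolatedDc.$($domain.DNSRoot)"
    }
}

# Usage (hypothetical DC name): Get-DcIsolationReport -IsolatedDc 'DC-SITE2' | Format-List
```

Run it again after reconnecting the site: DaysUntilTombstoneLimit dropping toward zero is the signal that the DC must be brought back in (or demoted and rebuilt) rather than reconnected.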
