Solved

how long a dc can stay without seeing the FSMO role dc's

Posted on 2009-04-03
6
779 Views
Last Modified: 2012-05-06
As a part of our DRBC exercise we want to isolate a site from another which contains all the FSMO role Domain Controllers.  How long a DC can stay without seeing its FSMO role domain controllers ?
0
Comment
Question by:nmu-admin
6 Comments
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057680
The main roles to worry about are the RID and and PDC the rid pool is what assigns new Relative IDs to new objects in AD and they are dished out in blocks of 500. So once you've created 500 object in your AD with no RID master, you cant create any more. If your AD rarely changes  then this could ba a long time.
As for the PDCe, this role get involved for all sorts of things such as Password lockouts/resets time sync etc - not very long at all.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24057681
Without access to the FSMO roles, you won't be able to modify group membership or change passwords, create users or computer accounts etc.  
0
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057685
Also in any case not more than 60 days or it gets tombstoned.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:nmu-admin
ID: 24057710
I actually want to know how long a normal domain controller can be isolated from the domain controllers which has its FSMO roles ?
0
 
LVL 8

Accepted Solution

by:
Share-IT earned 500 total points
ID: 24057720
If it has no FSMO roles then no more than 60 days or it will be tombstoned and therefor effectively evicted from AD
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24057761
It depends...
Providing that the other DC has a global catalog and can resolve DNS it can remain isolated for some time. Problems will only arise if you try to change the schema, change trusts, create new domains and new objects since the relevant FSMO role holders will not be available (that said the RID master normally issues RIDs in blocks to DCs, so you can normally create a few new objects such as users, before it runs out and needs to contact the RID master again).

Obviously any chnages made will not be able ro replicate id the DC is isolated.

As has alreasy been said, the DC must not be left isolated for longer than the tombstone preiod - otherwise you are into serious issues - the actual length of the tombstone period varies according to the OS and service pack - You can change/check it - see http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now