Solved

how long a dc can stay without seeing the FSMO role dc's

Posted on 2009-04-03
6
791 Views
Last Modified: 2012-05-06
As a part of our DRBC exercise we want to isolate a site from another which contains all the FSMO role Domain Controllers.  How long a DC can stay without seeing its FSMO role domain controllers ?
0
Comment
Question by:nmu-admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057680
The main roles to worry about are the RID and and PDC the rid pool is what assigns new Relative IDs to new objects in AD and they are dished out in blocks of 500. So once you've created 500 object in your AD with no RID master, you cant create any more. If your AD rarely changes  then this could ba a long time.
As for the PDCe, this role get involved for all sorts of things such as Password lockouts/resets time sync etc - not very long at all.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24057681
Without access to the FSMO roles, you won't be able to modify group membership or change passwords, create users or computer accounts etc.  
0
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057685
Also in any case not more than 60 days or it gets tombstoned.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:nmu-admin
ID: 24057710
I actually want to know how long a normal domain controller can be isolated from the domain controllers which has its FSMO roles ?
0
 
LVL 8

Accepted Solution

by:
Share-IT earned 500 total points
ID: 24057720
If it has no FSMO roles then no more than 60 days or it will be tombstoned and therefor effectively evicted from AD
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24057761
It depends...
Providing that the other DC has a global catalog and can resolve DNS it can remain isolated for some time. Problems will only arise if you try to change the schema, change trusts, create new domains and new objects since the relevant FSMO role holders will not be available (that said the RID master normally issues RIDs in blocks to DCs, so you can normally create a few new objects such as users, before it runs out and needs to contact the RID master again).

Obviously any chnages made will not be able ro replicate id the DC is isolated.

As has alreasy been said, the DC must not be left isolated for longer than the tombstone preiod - otherwise you are into serious issues - the actual length of the tombstone period varies according to the OS and service pack - You can change/check it - see http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question