?
Solved

how long a dc can stay without seeing the FSMO role dc's

Posted on 2009-04-03
6
Medium Priority
?
794 Views
Last Modified: 2012-05-06
As a part of our DRBC exercise we want to isolate a site from another which contains all the FSMO role Domain Controllers.  How long a DC can stay without seeing its FSMO role domain controllers ?
0
Comment
Question by:nmu-admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057680
The main roles to worry about are the RID and and PDC the rid pool is what assigns new Relative IDs to new objects in AD and they are dished out in blocks of 500. So once you've created 500 object in your AD with no RID master, you cant create any more. If your AD rarely changes  then this could ba a long time.
As for the PDCe, this role get involved for all sorts of things such as Password lockouts/resets time sync etc - not very long at all.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24057681
Without access to the FSMO roles, you won't be able to modify group membership or change passwords, create users or computer accounts etc.  
0
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057685
Also in any case not more than 60 days or it gets tombstoned.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:nmu-admin
ID: 24057710
I actually want to know how long a normal domain controller can be isolated from the domain controllers which has its FSMO roles ?
0
 
LVL 8

Accepted Solution

by:
Share-IT earned 1500 total points
ID: 24057720
If it has no FSMO roles then no more than 60 days or it will be tombstoned and therefor effectively evicted from AD
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24057761
It depends...
Providing that the other DC has a global catalog and can resolve DNS it can remain isolated for some time. Problems will only arise if you try to change the schema, change trusts, create new domains and new objects since the relevant FSMO role holders will not be available (that said the RID master normally issues RIDs in blocks to DCs, so you can normally create a few new objects such as users, before it runs out and needs to contact the RID master again).

Obviously any chnages made will not be able ro replicate id the DC is isolated.

As has alreasy been said, the DC must not be left isolated for longer than the tombstone preiod - otherwise you are into serious issues - the actual length of the tombstone period varies according to the OS and service pack - You can change/check it - see http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month11 days, 12 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question