[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

how long a dc can stay without seeing the FSMO role dc's

Posted on 2009-04-03
6
Medium Priority
?
797 Views
Last Modified: 2012-05-06
As a part of our DRBC exercise we want to isolate a site from another which contains all the FSMO role Domain Controllers.  How long a DC can stay without seeing its FSMO role domain controllers ?
0
Comment
Question by:nmu-admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057680
The main roles to worry about are the RID and and PDC the rid pool is what assigns new Relative IDs to new objects in AD and they are dished out in blocks of 500. So once you've created 500 object in your AD with no RID master, you cant create any more. If your AD rarely changes  then this could ba a long time.
As for the PDCe, this role get involved for all sorts of things such as Password lockouts/resets time sync etc - not very long at all.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24057681
Without access to the FSMO roles, you won't be able to modify group membership or change passwords, create users or computer accounts etc.  
0
 
LVL 8

Expert Comment

by:Share-IT
ID: 24057685
Also in any case not more than 60 days or it gets tombstoned.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:nmu-admin
ID: 24057710
I actually want to know how long a normal domain controller can be isolated from the domain controllers which has its FSMO roles ?
0
 
LVL 8

Accepted Solution

by:
Share-IT earned 1500 total points
ID: 24057720
If it has no FSMO roles then no more than 60 days or it will be tombstoned and therefor effectively evicted from AD
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24057761
It depends...
Providing that the other DC has a global catalog and can resolve DNS it can remain isolated for some time. Problems will only arise if you try to change the schema, change trusts, create new domains and new objects since the relevant FSMO role holders will not be available (that said the RID master normally issues RIDs in blocks to DCs, so you can normally create a few new objects such as users, before it runs out and needs to contact the RID master again).

Obviously any chnages made will not be able ro replicate id the DC is isolated.

As has alreasy been said, the DC must not be left isolated for longer than the tombstone preiod - otherwise you are into serious issues - the actual length of the tombstone period varies according to the OS and service pack - You can change/check it - see http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question