  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 549

Consolidating all FSMO Roles onto one DC in a single-domain forest

Hi All,

My current AD forest consists of a single domain, DOMAIN.COM, and the functionality is still Windows 2000 Native because our file server is still on Samba 2.2.8

and the DC configuration is like this:

Server A - 1st DNS + DC Global Catalog (Schema Master role)
Server B - Exc.Srv07 + DC Global Catalog (PDC,RID,Infra. Master, Domain Naming master)

Would it be better if I put my Schema Master role onto Server B for ease of backup, and if Server A restarts, Server B can still send and receive email?

I need your advice and suggestions, guys. What should I do about it?

Thanks.

0
Asked by: jjoz
3 Solutions
 
tigermatt Commented:

The Schema Master role is only used when changes to the schema are actually taking place. As such, most of the time, the Schema Master role on Server A will be doing nothing, so it doesn't matter too much where you place it. Server A, however, will still be acting as a standard DC/GC and can authenticate users if Server B is taken down.

You would gain no benefit from transferring the Schema Master role to the other server. I would transfer it simply because Microsoft say it is best practice to locate all FSMO roles in a single-domain forest on the same server, but you don't have to. You'd be much better checking Server B is a DNS Server and is configured as an Additional DNS Server on servers and workstations.

Rebooting Server A will not have any detrimental effect on Exchange as that will use only Server B for Active Directory queries.

-Matt
0
 
Chris Dent (PowerShell Developer) Commented:

The Schema Master role is not a role you will need on-line 100% of the time to run an operational domain. It certainly will not affect mail delivery.

Is Server B also a DNS server?

Moving the Schema Master onto the Exchange Server will not make your life any easier (or harder).

Even if you lost the Schema Master in a Forest, the role can be seized from another DC. Ideally you should back up Server A as well, as it is much easier to recover if you happen to need to restore deleted objects in the directory.

Chris
0
 
Chris Dent (PowerShell Developer) Commented:

Damn Matt, I thought I was the only one that posted this early on a Sunday morning :)

Chris
0
 
tigermatt Commented:

*smile* You're not alone :)

-Matt
0
 
jjoz (Author) Commented:
Matt,

Thanks for your response during the weekend ;-)
It is really helpful for me in doing all of these tasks at the moment.

Yes, this is the "part II" question from my other thread that you replied to today.

At the moment, Server B is already acting as the Secondary DNS Server in my domain, and I'm wondering if I could fit all of the FSMO roles onto a single box to simplify the backup.

Initially, my plan was just to reinstall the CAS Server role, but then I found out that my FSMO roles are spread across 2 servers. Now I am also planning to reinstall Server A as well, since it's been running slow with too much software installed.

In this case I shall then do these steps:

0. Back up Server A and B in full (store it somewhere safe)
1. Transfer Schema Master role to Server B
2. Restart and check the email flow
3. Uninstall CAS-Role, then restart.
4. Install CAS-Role and restart.
5. Take a final full backup again of both Server A and B

Prepare another thread for Server A decommissioning and reinstallation :-)
0
 
jjoz (Author) Commented:
Wow,

Chris, thanks for replying to my thread again on Sunday night (Australian time) :-)

"Is Server B also a DNS server?"

The answer is YES.
0
 
tigermatt Commented:

If you will be reinstalling Server A then you need to transfer the Schema Master role off of it, demote it gracefully (using dcpromo), then rebuild it and repromote it.

You would have no problem in placing the Schema Master role onto Server B. As both Chris and myself have said above, it is seldom used and would therefore sit on any DC and not have any form of performance hit.

You should configure your DNS zones to be Active Directory-integrated, so they replicate around all DCs automatically: http://technet.microsoft.com/en-us/library/cc978010.aspx

-Matt
0
 
jjoz (Author) Commented:
Matt,

Regarding "You should configure your DNS zones to be Active Directory-integrated":
Yes, it was already done initially, as Chris-Dent guided me last year.

Wow, using this forum feels like having a chat directly with experts, even during the weekend ;-)

Have a great day, Chris and Matt!
I'll be singing alone in the server room and hope that all is good during those defined steps.

Cheers.
0
 
Chris Dent (PowerShell Developer) Commented:

Curious, but... What went / is going wrong with the CAS / Autodiscovery that requires re-installation there?

I would also suggest you run DCDiag and NetDiag prior to running DCPromo to demote the first DC. It's worth making sure that everything is working without trouble prior to changing things :)

Chris
0
 
jjoz (Author) Commented:
It is simply because the Autodiscover service failed on my CAS; as a consequence, these services are no longer available since last year in Exchange Server 2007:

1. Offline Address Book.
2. Out of Office Message.
3. Free/Busy status in shared calendar.

================================================================================
NETDIAG
================================================================================
.....................................
 
    Computer Name: SERVER-B
    DNS Host Name: SERVER-B.domain.com
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : EM64T Family 6 Model 23 Stepping 6, GenuineIntel
    List of installed hotfixes : 
 
 
Netcard queries test . . . . . . . : Passed
 
 
 
Per interface results:
 
    Adapter : Gigabit LAN Port #1
 
        Netcard queries test . . . : Passed
 
        Host Name. . . . . . . . . : SERVER-B
        IP Address . . . . . . . . : SERVER-B IP Address
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 149.135.204.1
        Primary WINS Server. . . . : 149.135.204.34
        Dns Servers. . . . . . . . : SERVER-A IP Address
                                     SERVER-B IP Address
 
 
        AutoConfiguration results. . . . . . : Passed
 
        Default gateway test . . . : Passed
 
        NetBT name test. . . . . . : Passed
 
        WINS service test. . . . . : Failed
            The test failed.  We were unable to query the WINS servers.
 
 
Global results:
 
 
Domain membership test . . . . . . : Passed
 
 
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{9D2B325F-DA1B-43CF-BFF5-27F0DE7A84CA}
    1 NetBt transport currently configured.
 
 
Autonet address test . . . . . . . : Passed
 
 
IP loopback ping test. . . . . . . : Passed
 
 
Default gateway test . . . . . . . : Passed
 
 
NetBT name test. . . . . . . . . . : Passed
 
 
Winsock test . . . . . . . . . . . : Passed
 
 
DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server 'SERVER-A IP Address' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server 'SERVER-B IP Address' and other DCs also have some of the names registered.
 
 
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{9D2B325F-DA1B-43CF-BFF5-27F0DE7A84CA}
    The redir is bound to 1 NetBt transport.
 
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{9D2B325F-DA1B-43CF-BFF5-27F0DE7A84CA}
    The browser is bound to 1 NetBt transport.
 
 
DC discovery test. . . . . . . . . : Passed
 
 
DC list test . . . . . . . . . . . : Passed
 
 
Trust relationship test. . . . . . : Skipped
 
 
Kerberos test. . . . . . . . . . . : Passed
 
 
LDAP test. . . . . . . . . . . . . : Passed
 
 
Bindings test. . . . . . . . . . . : Passed
 
 
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
 
 
Modem diagnostics test . . . . . . : Failed
    [FATAL] Cannot initialize TAPI. Failed with error(0x80000048).
 
IP Security test . . . . . . . . . : Skipped
 
    Note: run "netsh ipsec dynamic show /?" for more detailed information
 
 
The command completed successfully
 
================================================================================
DCDIAG
================================================================================
Domain Controller Diagnosis
 
Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER-B
      Starting test: Connectivity
         ......................... SERVER-B passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER-B
      Starting test: Replications
         ......................... SERVER-B passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER-B passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER-B passed test NetLogons
      Starting test: Advertising
         ......................... SERVER-B passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-B passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER-B passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER-B passed test MachineAccount
      Starting test: Services
         ......................... SERVER-B passed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER-B passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SERVER-B passed test frssysvol
      Starting test: frsevent
         ......................... SERVER-B passed test frsevent
      Starting test: kccevent
         ......................... SERVER-B passed test kccevent
      Starting test: systemlog
         ......................... SERVER-B passed test systemlog
      Starting test: VerifyReferences
         ......................... SERVER-B passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : DOMAIN
      Starting test: CrossRefValidation
         ......................... DOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck


0
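
One way to turn the DCDiag/NetDiag check suggested earlier in the thread into a pass/fail gate before running dcpromo, as an added example that is not part of the original thread. It parses output in the format posted above; the function names, the `accepted` parameter and the sample text (including the failing FsmoCheck line) are constructed for illustration.

```python
import re

# netdiag result line: "WINS service test. . . . . : Failed"
NETDIAG_RE = re.compile(
    r"^\s*(?P<test>[A-Za-z][^:]*?)[ .]*:\s*(?P<status>Passed|Failed|Skipped)\s*$")
# dcdiag result line: "......................... SERVER-B passed test Connectivity"
DCDIAG_RE = re.compile(
    r"^\s*\.{3,}\s*(?P<target>\S+)\s+(?P<status>passed|failed)\s+test\s+(?P<test>\S+)\s*$")


def parse_results(text):
    """Return (tool, target, test, status) tuples; status is lower-cased."""
    results = []
    for line in text.splitlines():
        m = DCDIAG_RE.match(line)
        if m:
            results.append(("dcdiag", m["target"], m["test"], m["status"]))
            continue
        m = NETDIAG_RE.match(line)
        if m:
            # netdiag reports per host, so there is no per-line target
            results.append(("netdiag", "-", m["test"], m["status"].lower()))
    return results


def blocking_failures(results, accepted=frozenset()):
    """Failed tests that the operator has not explicitly accepted by name."""
    return [r for r in results if r[3] == "failed" and r[2] not in accepted]


# Constructed sample in the format of the output above; the FsmoCheck
# failure is invented here to show what a blocking result looks like.
SAMPLE = """\
        WINS service test. . . . . : Failed
            The test failed.  We were unable to query the WINS servers.
Kerberos test. . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Modem diagnostics test . . . . . . : Failed
      Starting test: Replications
         ......................... SERVER-B passed test Replications
      Starting test: FsmoCheck
         ......................... domain.com failed test FsmoCheck
"""

if __name__ == "__main__":
    # Which failures are acceptable is the operator's decision (assumption here).
    for tool, target, test, status in blocking_failures(
            parse_results(SAMPLE), accepted={"Modem diagnostics test"}):
        print(f"BLOCK {tool} {target}: {test} {status}")
```
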
 
tigermatt Commented:

How did Autodiscover fail?

-Matt
0
 
jjoz (Author) Commented:
Matt,
It was simply that the changes made in .NET FX 3.5 SP1 affect the way Outlook communicates with Exchange 2007.
0
 
tigermatt Commented:

Before taking drastic steps to reinstall the CAS role, I'd probably simply try reinstalling the latest Service Pack which was applied to the server. Also attempt to reconfigure the auto-discover virtual directory via Exchange Management Console.

-Matt
0
 
jjoz (Author) Commented:
Yes, I've tried that before and I couldn't find which one actually broke Exchange.
However, here's the plan for backing up my Server B using BESRO:

1. Make sure to shut down all MS Exchange services and to shut down the NETLOGON service.

2. As soon as BESR is completed, turn the services back on.
So that is the last resort that I know of.
0
 
tigermatt Commented:

Sounds good to me.
0
 
jjoz (Author) Commented:
Thanks for your help and very fast response, Chris and Matt!
0
