Would you recommend a dedicated DC just for your Master Schema and nothing else?

Posted on 2009-05-06
Last Modified: 2012-05-06
Hi, I am researching and preparing to extend my schema (AD) for Exchange 2007, and I keep seeing where it mentions to take the master schema offline just in case the process blows up, and that would prevent it from replicating to the other DCs on the domain, which would preserve my AD.

So, how many recommend that I have a dedicated DC to be my master schema, running nothing else of significance? Right now, my Master Schema is a Windows Server 2003 Standard Edition x32 which also runs my student email server. So, if I were to do what is recommended I would bring down my student email server, not to mention that if it did blow up during the extending process, I would have to keep it offline until I could either fix it or rebuild it...meaning no email for students.

Just was wondering what other AD Admins do.

Thanks for your time.

Bob
Question by: rsnellman

2 Comments
Accepted Solution by tigermatt (ID: 24320226)

The Schema Master FSMO role is seldom used - in fact, it is only usually used when upgrading the schema to support new applications such as a new Operating System as a DC or Exchange. This happens perhaps once a year at most, if that.

As such, the investment in licensing for a dedicated machine simply to run the Schema Master role, as well as the rack space and energy required to run it, would vastly outweigh the benefits.

What we do is consolidate all FSMO roles onto one server. This doesn't cause a problem with the Infrastructure Master/Global Catalog in a multiple-domain forest, because we make all DCs GCs, per best practices. When we are running any sort of schema upgrade, we stop outbound replication first, so the changes are not replicated to other DCs.

Once you are sure the changes have taken effect and are successful, you can then re-enable replication to replicate the changes around the network. If there was a serious issue which seriously screwed up the schema (you would know; AD would not function properly on that DC), you could blow the DC away, seize the FSMO roles, run a metadata cleanup, then rebuild and try again.

See http://support.microsoft.com/kb/321153 for details on controlling outbound replication.

-Matt
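The fence-then-extend procedure Matt describes, as an added example that is not code from the thread: find the Schema Master, disable its outbound replication, refuse to proceed unless the flag really took, record the schema version, and lift the fence only after the extension has visibly bumped it. The script assumes repadmin.exe is available (Support Tools on Windows Server 2003, in-box on 2008 and later), that it runs as a member of Schema Admins and Enterprise Admins, and that the Exchange extension itself (setup.com /PrepareSchema, path not shown) is run at the marked step; the function names are my own.

```powershell
# Added example, not code from the thread. Fence the Schema Master's outbound
# replication around a schema extension (KB 321153), with checks at each step.
# Assumes: repadmin.exe on the path, Schema Admins + Enterprise Admins rights,
# and the extension itself run at step 3. Uses plain ADSI so it needs no
# ActiveDirectory module (which did not exist on Server 2003).

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value

# fSMORoleOwner on the schema head is the DN of the role holder's NTDS Settings
# object; its parent is the server object, which carries dNSHostName.
$schemaHead   = [ADSI]"LDAP://$schemaNc"
$ntdsDn       = [string]$schemaHead.fSMORoleOwner.Value
$serverDn     = $ntdsDn -replace '^CN=NTDS Settings,', ''
$schemaMaster = [string]([ADSI]"LDAP://$serverDn").dNSHostName.Value
Write-Host "Schema Master is $schemaMaster"

function Get-SchemaVersion {
    # objectVersion on CN=Schema increases with every schema extension; read it
    # from the Schema Master itself, since that is the only DC that changes.
    $head = [ADSI]"LDAP://$schemaMaster/$schemaNc"
    return [int]$head.objectVersion.Value
}

function Test-OutboundReplDisabled {
    # repadmin prints "Current DSA Options: ..." listing the active flags.
    $out = repadmin /options $schemaMaster
    return (($out -join "`n") -match 'DISABLE_OUTBOUND_REPL')
}

$before = Get-SchemaVersion
Write-Host "Schema objectVersion before extension: $before"

# 1. Fence: the Schema Master stops pushing changes to its partners. Inbound
#    replication is untouched, so it keeps receiving normal directory updates.
repadmin /options $schemaMaster '+DISABLE_OUTBOUND_REPL'

# 2. Do not touch the schema unless the fence is verifiably in place.
if (-not (Test-OutboundReplDisabled)) {
    throw "Outbound replication is still enabled on $schemaMaster; not extending the schema."
}

# 3. Run the extension here, on the Schema Master (for Exchange 2007:
#    setup.com /PrepareSchema from the installation media). Everything below
#    assumes that step has finished.

$after = Get-SchemaVersion
if ($after -le $before) {
    # Leave the fence up: nothing replicates out of this DC until you know why.
    Write-Warning "objectVersion did not increase ($before -> $after). Investigate, or rebuild this DC and seize the roles, before re-enabling outbound replication."
}
else {
    Write-Host "Schema extended: objectVersion $before -> $after"
    # 4. Lift the fence and push the new schema to the other DCs now, rather
    #    than waiting for the next scheduled replication cycle.
    repadmin /options $schemaMaster '-DISABLE_OUTBOUND_REPL'
    repadmin /syncall $schemaMaster $schemaNc /e /P
    if (Test-OutboundReplDisabled) {
        Write-Warning "Fence is still set on $schemaMaster; clear it by hand with repadmin /options."
    }
}
```

The fence only protects the other DCs; it does nothing for the Schema Master itself. If the extension leaves that DC with a broken schema, the recovery is the one Matt outlines (seize the roles elsewhere with ntdsutil, clean up the metadata, rebuild), and while that runs anything else hosted on the box, such as the student mail server in the question, is down with it.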
Assisted Solution by LauraEHunterMVP (ID: 24320233)

As a rule, domain controllers should be dedicated hardware - you do not need a separate dedicated DC for each FSMO, but I do not advocate running line of business applications, databases, web servers, email servers, or anything else, on my domain controllers. Better for your security posture, better for maintenance and troubleshooting of your domain controllers.
