Solved

Would you recommend a dedicated DC just for your Master Schema and nothing else?

Posted on 2009-05-06
2
333 Views
Last Modified: 2012-05-06
Hi, I am researching and preparing to extend my schema (AD) for Exchange 2007 and I keep seeing where it mentions to take the master schema offline just in case the process blows up and that would prevent it from replicating to the other DCs on the domain, which would preserve my AD.

So, how many recommend that I have a dedicated DC to be my master schema and running nothing else of significance? Right now, my Master Schema is a Windows Server 2003 - Standard Edition x32 which also runs my student email server. So, if I was to do what is recommended I would bring down my student email server and not to mention if it did blow up during the extending process, I would have to keep it offline until I could either fix it or rebuild it... meaning no email for students.

Just was wondering what other AD Admins do.

Thanks for your time.

Bob
Question by:rsnellman
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24320226

The Schema Master FSMO role is seldom used - in fact, it is only usually used when upgrading the schema to support new applications such as a new Operating System as a DC or Exchange. This happens perhaps once a year at most, if that.

As such, the investment in licensing for a dedicated machine simply to run the Schema Master role, as well as the rack space and energy required to run it, would vastly outweigh the benefits.

What we do is consolidate all FSMO roles onto one server. This doesn't cause a problem with the Infrastructure Master/Global Catalog in a multiple-domain forest, because we make all DCs GCs, per best practices. When we are running any sort of schema upgrade, we stop outbound replication first, so the changes are not replicated to other DCs.

Once you are sure the changes have taken effect and are successful you can then re-enable replication to replicate the changes around the network. If there was a serious issue which seriously screwed up the schema (you would know; AD would not function properly on that DC) you could blow the DC away, seize the FSMO roles, run a metadata cleanup, then rebuild and try again.

See http://support.microsoft.com/kb/321153 for details on controlling outbound replication.

-Matt
0
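The procedure Matt describes (hold the Schema Master's changes back, extend, verify, then release them), written out as an added example; this is not from the thread or from Microsoft. It assumes `$SchemaMaster` and `$ExchangeSetup` are placeholders for your Schema Master's name and the path to the Exchange 2007 `setup.com`, and that you run it from an account in Schema Admins and Enterprise Admins.

```powershell
# Added example, not from the thread. Placeholders: adjust both values.
$SchemaMaster  = 'DC01'          # placeholder: the DC holding the Schema Master FSMO role
$ExchangeSetup = 'D:\setup.com'  # placeholder: Exchange 2007 installation media

# 1. Confirm which DC actually holds the Schema Master role before touching anything.
netdom query fsmo

# 2. Stop outbound replication on that DC (the KB 321153 method). Inbound replication
#    stays on, so the DC keeps receiving normal changes; only its own changes are held.
repadmin /options $SchemaMaster +DISABLE_OUTBOUND_REPL
repadmin /options $SchemaMaster            # output should now list DISABLE_OUTBOUND_REPL

# 3. Extend the schema. Schema writes only succeed on the Schema Master, so with
#    outbound replication off the new attributes cannot leave this DC yet.
& $ExchangeSetup /PrepareSchema

# 4. Verify on the Schema Master itself before releasing anything. Two indicators:
#    the schema container's objectVersion, and rangeUpper on the Exchange marker
#    attribute ms-Exch-Schema-Version-Pt (compare it with the value Microsoft
#    documents for your Exchange 2007 build). Also review the Directory Service
#    event log on $SchemaMaster for schema errors.
$schemaNc = ([ADSI]"LDAP://$SchemaMaster/RootDSE").schemaNamingContext
([ADSI]"LDAP://$SchemaMaster/$schemaNc").objectVersion
([ADSI]"LDAP://$SchemaMaster/CN=ms-Exch-Schema-Version-Pt,$schemaNc").rangeUpper

# 5. Only once satisfied, re-enable outbound replication and push the changes out.
#    If step 3 or 4 failed, leave outbound replication OFF: the bad schema is
#    confined to this DC, which is exactly the protection Matt describes.
repadmin /options $SchemaMaster -DISABLE_OUTBOUND_REPL
repadmin /syncall $SchemaMaster /A /e /P   # optional: replicate all partitions to all partners now
```

If the DC has to be rebuilt instead, the roles it held are seized from another DC with `ntdsutil` and the old DC's references are removed with a metadata cleanup, as in the accepted answer; do that before re-promoting.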
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 250 total points
ID: 24320233
As a rule, domain controllers should be dedicated hardware - you do not need a separate dedicated DC for each FSMO, but I do not advocate running line of business applications, databases, web servers, email servers, or anything else, on my domain controllers. Better for your security posture, better for maintenance and troubleshooting of your domain controllers.
0
