Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

Would you recommend a dedicated DC just for your Master Schema and nothing else?

Hi, I am researching and preparing to extend my schema(AD) for Exchange 2007 and I keep seeing where it mentions to take the master schema offline just in case the process blows up and that would prevent it from replicating to the other DC's on the domain, which would preserve my AD.

So, how many recommend that I have a dedicated DC to be my master schema and running nothing else of signaficance?  Right now, my Master Schema is a Windows Server 2003 - Standard Edition x32 which also runs my student email server.  So, if I was to do what is recommended I would bring down my student email server and not to mention if it did blow up during the extending process, I would have to keep it offline until I could either fix it or rebuild it...meaning no email for students.

Just was wondering what other AD Admins do.

Thanks for your time.

Bob
0
rsnellman
Asked:
rsnellman
2 Solutions
 
tigermattCommented:

The Schema Master FSMO role is seldom used - in fact, it is only usually used when upgrading the schema to support new applications such as a new Operating System as a DC or Exchange. This happens perhaps once a year at most, if that.

As such, the investment in licensing for a dedicated machine simply to run the Schema Master role, as well as the rack space and energy required to run it, would vastly outweigh the benefits.

What we do is consolidate all FSMO roles onto one server. This doesn't cause a problem with the Infrastructure Master/Global Catalog in a multiple-domain forest, because we make all DCs GCs, per best practices. When we are running any sort of schema upgrade, we stop outbound replication first, so the changes are not replicated to other DCs.

Once you are sure the changes have taken effect and are successful you can then re-enable replication to replicate the changes around the network. If there was a serious issue which seriously screwed up the schema (you would know; AD would not function properly on that DC) you could blow the DC away, seize the FSMO roles, run a metadata cleanup, then rebuild and try again.

See http://support.microsoft.com/kb/321153 for details on controlling outbound replication.

-Matt
0
 
LauraEHunterMVPCommented:
As a rule, domain controllers should be dedicated hardware - you do not need a separate dedicated DC for each FSMO, but I do not advocate running line of business applications, databases, web servers, email servers, or anything else, on my domain controllers. Better for your security posture, better for maintenance and troubleshooting of your domain controllers.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now