Solved

Would you recommend a dedicated DC just for your Master Schema and nothing else?

Posted on 2009-05-06
2
329 Views
Last Modified: 2012-05-06
Hi, I am researching and preparing to extend my schema(AD) for Exchange 2007 and I keep seeing where it mentions to take the master schema offline just in case the process blows up and that would prevent it from replicating to the other DC's on the domain, which would preserve my AD.

So, how many recommend that I have a dedicated DC to be my master schema and running nothing else of signaficance?  Right now, my Master Schema is a Windows Server 2003 - Standard Edition x32 which also runs my student email server.  So, if I was to do what is recommended I would bring down my student email server and not to mention if it did blow up during the extending process, I would have to keep it offline until I could either fix it or rebuild it...meaning no email for students.

Just was wondering what other AD Admins do.

Thanks for your time.

Bob
0
Comment
Question by:rsnellman
2 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24320226

The Schema Master FSMO role is seldom used - in fact, it is only usually used when upgrading the schema to support new applications such as a new Operating System as a DC or Exchange. This happens perhaps once a year at most, if that.

As such, the investment in licensing for a dedicated machine simply to run the Schema Master role, as well as the rack space and energy required to run it, would vastly outweigh the benefits.

What we do is consolidate all FSMO roles onto one server. This doesn't cause a problem with the Infrastructure Master/Global Catalog in a multiple-domain forest, because we make all DCs GCs, per best practices. When we are running any sort of schema upgrade, we stop outbound replication first, so the changes are not replicated to other DCs.

Once you are sure the changes have taken effect and are successful you can then re-enable replication to replicate the changes around the network. If there was a serious issue which seriously screwed up the schema (you would know; AD would not function properly on that DC) you could blow the DC away, seize the FSMO roles, run a metadata cleanup, then rebuild and try again.

See http://support.microsoft.com/kb/321153 for details on controlling outbound replication.

-Matt
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 250 total points
ID: 24320233
As a rule, domain controllers should be dedicated hardware - you do not need a separate dedicated DC for each FSMO, but I do not advocate running line of business applications, databases, web servers, email servers, or anything else, on my domain controllers. Better for your security posture, better for maintenance and troubleshooting of your domain controllers.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question