Solved

highly available domain controllers

Posted on 2009-05-16
Last Modified: 2012-05-07
I have 1 server that is the main domain controller.  I have a 2nd server that I ran dcpromo on to replicate the existing domain controller.  I also made this server a global catalog.   Now I am reading about FSMO roles and am a little unsure how I can make my domain function if my main server were to go down.  I see I can seize them or transfer them.  How would one seize if the main server was completely down?  Can both servers have the FSMO roles?  If so, how is this done?
Question by:jcs1977
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24404694
If your first DC went down and you could not recover it (it was totally dead), you can seize the roles:
http://support.microsoft.com/kb/255504
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
There are two forest-wide FSMO roles (schema master and domain naming master) and three domain-wide FSMO roles (PDC emulator, RID master, and infrastructure master).
You can split the roles between DCs, but you can't have the same FSMO role on two servers simultaneously.
So what happens if your main server went down due to a hardware issue and you are waiting a day or so for a part?  In that case you probably don't need to seize the roles right away.   Brian Puhl (on the Microsoft AD team) has a really good blog entry on that here:
http://blogs.technet.com/bpuhl/archive/2005/12/07/415761.aspx
What to do with FSMO roles
One thing you didn't mention: how is DNS set up on your network?
Thanks
Mike
 

Author Comment

by:jcs1977
ID: 24404720
Thanks for the reply.

As for DNS, I have a WatchGuard firewall, and in there I have the IP for the domain controller server and a DNS IP given to me by my IP provider.  I haven't done anything with the DNS on DC 2.

I think what I need to configure is Universal Group Membership Caching, but I'm still trying to find the setting.  It is not a big deal if my DC goes down, but it is if my users cannot log in to their PCs to access the internet.  Am I correct?
 
LVL 57

Accepted Solution

by: Mike Kline (earned 2000 total points)
ID: 24405186
OK, so your DNS is not Windows DNS. The reason I ask is that if it was and your DC1 went down, then something would have to carry the DNS duties, but your firewall is doing that.
As for Universal Group Membership Caching: you don't need it, since both your DCs are global catalogs.  Making them both GCs is the best practice.  Actually, it's good to always make your DCs GCs (see bullet 1 in the blog below):
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
 
For reference the setting is located in sites and services
  • Expand the Sites container, expand the name of the site
  • Right-click on NTDS Site Settings, select Properties
  • Select the checkbox Enable Universal Group Membership Caching
  • See screenshot
Thanks
Mike

UniversalGroupCaching.jpg
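As an added example (not part of Mike's answer or the linked KB article), here is a PowerShell check for the two-DC setup discussed above: it reports which DC holds each of the five roles, which DCs are global catalogs, whether Universal Group Membership Caching is turned on for a site, and wraps the transfer/seize operation so that seizure is an explicit choice. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), a domain-joined admin session, and that the UGMC flag is bit 0x20 of the NTDS Site Settings `options` attribute.

```powershell
# Added example, not the thread's own code. Requires the ActiveDirectory
# module (RSAT / Server 2008 R2+) and a domain-joined administrative session.
Import-Module ActiveDirectory

function Get-FsmoAndGcStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Five roles: two forest-wide, three domain-wide. Each is held by exactly
    # one DC at a time, which is why "both DCs have the roles" is not possible.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # Both DCs should show IsGlobalCatalog = True for logons to survive an outage.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsGlobalCatalog
    [pscustomobject]@{ Roles = $roles; DomainControllers = $dcs }
}

function Get-UgmcEnabled {
    param([string]$SiteName = 'Default-First-Site-Name')
    # UGMC is stored on the site's NTDS Site Settings object; assumed flag 0x20
    # in the 'options' attribute (the checkbox shown in Sites and Services).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfg"
    $opt = (Get-ADObject -Identity $dn -Properties options).options
    [bool]($opt -band 0x20)
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [switch]$Seize   # use only when the current holder is permanently gone
    )
    $all = 'SchemaMaster','DomainNamingMaster','PDCEmulator',
           'RIDMaster','InfrastructureMaster'
    # Without -Force this is a graceful transfer (old holder must be online).
    # With -Force the roles are seized; the old holder must then be rebuilt,
    # never simply powered back on, or two DCs will claim the same role.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $all -Force:$Seize -Confirm:$false
}

Get-FsmoAndGcStatus
Get-UgmcEnabled
```

Run the two read-only functions first; `Move-AllFsmoRoles -TargetDc DC2 -Seize` is only for the case Mike describes where DC1 is dead and not coming back.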
 

Author Comment

by:jcs1977
ID: 24406016
Thank you for your help!!  Off to work to go to test logging in when the main global catalog is powered off.