Solved

highly available domain controllers

Posted on 2009-05-16
4
370 Views
Last Modified: 2012-05-07
I have 1 server that is the main domain controller.  I have a 2nd server that I ran dcpromo on to replicate the existing domain controller.  I also made this server a global catalog.   Now I am reading about FSMO roles and a little unsure on how I can make my domain function if my main server were to go down.  I see I can seize them or transfer.  How would one seize if the main server was completely down?  Can both server have the FSMO roles?  If so how is this done?
0
Comment
Question by:jcs1977
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24404694
If your first DC went down and you could not recover it and it was totally dead you can seize the roles
http://support.microsoft.com/kb/255504
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
There are two forest wide FSMO roles (schema and domain naming master) and three domain wide fsmo roles (PDC emulator, RID Master, and Infrastructure Master)
You can split the roles between DCs but you can't have the same FSMO role on two servers simultaneously.
So what happens if your main server went down due to a hardware issue and you are watiing a day or so for a part.  In that case you probably don't need to seize the roles right away.   Brian Puhl (on the Microsoft AD team) has a really good blog entry on that here
http://blogs.technet.com/bpuhl/archive/2005/12/07/415761.aspx
What to do with FSMO roles
One thing you didn't mention, how is DNS setup on your network?
Thanks
Mike
0
 

Author Comment

by:jcs1977
ID: 24404720
Thanks for the reply.

As for DNS I have a watchguard firewall and in there I have the IP for the domain controller server and a DNS IP gave to me by my IP provider.  I havent done anything wiith the DNS on DC 2

I think what I need to configure is Universal Group Membership Caching but still trying to find setting.  It is not a big deal if my DC goes down but it is if my users cannot login to their PC's to access the internet.  Am I correct?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24405186
Ok so your DNS is not Windows DNS, the reason I ask is because if it was and your DC1 went down then something would have to carry the DNS duties but your firewall is doing that.
As for Universal group caching...you don't need it since both your DCs are global catalogs.  Making them both GCs is the best practice.  Actually its good to always make your DCs GCs (see bullet 1 in the blog below)
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
 
For reference the setting is located in sites and services
  • Expand the Sites container, expand the name of the site
  • Right-click on NTDS Site Settings, select Properties
  • Select the checkbox Enable Universal Group Membership Caching
  • See screenshot
Thanks
Mike

UniversalGroupCaching.jpg
0
 

Author Comment

by:jcs1977
ID: 24406016
Thank you for your help!!  Off to work to go to test logging in when the main global catalog is powered off.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question