Tech_guy asked:

Domain Controller FSMO Roles - DR question

We will be conducting a DR test and our infrastructure is as follows.

Headquarters has two Domain controllers (same physical location)
 HQ1    This is a Global Catalog Srv and holds RID and PDC roles
 HQ2    This is not a Global Catalog Srv and holds Schema, Operations Master, Infrastructure

Remote sites (2 different locations)
 DR1    This is a Global Catalog Srv and does not hold any FSMO roles
 DC1    This is a Global Catalog Srv and does not hold any FSMO roles

We will be conducting a DR test and we will be disconnecting the HQ fully.  My question is what roles will I need in place at the DR1 site to verify that users can log on and function without any connection to HQ1 or HQ2 where the roles currently are?  Do I need to worry about any conflicts with roles on the DR1 server and what roles do I need to seize for logon to function?


ASKER CERTIFIED SOLUTION
oBdA

Tech_guy (ASKER)

Okay, this is great information (http://technet.microsoft.com/en-us/library/cc780487(WS.10).aspx).  I won't be needing to add any machines but the ability for the users to authenticate at the DR site without HQ1 and HQ2 being online.  I have promoted HQ2 to a global catalog server per your recommendation.

One last question

What are your recommendations on the five roles?  Two are owned by HQ1 (RID and PDC) and three are owned by HQ2 (Schema Master, Operations master, Infrastructure).  HQ2 is a DNS/File server.  Would it make more sense to move those roles (HQ2) to DR site?

Would this be one point of failure?  I thought that some roles should not overlap out of the five.  It seems like from what you are saying all five roles can be on one system in a single Domain environment?
Is there any downfall to having the roles split and on physical locations (speed, logging on, replication etc?)
oBdA

Check the 223346 article I linked above again:
"FSMO availability and placement
Dcpromo.exe performs the initial placement of roles on domain controllers. This placement is often correct for directories with few domain controllers."
Default in your case would be all roles on one server. AD is designed to be able to keep running for a while even if the FSMO role masters are offline. You usually have enough time to recover from the situation before the need for a FSMO role even arises.
If you put them all on one machine, then you'll have to seize 5 roles if the machine dies unrecoverably.
If you distribute the roles on two machines, you have fewer roles to seize if a machine dies, but on the other hand, you now have just doubled the chances that a crashed DC will take some FSMOs with it. Just a question of preferences.
Great insight

I will think about this a little, not sure which way to go on this but your comments give me some food for thought.  I will post which way I go and also let you know how the DR test goes.

Thanks again for your help!
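
An inventory to run before the DR test, as an added example that is not part of the original thread: it lists the five FSMO role holders, marks the roles that sit on the DCs to be disconnected, and shows the Global Catalog status of the DCs that stay online. It assumes the ActiveDirectory PowerShell module is available and takes the DC names HQ1 and HQ2 from the question.

```powershell
# Requires the ActiveDirectory module (RSAT); run while all DCs are still reachable.
Import-Module ActiveDirectory

# Assumption: short names of the DCs that will be disconnected, as named in the question.
$offline = @('HQ1', 'HQ2')

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide and three domain-wide FSMO roles with their current holders (FQDNs).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# One row per role, flagged when its holder is among the DCs going offline.
$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $short  = ($holder -split '\.')[0]
    [pscustomobject]@{
        Role          = $role
        Holder        = $holder
        OfflineInTest = $offline -contains $short   # -contains is case-insensitive
    }
}
$report | Format-Table -AutoSize

# Roles per holder: how many roles go away with each DC.
$report | Group-Object Holder |
    Select-Object Name, Count, @{ n = 'Roles'; e = { $_.Group.Role -join ', ' } } |
    Format-Table -AutoSize

# DCs that stay online during the test, with their site and Global Catalog status.
Get-ADDomainController -Filter * |
    Where-Object { $offline -notcontains $_.Name } |
    Select-Object Name, Site, IsGlobalCatalog |
    Format-Table -AutoSize
```

The script only reads directory data; it does not transfer or seize any role.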