Best Practice for FSMO Roles, DNS, DHCP

Posted on 2011-05-03
Medium Priority
Last Modified: 2012-05-11
More or less looking for advice/opinions.

We have a server that we pretty much can't rely on as it BSODs with "registry errors" upon any login attempt at the console or through RDP. Other than that it functions, but that just isn't sitting right. This server happens to have all 5 FSMO roles, DHCP for our main office and is our Primary DNS. These are all still functioning and manageable through snap-ins, RSAT, etc.

It's a 2008 R2 box and we are just a single domain/forest. So I know I'm good to transfer all FSMO roles to another 2008 R2 DC. But what are everyone's thoughts for DHCP and DNS? This just seems like an example of why you wouldn't want all this stuff on one box when you have the option of spreading them out. And any trouble with having any of these roles virtualized? Thanks for the thoughts.

Question by:sseifer
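The FSMO transfer the question describes, as an added example (not posted by anyone in this thread): it lists the current role holders, moves all five roles to another 2008 R2 DC with the Active Directory module, and re-checks. The target DC name is a placeholder; it assumes the AD module (RSAT or a 2008 R2 DC) and an account with Schema/Enterprise Admin rights for the forest-wide roles.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# available and $TargetDC is replaced with the real, healthy 2008 R2 DC.
Import-Module ActiveDirectory

$TargetDC = 'DC02'   # placeholder: the DC that will take over all five roles

# Show who holds the roles right now (two forest-wide, three domain-wide)
$forest = Get-ADForest
$domain = Get-ADDomain
"Schema:         $($forest.SchemaMaster)"
"DomainNaming:   $($forest.DomainNamingMaster)"
"PDCEmulator:    $($domain.PDCEmulator)"
"RID:            $($domain.RIDMaster)"
"Infrastructure: $($domain.InfrastructureMaster)"

# Transfer (not seize). A transfer needs the current holder reachable on the
# network, which is the case here since only interactive logon is broken.
# -Force (seize) is only for a holder that is gone for good; after a seizure
# the old server must never be brought back online as a DC.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Verify: every role should now report the target DC's FQDN
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$bad = $holders | Where-Object { $_ -notlike "$TargetDC.*" }
if ($bad) { Write-Warning "Still held elsewhere: $($bad -join ', ')" }
else      { "All five FSMO roles are now on $TargetDC" }
```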
LVL 57

Accepted Solution

Mike Kline earned 400 total points
ID: 35517233
DNS I'd also run on the DC so you get the benefits of AD Integrated DNS. DHCP I've seen both ways. If you have a spare box (non-DC) then I'd rather have DHCP there than on the DC.

Yes, all those roles can be virtualized. At my last job we virtualized 95 percent of our member servers (including DC/DNS and DHCP).


LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 800 total points
ID: 35517831
A Domain Controller has to have DNS installed on it to be a domain controller, so you're not going to cause problems by having a DC as your primary DNS server, and you lose some functionality by having DNS on a dedicated server. DHCP isn't really resource intensive and can be handy to have on a DC, but as Mike said you can go either way with it. You can virtualize any role you want, to be honest, but I tend to avoid virtualizing Domain Controllers because having a physical DC removes the temptation (and possibility) for someone to do a snapshot restore of the DC, which can be a little deadly to an AD environment. But again, that's just a matter of personal preference and what you have available in the way of hardware.
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 800 total points
ID: 35517838
Also, as long as you're using AD Integrated Zones already, you don't even have to worry about transferring the DNS information to the new DC you're planning on using, since that info is replicated automatically and it already has it. DHCP would need to be transferred over manually, though, and there is a process for doing that.
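The two checks this answer implies, as an added example (not Adam's code): confirm the zones on the old DC really are AD-integrated (so nothing needs copying), then move DHCP with the netsh export/import that 2008 R2 supports. Server names and the export path are placeholders; it assumes remote PowerShell is enabled on both servers and that the DHCP role is already installed and authorized on the new one.

```powershell
# Added example, not from the thread. $OldServer / $NewServer are placeholders.
$OldServer = 'DC01'   # the BSODing DC (still answers on the network)
$NewServer = 'DC02'   # the DC taking over DHCP

# 1. Every zone on the old DC should be AD-integrated. Only those replicate on
#    their own; a file-backed primary zone would need converting or copying.
$zones = Get-WmiObject -ComputerName $OldServer -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone
foreach ($z in $zones) {
    $state = if ($z.DsIntegrated) { 'AD-integrated' } else { 'FILE-BACKED - handle manually' }
    "{0,-40} {1}" -f $z.Name, $state
}

# 2. Export the full DHCP configuration (scopes, options, reservations, leases).
#    netsh is the supported tool on 2008 R2; the DhcpServer PowerShell module
#    only exists from Server 2012 on.
$Export = 'C:\dhcp-export.txt'
Invoke-Command -ComputerName $OldServer -ScriptBlock {
    param($path)
    netsh dhcp server export $path all
    if ($LASTEXITCODE -ne 0) { throw "Export on $env:COMPUTERNAME failed" }
} -ArgumentList $Export

# 3. Copy the file over and import it on the new server.
Copy-Item "\\$OldServer\C$\dhcp-export.txt" "\\$NewServer\C$\dhcp-export.txt"
Invoke-Command -ComputerName $NewServer -ScriptBlock {
    netsh dhcp server import C:\dhcp-export.txt all
    if ($LASTEXITCODE -ne 0) { throw "Import on $env:COMPUTERNAME failed" }
    netsh dhcp server show scope      # scopes should now be listed here
}

# 4. Stop and disable DHCP on the old box so two servers never serve the
#    same address range at the same time.
Get-Service -ComputerName $OldServer -Name DHCPServer | Stop-Service
Set-Service -ComputerName $OldServer -Name DHCPServer -StartupType Disabled
```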

LVL 27

Assisted Solution

DrDave242 earned 400 total points
ID: 35517860
If you've got more than one DC, I'd highly recommend putting DNS on at least two of them (and making the zones AD-integrated so you don't have to worry about zone transfers).  I'd make multiple DCs global catalog servers as well, though you didn't specifically ask about that.

You can't have more than one DHCP server handling the same address range, but you can split the scope into two smaller scopes, each managed by a different server, for some degree of redundancy there.

You can certainly virtualize them all.  Be careful with that too, though: if you virtualize multiple servers but host all of the VMs on the same physical box, failure of that box means they all come crashing down.  You can use Hyper-V failover clustering to mitigate that, but be advised that the cluster service has to be able to contact a DC in order to start, so if you virtualize all of your DCs and the cluster goes down, you've got yourself a nice little catch-22 in which the cluster won't start because it can't find a DC, and you can't start a DC until the cluster starts.  There are ways to recover from that, but it might be better to leave one DC on dedicated hardware.
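The split-scope redundancy DrDave242 describes, as an added example (not his code): both servers get the same scope and pool, and complementary exclusion ranges give one server roughly 80% of the addresses and the other 20%, which is what the 2008 R2 DHCP console's Split-Scope wizard produces. Server names and the 192.168.10.0/24 range, router and DNS addresses are placeholders; both servers are assumed to already have the DHCP role installed and authorized.

```powershell
# Added example, not from the thread. All names and addresses are placeholders.
$Primary   = 'DHCP01'        # serves ~80% of the pool
$Secondary = 'DHCP02'        # serves the remaining ~20%
$Network   = '192.168.10.0'
$Mask      = '255.255.255.0'
$ScopeName = 'Main Office'

# Identical scope, pool and options on both servers; only the exclusions differ,
# so the two servers never hand out overlapping addresses.
foreach ($s in $Primary, $Secondary) {
    netsh dhcp server \\$s add scope $Network $Mask $ScopeName "split scope 80/20"
    netsh dhcp server \\$s scope $Network add iprange 192.168.10.10 192.168.10.250
    netsh dhcp server \\$s scope $Network set optionvalue 003 IPADDRESS 192.168.10.1   # router
    netsh dhcp server \\$s scope $Network set optionvalue 006 IPADDRESS 192.168.10.5 192.168.10.6  # DNS
    netsh dhcp server \\$s scope $Network set state 1                                   # activate
}

# Pool is .10-.250 (241 addresses). Primary excludes the top ~20% (.203-.250),
# secondary excludes the bottom ~80% (.10-.202).
netsh dhcp server \\$Primary   scope $Network add excluderange 192.168.10.203 192.168.10.250
netsh dhcp server \\$Secondary scope $Network add excluderange 192.168.10.10  192.168.10.202

# Verify: each server should show only the other server's share as excluded
foreach ($s in $Primary, $Secondary) {
    "== $s =="
    netsh dhcp server \\$s scope $Network show excluderange
}
```

Clients that broadcast will get an answer from whichever server responds first; a router's DHCP relay can be configured with a delay toward the secondary if you want the primary to win normally.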
LVL 39

Assisted Solution

ChiefIT earned 400 total points
ID: 35562034
I am sure you realize, when troubleshooting on EE, it is usually automatically assumed that the FSMO roles all reside on one DC, and that then becomes the (PDCe). Dividing the roles isn't really a measure of making your domain trustworthy. That's because all FSMO roles are important. If a server goes down, it goes down. By dividing the roles, now you risk one of the two (or three) servers going down; you will still have to transfer/seize the roles from that downed server.

By dividing the roles, you are effectively increasing the chance of a problem, not circumventing it.


Author Closing Comment

ID: 35576814
Thanks all.  Exactly what I was looking for.
