Solved

Physical and virtual domain controllers

Posted on 2011-09-22
Last Modified: 2012-05-12
Hi experts

I have three domain controllers at the moment: a 2003 box, holding the FSMO roles, and two 2008 machines.

I want to transfer the roles to one of my 2008 DCs, however I'm not sure which one to choose, since one is a physical server, and the other is virtualised (Hyper-V).

Looking for some opinions on which would be the best choice please. I'm leaning towards virtual, as it's easier to back up and restore.

Cheers
Question by:failed
11 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36579260
There is no problem with running FSMO roles on a physical box or on virtual machines. You only need to evaluate which one is more stable and available, because you need to restore that DC after a crash. It is more reasonable to place them on a virtual server because it's very fast and simple to restore.

You can find how to transfer FSMO roles on my blog at
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-gui/
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-command-line/

But remember to regularly do a System State backup of each of your DCs. That's the only supported solution in the DC/AD recovery process. Do not use snapshots of your virtual DC! It leads to problems like USN rollback and others.

Regards,
Krzysztof
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36579271
They are FSMO roles, so it doesn't matter too much; FSMO roles can always be transferred or seized if necessary. Be sure your virtualized DC does NOT have the time sync with its host enabled.
0
 

Author Comment

by:failed
ID: 36579284
Thanks for the info; has anyone transferred the roles during working hours? Is it safe to do it, or should it wait until no one's on the network?

Cheers
0

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579297
Yes, it's safe and it's a transparent process. It takes a while and they are ready to serve their functionality. That process does not require a reboot. Don't worry, it's safe :)

But if you're aware of that you may do a system state backup of your DCs and transfer them after business hours.

Regards,
Krzysztof
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36579454
Thing to remember is that after you transfer ALL the roles, your primary time source will have moved so you need to set the server you moved the roles TO to sync its time with an outside source.

http://technet.microsoft.com/en-us/library/cc784800(WS.10).aspx
0
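The time-source change described in the comment above, as an added example that is not part of the original thread: it confirms where the PDC emulator role now lives, points that DC at external NTP, and returns the old role holder to the domain hierarchy. The DC names `DC2008` and `DC2003` and the NTP peers are assumptions; `netdom` and `w32tm` are the built-in Windows tools.

```powershell
# Added example; DC names and NTP peers are assumptions, replace with your own.
$NewPdc = 'DC2008'   # hypothetical: DC that received the FSMO roles
$OldPdc = 'DC2003'   # hypothetical: previous role holder
$Peers  = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # 0x8 = client mode

# 1. Confirm the PDC emulator role really moved before changing time settings.
$pdcLine = netdom query fsmo | Where-Object { $_ -match '^PDC' }
if ($pdcLine -notmatch [regex]::Escape($NewPdc)) {
    throw "PDC emulator is not on ${NewPdc}. netdom reported: $pdcLine"
}

# 2. New PDC emulator: sync from the external peers and advertise as reliable.
w32tm /config /computer:$NewPdc /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
w32tm /resync /computer:$NewPdc /rediscover

# 3. Old role holder: stop acting as a time root, follow the domain hierarchy.
w32tm /config /computer:$OldPdc /syncfromflags:domhier /reliable:no /update
w32tm /resync /computer:$OldPdc /rediscover

# 4. Verify: the new PDC should report an external peer as its source,
#    and every DC should show a small offset from it.
w32tm /query /computer:$NewPdc /source
w32tm /monitor
```

If the new role holder is the Hyper-V guest, host time synchronization must be off for that VM, as noted earlier in the thread, or the host will override the NTP source set here.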
 

Author Comment

by:failed
ID: 36579517
OK, one more question; I want to set up a forest trust, and I'm not sure if that has to be set up on the primary DC, or whether it's OK to configure it on a different DC...or does the DC not matter?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579527
Doesn't matter :) AD works in a multi-master replication topology, so it doesn't matter on which DC you do that :)

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579529
Oh, one more important thing. Before you establish the forest trust, you need to have routing between those 2 networks and at least conditional forwarders/a stub zone for the DNS name resolution process.

Krzysztof
0
 

Author Comment

by:failed
ID: 36579629
We have a site to site VPN, so routing is OK, but I haven't configured DNS. Do I configure DNS before or after the trust is established?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579675
Yes, the whole of AD relies on DNS. You may wish to follow one of my guides.

Conditional Forwarders
 Configuring-conditional-forwarde.pdf

Stub zone
 Configuring-Stub-zone.pdf

Krzysztof
0
 
LVL 7

Expert Comment

by:ComputerBeast
ID: 36580090
Hi all,

Yes, you need to configure DNS first.

Refer to the article for the complete description:

http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

Thank you
Anil
0
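The DNS-before-trust step discussed above, as an added example that is not part of the original thread: it creates a conditional forwarder for the other forest and checks that the DC locator records resolve before the trust wizard is started. The zone name `partner.example` and the DNS server addresses are constructed placeholders; run the same steps in each forest with the other side's values.

```powershell
# Added example; zone name and IP addresses are hypothetical placeholders.
$PartnerZone = 'partner.example'            # DNS name of the other forest root
$PartnerDns  = '192.0.2.10', '192.0.2.11'   # that forest's DNS servers

# 1. Create the conditional forwarder on the local DNS server.
#    (A stub zone is the alternative mentioned in the thread.)
dnscmd /ZoneAdd $PartnerZone /Forwarder $PartnerDns
if ($LASTEXITCODE -ne 0) {
    Write-Warning "dnscmd returned $LASTEXITCODE (the zone may already exist); continuing to verification."
}

# 2. The trust needs to locate a DC in the other forest through these SRV records.
$srv = "_ldap._tcp.dc._msdcs.$PartnerZone"
$out = nslookup -type=SRV $srv 2>&1
if (-not ($out -match 'svr hostname')) {
    throw "No SRV answer for $srv. Fix DNS before creating the trust."
}
$out | Where-Object { $_ -match 'svr hostname' }

# 3. Confirm the DC locator itself can find a DC across the site-to-site VPN.
nltest /dsgetdc:$PartnerZone
if ($LASTEXITCODE -ne 0) {
    throw "DC locator failed for $PartnerZone. Check routing and firewall rules on the VPN."
}
```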

Question has a verified solution.
