Solved

Physical and virtual domain controllers

Posted on 2011-09-22
11
407 Views
Last Modified: 2012-05-12
Hi experts

I have three domain controllers at the moment: a 2003 box, holding the FSMO roles, and two 2008 machines.

I want to transfer the roles to one of my 2008 DCs, however I'm not sure which one to choose, since one is a physical server, and the other is virtualised (Hyper-V).

Looking for some opinions on which would be the best choice please. I'm leaning towards virtual, as its easier to backup and restore.

Cheers
0
Comment
Question by:failed
11 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
Comment Utility
THere is no problem with running FSMO roles on physical box or virtual machines. You need to only evaluate which one is more stable and available. Because you need to restore that DC after crash. More reasonable is to place them on a virtual server because it's very fast and simple in restore.

How to transfer FSMO roles you can find on my blog at
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-gui/
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-command-line/

But remember, do regurarly System State backup of each of your DCs. That's the only supported solution in DC/AD recovery process. Do not use snapshots of your virtual DC! It leads to problems like USN rolback and other.

Regards,
Krzysztof
0
 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
They are FMSO roles, so it doesn't matter too much; FMSO roles can always be transferred or seized if necessary. Be sure your virtualized DC does NOT have the time sync with its host enabled.
0
 

Author Comment

by:failed
Comment Utility
Thanks for the info; has anyone transferred the roles during working hours? Is it safe to do it, or should it wait until no ones on the network?

Cheers
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Yes, it's safe and it's transparent process. It takes a while and they are ready to server their functionality. That process do not require a reboot. Don't worry, it's safe :)

But if you're aware of that you may do a system state backup of your DCs and transfer them after business hours.

Regards,
Krzysztof
0
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
Thing to remember is that after you transfer ALL the roles, your primary time source will have moved so you need to set the server you moved the roles TO to sync its time with an outside source.

http://technet.microsoft.com/en-us/library/cc784800(WS.10).aspx
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 

Author Comment

by:failed
Comment Utility
OK, one more question; I want to set up a forest trust, and I'm not sure if that has to be set up on the primary DC, or whether its ok to configure it on a different dc...or does the dc not matter?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Doesn't matter :) AD works in multi-master replication topology, so it's not matter on which DC you will do that :)

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Oh, one more importatn thing. Before you establish forest trust, you need to have routing between those 2 networks and at lest conditional forwarders/Stub zone fot DNS name resolution process

Krzysztof
0
 

Author Comment

by:failed
Comment Utility
We have a site to site VPN, so routing is OK, but I haven't configured DNS. Do I configure DNS before or after the trust is established?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Comment Utility
Yes, whole AD relies on DNS. You may wish to follow with one of my guides.

Conditional Forwarders
 Configuring-conditional-forwarde.pdf

Stub zone
 Configuring-Stub-zone.pdf

Krzysztof
0
 
LVL 7

Expert Comment

by:ComputerBeast
Comment Utility
Hi all,

Yes you need to configure DNS first.

Refer to the article for the complete description:

http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

Thank you
Anil
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now