Solved

Physical and virtual domain controllers

Posted on 2011-09-22
Last Modified: 2012-05-12
Hi experts

I have three domain controllers at the moment: a 2003 box, holding the FSMO roles, and two 2008 machines.

I want to transfer the roles to one of my 2008 DCs, however I'm not sure which one to choose, since one is a physical server, and the other is virtualised (Hyper-V).

Looking for some opinions on which would be the best choice please. I'm leaning towards virtual, as it's easier to back up and restore.

Cheers
0
Question by:failed
11 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36579260
There is no problem with running FSMO roles on a physical box or on virtual machines. You only need to evaluate which one is more stable and available, because you need to restore that DC after a crash. It is more reasonable to place them on a virtual server because it's very fast and simple to restore.

You can find how to transfer FSMO roles on my blog at
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-gui/
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-command-line/

But remember, regularly do a System State backup of each of your DCs. That's the only supported solution in the DC/AD recovery process. Do not use snapshots of your virtual DC! It leads to problems like USN rollback and others.

Regards,
Krzysztof
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36579271
They are FSMO roles, so it doesn't matter too much; FSMO roles can always be transferred or seized if necessary. Be sure your virtualized DC does NOT have the time sync with its host enabled.
0
 

Author Comment

by:failed
ID: 36579284
Thanks for the info; has anyone transferred the roles during working hours? Is it safe to do it, or should it wait until no one's on the network?

Cheers
0

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579297
Yes, it's safe and it's a transparent process. It takes a while and they are ready to serve their functionality. That process does not require a reboot. Don't worry, it's safe :)

But if you're aware of that you may do a system state backup of your DCs and transfer them after business hours.

Regards,
Krzysztof
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36579454
Thing to remember is that after you transfer ALL the roles, your primary time source will have moved so you need to set the server you moved the roles TO to sync its time with an outside source.

http://technet.microsoft.com/en-us/library/cc784800(WS.10).aspx
0
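An added example, not part of any post in this thread: after the transfer, a PowerShell sketch that finds the PDC emulator holder with `netdom query fsmo` and sets the Windows Time configuration accordingly, since Kerberos authentication depends on clocks agreeing across the domain. The NTP peer names are placeholders, and English-language `netdom` output is assumed.

```powershell
# Added example (not from the thread). Run elevated on each DC after the transfer.
# Assumption: placeholder NTP peers; substitute external sources you trust.
$ntpPeers = 'ntp1.example.org,0x8 ntp2.example.org,0x8'   # 0x8 = client mode

# netdom prints one "<role>  <holder FQDN>" line per FSMO role.
# Assumption: English output, where the PDC emulator line starts with "PDC".
$pdcHolder = $null
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^\s*PDC\s+(\S+)') { $pdcHolder = $Matches[1]; break }
}
if (-not $pdcHolder) { throw 'PDC emulator holder not found in netdom output.' }

$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "PDC emulator: $pdcHolder   This DC: $localFqdn"

if ($localFqdn -ieq $pdcHolder) {
    # New role holder: sync from the external peers and advertise as reliable.
    w32tm /config "/manualpeerlist:$ntpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC (including the old 2003 box): follow the domain hierarchy.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service w32time
w32tm /resync /rediscover

# Confirm which source was actually picked up (w32tm /query needs 2008 or later).
w32tm /query /source
w32tm /query /status
```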
 

Author Comment

by:failed
ID: 36579517
OK, one more question; I want to set up a forest trust, and I'm not sure if that has to be set up on the primary DC, or whether it's OK to configure it on a different DC... or does the DC not matter?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579527
Doesn't matter :) AD works in a multi-master replication topology, so it doesn't matter on which DC you do that :)

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579529
Oh, one more important thing. Before you establish a forest trust, you need to have routing between those 2 networks and at least conditional forwarders/a stub zone for the DNS name resolution process.

Krzysztof
0
 

Author Comment

by:failed
ID: 36579629
We have a site to site VPN, so routing is OK, but I haven't configured DNS. Do I configure DNS before or after the trust is established?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579675
Yes, the whole of AD relies on DNS. You may wish to follow one of my guides.

Conditional Forwarders
 Configuring-conditional-forwarde.pdf

Stub zone
 Configuring-Stub-zone.pdf

Krzysztof
0
 
LVL 7

Expert Comment

by:ComputerBeast
ID: 36580090
Hi all,

Yes, you need to configure DNS first.

Refer to the article for the complete description:

http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

Thank you
Anil
0
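An added example, not part of any post in this thread: a PowerShell sketch of the DNS step the answers above put before the trust, creating a conditional forwarder with `dnscmd` and checking that the other forest's DC locator records resolve. The zone name and addresses are placeholders, the function name is hypothetical, and English-language `nslookup` output is assumed.

```powershell
# Added example (not from the thread). Run elevated on a DC that hosts DNS,
# once in each forest, pointing at the *other* forest.
# Assumption: placeholder zone name and DNS server addresses.
$partnerZone = 'partner.example'
$partnerDns  = @('192.0.2.10', '192.0.2.11')

function Add-PartnerForwarder {          # hypothetical helper name
    param([string]$Zone, [string[]]$Masters)

    # /DsForwarder stores the conditional forwarder in AD so it replicates to
    # the other DNS servers; use /DsStub instead to create a stub zone.
    dnscmd /ZoneAdd $Zone /DsForwarder $Masters
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed for $Zone" }

    # Show what was created.
    dnscmd /ZoneInfo $Zone
}

function Test-PartnerLocator {           # hypothetical helper name
    param([string]$Zone)

    # A forest trust needs to locate DCs in the other forest through these
    # SRV records, so check them before opening the trust wizard.
    $out = nslookup '-type=SRV' "_ldap._tcp.dc._msdcs.$Zone" 2>&1
    $dcs = @($out | Where-Object { $_ -match 'svr hostname\s*=\s*(\S+)' } |
             ForEach-Object { ($_ -split '=')[1].Trim() })
    if ($dcs.Count -eq 0) {
        Write-Warning "No DC locator records resolved for $Zone; fix DNS first."
        return $false
    }
    Write-Host "Resolved DCs in ${Zone}: $($dcs -join ', ')"
    return $true
}

Add-PartnerForwarder -Zone $partnerZone -Masters $partnerDns
Test-PartnerLocator  -Zone $partnerZone
```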


Question has a verified solution.
