Solved

Physical and virtual domain controllers

Posted on 2011-09-22
Last Modified: 2012-05-12
Hi experts

I have three domain controllers at the moment: a 2003 box, holding the FSMO roles, and two 2008 machines.

I want to transfer the roles to one of my 2008 DCs, however I'm not sure which one to choose, since one is a physical server, and the other is virtualised (Hyper-V).

Looking for some opinions on which would be the best choice please. I'm leaning towards virtual, as it's easier to back up and restore.

Cheers
0
Question by:failed
11 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36579260
There is no problem with running FSMO roles on a physical box or virtual machines. You only need to evaluate which one is more stable and available, because you need to restore that DC after a crash. It is more reasonable to place them on a virtual server because it's very fast and simple to restore.

You can find how to transfer FSMO roles on my blog at
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-gui/
http://kpytko.wordpress.com/2011/08/26/transferring-fsmo-roles-from-command-line/

But remember to regularly do a System State backup of each of your DCs. That's the only supported solution in the DC/AD recovery process. Do not use snapshots of your virtual DC! It leads to problems like USN rollback and others.

Regards,
Krzysztof
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36579271
They are FSMO roles, so it doesn't matter too much; FSMO roles can always be transferred or seized if necessary. Be sure your virtualized DC does NOT have the time sync with its host enabled.
0
 

Author Comment

by:failed
ID: 36579284
Thanks for the info; has anyone transferred the roles during working hours? Is it safe to do it, or should it wait until no one's on the network?

Cheers
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579297
Yes, it's safe and it's a transparent process. It takes a while and they are ready to serve their functionality. That process does not require a reboot. Don't worry, it's safe :)

But if you're aware of that you may do a system state backup of your DCs and transfer them after business hours.

Regards,
Krzysztof
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36579454
Thing to remember is that after you transfer ALL the roles, your primary time source will have moved so you need to set the server you moved the roles TO to sync its time with an outside source.

http://technet.microsoft.com/en-us/library/cc784800(WS.10).aspx
0
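
Added example, not part of any post in this thread: one way to carry out the time-source step described above, run on each DC once the roles have moved. It uses the built-in `netdom` and `w32tm` tools; the NTP peer names are assumptions, and a single-domain forest is assumed.

```powershell
# Run in an elevated PowerShell session on each DC after the FSMO transfer.
# Assumption: the NTP peers below are placeholders; use your approved time sources.
$NtpPeers = '0.pool.ntp.org 1.pool.ntp.org'

# Find the current PDC emulator from the FSMO role listing.
$pdc = $null
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^PDC\s+(\S+)') { $pdc = $Matches[1] }
}
if (-not $pdc) { throw 'Could not determine the PDC emulator from netdom output.' }

# Compare the role holder with this machine's own FQDN.
$me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "PDC emulator: $pdc   This host: $me"

if ($me -eq $pdc) {
    # New PDC emulator: sync from external peers and advertise as a reliable source.
    w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC, including the old role holder: follow the domain hierarchy.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

# Apply the change and show where time is now coming from.
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status
```

Kerberos authentication depends on clocks agreeing across the domain, so check the reported source on the old role holder as well as the new one.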
 

Author Comment

by:failed
ID: 36579517
OK, one more question; I want to set up a forest trust, and I'm not sure if that has to be set up on the primary DC, or whether it's OK to configure it on a different DC... or does the DC not matter?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579527
Doesn't matter :) AD works in a multi-master replication topology, so it doesn't matter on which DC you do that :)

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579529
Oh, one more important thing. Before you establish a forest trust, you need to have routing between those 2 networks and at least conditional forwarders/stub zone for the DNS name resolution process.

Krzysztof
0
 

Author Comment

by:failed
ID: 36579629
We have a site to site VPN, so routing is OK, but I haven't configured DNS. Do I configure DNS before or after the trust is established?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579675
Yes, the whole of AD relies on DNS. You may wish to follow one of my guides.

Conditional Forwarders
 Configuring-conditional-forwarde.pdf

Stub zone
 Configuring-Stub-zone.pdf

Krzysztof
0
 
LVL 7

Expert Comment

by:ComputerBeast
ID: 36580090
Hi all,

Yes you need to configure DNS first.

Refer to the article for the complete description:

http://araihan.wordpress.com/2009/08/05/how-to-create-an-external-trust-between-two-domains/

Thank you
Anil
0

Question has a verified solution.