Bill H

FSMO Roles 2 DC's

I have 2 domain controllers set up supporting about 30 users. I want to keep the network as redundant as possible. Now I have the 5 roles split between 2 servers.

Is there a recommendation from Microsoft as to how to split the roles between 2 servers? As in which one should go on which?
Renato Montenegro Rustici

You can enable all roles on one server or mix them. To avoid certain unsupported combinations, enable the Global Catalog on both servers.
If a DC fails, then you can seize the roles to the surviving server. Take a look at this document:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
support.microsoft.com/kb/255504

Keep in mind that you must take daily system state backups of your DCs.
Bill H

ASKER

I have set up both servers as GCs. If I have all the roles on one server, and if that server were to die, then I would have to force a seize on all the roles.

There is no possibility to "replicate" FSMO roles between DCs, as only one FSMO role can exist within the environment.
There is no problem with that. FSMO roles are not used every day. Moreover, when you have more DCs in your environment and you do not monitor them, you would probably learn that the FSMO holder is broken after soooooommmeeee time ;)

FSMO roles can simply be transferred between DCs if necessary or, even after a hard FSMO holder crash, seized using NTDSUTIL.

However, you can always split them. On one DC leave Schema Master and Domain Naming Master (forest-wide roles) and on the other place RID, PDC Emulator and Infrastructure Master.

After you change the PDC Emulator master, re-advertise the Time Server in your forest:

[...] - after transfer of the PDCEmulator role, configure the NEW PDCEmulator to an external time source and reconfigure the old PDCEmulator to use the domain hierarchy now. Therefore run on the NEW "w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update" where PEERS will be filled with the IP address or server (time.windows.com) and on the OLD one run "w32tm /config /syncfromflags:domhier /reliable:no /update" and stop/start the time service on the old one. All commands run in an elevated command prompt without the quotes. [...]

as an extract from the MVP blog at
http://msmvps.com/blogs/mweber/archive/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2.aspx

Regards,
Krzysztof
Check that article about seizing FSMO roles on my blog if you're interested at
http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/

Krzysztof

ASKER

Yes, I know there is no way to replicate them. I was just wondering what is best practice in a 2 DC environment. I run full backups on the servers every night including system state. However, I don't think the system state backup will help on a server that has completely died and cannot be brought back to life.
SOLUTION
Krzysztof Pytko

This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I agree with Neilsr

Don't worry about FSMO roles, take care of the AD database :) That's the most important!

Krzysztof

ASKER

Thanks guys. I know when you have Exchange installed in your environment, I've read that MS recommends that 2 of the roles do not reside on the same server (I do not remember the exact ones however).

The only caveat that you should take care of is: if you seize a role, don't bring back the old server anymore. This can cause inconsistencies in the AD database or unpredictable results. If a server dies and you seize a role, never bring that server back by restoring a system state backup. Just install ADDS and dcpromo the server to the domain.

If you turn on Global Catalog on both servers, you can distribute the roles at will.
You should not enable Infrastructure Master and the Global Catalog on the same server. But there are three exceptions:

1) You have only one domain.
2) There's only one domain controller.
3) All your domain controllers are global catalogs.
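
The Infrastructure Master / Global Catalog rule and its three exceptions, written out as a check (an added PowerShell example, not part of the original thread). The function name `Test-InfrastructureMasterPlacement`, the DC host names and both sample inventories are constructed for illustration.

```powershell
# Added example: evaluates the Infrastructure Master (IM) vs. Global Catalog (GC)
# placement rule and the three exceptions listed in the thread.
function Test-InfrastructureMasterPlacement {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,    # objects with HostName, IsGlobalCatalog
        [Parameter(Mandatory)] [string]   $InfrastructureMaster, # host name of the IM role holder
        [Parameter(Mandatory)] [int]      $DomainCount           # number of domains in the forest
    )
    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) { throw "Infrastructure Master '$InfrastructureMaster' is not in the DC list." }

    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })
    $reason = if (-not $holder.IsGlobalCatalog)        { 'IM holder is not a GC' }
          elseif ($DomainCount -eq 1)                  { 'Exception 1: only one domain' }
          elseif (@($DomainControllers).Count -eq 1)   { 'Exception 2: only one domain controller' }
          elseif ($nonGc.Count -eq 0)                  { 'Exception 3: all DCs are GCs' }
          else                                         { $null }

    [pscustomobject]@{
        Holder = $InfrastructureMaster
        Ok     = [bool]$reason
        Detail = if ($reason) { $reason } else {
            "IM is on a GC while these DCs are not GCs: $($nonGc.HostName -join ', ')" }
    }
}

# Constructed inventory matching the asker's setup: one domain, two DCs, both GCs.
$twoDcSite = @(
    [pscustomobject]@{ HostName = 'DC1.example.local'; IsGlobalCatalog = $true }
    [pscustomobject]@{ HostName = 'DC2.example.local'; IsGlobalCatalog = $true }
)
Test-InfrastructureMasterPlacement -DomainControllers $twoDcSite `
    -InfrastructureMaster 'DC1.example.local' -DomainCount 1

# Constructed counter-case: two domains, IM on a GC, and one DC that is not a GC.
$mixedSite = @(
    [pscustomobject]@{ HostName = 'DC1.example.local'; IsGlobalCatalog = $true }
    [pscustomobject]@{ HostName = 'DC2.example.local'; IsGlobalCatalog = $false }
)
Test-InfrastructureMasterPlacement -DomainControllers $mixedSite `
    -InfrastructureMaster 'DC1.example.local' -DomainCount 2

# Live data (requires the ActiveDirectory module):
#   Test-InfrastructureMasterPlacement -DomainControllers (Get-ADDomainController -Filter *) `
#       -InfrastructureMaster (Get-ADDomain).InfrastructureMaster `
#       -DomainCount (Get-ADForest).Domains.Count
```
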
I would guess that with 30 users it is quite obvious that it's a single domain with 2 servers and we already know that both are GC so pointless facts really rmrustice....
Pointless to us that are aware of how it works. Just explaining to him why we recommended those rules.
I support what has already been said by some, there is absolutely no point in splitting the FSMO roles across servers if you have a single domain. Only if you have multiple domains and if not all DCs are Global Catalog servers do you need to split the Infrastructure Master Role from the Global Catalog holder.
Hi,

do you need any further help in this topic? Please, let us know

Thanks in advance

Krzysztof

ASKER

All good. Will assign points shortly. Thanks
That's not about points :) Just wanted to know if you need any other help :)

Krzysztof