Move FSMO Roles from Physical Server and Decomission DC

Good day everyone. We currently have 4 Domain Controllers in our domain. The domain controller holding the FSMO roles is a very old Windows 2000 server. We would like to transfer the roles to a newer DC and decommission it.

Here is our layout:

  • The FSMO role holder is a physical server; the other 3 are VMs on different hosts (using Hyper-V).
  • The 3 other DCs are on Windows 2003 SP2.

Would it be a good idea to have all DCs as VMs or should at least one be on a physical machine?

In a previous question, a fellow member informed me that the Hyper-V servers should be set in a workgroup (because if they are in the domain and all DCs are virtual, they boot up and there is no DC available until the Hyper-V server finishes loading and starts the VM).

I understand this but I have all Hosts in the domain as I use GP and for authentication purposes. Would the only way around this be to have a physical DC?
s3e3 commented:
I highly recommend you have one domain controller on a physical server. The others can certainly be on VMs. You don't want to have to deal with time sync issues; having one physical host is good practice.
 
mig1980 (author) commented:
Would it be OK to have the FSMO role holding DC also be a VM Host? I am trying to avoid having one extra piece of hardware if at all possible, but not if it will cause any issues.
 
s3e3 commented:
You can certainly decide to virtualize all AD guests, but you will need to read a couple of white papers. There is a good one by VMware called "Virtualizing a Windows Active Directory Domain Infrastructure". It talks about how to deal with clock drift in a VM.

Sorry don't have the link handy.
 
Suliman Abu Kharroub (IT Consultant) commented:
It is strongly recommended to have at least one physical DC in the domain.


Things to consider when you host Active Directory domain controllers in virtual hosting environments:
http://support.microsoft.com/kb/888794
 
mig1980 (author) commented:
Thank you for this information. My only remaining concern is how to handle a potential situation where all servers have to be shut down for maintenance. Given that the FSMO DC would also be a VM, as well as the remaining DCs, that would mean that the host machines (which are also on the domain) would be the first to start.

What type of issues would be noticeable and are there ways around this issue?
 
Suliman Abu Kharroub (IT Consultant) commented:
It depends on which FSMO role is not available:

1. Domain naming: the impact is that you can't add/delete domains.
2. Infrastructure: no impact in a single-domain forest.
3. RID: can't add users/computers to the domain.
4. Schema: can't make any modifications to the schema, such as preparing the schema for an Exchange installation.
5. PDC: can't reset passwords; the time source is not available, etc.

The most important (impact) are RID and PDC.

And an excellent article about FSMO:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_2796-Demystifying-the-Active-Directory-FSMO-Roles.html
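As an added illustration of the impact list above (this is example code, not from anyone in the thread), the script below reports which DC holds each of the five FSMO roles, whether that holder currently answers, and what the thread says breaks when it is down; it also shows the one-line transfer the original question is about. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later); the Windows 2000/2003 DCs in this thread predate that module, where `netdom query fsmo` and `ntdsutil` would be used instead. The server name `NEWDC` is a placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT / Windows Server 2008 R2+); the 2000/2003 DCs discussed above would
# need netdom query fsmo / ntdsutil instead.
Import-Module ActiveDirectory

function Get-FsmoHealth {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Role -> holder, with the impact each commenter listed when the holder is down.
    $roles = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster;         Impact = 'no schema changes (e.g. Exchange schema prep)' },
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster;   Impact = 'cannot add/delete domains' },
        @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster;            Impact = 'cannot add users/computers once RID pools are exhausted' },
        @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator;          Impact = 'password resets and the domain time source are affected' },
        @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster; Impact = 'none in a single-domain forest' }
    )

    foreach ($r in $roles) {
        # A single ICMP probe is enough to flag a holder that is not yet booted
        # (the maintenance-window scenario raised above).
        $up = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role         = $r.Role
            Holder       = $r.Holder
            Reachable    = [bool]$up
            ImpactIfDown = $r.Impact
        }
    }
}

# Report current state; any row with Reachable = False is a role whose
# ImpactIfDown applies right now.
Get-FsmoHealth | Format-Table -AutoSize

# Transfer (not seize) all five roles to the new DC before demoting the old one.
# Placeholder name; -WhatIf previews the change without performing it.
Move-ADDirectoryServerOperationMasterRole -Identity 'NEWDC' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -WhatIf
```

Run `Get-FsmoHealth` again after the transfer to confirm every holder now points at the new DC; only then demote the old server with dcpromo. Use a graceful transfer rather than a seize whenever the old holder is still online, since seizing while the original is reachable risks two DCs claiming the same role.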
 
mig1980 (author) commented:
Well, all roles would be on one DC. I am only referring to the impact of the DC not being on before the VM Hosts. The impacts you are referring to above are impacts to changes being made, with the exception of source time.
 
Suliman Abu Kharroub (IT Consultant) commented:
If I get your point correctly, you are referring to the order of starting the DCs up?

If so, no impact. If the FSMO holder was started up before the other DCs there is no impact on the domain.
 
mig1980 (author) commented:
Not quite. I was referring to the Host that FSMO DC resides on being started first, next the FSMO holder, and all the remaining servers.
 
Suliman Abu Kharroub (IT Consultant) commented:
For the host server, it will fail communicating with the DC to get computer policies...

Here is another good article describing the whole process:

http://www.petri.co.il/domain-controller-virtualization-options.htm

"Keep the Hyper-V servers out of the domain, i.e. leave it in a workgroup, and virtualize the DCs – This will mostly work for small deployments where you can consider leaving the Hyper-V servers as part of a workgroup and then running all domain controllers inside virtual machines, just like any other VM.  There are 2 problems in this approach:  First, you lose the security advantages of running Hyper-V servers in a domain environment; and second, when more than a couple of Hyper-V servers need to be managed in this manner, it is hard to have multiple administrators in such an environment.  Another drawback of this approach is that you will not be able to use all the functionality of SCVMM 2008."
 
mig1980 (author) commented:
I understand the host would fail to communicate, but what I am trying to figure out is whether any serious issues would arise by having this happen?

Not interested in having the host Hyper-V servers in a workgroup environment for the reasons named.
 
Suliman Abu Kharroub (IT Consultant) commented:
I can't remember any of these issues now....

Running all DCs on VMs is really a risk for the reason mentioned in the article, so it is highly recommended to run the root DC on a physical server.... I would not take this risk (my personal opinion).
 
mig1980 (author) commented:
That's exactly what I wanted to hear. I knew it was a risk but wanted people's opinion on whether the pros outweighed the cons. Don't think so. I have the hardware to make this happen physically but wanted to try and reduce my footprint. Oh well, one more server to maintain. Thank you for your help.
 
Suliman Abu Kharroub (IT Consultant) commented:
You are welcome!

Please close the question if you got the answer.