Solved

Windows 2012 Adding DC in child domain

Posted on 2013-10-23
Last Modified: 2013-10-28
I am studying for the 70-417 upgrade exam and have the following question.

If you want to add an additional Active Directory DC to a child domain, which FSMO roles must be online in the child and/or parent domain?
0
Question by:compdigit44
12 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39595802
this explains which ones are per-forest and per-domain

http://en.wikipedia.org/wiki/Flexible_single_master_operation
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39595882
I know the question asked is confusing in the dump as I am also going to appear the same this week. My answer will be domain naming master as we have only one option to select.

My first answer was RID too, as a DC requires a RID Master to get an account identifier pool so he can create accounts in AD, but as we have only one choice and the Domain Naming Master is explicitly designated as being required when promoting a DC. So I will go with domain naming master.

I have also attached the FSMO role placement asked in dump for above query. Are you referring to the same?
FSMO-role.png
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39595883
Man I hate these types of questions because they are vague.   Are you adding a DC that is the same OS as what you have or a new OS?

The domain naming master is needed if you were adding or removing a domain or application partition but an additional DC in a child domain doesn't need it.

Is it asking for one choice or multiple answers?

Thanks

Mike
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39596023
To add an additional DC to the child domain will require you to have the RID, PDC, and Infrastructure Master present and online in the child domain, as these 3 roles are the "Domain FSMO Roles". Domain Naming and Schema are Forest FSMO roles.

Domain Naming is only used when you are creating another domain within the forest.

Schema Master is the basis for the entire forest and is the "skeletal structure". If you were to upgrade software like Exchange which is forest wide you would need to make sure that the Schema Master is present. Doing an Exchange upgrade modifies the attributes at the schema level and affects the entire forest.

Will.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39596061
Are all the DCs GCs in the forest?  Just wondering about the Inf role needing to be online?   I may have to test/blog this one.

Thanks

Mike
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39598926
At least I am on the only one who is confused with this question. So far I have taken the 70-417 exam and failed both times.

From my understanding Domain Naming is needed when adding a new child domain to a forest, but what about adding a new DC to an existing child domain? Am I understanding everyone correctly that all three domain roles are needed? What about a GC?
0

 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39599099
GC should not be required because this is "Forest Wide" information. We are talking about adding a DC to a child domain, and a DC does not need to be a GC in order to operate. The infrastructure master role will update its root domain with the new DC object promoted in the Child domain.

Will.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39599118
The domain naming master FSMO role holder is the only computer that can add or remove a domain in a Windows 2000 Active Directory forest, and is the only FSMO role owner contacted by the Active Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote replica domain controllers in an existing domain.

See this KB: http://support.microsoft.com/kb/254933

I think this requires testing as Mike suggested.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39600068
@Mike if all of the DC's are GC's in the child domain the infrastructure master basically is not used as all of the DC's have the forest wide info about other objects in parent or child domains. But, based around the question I do not believe it states anything about all DC's acting as GC's in the environment. I actually do recall this question on the exam when I wrote and if not all DC's are GC's then Infra master, PDC and RID would be the correct answer.

But theory and practical can have 2 totally different  outcomes so testing would prove the concept.


Will.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39600936
So the correct answer is the PDC, Infrastructure and RID master roles need to be online in the "child domain" in order to add a new DC.

As it is not recommended to have the Infrastructure master as a GC as well, correct?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39604261
I am confused. MS KB article http://support.microsoft.com/kb/254933 states the following:

"The domain naming master FSMO role holder is the only computer that can add or remove a domain in a Windows 2000 Active Directory forest, and is the only FSMO role owner contacted by the Active Directory Installation Wizard (Dcpromo.exe). No FSMO role access is required to promote or demote replica domain controllers in an existing domain."

To me this means you could add a DC to an existing domain if all fsmo roles were offline?????
0
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 500 total points
ID: 39604429
correct.
i just proved this in a test environment with 4 roles on a powered-off system
just having the 1 domain controller running with the domain naming master role, was able to create a child domain on a 3rd system

of course, you wouldn't want to have your other fsmo roles offline in the first place; you would want to either transfer/seize the role(s) to other server(s) as appropriate to the situation when something happens to that machine and there will be extensive downtime

if you have a small forest/domain, having the infrastructure master as a GC doesn't hurt anything.  if it's larger, has multiple sites with a number of domain controllers and can spread the roles around, then that's fine also

going back to your original question, "which FSMO roles must be online in the child and or parent domain?", the article link i posted on the 23rd clearly answers that.

in the test environment i setup, rid/pdc/infrastructure roles are held on that 3rd server (in the child domain) for that child domain while the domain naming/schema master roles (again, 1 each per forest) are on the 1st and 2nd servers respectively

does that answer your questions or do you need further clarification?
0
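To see where the five roles discussed in this thread sit for a given domain and whether each holder responds, the following is an added example (not code from any poster in the thread) using the ActiveDirectory PowerShell module. `child.example.com` is a placeholder domain name, and the TCP 389 probe only shows that the holder answers on LDAP, not that the role itself is healthy.

```powershell
# Added example: enumerate FSMO role holders and probe each one on LDAP (TCP 389).
# Requires the ActiveDirectory module (RSAT). 'child.example.com' is a placeholder.
Import-Module ActiveDirectory

function Test-LdapPort {
    param([string]$ComputerName, [int]$Port = 389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an offline holder fails fast instead of hanging
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-FsmoStatus {
    param([string]$DomainName = 'child.example.com')

    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest

    # Two roles exist once per forest, three once per domain
    $roles = @(
        @{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster },
        @{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster },
        @{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator },
        @{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster },
        @{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
    )

    foreach ($r in $roles) {
        [pscustomobject]@{
            Role   = $r.Role
            Scope  = $r.Scope
            Holder = $r.Holder
            Online = Test-LdapPort -ComputerName $r.Holder
        }
    }
}

Get-FsmoStatus | Format-Table -AutoSize

# Is the infrastructure master of this domain also a global catalog?
$infra = (Get-ADDomain -Identity 'child.example.com').InfrastructureMaster
(Get-ADDomainController -Identity $infra -Server 'child.example.com').IsGlobalCatalog
```

Run it from a domain-joined machine before and after a promotion test to record which role holders were reachable at the time.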
