when a domain controller goes down...

Posted on 2013-12-31
Last Modified: 2014-01-15
I have two domain controllers in my domain. Both have DNS and DHCP and Active Directory. If the main controller goes down, what should I do? Should I promote the second one?

What are some things I need to keep in mind in the event that the main controller goes down?

The main controller is a 2003 server and the second controller is 2008.
Question by:al4629740
 
Assisted Solution by:Technodweeb
ID: 39749287
You really only need to promote a DC if the existing Primary is going to be offline for an extended period. I think 3 days is the gotcha point. You can promote it after 3 days if you are in a situation where you need to but unless you have a catastrophic failure and you think the Primary will be down for that long, don't change it.

Assisted Solution by:lruiz52
ID: 39749346
If you have two domain controllers, both being GCs, and one goes down for an extended amount of time, what you would have to do is seize whatever FSMO roles the good domain controller doesn't have.

Assisted Solution by:Stelian Stan
ID: 39749410
What do you mean by "main domain controller"? Is it the one running the FSMO roles? If yes, then if that DC goes down you have to seize the FSMO roles on the second domain controller. Also, after you seize the roles to the second domain controller, DO NOT bring the first DC online.
I would also update the first DC to 2008.

Author Comment by:al4629740
ID: 39749421
What are the FSMO roles?

Author Comment by:al4629740
ID: 39749423
Also, can't the domain function without seizing the roles?

Assisted Solution by:Mysidia
ID: 39749432
You should check the sites and services in AD, and the NTDS settings of your domain controllers, and make sure that your backup DC has "Global catalog server" checked.

The order that you list DNS servers on AD member computers is another matter.
(You should re-order DNS server lists configured on clients or DHCP servers, so that the more responsive DNS server is listed first.)


"What are the FSMO roles?"

The short answer is that if you don't actually know what the FSMO roles are, you should under no circumstances go down the path of attempting the highly dangerous action of forcibly seizing FSMO roles without explicit direction from Microsoft support or the direct approval of a highly experienced Windows admin at your company who has the full details of whatever is actually going on in your environment.

FSMO roles are crucial to certain maintenance tasks for the directory, such as schema updates, object moves, long-term maintenance of each DC's RID pools that new objects are created from, and certain cross-domain operations; however, you should in most cases survive without these functions for the few days it takes to get the domain controller repaired, or rebuilt and replaced.

No FSMO roles available would interfere with tasks such as installing Exchange or other additional software requiring schema updates; these tasks should not be attempted with downed domain controllers anyway. There should be no urgent need whatsoever to seize any FSMO roles from a downed domain controller.

You will eventually need to do it if the DC HAD the roles, is gone forever, and cannot be repaired.

FSMO role seizure is an irreversible procedure that can do serious damage to the directory, or to the downed DC, if it is executed under inappropriate circumstances or performed improperly.

If a domain controller goes down, your first steps should be to build a new domain controller to replace it, and possibly restore from server backup and system state backup, in order to recover the missing domain controller.

After a FSMO role seizure, the former domain controller must be permanently left off, and never turned on again while connected to the network. The old DC will be in an inconsistent state, and if booted, it should be tombstoned and unable to resync; but if that were not the case, irreparable damage could be caused to the directory, ultimately requiring a full rebuild of the AD environment or restoration of AD from an earlier backup.

Role seizure also means that you can no longer restore the old domain controller from a backup, as the DC is now invalid.

Taking the option of "restoring the DC from backup" off the table may result in a longer repair.


On the other hand: if a domain controller is permanently gone, then role seizure may be the ultimate path you have to eventually head down (if the downed controller actually held any FSMO roles).

But again, building a new domain controller to replace the gone one should be the first recovery step.



For most database operations, Active Directory is a multiple-master database, and the global catalog servers in a forest are all "equals", so there is no such thing as a "Primary" and "Backup" AD domain controller.

HOWEVER, as an exception, there are 5 SINGLE-master roles called FSMO roles.
Each of the 5 roles is assigned to a server in the directory; in some cases, all 5 roles might be assigned to the same server.

In the event that a domain controller will be PERMANENTLY down, any of the FSMO roles that server had need to be transferred to another server.

If the domain controller cannot be booted up into an online state successfully to PROPERLY transfer the FSMO roles to another server, then there is a procedure called SEIZING that may be required to recover the lost FSMO roles and transfer them to a domain controller that is still operational.
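Before deciding whether anything needs doing, it helps to see which DC holds which role, which DCs are global catalogs, and which ones actually answer. The PowerShell below is an added example, not code from the thread or from any of the posters; it assumes the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2 or later) on the machine it runs from, and that ICMP to the DCs is allowed (a DC that blocks ping would show as unreachable). The older command-line equivalents, `netdom query fsmo` and `dsquery server -isgc`, are noted in the comments.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT / Server 2008 R2+); the DCs it inspects can be older, e.g. Server 2003.
# Older tooling equivalents: "netdom query fsmo" and "dsquery server -isgc".
Import-Module ActiveDirectory

function Get-DcRoleSummary {
    # One row per DC: GC flag, reachability, and the FSMO roles it holds.
    # OperationMasterRoles is a property of the object Get-ADDomainController returns.
    $dcs = foreach ($dc in Get-ADDomainController -Filter *) {
        [pscustomobject]@{
            Name      = $dc.HostName
            Site      = $dc.Site
            OS        = $dc.OperatingSystem
            IsGC      = $dc.IsGlobalCatalog
            Reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
            RolesHeld = ($dc.OperationMasterRoles -join ', ')
        }
    }
    $dcs | Format-Table -AutoSize | Out-String | Write-Host

    # The check that actually matters for logons: is at least one GC answering?
    $liveGc = @($dcs | Where-Object { $_.Reachable -and $_.IsGC })
    if ($liveGc.Count -eq 0) {
        Write-Warning 'No reachable global catalog server. Restore one before worrying about FSMO roles.'
    }

    # A down role holder is a "repair or rebuild first" situation, not a reason to seize.
    foreach ($down in ($dcs | Where-Object { -not $_.Reachable -and $_.RolesHeld })) {
        $msg = '{0} is unreachable and holds: {1}. A transfer is not possible while it is down; seize only if it is permanently gone.' -f $down.Name, $down.RolesHeld
        Write-Warning $msg
    }
    return $dcs
}

Get-DcRoleSummary
```

In the two-DC setup from the question, the interesting outputs are the `IsGC` column (Mysidia's first check) and the warning for a role holder that does not answer.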
 
Assisted Solution by:lruiz52
ID: 39749438
Agree with Mysidia, be very careful when dealing with fsmo role seizure.

http://social.technet.microsoft.com/wiki/contents/articles/17018.understanding-fsmo-roles.aspx

Assisted Solution by:Pramod Ubhe
ID: 39749473
Please promote the second domain controller and transfer 2-3 FSMO roles on to it.
For DNS, make sure that your zones are AD-integrated zones so both DNS servers will be in sync.
For DHCP, you can either go by the 80/20 rule or have 50/50 scopes split across the two DCs.
 
Assisted Solution by:KCTS
ID: 39749566
You can't PROMOTE a DC. A DC is a DC. Since Windows 2000 there is no such thing as a PDC (Primary Domain Controller) and BDC (Backup Domain Controller). All DCs are in effect PDCs.

That said, one DC (normally the first one to be created) will hold what are called FSMO roles: Schema Master, Domain Naming Master, RID Master, Infrastructure Master and PDC Emulator. These roles can only exist on one machine at any one time.

Assuming that each DC has DHCP, DNS and global catalog, as seems to be the case, then if a DC which is not an FSMO role holder fails, you do not need to do anything, in the short term at least, to the other DCs.

If the FSMO role holder fails then it all depends on the nature of the failure. The domain can normally continue fully operational for some considerable time even without the FSMO roles, so if you envisage a short down-time, then again do nothing.

If you have a more serious issue with the FSMO role holder, then you can seize the FSMO roles, effectively making another DC the FSMO role holder, as described in http://cmckeeg.wordpress.com/2013/02/17/how-to-seize-a-lost-fsmo-role/
If you do seize the roles, then you must NEVER bring the original FSMO role holder back online; if you do, then the two machines will conflict with each other.
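The last two paragraphs of that answer are a decision: transfer if the holder is still up, seize only for a serious failure, and never let the old holder back on. The script below is an added example (not the procedure from the linked article, nor anything the posters wrote) that encodes that decision. It assumes the ActiveDirectory module and uses `Move-ADDirectoryServerOperationMasterRole`, whose `-Force` switch is what turns a graceful transfer into a seizure; it refuses to seize unless the current holder fails a reachability check and the caller passes `-Seize` explicitly. The DC names in the usage lines are constructed placeholders.

```powershell
# Added example (not from the thread or the linked article). Requires the
# ActiveDirectory module (RSAT / Server 2008 R2+). Pass DC names as FQDNs, since
# Get-ADDomain / Get-ADForest report role holders that way.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [switch]$Seize     # explicit opt-in; never implied
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holder = switch ($Role) {
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
        'PDCEmulator'          { $domain.PDCEmulator }
        'RIDMaster'            { $domain.RIDMaster }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
    }
    if ($holder -ieq $TargetDc) {
        Write-Host "$TargetDc already holds $Role; nothing to do."
        return
    }

    # Holder answers: do the graceful transfer. Both DCs agree on the hand-over
    # and the old holder can stay online as an ordinary DC afterwards.
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
        Write-Host "$Role transferred from $holder to $TargetDc."
        return
    }

    # Holder is down. Without -Seize this is the "repair or rebuild first" branch.
    if (-not $Seize) {
        throw "$Role holder $holder is unreachable, so a transfer is impossible. Repair or rebuild it first; re-run with -Seize only if it is permanently gone."
    }

    # Seizure is irreversible: the old holder must never return to the network,
    # and its metadata should be cleaned up afterwards (ntdsutil "metadata cleanup").
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
    Write-Warning "$Role seized onto $TargetDc. Keep $holder off the network permanently."
}

# Usage (constructed names): graceful transfer first; the -Seize form only if the holder is gone.
# Move-FsmoRoleSafely -Role PDCEmulator -TargetDc dc2.example.local
# Move-FsmoRoleSafely -Role PDCEmulator -TargetDc dc2.example.local -Seize
```

The reachability test is deliberately crude (ICMP); a holder that is up but blocking ping would look dead, so the `-Seize` branch is gated on the operator's explicit switch rather than on the ping alone.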
 

Author Comment by:al4629740
ID: 39756737
When do the FSMO roles become critical? If the FSMO holder goes down and the second DC is online, when does it become an issue?

Expert Comment by:Pramod Ubhe
ID: 39756892
Yes, it becomes critical when the DC holding that particular role goes down.

Author Comment by:al4629740
ID: 39756908
I guess the question I have is why is it critical?

Assisted Solution by:Pramod Ubhe
ID: 39756947
It depends on which FSMO goes down. The most critical is the PDC EMULATOR, which will affect authentication immediately as it manages time sync. If the RID master is down, you will be unable to create new objects after some time period (once the RID pool on the DC gets fully utilized), and so on; each FSMO has its own criticality.

Assisted Solution by:KCTS
ID: 39757161
The PDC emulator is used to sync time and is required for some password changes, so it will probably be the first FSMO role to be missed.

The RID master is used as part of the process of assigning SIDs to new objects, but as it issues RIDs in batches, unless you are adding a lot of new users/computers it will normally be a while before it's missed.

The Infrastructure Master and Domain Naming Master contain details about the structure of your domain/forest/trusts, so unless you want to change these, these roles will not be missed.

The Schema Master is used to make changes to the AD schema, so again, unless you want to modify the schema you won't miss this role in normal use.

Author Comment by:al4629740
ID: 39760616
To me it seems worthless to have a backup DC that can't automatically handle domain authentication requests once the main FSMO DC goes down...

Expert Comment by:Pramod Ubhe
ID: 39776487
Yes, but you can always transfer those roles in the event of a disaster. There are manual efforts required for this, but this is how Microsoft designed it.

Accepted Solution by:Mysidia
ID: 39780483
"To me it seems worthless to have a backup DC that can't automatically handle domain authentication requests once the main FSMO DC goes down..."

You missed the point. The only thing you really need to ensure is that you have global catalog servers online, and you can have multiple global catalog servers in a site.

In an environment at Windows 2003 functional level or newer (Win2k, not WinNT), there is no such thing in a directory as a "backup" DC; the operations master roles are additional roles besides being a DC, and the roles can be shared among your DCs. The single-master operations master roles are not required for authentication to occur; they are exclusively used to effect specific changes and maintenance to the Active Directory database, or, in the case of the PDC Emulator, to act as the authoritative time source for all the other domain controllers.

"The most critical is PDC EMULATOR which will affect authentication immediately as it manages time sync."

In general no, not in an environment operating at Windows 2003 functional level or newer.
The PDC emulator's primary job was interoperability within a mixed server environment with older releases such as Windows NT that still relied on the concept of a primary domain controller.

WinNT is obsolete, and most AD domains are operating at Windows Server 2008 R2 or Server 2012 R2 functional levels, so the PDC emulator role has very little purpose.

As long as the clocks of your computers are within 5 minutes of each other, and the various domain controllers' clocks are within 1 minute of each other. The PDC emulator does manage clock synchronization, which is important; but it is not as if all the clocks on the computers will switch from perfect sync to five minutes away the moment the PDC goes down.

In most cases, it would be weeks before there would be a clock issue.
Also, you don't have to use the PDC emulator to sync your clocks; you can sync the clocks on your computers using a different 'backup' method, so in a sense that role is the least important.

In a Windows NT environment, the PDC is important because it processes and manages the replication of password changes to downlevel domain controllers.


"When does the FSMO roles become critical? If the FSMO holder goes down and the second DC is online, when does it become an issue?"

The only answer is, it depends. For a small environment, you probably have 10 days or longer for most roles. If you have a multi-domain environment, it will be noticed sooner, as a number of the FSMO roles specifically have purposes that are only used in multi-domain or multi-forest environments.


If you have an environment with a high velocity of directory changes, e.g. several new user accounts or new computers every day, it will be noticed sooner, since without the RID, for example, the number of new objects you can allocate before restoring the RID will be finite.
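The two "how long do I have" questions in this answer, how many RIDs each DC still has and how far the DC clocks have drifted, can be measured rather than guessed. The script below is an added example, not from the thread or any poster. It reads each DC's RID Set object (`rIDPreviousAllocationPool` is the pool being consumed, `rIDAllocationPool` the one reserved next, `rIDNextRID` the next value to hand out; the 64-bit pool attributes pack the first RID in the low 32 bits and the last RID in the high 32 bits), and it measures the clock offset to each DC with the built-in `w32tm /stripchart`, flagging any DC more than 60 seconds out (the one-minute figure from the answer). It assumes the ActiveDirectory module, PowerShell 3.0 or later for the `-shr` operator, and NTP (UDP 123) reachability from the machine it runs on; `w32tm /query /source` needs a 2008-or-later target and will just return an error string against a 2003 DC.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module and
# PowerShell 3.0+ (for -shr); w32tm.exe ships with Windows.
Import-Module ActiveDirectory

# Remaining RIDs per DC: how long you can keep creating users/computers without
# the RID master. A DC asks for a new pool at roughly 50% use, so one may be spare.
function Get-RidPoolStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
        $rid  = Get-ADObject -Identity ($comp.rIDSetReferences | Select-Object -First 1) `
                    -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $cur = [int64]$rid.rIDPreviousAllocationPool   # pool currently in use
        $nxt = [int64]$rid.rIDAllocationPool           # pool reserved for later (may equal $cur)
        $left = ($cur -shr 32) - [int64]$rid.rIDNextRID
        if ($nxt -ne $cur) {
            # A fresh pool is already on hand: add its full size (low 32 bits = start, high = end).
            $left += ($nxt -shr 32) - ($nxt -band 4294967295) + 1
        }
        [pscustomobject]@{ DC = $dc.HostName; NextRID = $rid.rIDNextRID; RidsLeft = $left }
    }
}

# Clock offset from this machine to each DC, plus what each DC syncs from.
function Get-DcClockOffset {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $out = & w32tm.exe /stripchart "/computer:$($dc.HostName)" /samples:1 /dataonly 2>&1 | Out-String
        # Data line looks like "10:00:00, +00.0012345s"; accept a locale comma as decimal separator.
        $m = [regex]::Match($out, '([+-]\d+[.,]\d+)s')
        $offset = if ($m.Success) { [double]($m.Groups[1].Value -replace ',', '.') } else { $null }
        $source = (& w32tm.exe /query /source "/computer:$($dc.HostName)" 2>&1 | Out-String).Trim()
        [pscustomobject]@{
            DC            = $dc.HostName
            OffsetSeconds = $offset
            TimeSource    = $source
            # DCs should sit within 1 minute of each other; null means w32tm got no answer.
            Warn          = ($null -eq $offset) -or ([math]::Abs($offset) -gt 60)
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
Get-DcClockOffset | Format-Table -AutoSize
```

`RidsLeft` divided by the number of objects you create per day is the answer to "when does the missing RID master bite"; the `Warn` column is the equivalent for the PDC emulator, and `TimeSource` shows whether a DC is already syncing from something other than the PDC emulator, as the answer suggests you can.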
