When a domain controller goes down...

I have two domain controllers in my domain. Both have DNS and DHCP and Active Directory. If the main controller goes down, what should I do? Should I promote the second one?

What are some things I need to keep in mind in the event that the main controller goes down?

The main controller is 2003 server and the second controller is 2008

Mysidia commented:
"To me it seems worthless to have a backup DC that can't automatically handle domain authentication requests once the main FSMO DC goes down..."

You missed the point. The only thing you really need to ensure is that you have global catalog servers online, and you can have multiple global catalog servers in a site.

In an environment at Windows 2003 functional level or newer (Win2k, not WinNT), there is no such thing in a directory as a "backup" DC; the operations master roles are additional roles besides being a DC, and the roles can be shared among your DCs. The single-master operations master roles are not required for authentication to occur; they are exclusively used to effect specific changes and maintenance to the Active Directory database, or in the case of the PDC Emulator, to act as the authoritative time source for all the other domain controllers.

"The most critical is PDC EMULATOR which will affect authentication immediately as it manages time sync."

In general no, not in an environment operating at Windows 2003 functional level or newer.
The PDC emulator's primary job was interoperability within a mixed server environment, with older releases such as Windows NT that still relied on the concept of a primary domain controller.

WinNT is obsolete, and most AD domains are operating at Windows Server 2008 R2 or Server 2012 R2 functional levels, so the PDC emulator role has very little purpose.

As long as the clocks of your computers are within 5 minutes of each other, and the various domain controllers' clocks are within 1 minute of each other. The PDC emulator does manage clock synchronization, which is important, but it is not as if all the clocks on the computers will switch from perfect sync to five minutes away the moment the PDC goes down.

In most cases, it would be weeks before there would be a clock issue.
Also, you don't have to use the PDC emulator to sync your clocks; you can sync the clocks on your computers using a different 'backup' method, so in a sense that role is the least important.

In a Windows NT environment, the PDC is important because it processes and manages the replication of password changes to downlevel domain controllers.

"When do the FSMO roles become critical? If the FSMO holder goes down and the second DC is online, when does it become an issue?"

The only answer is, it depends. For a small environment, you probably have 10 days or longer for most roles. If you have a multi-domain environment, it will be noticed sooner, as a number of the FSMO roles specifically have a number of purposes that are only used in multi-domain or multi-forest environments.

If you have an environment with a high velocity of directory changes, e.g. several new user accounts or new computers every day, it will be noticed sooner, since without the RID, for example, the number of new objects you can allocate before restoring the RID will be finite.
Gregory Miller (General Manager) commented:
You really only need to promote a DC if the existing Primary is going to be offline for an extended period. I think 3 days is the gotcha point. You can promote it after 3 days if you are in a situation where you need to but unless you have a catastrophic failure and you think the Primary will be down for that long, don't change it.
lruiz52 commented:
If you have two domain controllers both being GC and one goes down for an extended amount of time what you would have to do is seize whatever fsmo roles that the good domain controller doesn't have.

Stelian Stan (Network Administrator) commented:
What do you mean by "main domain controller"? Is it the one running the FSMO roles? If yes, then if that DC goes down you have to seize the FSMO roles on the second domain controller. Also, after you seize the roles to the second domain controller, DO NOT bring the first DC online.
I would also update the first DC to 2008.
al4629740 (Author) commented:
What are the FSMO roles?
al4629740 (Author) commented:
Also, can't the domain function without seizing the roles?
Mysidia commented:
You should check the sites and services in AD, and the NTDS settings of your domain controllers, and make sure that your backup DC has "Global catalog server" checked.

The order that you list DNS servers on AD member computers is another matter.
(You should re-order DNS server lists configured on clients or DHCP servers, so that the more responsive DNS server is listed first.)

"What are the FSMO roles?"

The short answer is that if you don't actually know what the FSMO roles are, you should under no circumstances go down the path of attempting the highly dangerous action of forcibly seizing FSMO roles without explicit direction from Microsoft support or the direct approval of a highly experienced Windows admin at your company who has the full details of whatever is actually going on in your environment.

FSMO roles are crucial to certain maintenance tasks for the directory, such as schema updates, object moves, long-term maintenance of each DC's RID pools that new objects are created from, and certain cross-domain operations. However, you should in most cases survive without these functions for the few days it takes to get the domain controller repaired or rebuilt and replaced.

No FSMO roles available would interfere with tasks such as installing Exchange or other additional software requiring schema updates; these tasks should not be attempted with downed domain controllers anyway. There should be no urgent need whatsoever to seize any FSMO roles from a downed domain controller.

You will eventually need to do it if the DC HAD the roles, is gone forever, and cannot be repaired.

FSMO role seizure is an irreversible procedure that can do serious damage to the directory, or to the downed DC, if it is executed under inappropriate circumstances or performed improperly.

If a domain controller goes down, your first steps should be to build a new domain controller to replace it, and possibly restore from server backup and system state backup, in order to recover the missing domain controller.

After a FSMO role seizure, the former domain controller must be permanently left off and never turned on again while connected to the network. The old DC will be in an inconsistent state, and if booted, it should be tombstoned and unable to resync; but if that were not the case, irreparable damage could be caused to the directory, ultimately requiring a full rebuild of the AD environment or restoration of AD from an earlier backup.

Role seizure also means that you can no longer restore the old domain controller from a backup, as the DC is now invalid.

Taking the option of "restoring the DC from backup" off the table may result in a longer repair.

On the other hand: if a domain controller is permanently gone, then role seizure may be the ultimate path you have to eventually head down (if the downed controller actually held any FSMO roles).

But again, building a new domain controller to replace the gone one should be the first recovery step.

For most database operations, Active Directory is a multiple-master database, and the global catalog servers in a forest are all "equals", so there is no such thing as a "Primary" and "Backup" AD domain controller.

HOWEVER, as an exception, there are 5 SINGLE-master roles called FSMO roles.
Each of the 5 roles is assigned to a server in the directory; in some cases, all 5 roles might be assigned to the same server.

In the event that a domain controller will be PERMANENTLY down, any of the FSMO roles that server had need to be transferred to another server.

If the domain controller cannot be booted up into an online state successfully to PROPERLY transfer the FSMO roles to another server, then there is a procedure called SEIZING that may be required to recover the lost FSMO roles and transfer them to a domain controller that is still operational.
lruiz52 commented:
Agree with Mysidia, be very careful when dealing with fsmo role seizure.

Pramod Ubhe commented:
Please promote the second domain controller and transfer 2-3 FSMO roles onto it.
For DNS, make sure that your zones are AD-integrated zones so both DNS servers will be in sync.
For DHCP, either you can go by the 80-20 rule or have 50-50 scopes split on the two DCs.
KCTS commented:
You can't PROMOTE a DC. A DC is a DC - since Windows 2000 there is no such thing as a PDC (Primary Domain Controller) and BDC (Backup Domain Controller). All DCs are in effect PDCs.

That said, one DC (normally the first one to be created) will hold what are called FSMO Roles: Schema Master, Domain Naming Master, RID Master, Infrastructure Master and PDC Emulator. These roles can only exist on one machine at any one time.

Assuming that each DC has DHCP, DNS and global catalog - as seems to be the case, then if a DC which is not an FSMO role holder fails, you do not need to do anything, in the short term at least to the other DCs.

If the FSMO role holder fails then it all depends on the nature of the failure. The domain can normally continue fully operational for some considerable time even without the FSMO roles, so if you envisage a short down-time, then again do nothing.

If you have a more serious issue with the FSMO role holder, then you can seize the FSMO roles, effectively making another DC the FSMO role holder as described in http://cmckeeg.wordpress.com/2013/02/17/how-to-seize-a-lost-fsmo-role/
If you do seize the roles, then you must NEVER bring the original FSMO role holder back on-line, if you do then the two machines will conflict with each other.
al4629740 (Author) commented:
When do the FSMO roles become critical? If the FSMO holder goes down and the second DC is online, when does it become an issue?
Pramod Ubhe commented:
Yes, it becomes critical when the DC holding that particular role goes down.
al4629740 (Author) commented:
I guess the question I have is why it is critical?
Pramod Ubhe commented:
It depends on which FSMO goes down. The most critical is the PDC EMULATOR, which will affect authentication immediately as it manages time sync. If the RID master is down, you will be unable to create new objects after some time period (once the RID pool on the DC gets fully utilized), and so on; each FSMO has its own criticality.
KCTS commented:
The PDC emulator is used to sync time and is required for some password changes, so it will probably be the first FSMO role to be missed.

The RID master is used as part of the process of assigning SIDs to new objects - but as it issues RIDs in batches, unless you are adding a lot of new users/computers it will normally be a while before it's missed.

The Infrastructure master and Domain Naming master contain details about the structure of your domain/forest/trusts, so unless you want to change these, these roles will not be missed.

The Schema Master is used to make changes to the AD Schema, so again unless you want to modify the schema you won't miss this role in normal use.
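The five roles KCTS lists above, and the "is the other DC a global catalog" check Mysidia recommends earlier in the thread, can be verified in one pass from PowerShell. The script below is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed on the machine you run it from and that the DCs answer AD Web Services / Management Gateway queries, and the DC name in the final comment is a placeholder.

```powershell
# Added example (not from the thread): inventory the FSMO role holders, the
# global catalog status of each DC, and the clock offsets the thread says
# matter. Assumes the ActiveDirectory module (RSAT) and that every DC answers
# AD Web Services / Management Gateway queries.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (on the forest object); three are domain-wide.
$roles = @(
    @{ Role = 'Schema Master';         Holder = $forest.SchemaMaster }
    @{ Role = 'Domain Naming Master';  Holder = $forest.DomainNamingMaster }
    @{ Role = 'PDC Emulator';          Holder = $domain.PDCEmulator }
    @{ Role = 'RID Master';            Holder = $domain.RIDMaster }
    @{ Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster }
)
"FSMO role holders for $($domain.DNSRoot):"
foreach ($r in $roles) { '  {0,-22} {1}' -f $r.Role, $r.Holder }

# A DC that is reachable, is a GC and serves DNS keeps authenticating clients
# on its own; none of the FSMO roles above are needed for logons.
"`nDomain controllers:"
foreach ($dc in Get-ADDomainController -Filter *) {
    $online = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    $held   = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ', ' } else { 'none' }
    '  {0,-18} {1,-30} GC={2,-5} online={3,-5} roles: {4}' -f $dc.Name, $dc.OperatingSystem, $dc.IsGlobalCatalog, $online, $held
}

# Kerberos tolerates 5 minutes of skew by default, so an offset that keeps
# growing is the symptom to watch for after the PDC emulator is lost.
"`nTime offsets of every DC in the domain (w32tm /monitor):"
w32tm /monitor "/domain:$($domain.DNSRoot)"

# Graceful transfer while BOTH DCs are online (not a seizure). The same cmdlet
# with -Force is the seizure the thread warns about, only for a DC that is gone
# for good and will never be reconnected. DC2 is a placeholder name.
#   Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole PDCEmulator
```

If every DC shows GC=True and online=True, logons keep working whichever DC holds the roles; the role inventory only tells you what would eventually need transferring.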
al4629740 (Author) commented:
To me it seems worthless to have a backup DC that can't automatically handle domain authentication requests once the main FSMO DC goes down...
Pramod Ubhe commented:
Yes, but you can always transfer those roles in the event of a disaster. There are manual efforts required for this, but this is how Microsoft designed it.