redundancy for domain controller that has fsmo/schema master roles

We had a situation recently where a Windows DC (with schema master/FSMO roles) flipped its profile from domain network to public network, causing all sorts of issues. Is there a way to have redundancy with the schema master and other roles? We have a mix of 2008 R2 and 2012 R2 domain controllers but are in the process of migrating to 2012 R2. Is there a way to keep the domain operational if this were to happen again? Thank you.

Sam
jesusislove333333 Asked:

Lee W, MVP, Technology and Business Process Advisor Commented:
"causing all sorts of  issues"
Such as?  

If your AD is set up properly to begin with, the FSMO roles aren't critical to everyday operation for single domain environments.  If you understand the roles and their functions, most domains can remain without ALL FSMO roles for days or weeks before any obvious negative consequence.  This doesn't mean you WANT to be without them, but the masters can be down.

If you don't have any other Global Catalog servers, that can create issues - and that's just a checkbox on the DC in Sites and Services.  

To be clear, you cannot have redundant masters - any attempt to create them (for example, replicating them to another DC and then turning it on if it fails) is a huge potential risk to corrupting your AD.  If the FSMOs go down for any serious length of time, you can always seize them... but even that should not be your FIRST action - that should be your last once you know you CANNOT get the holder running again without going to backups (though backups CAN be an option if you understand AD backup and restore procedures and implications, in GENERAL I wouldn't).

jesusislove333333 Author Commented:
We have two domains in a single forest.  The major issue was that one of our apps that relies on AD authentication and contacts a SQL database server was failing.  If needed, I can find the exact error.  Exchange was also failing but that is because of the client issue described below.

We did have associated issues with many client workstations that switched from domain profile to public profile.

All this seemed to happen at about 3 AM with an automatic update on the DC.

Lee W, MVP, Technology and Business Process Advisor Commented:
First, I NEVER automatically apply updates to critical servers.  I'm in control of them.  Further, you should be testing updates on non-critical systems and in test environments.

I do understand that's not always possible in smaller environments, but then it's even more reason NOT to apply updates automatically.

Second, I would strongly encourage you to learn about AD and how it works in greater detail if you are in charge of maintaining it.  In this case, I would start by reading over this Technet article on how Global Catalogs work - https://technet.microsoft.com/en-us/library/how-global-catalog-servers-work%28v=ws.10%29.aspx

One reason your clients may have had Exchange issues is related to the global catalogs.  Honestly, given the issues you're describing, I would point to your GC structure as being your primary issue in relation to your problems recently.
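
The checks discussed in this thread (which DC holds each FSMO role, whether each domain has more than one Global Catalog, and whether any DC has dropped out of the domain network profile) can be gathered in one read-only pass. This is an added example, not part of the original thread; it assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, and an account allowed to query them.

```powershell
# Added example: read-only inventory of FSMO holders, Global Catalogs and
# network profile per DC, for every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Schema master:        $($forest.SchemaMaster)"
Write-Host "Domain naming master: $($forest.DomainNamingMaster)"

$report = foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # Get-NetConnectionProfile ships with Server 2012 and later. If the
        # remote call fails for any reason (older OS, remoting disabled, DC
        # unreachable), the category is recorded as 'Unknown'.
        $category = try {
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                (Get-NetConnectionProfile).NetworkCategory -join ','
            }
        } catch { 'Unknown' }

        [pscustomobject]@{
            Domain          = $domainName
            Site            = $dc.Site
            DC              = $dc.HostName
            GlobalCatalog   = $dc.IsGlobalCatalog
            FsmoRoles       = $dc.OperationMasterRoles -join ','
            NetworkCategory = $category
        }
    }
}
$report | Sort-Object Domain, Site, DC | Format-Table -AutoSize

# A DC that is not on the DomainAuthenticated category is running under the
# Public or Private firewall profile instead of the Domain profile.
$report | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
    ForEach-Object { Write-Warning "$($_.DC): network category is $($_.NetworkCategory)" }

# A domain with fewer than two Global Catalogs has no other GC to fall back on.
$report | Group-Object Domain | ForEach-Object {
    $gcCount = @($_.Group | Where-Object { $_.GlobalCatalog }).Count
    if ($gcCount -lt 2) { Write-Warning "$($_.Name): only $gcCount global catalog server(s)" }
}
```

Running it on a schedule and alerting on the warnings would surface a profile flip on a DC before clients start failing.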
