asked on FSMO role Question
I think I know the answer to this, but my boss is questioning that answer so I wanted to check for sure. Currently we're running AD2003 - yeah, I know. In that environment I have each of the FSMO roles assigned to one of two DC.'s. We will probably be upgrading to 2008 or 2012 soon and we're establishing a second data center that will also function as a DR site. So, my question is, as a part of DR does any version of AD support having any one FSMO role living on more than one DC at the same time, or does any kind of replication exist so that if a DC died that was hosting a role that role can automatically be transferred to another DC?
Windows Server 2008Windows Server 2012Active Directory
Last Comment
DLeaver
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
might not be related.
we have a customer who utilizes replication so they have a replica servers in our DC.
they also have a 100MB Pipe to our DC and VLANs configured accordingly
In case of problem with primary the replica kicks in and the downtime is literally 5 minutes or even less in most case.
we have a customer who utilizes replication so they have a replica servers in our DC.
they also have a 100MB Pipe to our DC and VLANs configured accordingly
In case of problem with primary the replica kicks in and the downtime is literally 5 minutes or even less in most case.
Replicating DCs is dangerous and should be avoided. As others have said, the nature of AD and the function of the FSMO roles don't require it if you have more than one DC. FSMO role holders, depending on the size of the environment and number of AD objects, can go WEEKS OR MONTHS with the FSMO master down (stay within the tombstone life of the domain, default 60 days). Else you simply seize the roles.
For DR environments we do either one of the following:-
- Provision a DC in the DR site that is always on and is ready to serve requests in the event of an invocation, set up as another AD site. As mentioned above if a disaster occurs in the Production environment and the primary DC is dead you would seize the FSMO roles. This is the preferred method as there is no reconfiguration of the AD element after invocation.
- Do a straight synchronisation of data to the DR site using Zerto/Veeam/Doubletake or if you own the kit in the DR location maybe storage replication with SRM. In the event of invocation then the environment is re-ip addressed etc and powered on. There is obviously an impact to re-ip addressing so depending on your RTO this isn't preferred, especially if you have other AD sites that will remain active after DR invocation...
- Provision a DC in the DR site that is always on and is ready to serve requests in the event of an invocation, set up as another AD site. As mentioned above if a disaster occurs in the Production environment and the primary DC is dead you would seize the FSMO roles. This is the preferred method as there is no reconfiguration of the AD element after invocation.
- Do a straight synchronisation of data to the DR site using Zerto/Veeam/Doubletake or if you own the kit in the DR location maybe storage replication with SRM. In the event of invocation then the environment is re-ip addressed etc and powered on. There is obviously an impact to re-ip addressing so depending on your RTO this isn't preferred, especially if you have other AD sites that will remain active after DR invocation...
Without looking into any Microsoft materials, the primary reason why this may be a non-factor is because all DC's are, inherently, writable. As such all DC's can act as an authority when clients make requests to them.
The biggest concern is replication.
-saige-