FSMO Roles in 2012 R2

Dears

I have a server (physical) that has been promoted to a domain controller.
I have a DHCP server running on it and a DNS server also.
(I have an Exchange 2013 server box too.)

In order to have a backup I created another server and also made it a domain controller.
It is working fine. I checked the logs and everything seems fine.
I also configured DNS on that server and it is playing nice with the other DNS server on my 'primary' domain controller.

As for the DHCP, I used the option of 2012 R2 that has the load balancing.
There also it is working fine.

My problem is the following:
As far as I know the FSMO roles can live (each one) on 1 server only.
If my assumption is right then if I have a problem with my primary server (DC), then reverting to the second DC (if the first one is dead) will not make me run 100% without issues.
Is that statement correct?

What I am trying to say is: what are the settings/measures I should be taking so that my 2 servers (DC1 and DC2) can be replaceable (meaning I'm 100% functional if one is down forcefully)?

I am sure that it is possible. It is just me that doesn't have the knowledge. That is why I come back to you gurus!!

Thanks
Pierre Ammoun (IT Consultant) asked:


Cliff Galiher commented:
If a server with any of the operations master roles ever failed in an unrecoverable way, manual intervention will always be required. That is unavoidable. It is worth mentioning, however, that moving such a role to a new server, while it is a manual process, is also relatively straightforward. You don't need to preemptively take special steps.
Nagendra Pratap Singh (Desktop Applications Specialist) commented:
It is fairly easy to seize the roles in case you need it.
Pierre Ammoun (IT Consultant, Author) commented:
I do know that it is somehow easy to seize a role, but my problem is the following:
Is it possible to seize the role even if the primary DC (the owner of that role) is dead all of a sudden?
Will it be seized correctly without any hiccup!?

Nagendra Pratap Singh (Desktop Applications Specialist) commented:
Yes. If the current role owner is up then it is called a transfer. A seizure is needed when the original role owner is missing permanently.
Pierre Ammoun (IT Consultant, Author) commented:
Thank you for the clarification.
My last sub-question would be the following:
Is there anything else needed to be done other than transferring those 4 roles to have the "promoted" DC working fully as primary?
Shaun Vermaak (Technical Specialist IV) commented:
From the top of my head...

  1. Make all DCs GCs
  2. Configure DNS forwarders on both in server configuration (external)
  3. Configure DNS client configuration to point to the other DC, its own network IP and 127.0.0.1
  4. Create a time sync policy that changes when the PDC role is moved
  5. Ensure all clients have both DCs as DNS entries (DHCP and static entries)

The only roles you need to worry about during normal operations are PDC and RID. Both can be offline and clients will still authenticate, but you should get them back online as soon as you can. If you cannot, you can seize them. As soon as you seize it, the GPO for time will automatically change its time configuration in the registry.

You can monitor how far any DC is from RID depletion from events or by checking DCDiag.

  • PDC Emulator (one per domain) - For immediate password changes, account lockouts etc.
  • RID Master (one per domain) - Handles the RID pool for new objects
  • Schema Master (one per forest) - Only required when making schema changes
  • Domain Naming Master (one per forest) - Only required when doing namespace changes like removing a domain
  • Infrastructure Master (one per domain) - Irrelevant in a forest with just one domain
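The checklist above can be audited from one PowerShell session. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and a domain-joined session with admin rights on both DCs.

```powershell
# Added example (not from the thread): audit the checklist items above on every DC.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with admin rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# Which DC holds each of the five operations master roles
[PSCustomObject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# Item 1: every DC should be a Global Catalog
$dcs | Select-Object HostName, IsGlobalCatalog, IsReadOnly, Site | Format-Table -AutoSize

# Item 3: DNS client order on each DC (partner DC first, then its own IP, then 127.0.0.1)
foreach ($dc in $dcs) {
    $dns = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
    }
    "{0}: DNS servers = {1}" -f $dc.HostName, (($dns.ServerAddresses | Select-Object -Unique) -join ', ')
}

# Item 4: time source. Only the PDC emulator should sync from an external source;
# the other DCs should report the domain hierarchy, and this must flip after a PDC move.
foreach ($dc in $dcs) {
    $src = w32tm /query /computer:$($dc.HostName) /source
    "{0}: time source = {1}" -f $dc.HostName, ($src -join ' ')
}

# RID depletion: rIDAvailablePool packs the highest issuable RID (upper 32 bits)
# and the next RID to hand out (lower 32 bits) into one 64-bit value.
$ridMgr  = Get-ADObject "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$maxRid  = [int64]($pool -shr 32)
$nextRid = [int64]($pool -band 0xFFFFFFFF)
"RIDs consumed: {0} of {1} ({2:P1})" -f $nextRid, $maxRid, ($nextRid / $maxRid)
```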
Lee W, MVP (Technology and Business Process Advisor) commented:
If you are to be in charge of managing your Active Directory environment then you should learn more about it. I strongly recommend you do some research on the FSMO roles and Global Catalogs.

I further suggest you set up a test network and start playing with these things and don't just ask the question - EXPERIENCE it on the test network. Experience ensures you do things right and that you understand what can and cannot be done in an emergency.

Familiarize yourself with the tools of Active Directory, including DCDIAG, REPADMIN, DNS, Group Policy, and Backup and Recovery.

Aanand Singh Karki (Associate Consultant) commented:
Hi Pierre Ammoun,

Your question itself contradicts your requirement. As you are aware, there can be one and only one instance of each FSMO role at a given point in time, so you don't really have to do anything on the secondary as long as your primary server is up and running. However, if it fails and can't be recovered for any reason, you must perform the FSMO role seizure so that the secondary server would start serving as FSMO.

In such catastrophic events, the downtime is expected and it completely depends on how proactively you monitor your critical applications and server roles.

Once you are aware of the failure and the type of failure (temporary or permanent) you can perform the seizure by following these steps.

https://support.microsoft.com/en-in/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller

Regards,
Aanand Singh Karki
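The transfer-versus-seize distinction from the answers above, done with the ActiveDirectory module rather than ntdsutil. This is an added example and not the thread's own steps; 'DC2' is a placeholder for the surviving DC, and the ping check stands in for whatever the admin has already confirmed about the old owner being permanently gone.

```powershell
# Added example (not the thread's own steps): transfer or, when the owner is gone, seize all five roles.
# Assumes the RSAT ActiveDirectory module; 'DC2' is a placeholder for the surviving DC.
Import-Module ActiveDirectory

$Target = 'DC2'
$Roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

function Get-RoleHolders {
    # Returns a hashtable of role name -> hosting DC, read from the domain and forest objects
    $d = Get-ADDomain; $f = Get-ADForest
    @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

$before   = Get-RoleHolders
$oldOwner = $before.PDCEmulator
# A ping is only an illustration; decide "permanently gone" from your own incident evidence.
$ownerOnline = Test-Connection -ComputerName $oldOwner -Count 1 -Quiet

if ($ownerOnline) {
    # Graceful transfer: the current owner is up, so the handover replicates cleanly
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
} else {
    # Seizure: -Force attempts a transfer first and seizes only if the owner does not answer.
    # The old owner must never be reconnected to the network afterwards; clean up its metadata instead.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Force -Confirm:$false
}

# Verify that every role now points at the target (AD returns FQDNs, so compare on host name)
$after = Get-RoleHolders
$wrong = $after.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $Target }
if ($wrong) { $wrong | ForEach-Object { "Still not moved: {0} on {1}" -f $_.Key, $_.Value } }
else        { "All five roles now held by $Target" }
```

After a seizure, the time-sync GPO from the earlier checklist should now apply to the new PDC emulator; re-run the audit on both DCs to confirm the time source actually changed.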