FSMO Roles in 2012 R2

Pierre Ammoun
Dears

I have a server (Physical) that has been promoted to a Domain controller.
I have a DHCP server running on it and DNS server also.
(I have an exchange 2013 server box too).

In order to have a backup I created another server and also made it a domain controller.
It is working fine. I checked the logs and everything seems fine.
I also configured DNS on that server and it is playing nice with the other DNS server on my 'primary' domain controller.

As for the DHCP, I used the option of 2012 R2 that has the load balancing.
There also it is working fine.

My problem is the following:
As far as I know the FSMO roles can live (each one) on 1 server only.
If my assumption is right then if I have a problem with my primary server (DC) then reverting to the second DC (if the first one is dead) will not make me run 100% without issues.
Is that statement correct?

What I am trying to say is: what are the settings/measures I should be taking so that my 2 servers (DC1 and DC2) can be replaceable (meaning I'm 100% functional if one is down forcefully).

I am sure that it is possible. It is just me that doesn't have the knowledge. That is why I come back to you gurus!!

Thanks
Distinguished Expert 2018

Commented:
If a server with any of the operations master roles ever failed in an unrecoverable way, manual intervention will always be required. That is unavoidable. It is worth mentioning, however, that moving such a role to a new server, while it is a manual process, is also relatively straightforward. You don't need to preemptively take special steps.
Nagendra Pratap Singh, Desktop Applications Specialist

Commented:
It is fairly easy to seize the roles in case you need it.
Pierre Ammoun, IT Consultant

Author

Commented:
I do know that it is somehow easy to seize a role but my problem is the following:
is it possible to seize the role even if the primary DC (the owner of that role) is dead all of a sudden?
Will it be seized correctly without any hiccup?
Nagendra Pratap Singh, Desktop Applications Specialist

Commented:
Yes. If the current role owner is up then it is called a transfer. A seizing is needed when the original role owner is missing permanently.
Pierre Ammoun, IT Consultant

Author

Commented:
Thank you for the clarification.
My last sub-question would be the following:
is there anything else needed to be done other than transferring those 4 roles to have the "promoted" DC working fully as primary?
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2018

Commented:
From the top of my head...

  1. Make all DCs GCs
  2. Configure DNS forwarders on both in server configuration (external)
  3. Configure DNS client configuration to point to other DC, its own network IP and 127.0.0.1
  4. Create time sync policy that changes when PDC role is moved
  5. Ensure all clients have both DCs as DNS entries (DHCP and static entries)

The only roles you need to worry about during normal operations are PDC and RID; both can be offline and clients will still authenticate, but you should get it back online as soon as you can. If you cannot, you can seize them. As soon as you seize it, the GPO for time will automatically change its time configuration in the registry.

You can monitor how far any DC is from RID depletion from events or by checking DCDiag.

  • PDC Emulator (One per domain) - For immediate password changes, account lockouts etc.
  • RID Master (One per domain) - Handles RID pool for new objects
  • Schema Master (One per forest) - Only required when making schema changes
  • Domain Naming Master (One per forest) - Only required when doing namespace changes like removing domain
  • Infrastructure Master (One per domain) - Irrelevant in a forest with just one domain
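As an added example (not part of the thread and not Shaun's own script), the following PowerShell runs the read-only side of the checklist above on a DC: it lists the current owner of every FSMO role, checks that every DC is a Global Catalog, checks the DNS forwarders and the DNS client order on this host, and reads the RID pool headroom that the DCDiag RidManager test also reports. It assumes the ActiveDirectory and DnsServer RSAT modules are installed, that it runs as a Domain Admin on one of the two DCs, and that the forwarder addresses and interface alias shown in the comments are placeholders. Fixes are left as commented-out commands so nothing is changed without a deliberate decision.

```powershell
# Added readiness report for a two-DC domain (assumptions: RSAT AD and DNS modules,
# run as Domain Admin on a DC; DC names, forwarder IPs and 'Ethernet' are placeholders).
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Where each single-instance FSMO role lives right now.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Every DC should be a Global Catalog so either one can service logons alone.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    if (-not $dc.IsGlobalCatalog) {
        Write-Warning "$($dc.HostName) is not a Global Catalog"
        # Fix: set bit 1 (NTDSDSA_OPT_IS_GC) in 'options' on its NTDS Settings object:
        # Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }
    }
}

# 3. DNS forwarders on this DC, so external names still resolve when the other DC is down.
$fwd = Get-DnsServerForwarder
if (-not $fwd.IPAddress) {
    Write-Warning "No DNS forwarders configured on $env:COMPUTERNAME"
    # Fix (placeholder resolver addresses):
    # Set-DnsServerForwarder -IPAddress 203.0.113.53, 203.0.113.54
}

# 4. DNS client order on this DC: the other DC first, its own IP second, loopback last.
$self  = $dcs | Where-Object { $_.HostName -like "$env:COMPUTERNAME.*" }
$other = $dcs | Where-Object { $_.HostName -ne $self.HostName } | Select-Object -First 1
$expected = @($other.IPv4Address, $self.IPv4Address, '127.0.0.1')
$actual = (Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
if (Compare-Object $expected @($actual) -SyncWindow 0) {
    Write-Warning "DNS client list is '$($actual -join ', ')'; expected '$($expected -join ', ')'"
    # Fix: Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $expected
}

# 5. RID pool headroom, read from the RID Manager object. rIDAvailablePool packs two
#    32-bit values: high half = upper bound of the domain's RID space, low half = next
#    RID to be handed out. 'dcdiag /test:ridmanager /v' reports the same numbers.
$ridMgr = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
[int64]$pool = $ridMgr.rIDAvailablePool
$upperBound = $pool -shr 32
$nextRid    = $pool -band 4294967295
$pctUsed    = [math]::Round(100 * $nextRid / $upperBound, 2)
"RIDs issued: $nextRid of $upperBound ($pctUsed% of the pool)"
if ($pctUsed -gt 80) { Write-Warning "RID space is more than 80% consumed" }
```

Run it on each DC in turn; the forwarder and client-DNS checks are per-host, while the FSMO, GC and RID checks are domain-wide and should agree from both sides.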
Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
If you are to be in charge of managing your Active Directory environment then you should learn more about it.  I strongly recommend you do some research on the FSMO roles and Global Catalogs.

I further suggest you setup a test network and start playing with these things and don't just ask the question - EXPERIENCE it on the test network.  Experience ensures you do things right and that you understand what can and cannot be done in an emergency.

Familiarize yourself with the tools of Active Directory, including DCDIAG, REPADMIN, DNS, Group Policy, and Backup and Recovery.
Aanand Singh Karki, Associate Consultant

Commented:
Hi Pierre Ammoun,

Your question itself contradicts your requirement. As you are aware there can be one and only one instance of each FSMO role at a given point of time, you don't really have to do anything on the secondary as long as your primary server is up and running. However, if it fails and can't be recovered due to any reason, you must perform the FSMO role seizure so that the Secondary server would start serving as FSMO.

In such catastrophic events, the downtime is expected and it completely depends on how proactively you monitor your critical applications and server roles.

Once you are aware of failure and type of failure (temporary or permanent) you can perform the Seizure by following these steps.

https://support.microsoft.com/en-in/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller

Regards,
Aanand Singh Karki
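The linked Microsoft article covers ntdsutil. As an added example (not from the thread and not the article's procedure), here is the same transfer-versus-seize distinction Nagendra described, done with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole, followed by the time-source change Shaun mentioned for when the PDC Emulator moves. It assumes Enterprise Admin rights, that `DC2` is a placeholder for the surviving DC, and that the NTP peers are placeholders. Seizure is gated behind an explicit `-Seize` switch rather than an automatic liveness test, because deciding that the old owner is permanently gone is a human decision; once a role has been seized the old owner must not be reconnected to the domain.

```powershell
# Added example: transfer FSMO roles to $Target, or seize them with -Seize when the
# current owner is permanently gone. Assumptions: ActiveDirectory module, Enterprise
# Admin rights, 'DC2' and the NTP peer list are placeholders.
param(
    [string]$Target = 'DC2',
    [switch]$Seize            # only set this after confirming the old owner is dead for good
)
Import-Module ActiveDirectory

$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

# Current owners, so roles already on $Target are skipped.
$domain = Get-ADDomain
$forest = Get-ADForest
$owners = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$targetFqdn = (Get-ADDomainController -Identity $Target).HostName

foreach ($role in $roles) {
    if ($owners[$role] -eq $targetFqdn) { continue }
    if ($Seize) {
        # Seizure (-Force): the new owner is written into the directory without the
        # old owner's cooperation. Used only when that owner will never return.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Force -Confirm:$false
    } else {
        # Graceful transfer: the current owner is contacted and gives the role up.
        # This fails if that owner is unreachable, which is the signal to re-assess.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
    }
}

# Verify the result from the target's point of view.
(Get-ADDomainController -Identity $Target).OperationMasterRoles

# Time source follows the PDC Emulator: the PDCe syncs from external NTP and every
# other DC follows the domain hierarchy. Run this on each DC after a move; a GPO with
# a WMI filter on DomainRole = 5 is the usual way to make this switch automatic.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5) {
    # DomainRole 5 = this host is the PDC Emulator (placeholder NTP pool, 0x8 = client mode).
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
w32tm /resync
```

Run it once without `-Seize` first; if the transfer of a role fails because its owner does not answer, that is the point to confirm the owner is truly unrecoverable before rerunning with `-Seize`. The Infrastructure Master line is harmless in a single-domain forest where every DC is a GC, as the earlier answer notes.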
