Placemenr of Windows-2012 Active Directory FSMO Items on Domain Controlleres
Sorry for the high request but we are cutting over to a new AD Sunday morning and I just ran into an odd complication here.
We are in the process of upgrading from 2003 to 2012R2 Domain Controllers and have both of the new 2012R2 controllers running and in the domain with integrated DNS. The FSMO currently looks like this:
FSMO Roles in UAT
C:\>netdom query /domain:CNXUAT.com FSMO
Schema master cnxuatdc01.cnxuat.com
Domain naming master cnxuatdc01.cnxuat.com
PDC cnxuatdc01.cnxuat.com
RID pool manager cnxuatdc01.cnxuat.com
Infrastructure master cnxuatdc01.cnxuat.com
The command completed successfully.
Miocrosoft KB https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control says:
"Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest."
SO would I set up as follows? Global Catalog is on both new and old Servers now so I'd remove it off newdc02 before the next steps?
Schema master newdc01.cnxuat.com
Domain naming master newdc01.cnxuat.com
PDC newdc01.cnxuat.com
RID pool manager newdc01.cnxuat.com
Infrastructure master newdc02.cnxuat.com
We are in the process of upgrading from 2003 to 2012R2 Domain Controllers and have both of the new 2012R2 controllers running and in the domain with integrated DNS. The FSMO currently looks like this:
FSMO Roles in UAT
C:\>netdom query /domain:CNXUAT.com FSMO
Schema master cnxuatdc01.cnxuat.com
Domain naming master cnxuatdc01.cnxuat.com
PDC cnxuatdc01.cnxuat.com
RID pool manager cnxuatdc01.cnxuat.com
Infrastructure master cnxuatdc01.cnxuat.com
The command completed successfully.
Miocrosoft KB https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control says:
"Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest."
SO would I set up as follows? Global Catalog is on both new and old Servers now so I'd remove it off newdc02 before the next steps?
Schema master newdc01.cnxuat.com
Domain naming master newdc01.cnxuat.com
PDC newdc01.cnxuat.com
RID pool manager newdc01.cnxuat.com
Infrastructure master newdc02.cnxuat.com
ASKER
Ok that makes sense and yes we do. What would you suggest moving yo the second server if anything with about 500 VMs and 250 Users that doesn't strike me as a "large" environment by Microsoft's standards.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Already have the time part covered with an NTP client. All of our workstations and servers talk to them with the Meinberg NTP client. Thank you. Solved.
I disagree - it's not about larger environments - it's about multi-domain environments (which are often but not always larger environments).
https://support.microsoft.com/en-us/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers
Quoting the above article:
In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
https://support.microsoft.com/en-us/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers
Quoting the above article:
In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
ASKER
We have a multiple forests but a single domain in each forest. Example cnxprod, cnxuat, ctcom each has its own forest and domain within there. So my thought was to place every roll on each of the 2 AD systems within each forest which is how its currently built and how the article you reference seems to indicate it will work best.
ASKER
OK We tried to cutover today and have the items move to the new DCs and tried to move the existing IPs of the old DCs to the new Servers so each had 2 IPs on the interface new and old. Turned off both old servers and 99% of the servers we tried to connect to or login on console to failed with "No logon servers available" removing the IPs and powering the old DCs back up solved that issue. How do we go the last step and get the old DCs out of the forest and powered down here but move their IPs over?
Whoa - what? Are you trying to preserve the IPs?! Why?! And putting two IPs on a DC? not advisable!
Did you run DCDIAG /C /E /V on All DCs prior to promoting and AFTER promoting to ensure everything was working right?
Not sure who advised you to keep the same IPs (or replace ALL DCs at once).
(This should probably be another question because your issues are not with FSMO placement anymore).
Did you run DCDIAG /C /E /V on All DCs prior to promoting and AFTER promoting to ensure everything was working right?
Not sure who advised you to keep the same IPs (or replace ALL DCs at once).
(This should probably be another question because your issues are not with FSMO placement anymore).
splitting roles between servers is more for a much larger environment
i have never had to split roles between servers and never had issues with having both a GC and FSMO roles on 1 server
if you want to split between your domain controllers, that's fne - though i wouldn't remove dc02 as a GC; if dc01 goes down, now you have no global catalog server available (single point of failure) - assuming those are the only 2 domain controllers.
if you are running exchange, that is critical to have a GC always available