Transfer FSMO roles automatically on pdc down?

Hi all,
Is it possible at all? Even with a simple script or something. Same with a demote and transfer of roles, can this be made as easy as possible? I'm looking for a solution that requires minimal technical presence to achieve this.
Thanks!
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
Would you have controls/safety net in place to take into account minor outages due to network conditions or maintenance requiring reboots?
Absolutely, Mark!
This is for Disaster Recovery in fact. I'm just wondering how easy it is to transfer roles and promote a PDC if we lose our main PDC. In this scenario no techies would be at the DR site, so it would have to be fairly automated.
http://www.petri.co.il/planning_fsmo_roles_in_ad.htm
If the server holding the fsmo roles is going to be down for a while then you could "seize" the needed role/s to another DC. But the person standing in front of the DC doesn't have to be the one performing the task. Unless your sites aren't interconnected???
If you have multiple Domain Controllers then you might consider spreading the fsmo roles around.
Thanks mate, I'll have a read, might be an idea to try and do this. This is one option for sure.
Silver Bullet:
This is immediate disaster recovery, i.e. the PDC just blows up, 20 critical workers are told to catch the bus to the DR site and log on as usual. Things I'm concerned about:
1. NO FSMO roles now occupied on the domain. All 5 roles are assigned to this PDC.
2. NO techy onsite at DR to seize the needed roles temporarily
3. Quick Operation, no time to restore from backup, has to be GO straight after failure.
Things I need to happen:
1. Users have to log on to the domain with their usual credentials
2. Ability to add additional PCs to the domain at the DR site IF needed.
If I understand things correctly, I can't add new PCs to the domain without there being a schema master to reach? I could be wrong though because my Windows AD skills are below par.
Ohh, and would storing the Global Catalog on this BDC at DR be recommended? I'm guessing it would; in fact for this scenario we have to assume that the PDC still lives but human access to the main office is disabled. The only link from DR to the main office is a slow VPN link. So in this case it has to be a good idea?
Suggestions as always, welcome.
Thanks mate,
Okay, the next bit is pure theory on my part, may be complete garbage....
As for which roles you absolutely need to grab, it depends on the setup and how long you think the replacement will need to hold those roles. If it's permanent then of course grab them all. If not, and you just need a DC in place to allow logons/new computer and user accounts etc., I think you could get away with the RID Master (may not even be necessary if the remaining DC already has a pool of IDs from the old RID master, but it would eventually get used up, and with no RID master no new ID pools would be passed to the DCs) and the PDC emulator. The others depend more on your domain/forest setup: if you're not modifying AD during the outage the Schema master can wait. If you don't have a multi-domain forest, or can live without knowing of changes to groups/assets in other domains, then Infrastructure can wait too, ditto for the Domain Naming master.
Edit: You mentioned the GC, if you aren't already make sure the GC for that site is NOT the current Infrastructure Master also.
Don't worry about the Schema Master, you can live without that without ever possibly noticing that it is not online.... It's just a matter of whether or not you ever make changes to the schema.
Anyway, as far as making the BDC a GC, it depends... Firstly, are you in a single-domain environment or a multi-domain environment? Next, do you plan on placing the Infrastructure role on it at any point (being a standby)?
If you are in a single domain then yes, make it a GC, it won't harm anything. If you are in a multi-domain forest and plan on using the BDC as a standby operations master, then either do not make it a GC or do not make it the standby for the Infrastructure role. (Edit: for this to be done though, I believe that you would need a separate DC that holds the Infrastructure role.)
For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues, if you bring the old server back online.
Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema, something like Exchange or a newer Windows server as a DC.
2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
I could be wrong but I think in this case the terms PDC and BDC are being thrown around out of habit... Even in studying, many books seem to use these terms loosely. I'm under the impression that PDC in this case just means the DC that holds the PDC emulator or possibly all roles and the BDC in this scenario simply means any DCs not holding a PDC emulator role or any roles.
Like I said, I could be wrong, I guess Pash will let us know
Ok, thanks for the input Ahriakin. I'm gonna lab this up in the office for the next couple of days and see what works.
In regards to the GC hosted on the Infra master, I understand the rule is: only do this if you have one domain in your forest, or if all DCs in the forest host the GC? In both these cases currently, we are fine. Btw, creating a sub-domain for the DR is also an option; there would be no issues here as long as the correct trusts are in place for replication?
Anyway, I guess there is only so much reading I can do, time to test it.
Cheers all,
This is correct, force of habit, many apologies.
Really ajs1976? So for the purposes of keeping user operations in the "norm" we should be ok?
Thanks again,
Now time for a beer
I have a small, 2 DC Win2k network; the FSMO role holder has crashed and burned, won't be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?
Thanks!
profile: linkedin.com/in/astorrs
+1
I have a small, 2 DC Win2k network; the FSMO role holder has crashed and burned, won't be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?
==============================================================
Since you mention you had another DC before the FSMO role holder crashed, you should be able to seize the roles to the DC that was left, then add the new DC to the mix and you should be good. I had that issue a couple of times; I'm not really worried about losing the FSMO holder anymore as long as I have another DC in the network.
I think this is pretty much the solution that the other guys contributing to the thread came up with, but sometimes it's nice to have a voice of experience
Anyway, I'll take it from all of your quite impressive credentials that it should be like falling off a log, right?
Appreciate the help, (even if I am too late on the thread!)
jd
I went through that same list in my analysis, and the only area I was unsure of was PDC and RID. I think the other domain controller should be able to give out the RID value, but if I am correct, the new DC will have to be given a block of RIDs as well, in case it needs to give these out later on. That being said, what would happen if there was no RID meister, so to speak, to set this up? Would I end up with a corrupted DC?
I am tempted to just try it, but I really don't like taking the cowboy approach. In fact I am looking for some tech guidance on breaking the RAID 1 array that the OS is running on, prior to doing any work. By saving the mirror drive offline, I would theoretically be able to roll everything back if the DCPROMO on the new box blows up. Then start the whole thing over.
Any thoughts from anyone else?
Oh yea, the original FSMO master is dead and gone, it was actually a SBS2K box, that we were migrating away from. I'll still need to do some AD editing to get rid of references to it, when the dust settles.
The worst thing that would happen is either it would fail and roll back during the DCPROMO process, or that the DCPROMO would complete, but Active Directory would fail to startup fully on the new DC (no NETLOGON/SYSVOL shares).
With that said, I always suggest having a roll back plan, breaking the mirror by pulling one of the drives would be an excellent method (although if you do have a problem you may need to manually cleanup AD - but that's rare and we can walk you through it if it does happen for some reason).
As for breaking the mirror my suggestion would be to just remove one of the drives (if you don't have hot-swap drives, make sure to shutdown first).
To view the FSMO Masters, and assuming you have installed the Windows 2000/2003 Support Tools (on the O/S installation CD in the \SUPPORT directory), run the following from a command prompt:
netdom query /domain:<domain> fsmo
Yea, the mirror break, restore is my next issue. The breaking is easy, the (proper) recovery could be the interesting part!
Going home, will sleep on it. Definitely want the second DC online before this next hurricane makes it into GA!
If you use ntdsutil and connect up to a DC, then run "select operation target" and "list roles for connected server" you can see the roles the DC knows.
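Pulling the thread's advice together (the netdom and ntdsutil checks above, Ahriakin's point that PDC Emulator and RID Master are the roles a DR logon site actually depends on, and the Infrastructure Master/Global Catalog rule), here is an added PowerShell example that is not from any poster in this thread. It enumerates the five role holders with the ActiveDirectory RSAT module, tests whether each holder still answers on LDAP, flags an Infrastructure Master that is also a GC in a multi-domain forest, and prints the Move-ADDirectoryServerOperationMasterRole command a person would run rather than seizing automatically, which is the failure mode ajs1976 warns about if the old holder ever comes back. The target DC name `DR-DC01` is an assumed placeholder.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module
# on a domain-joined machine; the domain and forest are discovered at run time.
Import-Module ActiveDirectory

function Get-FsmoStatus {
    # Returns one object per FSMO role: holder, reachability and any warning.
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Domain-wide roles come from Get-ADDomain, forest-wide ones from Get-ADForest.
    $roles = [ordered]@{
        'PDCEmulator'          = $domain.PDCEmulator
        'RIDMaster'            = $domain.RIDMaster
        'InfrastructureMaster' = $domain.InfrastructureMaster
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # LDAP (389) answering is a better liveness signal than an ICMP ping,
        # which firewalls often drop while the DC is perfectly healthy.
        $reachable = (Test-NetConnection -ComputerName $holder -Port 389 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

        $warning = ''
        if ($role -eq 'InfrastructureMaster' -and $reachable) {
            # Rule from the thread: in a multi-domain forest the Infrastructure
            # Master should not also be a GC unless every DC is a GC.
            $dc = Get-ADDomainController -Identity $holder
            if ($dc.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
                $warning = 'Infrastructure Master is a GC in a multi-domain forest'
            }
        }

        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Reachable = $reachable
            Warning   = $warning
        }
    }
}

$status = Get-FsmoStatus
$status | Format-Table -AutoSize

# Roles a DR site needs for logons and new accounts (per the thread): PDC
# Emulator and RID Master. Report what would have to move; do not seize here.
$critical = $status | Where-Object { $_.Role -in 'PDCEmulator', 'RIDMaster' -and -not $_.Reachable }
if ($critical) {
    $list = ($critical.Role) -join ','
    Write-Warning "Critical FSMO holders unreachable: $list"
    # Graceful transfer works only while the holder is online; -Force seizes.
    # Seize only once the old holder is confirmed gone for good, since bringing
    # it back afterwards means two servers believe they own the role.
    Write-Host "Transfer: Move-ADDirectoryServerOperationMasterRole -Identity 'DR-DC01' -OperationMasterRole $list"
    Write-Host "Seize:    Move-ADDirectoryServerOperationMasterRole -Identity 'DR-DC01' -OperationMasterRole $list -Force"
} else {
    Write-Host 'PDC Emulator and RID Master are reachable; no FSMO action needed.'
}
```

Run it from any domain-joined admin workstation; scheduling it as a monitor that pages someone when `Reachable` turns false gets close to the "minimal technical presence" the original question asks for without handing the seize decision to a script.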
Just ran "netdom query /domain:<domain> fsmo" and determined that the extinct DC has all fsmo roles, as suspected. This is what you were getting at, right?