sprkymrk wrote: I never thought about it.... Would you have controls/safety net in place to take into account minor outages due to network conditions or maintenance requiring reboots?
Megadeth4168 wrote: How about configuring a standby operations master? http://www.petri.co.il/planning_fsmo_roles_in_ad.htm
Pash wrote:
Megadeth4168 wrote: How about configuring a standby operations master? http://www.petri.co.il/planning_fsmo_roles_in_ad.htm
Thanks mate, I'll have a read, might be an idea to try and do this. This is one option for sure.
Silver Bullet: This is immediate disaster recovery. I.e. PDC just blows up, 20 critical workers are told to catch the bus to the DR site and log on as usual.
Things I'm concerned about:
1. NO FSMO roles now occupied on the domain. All 5 roles are assigned to this PDC.
2. NO techie onsite at DR to seize the needed roles temporarily.
3. Quick operation, no time to restore from backup, has to be GO straight after failure.
Things I need to happen:
1. Users have to log on to the domain with usual credentials.
2. Ability to add additional PCs to the domain at the DR site IF needed.
If I understand things correctly, I can't add new PCs to the domain without there being a schema master to reach? I could be wrong though because my Windows AD skills are below par.
Ohh, and would storing the Global Catalog on this BDC at DR be recommended? I'm guessing it would; in fact for this scenario we have to assume that the PDC still lives but human access to the main office is disabled. The only link from DR to the main office is a slow VPN link. So in this case it has to be a good idea?
Suggestions, as always, welcome. Thanks mate,
ajs1976 wrote: Why do you keep referring to PDC and BDC, are you running NT domain controllers on the network? If you do have NT DCs, then you could have a problem adding computers to the domain without having access to the PDC Emulator FSMO role. For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues if you bring the old server back online. Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema, something like Exchange or a newer Windows server as a DC.
Ahriakin wrote: Haven't tried any of this myself, but off the top of my head you could script seizing the roles using NTDSutil reasonably easily. The trick is getting an accurate system in place to detect a real FSMO DC outage; as you know, seizing roles is an absolute last resort. I've been using Hyperic Free on our own network for the last few months, haven't had as much time with it as I'd like, but I know you could have it monitor DC availability quite easily and set an alert threshold that would allow for reboots etc. The only thing is you need to pay for the enterprise version to activate the ability for it to respond automatically to those alerts, but if you did it would be easy to set it to run your batch/script to seize the roles. You may want to write something yourself that just uses PINGs with a set timeout threshold that again activates the script.
Okay, the next bit is pure theory on my part, may be complete garbage.... As for which roles you absolutely need to grab, it depends on the setup and how long you think the replacement will need to hold those roles. If it's permanent then of course grab them all. If not and you just need a DC in place to allow logons/new computer and user accounts etc., I think you could get away with the RID Master (may not even be necessary if the remaining DC already has a pool of IDs from the old RID master, but it would eventually get used up and with no RID master no new ID pools would be passed to the DCs) and PDC emulator. The others depend more on your domain/forest setup; if you're not modifying AD during the outage the Schema master can wait. If you don't have a multi-domain forest or can live without knowing of changes to groups/assets in other domains then Infrastructure can wait too, ditto for the Domain naming master.
Edit: You mentioned the GC; if you aren't already, make sure the GC for that site is NOT the current Infrastructure Master also.
Megadeth4168 wrote:
ajs1976 wrote: Why do you keep referring to PDC and BDC, are you running NT domain controllers on the network? If you do have NT DCs, then you could have a problem adding computers to the domain without having access to the PDC Emulator FSMO role. For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues if you bring the old server back online. Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema, something like Exchange or a newer Windows server as a DC.
I could be wrong, but I think in this case the terms PDC and BDC are being thrown around out of habit... Even in studying, many books seem to use these terms loosely. I'm under the impression that PDC in this case just means the DC that holds the PDC emulator or possibly all roles, and the BDC in this scenario simply means any DCs not holding a PDC emulator role or any roles. Like I said, I could be wrong, I guess Pash will let us know.
jtdaly wrote: Hope I can jump in here on this thread, I have a very related question: I have a small, 2-DC Win2k network; the FSMO role holder has crashed and burned, won't be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable? Thanks!
astorrs wrote:
jtdaly wrote: Hope I can jump in here on this thread, I have a very related question: I have a small, 2-DC Win2k network; the FSMO role holder has crashed and burned, won't be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable? Thanks!
You'll need the roles to be available. Why not just seize the roles, it only takes a few minutes?
dynamik wrote: Now I'm curious. Maybe I'm just getting rusty, but which roles are necessary for what he wants to do? RID goes out in pools, so I would think his DC has enough of those. It's not a new domain, so no domain naming. Infrastructure is used to keep track of objects in multiple domains, so not that. He's not changing the schema, so not that one either. PDC does a lot of miscellaneous things, but are any of those required for this?
jtdaly wrote: Dynamik, I went through that same list in my analysis, and the only area I was unsure of was PDC and RID. I think the other domain controller should be able to give out the RID value, but if I am correct, the new DC will have to be given a block of RIDs as well, in case it needs to give these out later on. That being said, what would happen if there was no RID meister, so to speak, to set this up? Would I end up with a corrupted DC? I am tempted to just try it, but I really don't like taking the cowboy approach. In fact I am looking for some tech guidance on breaking the RAID 1 array that the OS is running on, prior to doing any work. By saving the mirror drive offline, I would theoretically be able to roll everything back if the DC promo on the new box blows up. Then start the whole thing over. Any thoughts from anyone else? Oh yeah, the original FSMO master is dead and gone; it was actually an SBS2K box that we were migrating away from. I'll still need to do some AD editing to get rid of references to it, when the dust settles.
jtdaly wrote: Thanks very much for the comments. I think the next step is the FSMO seizure; I seem to have some pretty good notes from MS on that one. However, being the stickler I am for preparation, I don't have total confirmation from HP on the RAID 1 break/restore situation, so when I have that in hand, hopefully tomorrow, I'll go with the seizure. By the way, any easy way to verify the RID Master transference?
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
http://support.microsoft.com/kb/255504
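jtdaly asked how to verify that the RID master (and the other roles) really moved after the ntdsutil seizure above. The following PowerShell script is an added example, not part of the thread or of the KB article: it reads each role holder, compares it with the DC you seized the roles to, inspects the RID Manager object on the new RID master, and runs the two dcdiag tests that exercise this. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so newer than the Win2k/2003 era of the thread) and a placeholder DC name you replace with your own.

```powershell
# Added example: verify FSMO role holders after a seizure.
# Assumes the ActiveDirectory module; $ExpectedHolder is a placeholder.
param(
    [string]$ExpectedHolder = 'DC-AT-DR'   # placeholder: the DC you seized the roles to
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}

$allOnExpected = $true
foreach ($r in $roles.GetEnumerator()) {
    $shortName = ($r.Value -split '\.')[0]          # compare host names, not FQDNs
    $state = if ($shortName -ieq $ExpectedHolder) { 'OK' } else { $allOnExpected = $false; 'MISMATCH' }
    '{0,-22} {1,-35} {2}' -f $r.Key, $r.Value, $state
}

# The RID Manager object carries rIDAvailablePool: the low 32 bits are the next
# RID to be handed out, the high 32 bits the upper bound of the domain's pool.
# Reading it from the new RID master confirms it can still issue pools.
$ridMgrDn = "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)"
$ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool -Server $domain.RIDMaster
$pool     = [int64]$ridMgr.rIDAvailablePool
$nextRid  = $pool -band 0xFFFFFFFF
$maxRid   = $pool -shr 32
'Next RID on {0}: {1} (pool upper bound {2})' -f $domain.RIDMaster, $nextRid, $maxRid

# End-to-end checks: can the DC get a RID pool, and does every DC agree on the holders?
dcdiag /test:RidManager /s:$ExpectedHolder
dcdiag /test:KnowsOfRoleHolders /s:$ExpectedHolder

if (-not $allOnExpected) {
    Write-Warning "One or more roles are not held by $ExpectedHolder; check replication before re-seizing."
}
```

Run it from any domain-joined machine with RSAT once replication has caught up; a MISMATCH after a seizure usually means the DC you queried has not yet replicated the role change, not that the seizure failed.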