| Author | Messages | |
AD000001404
Posts:0
 | | 11/29/2005 4:07 AM |
| | Message body was not found. | | | |
| ZJORZ
Posts:100
 | | 11/29/2005 4:11 AM |
| First, look at each role and see what it does...
Forest FSMOs
* Schema Master --> needed when updating the schema
* Domain Naming Master --> needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down will you experience a problem on the DC that is left. If you still have legacy clients and they want to change the password, that will not be possible. And if those clients have the DSClient installed, that will not be an issue either.
In short: leave as is. It will be OK for those 2 hours.
Cheers,
jorge
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy | | | |
| AD000001290
Posts:0
 | | 11/29/2005 4:47 AM |
| Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site).
More worrying perhaps is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down.
Hopefully, the poster has considered this latter scenario.
hth,
neil
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
Amy,
If it's what you need to hear (for peace of mind - or reassurance), leave the FSMO roles where they are - you'll be fine. You don't need to transfer the roles if you're talking about a timeframe of 2 hours. When you bring it back online, I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.
| | | |
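The points made above by Jorge (which roles actually matter during a short outage, and the RID pool figure), Craig (let replication catch up) and Neil (clients that resolve DNS only through the DC going down), turned into a pre-maintenance check. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module (which did not exist in 2005, when ntdsutil was the tool), WinRM access to the surviving DCs, and a placeholder DC name.

```powershell
# Added example, not from the thread. Checks whether a two-DC domain can lose the
# named DC for a couple of hours without first moving the FSMO roles.
# Assumes: RSAT ActiveDirectory module, WinRM to the surviving DCs, placeholder DC names.
Import-Module ActiveDirectory

function Test-FsmoMaintenanceReadiness {
    param(
        [Parameter(Mandatory)] [string] $MaintenanceDC,   # FQDN of the DC going down (placeholder)
        [int] $ExpectedNewPrincipals = 250                 # principals you expect to create during the outage
    )

    # Get-ADForest / Get-ADDomain read the role holders from the fSMORoleOwner
    # attribute on each role's owning object (schema, partitions, domain NC, RID Manager$, Infrastructure).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    $rolesGoingDown = @($roles.GetEnumerator() |
        Where-Object { $_.Value -ieq $MaintenanceDC } |
        ForEach-Object { $_.Key })

    $survivors = @(Get-ADDomainController -Filter * |
        Where-Object { $_.HostName -ine $MaintenanceDC })
    if ($survivors.Count -eq 0) {
        throw "No other domain controller found; '$MaintenanceDC' cannot be taken offline safely."
    }
    $maintIp = (Get-ADDomainController -Identity $MaintenanceDC).IPv4Address

    $report = foreach ($dc in $survivors) {
        $reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet

        # Craig's point: inbound replication links should all report result 0 (success)
        # before the other DC goes away, otherwise recent changes may only exist on it.
        $failedLinks = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName |
            Where-Object { $_.LastReplicationResult -ne 0 })

        # Jorge's point: a DC only needs the RID Master when its own pool runs low.
        # The survivor's RID Set object holds rIDAllocationPool (low 32 bits = first RID,
        # high 32 bits = last RID of the current pool) and rIDNextRID (next RID it will
        # hand out; not replicated, so read it from that DC itself).
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName -Properties rIDSetReferences
        $ridSetDn = @($comp.rIDSetReferences)[0]
        $ridSet = Get-ADObject -Identity $ridSetDn -Server $dc.HostName -Properties rIDAllocationPool, rIDNextRID
        $poolEnd = [uint32](([uint64]$ridSet.rIDAllocationPool) -shr 32)
        $ridsLeft = [int64]$poolEnd - [int64]$ridSet.rIDNextRID

        # Neil's point: anything that resolves DNS only through the DC going down will
        # stop finding the domain. Here we check the survivor's own DNS client settings.
        $dnsServers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -ExpandProperty ServerAddresses |
                Sort-Object -Unique
        })
        $dnsOnlyViaMaint = ($dnsServers.Count -gt 0) -and
            (@($dnsServers | Where-Object { $_ -ne $maintIp }).Count -eq 0)

        [pscustomobject]@{
            Survivor                 = $dc.HostName
            Reachable                = $reachable
            IsGlobalCatalog          = $dc.IsGlobalCatalog
            FailedReplLinks          = $failedLinks.Count
            RidsLeftWithoutRidMaster = $ridsLeft
            DnsOnlyViaMaintenanceDC  = $dnsOnlyViaMaint
        }
    }

    $problems = @($report | Where-Object {
        -not $_.Reachable -or $_.FailedReplLinks -gt 0 -or
        $_.RidsLeftWithoutRidMaster -lt $ExpectedNewPrincipals -or $_.DnsOnlyViaMaintenanceDC })

    [pscustomobject]@{
        MaintenanceDC   = $MaintenanceDC
        RolesOnThatDC   = $rolesGoingDown
        Survivors       = $report
        # Moving the roles first is only worth the extra step if a survivor cannot cover the outage.
        TransferAdvised = ($problems.Count -gt 0)
    }
}

# Usage with a placeholder name:
# Test-FsmoMaintenanceReadiness -MaintenanceDC 'dc1.corp.example' | Format-List
```

If TransferAdvised comes back false, the thread's "leave as is for 2 hours" advice holds for that domain; if true, the Survivors list says which of the four concerns triggered it.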
| AD000001069
Posts:0
 | | 11/29/2005 4:59 AM |
| But here are the best practice recommendations for FSMO role optimization:
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&sd=tech
HTH
Santhosh
Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA
Houston, TX
| | | |
| AD000001377
Posts:0
 | | 11/29/2005 5:21 AM |
| It probably depends on what you're doing during those 2 hours. If I were installing SP1 on a DC that had problems rebooting/booting in the past, or has known HW issues, or for some odd reason the machine is not on a UPS when installing a Service Pack, I think it would be easier to move the FSMO roles in case of failure so that you don't have to seize the roles and clean stuff up so quickly.
| | | |
| AD00000582
Posts:0
 | | 11/29/2005 5:37 AM |
| Going by the "If it ain't broke, don't fix it" adage, or the idea of "Don't mess with the production environment while IN production", I would still say leave the FSMO roles where they are.
If you want to try or tinker with or test - transferring or (actually) seizing FSMO roles - set up a test environment and give it a whirl (if you have the resources).
| | | |
| Gil
Posts:75
 | | 11/29/2005 5:44 AM |
| I'd move the FSMOs just in case "something" happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f***** up and have to restore? It seems like about a 1-in-25 chance that something will go wrong.
-gil | | | |
| AD000001404
Posts:0
 | | 11/29/2005 6:08 AM |
| | Message body was not found. | | | |
| AD00000804
Posts:0
 | | 11/29/2005 6:14 AM |
| You can have the servers down for 2 hours with the Forest FSMO roles and/or the Domain FSMO roles for cleanup without concern. It would become more of an issue if it were for a day or more. Also bear in mind what each FSMO role does, since each is unique to a domain or the entire forest, so that you don't rely on those things at the time of the cleanup. One other consideration is that the three domain roles are easier to transfer, but don't worry about them for scheduled maintenance of as short as 2 hours.
Chuck Gafford
Systems Architect, Unisys | | | |
| AD00000804
Posts:0
 | | 11/29/2005 6:23 AM |
| If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case they are needed.
Chuck | | | |
| habr
Posts:25
 | | 11/29/2005 6:30 AM |
| OK,
I've been waiting for this one.
If we have yet to move our 2K3 FFL DCs (both Root Domain and Child Domain) to SP1 because of small concerns like "no one being able to log on", would you move the roles first (i.e. off the Forest Root FSMO and the Child Domain FSMO)?
Is that prudent?
A better question would be, how many of you heavyweights (joe, Dean, Al, Guido, Rick, Jorge, Deji, Brett, etc. etc., apologies to any other in the Heavyweight class not explicitly mentioned) 1] did not move the roles, 2] upgraded to SP1, 3] went home to dinner with "NO" problems?
Thanks.
RH
| | | |
| AD000001335
Posts:0
 | | 11/29/2005 6:48 AM |
| I'm not a heavyweight by any stretch of the imagination (at least not in the context of this thread), but I would move the roles prior to maintenance, since it takes about two minutes to do, there's a credible up-side and no real down-side. I'm rather surprised that there's all this agonizing over what I've always considered to be a routine procedure.
Ed Crowley MCSE+Internet MVP (Exchange, NOT AD)
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
| | | |
| AD
Posts:2
 | | 11/29/2005 7:16 AM |
| Amy,
You will not be able to do that. Creating a new machine with the same name and same IP will not automatically add your new server to the domain. You will have two choices:
1. install base OS and do a full system restore from the tapes of the old server.
or
2. install base OS and run dcpromo, install the new DC into the existing domain and then remove the old server from the environment.
Good Luck
Y
From: Amy Hunter
Sent: Tue 29/11/2005 11:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
So are these FSMO roles stored in some sort of configuration partition in AD? If not, where are they stored?
I plan to replace my DC hardware next year; as long as I bring the new server up with the same IP/name etc. configuration, I won't need to move the FSMO roles to another DC when I replace the hardware?
Sorry if these seem junior questions, this is my first job in IT (I'm doing this for free for experience).
thank you for your help, Amy ;o)
"Almeida Pinto, Jorge de" wrote:
First, look at each role and see what it does...
Forest FSMOs
* Schema Master --> needed when updating the schema
* Domain Naming master --> needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.
In short: leave as is. It will be OK for those 2 hours
Cheers,
jorge
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy | | | |
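Amy's question in the quoted message (where are the roles stored?) has a concrete answer that none of the replies spell out: each role is recorded in the fSMORoleOwner attribute of one specific directory object, three in the domain partition and two in the schema and configuration partitions, and reading those attributes is also the quickest way to see which DC would be affected by taking a server down. The PowerShell below is an added example, not code from anyone in this thread; it assumes the ActiveDirectory module (RSAT) is installed and the session runs as a domain user.

```powershell
# Added example: locate the five FSMO role holders by reading the fSMORoleOwner
# attribute on the directory objects that carry each role.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Each role is stored on exactly one object: the three domain roles live in the
# domain partition, the two forest roles in the schema and configuration partitions.
$roleObjects = [ordered]@{
    'PDC Emulator'          = $domain.DistinguishedName
    'RID Master'            = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    'Infrastructure Master' = 'CN=Infrastructure,' + $domain.DistinguishedName
    'Schema Master'         = $rootDse.schemaNamingContext
    'Domain Naming Master'  = 'CN=Partitions,' + $rootDse.configurationNamingContext
}

function Get-FsmoHolderReport {
    foreach ($role in $roleObjects.Keys) {
        $dn    = $roleObjects[$role]
        $owner = (Get-ADObject -Identity $dn -Properties fSMORoleOwner).fSMORoleOwner

        # fSMORoleOwner is the DN of the holder's NTDS Settings object; its parent
        # is the server object, which carries the DC's DNS host name.
        $serverDn = $owner -replace '^CN=NTDS Settings,', ''
        try {
            $holder = (Get-ADObject -Identity $serverDn -Properties dNSHostName `
                        -ErrorAction Stop).dNSHostName
        } catch {
            # The attribute still points at a DC that was removed without the role
            # being transferred: the role has to be seized to a live DC before it
            # works again, which is exactly the situation a transfer beforehand avoids.
            $holder = "STALE: $owner"
        }

        [pscustomobject]@{ Role = $role; StoredOn = $dn; Holder = $holder }
    }
}

Get-FsmoHolderReport | Format-Table -AutoSize
```

Run it before and after a maintenance window: if any row reports STALE, the directory believes a DC that no longer exists owns that role, and the role must be seized rather than transferred.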
| ZJORZ
Posts:100
 | | 11/29/2005 7:28 AM |
| If you want 100% insurance then yes, transferring the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason.
Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transferred or not. So.. define maintenance task... what is the impact of the maintenance task?
jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Gil Kirkpatrick
Sent: Tue 11/29/2005 6:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
I'd move the FSMOs just in case "something" happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f***** up and have to restore? It seems like about a 1-in-25 chance that something will go wrong.
-gil
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 29, 2005 9:09 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
First, look at each role and see what it does...
Forest FSMOs
* Schema Master --> needed when updating the schema
* Domain Naming master --> needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.
In short: leave as is. It will be OK for those 2 hours
Cheers,
jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy
________________________________
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| sbradcpa
Posts:299
 | | 11/29/2005 8:33 AM |
| Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:
http://support.microsoft.com/kb/255504
And XPs and Outlook 2003 will use cached credentials and cached storage of Outlook, so even if the DC is down, Exchange is horked, even in a single DC setting your end users aren't freaking too much.
We're starting to do more of this temp dc, move the roles, break the connection, build a new final box, push the FSMO roles back on the new box method down here in SBSland to keep from ripping out desktops and user profiles. [that's just one of many KBs that are followed in the procedure]
AD wrote:
Amy,
You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices:
1. install base os and do a full system restore from the tapes of the old server.
or
2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment.
Good Luck
Y
------------------------------------------------------------------------
*From:* Amy Hunter
*Sent:* Tue 29/11/2005 11:46 AM
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* RE: [ActiveDir] FSMO role transfer
So are these FSMO roles stored in some sort of configuration partition in AD? If not, where are they stored?
I plan to replace my DC hardware next year; as long as I bring the new server up with the same IP/name configuration etc., I won't need to move the FSMO roles to another DC when I replace the hardware?
Sorry if these seem junior questions, this is my first job in IT (I'm doing this for free for experience).
Thank you for your help, Amy ;o)
"Almeida Pinto, Jorge de" wrote:
First, look at each role and see what it does...
Forest FSMOs
* Schema Master --> needed when updating the schema
* Domain Naming master --> needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.
In short: leave as is. It will be OK for those 2 hours
Cheers,
jorge
------------------------------------------------------------------------
*From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] *On Behalf Of *Amy Hunter
*Sent:* Tuesday, November 29, 2005 16:43
*To:* ActiveDir@xxxxxxxxxxxxxxxxxx
*Subject:* [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy
| | | |
| listmail
Posts:429
 | | 11/29/2005 8:52 AM |
| In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest roles but will usually move them as well.
Dean and I actually chatted about this previously as I put something like that in the AD3E book and he was like, you *always* move the domain roles like that and I was like "In production, absolutely". The one time you don't you seem to get burned and you feel very stupid for not doing it when you could have. Once in the distant past I had a PDC role machine that hung up when shutting down (it was just a quick reboot so I figured why bother) and started acting very fishy and I kicked myself for not moving the roles. Why risk that?
It is very cheap insurance. At one point I had a CMD file called something like movefsmo that used NTDSUTIL to move the roles, I think it took all of about 5 seconds to run to move all roles from one machine to another.
I agree with Ed in that I consider this SOP.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Tuesday, November 29, 2005 11:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site).
More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down.
Hopefully, the poster has considered this latter scenario.
hth,
neil
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
Amy,
If it's what you need to hear (for peace of mind, or reassurance) leave the FSMO roles where they are - you'll be fine. You don't need to transfer the roles if you're talking about a timeframe of 2 hours. When you bring it back online I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 10:43 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of this
email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in reliance
on it. Email is not a secure method of communication and
Nomura International
plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence
of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought then
please request a hard copy. Unless otherwise stated
this email: (1) is
not, and should not be treated or relied upon as,
investment research;
(2) contains views or opinions that are solely those of
the author and do
not necessarily represent those of NIplc; (3) is intended
for informational
purposes only and is not a recommendation, solicitation or
offer to buy or sell
securities or related financial instruments. NIplc
does not provide
investment services to private customers. Authorised and
regulated by the
Financial Services Authority. Registered in England
no. 1550505 VAT No.
447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A
member of the Nomura group of companies. | | | |
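joe's movefsmo CMD file wrapped ntdsutil; on a current domain the same pre-maintenance move, with the verification that makes it "cheap insurance", can be scripted with the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet. The script below is an added example, not joe's file or anything else from this thread. The DC names are placeholders, and it assumes RSAT plus an account allowed to transfer the roles (Domain Admins for the three domain roles, Schema Admins and Enterprise Admins respectively for the schema and domain naming roles).

```powershell
# Added example: move every FSMO role that a DC holds to a partner DC before
# maintenance, then verify from the directory that the move took.
# Assumes the ActiveDirectory module (RSAT). DC names are placeholders.
param(
    [string]$SourceDc = 'DC1.corp.example',   # placeholder: the DC going down
    [string]$TargetDc = 'DC2.corp.example'    # placeholder: the DC staying up
)
Import-Module ActiveDirectory

# Role holders as the directory currently reports them (all five roles).
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

$before = Get-FsmoHolders
$toMove = @($before.GetEnumerator() |
            Where-Object { $_.Value -ieq $SourceDc } |
            ForEach-Object { $_.Key })

if ($toMove.Count -eq 0) {
    Write-Host "$SourceDc holds no FSMO roles; nothing to transfer."
    return
}

# A transfer needs both DCs up. If the target cannot be reached, stop here rather
# than fall back to -Force, which seizes the role and is only for a holder that
# is gone for good.
if (-not (Test-Connection -ComputerName $TargetDc -Count 1 -Quiet)) {
    throw "Cannot reach $TargetDc; aborting before any role is moved."
}

Write-Host "Moving $($toMove -join ', ') from $SourceDc to $TargetDc"
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole $toMove -Confirm:$false

# Verify from the directory, not from the cmdlet's silence.
$after = Get-FsmoHolders
foreach ($role in $toMove) {
    if ($after[$role] -ine $TargetDc) {
        throw "Role $role is still reported on $($after[$role]); do not take $SourceDc down."
    }
}

# Push the change to the other DCs before the source goes offline, so no DC is
# left believing the old holder still owns the roles.
repadmin /syncall $TargetDc /APed
Write-Host "All roles now on $TargetDc; $SourceDc is safe to take down."
```

After the maintenance window the same script with the two names swapped moves the roles back; Craig's advice to keep the partner DC up for a while afterwards applies either way, since the role change itself is just another directory write that has to replicate.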
| listmail
Posts:429
 | | 11/29/2005 9:00 AM |
| Since you specifically mentioned me. I always move the roles for reboots and maintenance.
Brett don't much care about roles, ESE doesn't care about them.
joe
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rocky Habeeb
Sent: Tuesday, November 29, 2005 1:02 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
OK,
I've been waiting for this one.
If we have yet to move our 2K3 FFL DCs (Both Root Domain and Child Domain) to SP1 because of small concerns like "No one being able to log on", would you move the roles first (ie: Off the Forest Root FSMO and the Child Domain FSMO)?
Is that prudent?
A better question would be, how many of you heavyweights (joe, Dean, Al, Guido, Rick, Jorge, Deji, Brett, etc. etc., apologies to any other in the Heavyweight class not explicitly mentioned) a] Did not move the roles, b] Upgraded to SP1, c] Went home to dinner with "NO" problems?
Thanks.
RH
______________________________-
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Douglas M. Long
Sent: Tuesday, November 29, 2005 11:53 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
It probably depends on what you're doing during those 2 hours. If I were installing SP1 on a DC that had problems rebooting/booting in the past, or has known HW issues, or for some odd reason the machine is not on a UPS when installing a Service Pack, I think it would be easier to move the FSMO roles in the case of failure so that you don't have to seize the roles and clean stuff up so quickly.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 29, 2005 11:09 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
First, look at each role and see what it does...
Forest FSMOs
* Schema Master --> needed when updating the schema
* Domain Naming master --> needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.
In short: leave as is. It will be OK for those 2 hours
Cheers,
jorge
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy
| | | |
| milburnr
Posts:0
 | | 11/29/2005 10:23 AM |
| Amy, the easiest path for your new hardware comment is Y's #2 below - new server, dcpromo, AND MOVE FSMOs, and then decom the old one. Note that if there is DNS involved, and DHCP, and WINS, there's a bit more to it... computer names etc... you can get around those issues by demoting the old box, removing it from the domain, and then building the new server with the same IP and name, dcpromo, etc. But as several people pointed out, do move the FSMOs first if there are any on that server. Much easier to move them while both servers are up, than seize them when the FSMO holder is down. This isn't a step by step guide for hardware replacement but hopefully it gives you some ideas in the right direction.
Rich
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell
of red herrings in the morning - anonymous
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of AD
Sent: Tuesday, November 29, 2005 1:08 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
Amy,
You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices:
1. install base os and do a full system restore from the tapes of the old server.
or
2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment.
Good Luck
Y
From: Amy Hunter
Sent: Tue 29/11/2005 11:46 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
So are these FSMO roles stored in some sort of configuration partition in AD? If not, where are they stored?
I plan to replace my DC hardware next year; as long as I bring the new server up with the same IP/name configuration etc., I won't need to move the FSMO roles to another DC when I replace the hardware?
Sorry if these seem junior questions, this is my first job in IT (I'm doing this for free for experience).
Thank you for your help, Amy ;o)
"Almeida Pinto, Jorge de" wrote:
First, look at each role and see what it does...
Forest FSMOs
* Schema Master --> needed when updating the schema
* Domain Naming master --> needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.
In short: leave as is. It will be OK for those 2 hours
Cheers,
jorge
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.
I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.
Is there any recommended practice?
Amy
-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal law.
Applebee's International, Inc. reserves the right to monitor and review the
content of all messages sent to and from this e-mail address. Messages sent to
or from this e-mail address may be stored on the Applebee's International, Inc.
e-mail system. | | | |
| milburnr
Posts:0
 | | 11/29/2005 10:33 AM |
| Yeah, but having to seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start > Shutdown > Restart causes file system corruption :)
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP -
Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
I love the smell
of red herrings in the morning - anonymous
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of ChuckGaff@xxxxxxx
Sent: Tuesday, November 29, 2005 11:56 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] FSMO role transfer
If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed..
Chuck
| | | |
| davidadner
Posts:0
 | | 11/29/2005 10:38 AM |
| If the insurance is guarding against apps/services/etc that may need the FSMO holders while they're offline, then I can agree with this. If it's out of fear that something unexpected will happen that takes out the FSMO holders completely, then I don't think it's worth the effort. If the latter does happen then you just seize the roles.
I would say that many of the customers I've visited have little experience and even less confidence in how FSMO roles are transferred or seized. The thought of them touching the roles for every reboot is making my hair fall out even faster. :/
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Tuesday, November 29, 2005 2:51 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest roles but will usually move them as well.
Dean and I actually chatted about this previously as I put something like that in the AD3E book and he was like, you *always* move the domain roles like that and I was like "In production, absolutely". The one time you don't you seem to get burned and you feel very stupid for not doing it when you could have. Once in the distant past I had a PDC role machine that hung up when shutting down (it was just a quick reboot so I figured why bother) and started acting very fishy and I kicked myself for not moving the roles. Why risk that?
It is very cheap insurance. At one point I had a CMD file called something like movefsmo that used NTDSUTIL to move the roles, I think it took all of about 5 seconds to run to move all roles from one machine to another.
I agree with Ed in that I consider this SOP.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Tuesday, November 29, 2005 11:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
Sorry, but for peace of mind, I *would* transfer the
roles. If there is opportunity to do so, then why not transfer? It's a trivial
task and will take no time to replicate (assuming the other DC is in the same
site).
More worrying perhaps, is the fact that if clients point
to one (or both) DCs for DNS name resolution, then they may experience issues
when one of the machines is taken down.
Hopefully, the poster has considered this latter
scenario.
hth,
neil
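Neil's point is easy to forget during an FSMO discussion: if clients resolve names only through the DC being rebooted, they lose the domain regardless of where the roles sit. The check below is an added example, not part of the thread, for running on a client or member server before the outage. `$OfflineDcIp` is a placeholder you supply; it assumes the DnsClient module and `Resolve-DnsName` (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the thread): confirm name resolution survives one DC going down.
# $OfflineDcIp is a placeholder for the DC about to be rebooted.
param([Parameter(Mandatory)] [string] $OfflineDcIp)

function Test-DnsSurvivesOutage {
    # Returns the configured resolvers, those that remain once $OfflineDcIp is gone,
    # and whether at least one remaining resolver answers the domain's DC SRV record.
    param([string] $OfflineDcIp)
    $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique
    $remaining = @($configured | Where-Object { $_ -ne $OfflineDcIp })

    # A resolver that is listed but does not serve the _msdcs zone is no better than none.
    $srvName = "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
    $answering = @($remaining | Where-Object {
        Resolve-DnsName -Name $srvName -Type SRV -Server $_ -ErrorAction SilentlyContinue
    })
    [pscustomobject]@{
        Configured = $configured
        Remaining  = $remaining
        Answering  = $answering
        Ok         = $answering.Count -gt 0
    }
}

$result = Test-DnsSurvivesOutage -OfflineDcIp $OfflineDcIp
if ($result.Ok) {
    Write-Host "OK: $($result.Answering -join ', ') will still resolve $env:USERDNSDOMAIN"
} else {
    Write-Warning "Clients relying on this configuration lose domain DNS when $OfflineDcIp goes down; add the other DC as a resolver first"
}
```

The same check applies to the DCs themselves: each DC's own resolver list should include the partner DC, or the surviving DC may fail to locate itself and its replication partner while the other is offline.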
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] FSMO role transfer
Amy,
If it's what you need to hear (for peace of mind, or reassurance), leave the FSMO
roles where they are; you'll be fine. You don't need to transfer the
roles if you're talking about a timeframe of 2 hours. When you bring it back
online, I would just leave the other DC online for at least an hour
(unless you have adjusted the replication intervals) to make sure any changes
are replicated.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 10:43 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO
roles, the other which holds the domain FSMO
roles.
I plan to take each server down at different
times so that one of the two servers can provide authentication etc while
the other gets maintained.
Initially, I was planning on moving the FSMO roles to
the other DC while maintenance work is carried out and transferring them back
once it's online again. I would then do the same for the other
DC.
I was then told that you don't need to move the FSMO
roles when you perform maintenance on a DC holding the
roles. Each server will be down for about
2hrs.
Does anyone have advice for me? I would like to move
the roles for peace of mind knowing they are available, but if I don't need to
do that, I won't bother.
Is there any recommended
practice?
Amy