
Questions about FSMO roles, Server 2003 Enterprise


ceez


Hello everyone.

Per the FSMO role rules, there's 1 server in our forest that performs the schema and domain role for the domains. We were thinking, what would happen if this server which holds these 2 roles should happen to crash? Hell would break loose, I suppose, along with no network authentication and people blocked out of their systems, webmail and even BlackBerry disruption.

I guess what I am trying to get to is, is it possible to have a 2nd DC that also has these 2 roles as a backup?

As always, thanks for the input!

ceez

:thumbup



Funny you mention this, I actually had this happen to me.

I inherited a mess from the previous IT admin at our company. All of our DCs were running on desktops!! (small office, 15 people). I was having some AD replication issues and one of the suggested fixes was to try rebooting the server in question. So, I rebooted said server. I immediately found out why we were having replication issues: the drive was dying! No RAID, at all. The server would not come back; it was BSOD'ing right after the boot process started. This basically brought the whole network to its knees. No authentication, which means no Exchange, etc.

I ended up seizing the roles and transferring them to another DC. We were only down about 30 minutes, but that was scary as hell. People act really weird when they have no email. It's like they are lost... angry and lost.

I also invested in Backup Exec System Recovery 8. It can take full and incremental images of the servers, with the added capability for restoring to Virtual PC, VMware or dissimilar hardware.

So the short answer is: always have more than one DC per domain/forest, seize the roles, and back up early and often. Oh yeah, make sure you have more than 1 Global Catalog.

I'm not positive, but I don't think those roles can reside in both places. I'm just a rookie, so I'd love to hear that I'm incorrect.

Tom


I have to give some experience as well, similar to the last poster. You cannot have a second DC holding a role that another DC holds, as they are the single master operation roles. However, taking regular backups of your AD and ensuring replication is working properly at all times means you can simply seize the roles if one of these DCs that held a FSMO role were to become unavailable. Worst case you could restore from the backup, but again, if replication is good, a seizure of roles from another DC is all that it should take to come back up again.

This is why any client that I talk to has multiple DCs, even on smaller domains.


In our case all our servers are actual HP servers and using RAID (stupid not to! :oP)

We also have BUE11d and perform backups of the system state every day.

In our forest root domain we actually have a total of 3 DCs. The 1st DC in the forest obviously holds all 5 roles. It's not a GC so a 2nd DC is the GC. The 3rd one just sits there and acts pretty ;oP

We have 1 child domain with 1 DC which sees the schema and domain master role of that forest root DC and it runs the other 3 roles. Also a GC.

The same for another domain with a single DC.

Then a 4th with a 2 DC setup, sees schema/domain on the forest root DC; one of the 2 DCs in this domain holds the GC.

I actually found this article from Petri which talks about a 'backup DC', which I can do in my case: I can use one of the 2 DCs on my forest root domain as a backup DC in case of failure.

http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

I just hope that I never have to run across a 'down schema/domain server'....NIGHTMARE.

Thanks for the input!

ceez

:thumbup

ps - lol, yeah users become zombie like when there's no 'network', they look at you funny like if they want to eat your brains!!!!
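
A placement check for a layout like the one described in this thread, added here as an example and not part of any post: it flags domains with no second DC to seize roles onto, and an infrastructure master that is a global catalog while another DC in its domain is not. Host names, domain names and the role holder in the two-DC child domain are constructed assumptions.

```python
from collections import defaultdict

FOREST_ROLES = ("schema", "naming")       # one holder per forest
DOMAIN_ROLES = ("pdc", "rid", "infra")    # one holder per domain

# Constructed inventory modelled on the thread's layout; every name below
# is a placeholder, and the child3 role holder is an assumption.
DCS = [
    # (host, domain, is_gc, roles held)
    ("root-dc1", "root.example", False,
     {"schema", "naming", "pdc", "rid", "infra"}),
    ("root-dc2", "root.example", True, set()),
    ("root-dc3", "root.example", False, set()),
    ("child1-dc1", "child1.root.example", True, {"pdc", "rid", "infra"}),
    ("child2-dc1", "child2.root.example", True, {"pdc", "rid", "infra"}),
    ("child3-dc1", "child3.root.example", True, {"pdc", "rid", "infra"}),
    ("child3-dc2", "child3.root.example", False, set()),
]

def audit(dcs):
    """Return sorted findings about FSMO/GC placement and failover options."""
    findings = []
    by_domain = defaultdict(list)
    for host, domain, is_gc, roles in dcs:
        by_domain[domain].append((host, is_gc, roles))
    if sum(1 for _, _, is_gc, _ in dcs if is_gc) < 2:
        findings.append("forest: fewer than two global catalogs")
    for role in FOREST_ROLES:
        n = sum(1 for _, _, _, roles in dcs if role in roles)
        if n != 1:
            findings.append(f"forest: {role} has {n} holders")
    for domain, members in by_domain.items():
        if len(members) == 1:
            findings.append(f"{domain}: single DC, no peer to seize roles onto")
        for role in DOMAIN_ROLES:
            n = sum(1 for _, _, roles in members if role in roles)
            if n != 1:
                findings.append(f"{domain}: {role} has {n} holders")
        all_gc = all(is_gc for _, is_gc, _ in members)
        for host, is_gc, roles in members:
            # In a multi-domain forest the infrastructure master should not
            # be a GC unless every DC in its domain is a GC.
            if "infra" in roles and is_gc and not all_gc:
                findings.append(
                    f"{domain}: infra master {host} is a GC but a peer is not")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(DCS)))
```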
