Page 1 of 2 (results 1 to 25 of 30)
  1. Pash
    #1

    Transfer FSMO roles automatically on PDC down?

    Hi all,

    Is it possible at all? Even with a simple script or something. Same with a demote and transfer of roles; can this be made as easy as possible? I'm looking for a solution that requires minimal technical presence to achieve this.

    Thanks!

  3. sprkymrk
    #2
    I never thought about it....

    Would you have controls/safety net in place to take into account minor outages due to network conditions or maintenance requiring reboots?

  4. Pash
    #3
    Quote Originally Posted by sprkymrk
    I never thought about it....

    Would you have controls/safety net in place to take into account minor outages due to network conditions or maintenance requiring reboots?
    Absolutely, Mark!

    This is for Disaster Recovery, in fact. I'm just wondering how easy it is to transfer roles and PDC promote if we lose our main PDC; in this scenario no techies would be at the DR site, so it would have to be fairly automated.

  5. Megadeth4168
    #4
    How about configuring a standby operations master?

    http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

  6. Silver Bullet
    #5
    I am curious as to why you wouldn't just restore from a backup if it is for Disaster recovery?

    If the server holding the FSMO roles is going to be down for a while then you could "seize" the needed role(s) to another DC. But the person standing in front of the DC doesn't have to be the one performing the task. Unless your sites aren't interconnected?

    If you have multiple Domain Controllers then you might consider spreading the FSMO roles around.

  7. Pash
    #6
    Quote Originally Posted by Megadeth4168
    How about configuring a standby operations master?

    http://www.petri.co.il/planning_fsmo_roles_in_ad.htm
    Thanks mate, I'll have a read; might be an idea to try and do this. This is one option for sure.

    Silver Bullet:

    This is immediate disaster recovery, i.e. the PDC just blows up, 20 critical workers are told to catch the bus to the DR site and log on as usual. Things I'm concerned about:

    1. NO FSMO roles now occupied on the domain. All 5 roles are assigned to this PDC.

    2. NO techie on site at DR to seize the needed roles temporarily

    3. Quick Operation, no time to restore from backup, has to be GO straight after failure.

    Things i need to happen:-

    1. Users have to log on to the domain with their usual credentials

    2. Ability to add additional PCs to the domain at the DR site IF needed.


    If I understand things correctly, I can't add new PCs to the domain without there being a schema master to reach? I could be wrong though, because my Windows AD skills are below par.

    Oh, and would storing the Global Catalog on this BDC at DR be recommended? I'm guessing it would; in fact, for this scenario we have to assume that the PDC still lives but human access to the main office is disabled. The only link from DR to the main office is a slow VPN link. So in this case it has to be a good idea?

    Suggestions as always, welcome.

    Thanks mate,

  8. Ahriakin (Moderator)
    #7
    Haven't tried any of this myself but off the top of my head you could script seizing the roles using NTDSutil reasonably easily. The trick is getting an accurate system in place to detect a real FSMO DC outage, as you know seizing roles is an absolute last resort. I've been using Hyperic Free on our own network for the last few months, haven't had as much time with it as I'd like but I know you could have it monitor DC availability quite easily and set an alert threshold that would allow for reboots etc. The only thing is you need to pay for the enterprise version to activate the ability for it to respond automatically to those alerts, but if you did it would be easy to set it to run your batch/script to seize the roles. You may want to write something yourself that just uses PINGs with a set timeout-threshold that again activates the script.

    Okay, the next bit is pure theory on my part, may be complete garbage....
    As for which roles you absolutely need to grab, it depends on the setup and how long you think the replacement will need to hold those roles. If it's permanent then of course grab them all. If not and you just need a DC in place to allow logons/new computer and user accounts etc., I think you could get away with the RID Master (may not even be necessary if the remaining DC already has a pool of IDs from the old RID master, but it would eventually get used up and with no RID master no new ID pools would be passed to the DCs) and PDC emulator. The others depend more on your domain/forest setup: if you're not modifying AD during the outage the Schema master can wait. If you don't have a multi-domain forest or can live without knowing of changes to groups/assets in other domains then Infrastructure can wait too, ditto for the Domain naming master.

    Edit: You mentioned the GC, if you aren't already make sure the GC for that site is NOT the current Infrastructure Master also.
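The detect-then-seize script Ahriakin sketches above, written out as an added example in PowerShell. It is not code from the thread or from any poster. It assumes a Windows Server 2008 R2 or later DC with the ActiveDirectory module, an account allowed to seize the roles (Domain Admins for the three domain roles, Enterprise Admins for the Domain Naming master, Schema Admins for the Schema master), and that the probe count and interval are tuned to your own reboot and maintenance windows; the `Standby`, `Probes`, `IntervalSeconds` and `Arm` parameter names and the upstream NTP server are my own choices. It probes the role holders over LDAP rather than ICMP, requires a sustained outage before doing anything, seizes only the roles that lived on the dead DC, and is a dry run unless `-Arm` is given, so it can be scheduled and observed before it is ever allowed to act.

```powershell
# Added example, not from the thread. Assumes: Windows Server 2008 R2+ DC with the
# ActiveDirectory module, an account allowed to seize the roles, and that
# $Standby (default: this machine) is the DC meant to take them over.
param(
    [string]$Standby = $env:COMPUTERNAME,  # DC that takes over the roles
    [int]$Probes = 12,                     # consecutive failed probes required
    [int]$IntervalSeconds = 300,           # 12 x 300 s = one hour of silence
    [switch]$Arm                           # without -Arm the seizure is a -WhatIf dry run
)

Import-Module ActiveDirectory

# Read the current role holders from AD instead of hard-coding a "PDC" name.
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# Probe the directory service, not the IP stack: a DC whose NTDS is hung still
# answers ping, and a firewall that drops ICMP would cause a false seizure.
function Test-DcAlive([string]$Dc) {
    try   { $null = Get-ADRootDSE -Server $Dc -ErrorAction Stop; return $true }
    catch { return $false }
}

# Demand $Probes consecutive failures spaced $IntervalSeconds apart, so a
# reboot or a brief blip on the slow VPN never looks like a disaster.
function Test-SustainedOutage([string]$Dc) {
    for ($i = 1; $i -le $Probes; $i++) {
        if (Test-DcAlive $Dc) { return $false }
        Write-Warning "Probe $i of ${Probes}: $Dc is not answering LDAP"
        if ($i -lt $Probes) { Start-Sleep -Seconds $IntervalSeconds }
    }
    return $true
}

$deadHolders = $holders.Values | Sort-Object -Unique |
    Where-Object { -not (Test-DcAlive $_) }

foreach ($dc in $deadHolders) {
    if (-not (Test-SustainedOutage $dc)) { continue }

    # Seize only the roles that lived on the dead DC; leave the others alone.
    $roles = @($holders.Keys | Where-Object { $holders[$_] -eq $dc })
    Write-Warning "Seizing $($roles -join ', ') from $dc onto $Standby"

    # Move-ADDirectoryServerOperationMasterRole transfers gracefully when the
    # holder answers and seizes with -Force when it does not.
    Move-ADDirectoryServerOperationMasterRole -Identity $Standby `
        -OperationMasterRole $roles -Force -Confirm:$false -WhatIf:(-not $Arm)

    if ($Arm -and $roles -contains 'PDCEmulator') {
        # The PDC emulator is the root of the domain's time hierarchy; point the
        # new holder at an external source so clocks do not drift. The peer
        # name is an assumption; replace it with your own NTP server.
        w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:yes /update
        w32tm /resync
    }
}

# Verify, and keep the record: a DC whose roles were seized must never return
# to the network as-is. It has to be rebuilt and its metadata cleaned up first.
netdom query fsmo
```

Run it from a scheduled task on the DR DC without `-Arm` for a few weeks and read the warnings it produces; only when it has never fired during a planned reboot or VPN outage should `-Arm` be added. The seizure itself is one cmdlet; the value is in the outage criterion, which is the part every poster in this thread was nervous about.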

  9. Megadeth4168
    #8
    Quote Originally Posted by Pash (post #6 above)
    Don't worry about the Schema Master; you can live without that, possibly without ever noticing that it is not online. It's just a matter of whether or not you ever make changes to the schema.

    Anyway, as far as making the BDC a GC, it depends... Firstly, are you in a single-domain environment or a multi-domain environment? Next, do you plan on placing the Infrastructure role on it at any point (being a standby)?

    If you are in a single domain then yes, make it a GC; it won't harm anything. If you are in a multi-domain environment and plan on using the BDC as a standby operations master then either do not make it a GC or do not make it the standby for the Infrastructure role. (EDIT: For this to be done, though, I believe that you would need a separate DC that holds the Infrastructure role.)
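The GC-versus-Infrastructure-Master rule in the post above, turned into a check you can run before choosing a standby DC. This is an added example in PowerShell, not code from the thread. It assumes the ActiveDirectory module and read access to every domain in the forest; the `Test-InfrastructureMasterPlacement` function, its `StandbyDc` parameter and the `DRDC01` name in the usage line are mine. It applies the rule forest-wide rather than only to the single-domain case in the post: the Infrastructure Master may sit on a GC only if the forest has one domain or every DC in it is a GC, and it also reports whether the intended standby is a GC, which decides whether that DC may ever hold the Infrastructure role. One caveat from later versions: once the AD Recycle Bin is enabled, every DC updates its own cross-domain references and this placement rule no longer matters.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# read access to every domain in the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string]$StandbyDc)   # optional: DR DC you intend to make the standby

    $forest = Get-ADForest
    $dcs    = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d
    }

    # The rule: the Infrastructure Master must NOT be a GC unless either
    # (a) the forest has a single domain, or (b) every DC in the forest is a GC.
    # In those two cases there are no phantom references for it to update.
    $singleDomain = ($forest.Domains.Count -eq 1)
    $everyDcIsGc  = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
    $exempt       = $singleDomain -or $everyDcIsGc

    foreach ($d in $forest.Domains) {
        $domain = Get-ADDomain -Identity $d
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster } |
                  Select-Object -First 1
        [pscustomobject]@{
            Domain               = $d
            InfrastructureMaster = $domain.InfrastructureMaster
            IsGlobalCatalog      = [bool]$im.IsGlobalCatalog
            Misplaced            = ([bool]$im.IsGlobalCatalog -and -not $exempt)
        }
    }

    if ($StandbyDc) {
        $sb = $dcs | Where-Object { $_.Name -eq $StandbyDc -or $_.HostName -eq $StandbyDc } |
              Select-Object -First 1
        if (-not $sb) { Write-Warning "Standby '$StandbyDc' is not a DC in this forest"; return }
        # A GC standby is fine for the other four roles; only the Infrastructure
        # role is off-limits to it in a multi-domain forest that is not all-GC.
        [pscustomobject]@{
            Domain               = $sb.Domain
            InfrastructureMaster = "(candidate standby) $($sb.HostName)"
            IsGlobalCatalog      = [bool]$sb.IsGlobalCatalog
            Misplaced            = ([bool]$sb.IsGlobalCatalog -and -not $exempt)
        }
    }
}

# Usage from any DC (DRDC01 is a placeholder name):
# Test-InfrastructureMasterPlacement -StandbyDc DRDC01 | Format-Table -AutoSize
```

A `Misplaced` of True on the candidate standby means exactly what the post says: either take the GC off that DC or plan for a different DC to be the Infrastructure Master standby.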

  10. ajs1976
    #9
    Why do you keep referring to PDC and BDC? Are you running NT domain controllers on the network? If you do have an NT DC, then you could have a problem adding computers to the domain without having access to the PDC Emulator FSMO role.

    For immediate disaster recovery you should not have to do anything with the FSMO roles. The system can run for a limited time without them. Seizing the roles can cause issues if you bring the old server back online.

    Not having the schema master available should not affect the ability to add a workstation to the domain. The schema master controls the properties of the schema. You would not be able to add something that extends the schema, such as Exchange or a newer Windows Server version as a DC.
    Andy


  11. Megadeth4168
    #10
    Quote Originally Posted by ajs1976 (post #9 above)
    I could be wrong but I think in this case the terms PDC and BDC are being thrown around out of habit... Even in studying, many books seem to use these terms loosely. I'm under the impression that PDC in this case just means the DC that holds the PDC emulator or possibly all roles and the BDC in this scenario simply means any DCs not holding a PDC emulator role or any roles.

    Like I said, I could be wrong, I guess Pash will let us know

  12. Pash
    #11
    Quote Originally Posted by Ahriakin (post #7 above)
    OK, thanks for the input, Ahriakin. I'm going to lab this up in the office for the next couple of days and see what works.

    In regards to the GC hosted on the infra master, I understand the rule is: only do this if you have one domain in your forest, or if all DCs in the forest host the GC? In both these cases currently, we are fine. BTW, creating a sub-domain for the DR is also an option; there would be no issues here as long as the correct trusts are in place for replication?

    Anyway, I guess there is only so much reading I can do, time to test it.

    Cheers all,

  13. Pash
    #12
    Quote Originally Posted by Megadeth4168 (post #10 above)
    This is correct, force of habit, many apologies.

    Really, ajs1976? So for the purposes of keeping user operations in the "norm" we should be OK?

    Thanks again,

  14. Pash
    #13
    Well, the proposal is complete; the presentation is ready to be presented to the customer tomorrow. They are the IT staff at a banking organisation, so I have to know what I am talking about. Luckily, after several hours of playing about (Wireshark on capture) and reading TechNet, I have a very good idea of how everything works for AD replication, GC, FSMO and what happens when a PC joins a domain.

    Now time for a beer

  15. jtdaly
    #14

    Adding DC if no FSMO role holder

    Hope I can jump in here on this thread, I have a very related question:
    I have a small, 2-DC Win2k network; the FSMO role holder has crashed and burned and won't be coming back. Before much time passes I want to put into service another DC, as disaster protection. I may not have the time to seize FSMO roles before I add the second DC. Question is, can I add another DC to a domain that has the FSMO role holder unavailable?

    Thanks!

  16. astorrs
    #15

    Re: Adding DC if no FSMO role holder

    Quote Originally Posted by jtdaly (post #14 above)
    You'll need the roles to be available. Why not just seize the roles, it only takes a few minutes?

  17. Senior Member
    #16
    This is back from September of '07; too late, the horse is dead :P jk...

  18. Senior Member
    #17

    Re: Adding DC if no FSMO role holder

    Quote Originally Posted by astorrs (post #15 above)
    +1

  19. ilcram19-2
    #18
    Quote Originally Posted by jtdaly (post #14 above)
    Since you mention you had another DC before the FSMO role holder crashed, you should be able to seize the roles to the DC that was left, then add the new DC to the mix, and you should be good. I had that issue a couple of times; I'm not really worried about losing the FSMO holder anymore as long as I have another DC in the network.

  20. Senior Member
    #19
    We were called in to consult on a scenario similar to this where a company had a division sold, was losing their point-to-point T1 to the corporate HQ where all the FSMO masters lived, but needed to keep the domain services intact. It was essentially the same as the scenario you described. You could create the server and promote it to a DC, then disconnect it from the network, connect at the DR site and seize the FSMO roles. Everything worked great for us after this.

    I think this is pretty much the solution that the other guys contributing to the thread came up with, but sometimes it's nice to have a voice of experience.

  21. dynamik
    #20
    Are you going to bring the original server back online? You're going to have problems with that if you seize the roles.

  22. jtdaly
    #21

    OK

    Thanks all, I was just being super cautious, being down to only one DC, and I haven't done an FSMO seizure before, and wanted another DC up and running before I messed with anything at all. I didn't think the FSMO roles would be touched by the DC promotion, but actually, since a RID needs to be assigned to the new DC, I guess that role needs to be present.

    Anyway, I'll take it from all of your quite impressive credentials that it should be like falling off a log, right?

    Appreciate the help, (even if I am too late on the thread!)

    jd

  23. dynamik
    #22
    Now I'm curious. Maybe I'm just getting rusty, but which roles are necessary for what he wants to do? RID goes out in pools, so I would think his DC has enough of those. It's not a new domain, so no domain naming. Infrastructure is used to keep track of objects in multiple domains, so not that. He's not changing the schema, so not that one either. PDC does a lot of miscellaneous things, but are any of those required for this?

  24. astorrs
    #23
    Quote Originally Posted by dynamik (post #22 above)
    I agree that the other 4 FSMO roles would be unnecessary to bring a new DC online, but how would a new DC get its initial RID pool if the RID Master was unavailable? I would expect the DC startup process to hang (no NETLOGON/SYSVOL shares) until it could get a RID pool, but if someone wants to test...

  25. jtdaly
    #24
    Dynamik,

    I went through that same list in my analysis, and the only area I was unsure of was PDC and RID. I think the other domain controller should be able to give out the RID value, but if I am correct, the new DC will have to be given a block of RIDs as well, in case it needs to give these out later on. That being said, what would happen if there was no RID meister, so to speak, to set this up? Would I end up with a corrupted DC?

    I am tempted to just try it, but I really don't like taking the cowboy approach. In fact I am looking for some tech guidance on breaking the RAID 1 array that the OS is running on, prior to doing any work. By saving the mirror drive offline, I would theoretically be able to roll everything back if the DC promo on the new box blows up, then start the whole thing over.

    Any thoughts from anyone else?

    Oh yeah, the original FSMO master is dead and gone; it was actually a SBS2K box that we were migrating away from. I'll still need to do some AD editing to get rid of references to it, when the dust settles.

  26. astorrs
    #25
    Quote Originally Posted by jtdaly (post #24 above)
    The PDC Emulator role doesn't matter since you're not dealing with mixed mode, although you will have trouble with domain-wide time synchronization (since it's the root of an NT5DS time hierarchy); just make sure your new DC's time is correct.

    The worst thing that would happen is either it would fail and roll back during the DCPROMO process, or that the DCPROMO would complete, but Active Directory would fail to startup fully on the new DC (no NETLOGON/SYSVOL shares).

    With that said, I always suggest having a roll back plan, breaking the mirror by pulling one of the drives would be an excellent method (although if you do have a problem you may need to manually cleanup AD - but that's rare and we can walk you through it if it does happen for some reason).
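The two things astorrs (post #23) and jtdaly (post #24) are unsure about, whether the surviving DC still has RIDs to hand out and whether a new DC can get a pool at all with the RID Master gone, plus the time-source point in the reply above, as an added pre-flight check in PowerShell. It is not code from the thread. It assumes a Windows Server 2008 R2 or later surviving DC with the ActiveDirectory module (the Win2k boxes in this part of the thread predate it); `Test-DcPromotionPrereqs` and its `SurvivingDc` parameter are mine. It reads the RID Set object under the DC's computer account, decodes the 64-bit pool attributes (first RID in the low 32 bits, last RID in the high 32 bits) and reports what is left, so you know whether to seize the RID Master before running DCPROMO rather than finding out when the new DC never publishes NETLOGON and SYSVOL.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module on a
# Windows Server 2008 R2+ surviving DC; -SurvivingDc defaults to this machine.
Import-Module ActiveDirectory

function Test-DcPromotionPrereqs {
    param([string]$SurvivingDc = $env:COMPUTERNAME)

    $domain = Get-ADDomain -Server $SurvivingDc
    $out    = [ordered]@{ RidMaster = $domain.RIDMaster; PdcEmulator = $domain.PDCEmulator }

    # 1. Are the RID Master and PDC emulator reachable as directory services?
    #    DCPROMO needs the RID Master to hand the NEW DC its own pool.
    foreach ($role in 'RidMaster', 'PdcEmulator') {
        try   { $null = Get-ADRootDSE -Server $out[$role] -ErrorAction Stop; $out["$($role)Reachable"] = $true }
        catch { $out["$($role)Reachable"] = $false }
    }

    # 2. How many RIDs does the surviving DC still hold? The pools live on
    #    CN=RID Set under the DC's computer object. Each pool attribute packs
    #    the first RID in the low 32 bits and the last RID in the high 32 bits.
    $dc     = Get-ADDomainController -Identity $SurvivingDc -Server $SurvivingDc
    $ridSet = Get-ADObject -Server $SurvivingDc -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID

    function Split-RidPool([int64]$Pool) {
        [pscustomobject]@{ First = ($Pool -band 4294967295); Last = ($Pool -shr 32) }
    }
    $current = Split-RidPool $ridSet.rIDPreviousAllocationPool   # pool being consumed now
    $next    = Split-RidPool $ridSet.rIDAllocationPool           # pool reserved for later

    # rIDNextRID is the cursor into the current pool, so this is the remaining
    # count to within one either way.
    $out.CurrentPool           = "$($current.First)-$($current.Last)"
    $out.RidsLeftInCurrentPool = $current.Last - [int64]$ridSet.rIDNextRID
    $out.NextPoolAlreadyCached = ($ridSet.rIDAllocationPool -ne $ridSet.rIDPreviousAllocationPool)
    $out.CanCreateAccounts     = ($out.RidsLeftInCurrentPool -gt 0) -or $out.NextPoolAlreadyCached
    # A cached spare pool on THIS DC does not help a new DC: the new one needs
    # its own pool, and only the RID Master can issue it.
    $out.SafeToPromoteNewDc    = $out.RidMasterReachable

    # 3. Time: the PDC emulator is the root of the NT5DS hierarchy. If it is
    #    gone, the survivor must become a reliable source before promotion.
    $out.TimeSource = (w32tm /query /source) -join ''

    [pscustomobject]$out
}

# Usage: Test-DcPromotionPrereqs | Format-List
#
# If SafeToPromoteNewDc is False, seize the RID Master onto the survivor first:
#   Move-ADDirectoryServerOperationMasterRole -Identity <survivor> -OperationMasterRole RIDMaster -Force
# If PdcEmulatorReachable is also False, seize PDCEmulator the same way and then
# make the survivor the authoritative clock (NTP server name is your own):
#   w32tm /config /manualpeerlist:<ntp-server> /syncfromflags:manual /reliable:yes /update
```

`dcdiag /test:RidManager /v` on the survivor prints the same pool figures and is the quicker check when you only want to eyeball them; the function above is for the case where the answer has to feed a decision in a script, as in the DR scenario earlier in this thread.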
