Re: Question regarding restoring DCs of FSMO role holders ...





have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/12/09/255.aspx

ALL FSMO can be restored if you want to. If you SEIZE a role, do NOT EVER
bring the old FSMO role owner back and do not restore it!

In theory (at least, maybe worse) if a RID master gave out a
"block of RIDs" and then was restored to a previous version of
its AD it might give that same block to a DIFFERENT DC and
thus create duplicates.

maybe in the first days, now not anymore!
all FSMO need to meet the initial synchronization requirements ->
http://support.microsoft.com/default.aspx?scid=kb;en-us;305476

however.... in either case...

for the RID master if I would restore it, I would also increase the RID
available pool of the domain!

as soon as you restore AD non-auth on the RID Master.... enable a schedule
to disable AD repl DURING boot...
login...
increase the RID available pool of the domain
enable AD repl
after some time it will issue a RID pool to itself

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:O7RCYN6xGHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
"Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D2245CA7-F7DA-43FD-9A48-49A373504A0F@xxxxxxxxxxxxxxxx
Hi,

I have a question regarding FSMO role placement and restoration of DCs with
FSMO roles:

On page 64 of "Active Directory Operations Guide version 1.5", there's
"Recommendations for role placement" as follows:
- Leave the two forest-level roles on a domain controller in the forest root domain.
- Place the two forest-level roles on a global catalog server.
- Place the three domain-level roles on the same domain controller.
- Do not place the domain-level roles on a global catalog server.
- Place the domain-level roles on a higher performance domain controller.
- Adjust the workload of the operations master role holder, if necessary.
- Choose an additional domain controller as the standby operations master
  for the forest-level roles and choose an additional domain controller as
  the standby for the domain-level roles

On page 29 of "Active Directory Operations Guide version 1.5": Restoring the
RID Master can result in Active Directory data corruption, so it's not
recommended. Restoring the Schema Master can result in orphaned objects, so
it is not recommended.

In general if you SEIZE a role NEVER bring the original role
holder back (directly) online as a DC.

DCPromo (forceremove) it offline, and then bring it online and
re-DCPromo it to DC.

If we follow the role placement recommendation, we'll have two DCs, DC1
with Schema Master and Domain Naming master roles, DC2 with PDC emulator,
RID master and infrastructure master. Then we actually can NOT restore
either DC, because we would restore schema master if we restored DC1, we
would restore RID master if we restored DC2.

In theory (at least, maybe worse) if a RID master gave out a
"block of RIDs" and then was restored to a previous version of
its AD it might give that same block to a DIFFERENT DC and
thus create duplicates.

Seize the role and don't restore AD on it but rather do a new
DCPromo.

Are the statements in the document self-contradictory or I actually didn't
understand it correctly?


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Thanks a lot.

Eric
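
The "increase the RID available pool" step from the reply above, as an added example that is not part of the original thread: it decodes the domain's rIDAvailablePool value and computes a raised one, so that blocks handed out after the backup was taken are skipped rather than issued a second time. The function names, the sample value and the 100000 margin are assumptions made for illustration, and the commented commands assume the ActiveDirectory PowerShell module, which is newer than this thread.

```powershell
# Added example: decode and raise rIDAvailablePool, the 64-bit value stored on
# the "CN=RID Manager$,CN=System,<domain DN>" object.
#   high 32 bits = ceiling of RIDs the domain can issue
#   low  32 bits = first RID of the next block the RID master will hand out

function Split-RidAvailablePool {
    param([Parameter(Mandatory)][Int64]$Value)
    [pscustomobject]@{
        NextRid = [Int64]($Value -band 4294967295)  # low 32 bits
        Ceiling = [Int64]($Value -shr 32)           # high 32 bits
    }
}

function Get-RaisedRidAvailablePool {
    param(
        [Parameter(Mandatory)][Int64]$Value,
        # Assumed margin: pick more RIDs than could have been issued
        # between the backup and the restore.
        [Int64]$Increase = 100000
    )
    $pool = Split-RidAvailablePool -Value $Value
    $next = $pool.NextRid + $Increase
    if ($next -ge $pool.Ceiling) {
        throw "Raising by $Increase would exceed the RID ceiling $($pool.Ceiling)."
    }
    # Re-pack: ceiling unchanged in the high half, raised start in the low half.
    ($pool.Ceiling * 4294967296) + $next
}

# Constructed sample: ceiling 1073741823, next block starts at RID 5100.
$sample = ([Int64]1073741823 * 4294967296) + 5100
Split-RidAvailablePool -Value $sample
Get-RaisedRidAvailablePool -Value $sample

# On the restored RID master, in the order given in the reply (left commented out;
# the first command is what a startup task would run to keep replication off):
# repadmin /options localhost +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL
# $dn  = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
# $cur = (Get-ADObject -Identity $dn -Properties rIDAvailablePool).rIDAvailablePool
# Set-ADObject -Identity $dn -Replace @{ rIDAvailablePool = (Get-RaisedRidAvailablePool -Value $cur) } -WhatIf
# repadmin /options localhost -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL
```

Drop `-WhatIf` only after checking the decoded before and after values.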




