Re: AD Configuration and Disaster Recovery

On Jun 10, 8:52 am, Ryan Hanisco
<RyanHani...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hey tman,

I'll answer your questions by letter to make them clearer...

a. If you have more than one Domain controller -- and you should always have
at least 2 -- you shouldn't have all of your FSMO roles on the same machine.
They are designed to be distributed and you gain nothing by having them on a
single box. If you only have a few DCs, I would make them all GCs and DNS
servers, but remember if one DC fails you can restore the FSMO roles lost.
See the following article for more direction on FSMO placement.http://support.microsoft.com/kb/223346

b. You generally don't have to do restores on your AD if you have more than
one DC. Of course if you are using them as file servers or to keep profiles,
you might need to file restore those. You would simply seize the FSMO roles
to the other machine, remove the other DC in ADU&C and DNS, rebuild it, and
promote it to be a DC again.. From there you just put the DNS and FSMO roles
back. You really only need to worry about restores like that if you lose ALL
of your DCs or if you have serious lag between sites and need to recover
changes).

c. Again, this shouldn't happen as you'll not want to have them on one box.
The most important role from a day to day operation standpoint is the PDCe.
All of them can be transfered or forced using NTDSUTIL. This tool is your
friend and is much easier than is used to be. You'll only need to do a full
restore like that when it really hits the fan. Virus attack, All your DCs are
in one place and you have a fire, newbie administrator deletes the users
container... something like that.

NTDSUTIL to seize or transfer --http://support.microsoft.com/kb/255504

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.



"tman" wrote:
We just did an upgrade from NT4 to 2003 Active Directory on a 350 node
network. It seemed to go rather smothly. We upgraded a fresh PDC
with Windows 2003 compatilbe hardware then added two new DCs. We then
demoted the upgrade server and it moved its roles to one of the other
new servers.

We now have two DCs running in interim mode with a couple of NT BDCs
Both of the new DCs are Global Catalog Servers. All the FSMO roles
were moved from the upgrade server to one of the new DCs. Both DCs
are DNS servers. The DNS servers are AD integrated.

I have a hard time understanding the Disaster Recovery information
that I have read so far. I thought oe of yo could net it out for me.

a. Is me config good fro disaster recovery e.g., all the FSMO roles on
on DC?

b. I think I know how to recover if I lose the DC that does not have
the FSMO roles. I could restore the system state and do an
unauthoritative restore, reboot and get averything I need from the
other DC via replication. I this accurate?

c.What to do if I lose the DC that has all the FSMO roles? Restore
the system state and do an authoritative restore?

Thanks- Hide quoted text -

- Show quoted text -

Thanks a lot for your clear responses to my questions. I understand
it clearly. One other question comes to mind, one that I have never
seen spelled out. In the scenario where, you have two DCs and some
FSMO roles are on one DC and some on the other DC and one of the DCs
fails. Now you will want to seize the roles from the failed DC to the
one that is still up. Where are they seized from. Does each DC have
all rolls but they are only active on one DC?

Thanks

.

Relevant Pages

  • RE: AD Configuration and Disaster Recovery
    ... at least 2 -- you shouldn't have all of your FSMO roles on the same machine. ... If you only have a few DCs, I would make them all GCs and DNS ... servers, but remember if one DC fails you can restore the FSMO roles lost. ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD Configuration and Disaster Recovery
    ... In this scenario once DC01 died and you performed the ... FSMO Roles from one existing Domain Controller to another existing Domain ... Of course if you are using them as file servers or to keep ... of your DCs or if you have serious lag between sites and need to ...
    (microsoft.public.windows.server.active_directory)
  • Re: DCs not responding to logon requests
    ... If I try a DNS query from the workstations with the offending DC turned off ... I get back repsonses that the other two DCs are available as both DCs and GCs. ... Running DCDIAG and NETDIAG from the workstations aimed at the servers I get ... > Sorry if I missed this one - which Domain Controller holds which FSMO Roles? ...
    (microsoft.public.windows.server.active_directory)
  • Re: AD Configuration and Disaster Recovery
    ... When using ntdsutil you must be very careful. ... FSMO Roles from one existing Domain Controller to another existing Domain ... Of course if you are using them as file servers or to keep ... of your DCs or if you have serious lag between sites and need to recover ...
    (microsoft.public.windows.server.active_directory)
  • Re: Ad Restore
    ... you probably don't want to restore all DCs. ... Especially when you have seized FSMO roles onto the first restored DCs, the other DCs holding that role cannot be restored. ... Distribute the system state backup to all locations where additional DCs are necessary ...
    (microsoft.public.windows.server.active_directory)
Loading