In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest roles but will usually move them as well.
 
Dean and I actually chatted about this previously as I put something like that in the AD3E book and he was like, you *always* move the domain roles like that and I was like "In production, absolutely". The one time you don't you seem to get burned and you feel very stupid for not doing it when you could have. Once in the distant past I had a PDC role machine that hung up when shutting down (it was just a quick reboot so I figured why bother) and started acting very fishy and I kicked myself for not moving the roles. Why risk that?
 
It is very cheap insurance. At one point I had a CMD file called something like movefsmo that used NTDSUTIL to move the roles, I think it took all of about 5 seconds to run to move all roles from one machine to another.
 
I agree with Ed in that I consider this SOP.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site).
 
More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down.
 
Hopefully, the poster has considered this latter scenario.
 
hth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Amy,

 

If it’s what you need to hear (for peace of mind – or reassurance) leave the FSMO roles where they are - you’ll be fine. You don’t need to transfer the roles if you’re talking about a timeframe of 2 hours - when you bring it back online - I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FSMO role transfer

 

Hi guys,

 

We have two DCs, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles.

 

I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. 

 

Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.

 

I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.

 

Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother.

 

Is there any recommended practice?

 

Amy

