In production I always move the domain roles prior to
working on a DC or even rebooting a DC. As you mention, the role move is trivial
and if something does dork up you have less to think about and aren't wondering
at what point you should be seizing. I am not so worried about the forest roles
but will usually move them as well.
Dean and I actually chatted about this previously as I put
something like that in the AD3E book and he was like, you *always* move the
domain roles like that and I was like "In production, absolutely". The one time
you don't you seem to get burned and you feel very stupid for not doing it when
you could have. Once in the distant past I had a PDC role machine that
hung up when shutting down (it was just a quick reboot so I figured why bother)
and started acting very fishy and I kicked myself for not moving the roles.
Why risk that?
It is very cheap insurance. At one point I had a CMD file
called something like movefsmo that used NTDSUTIL to move the roles, I
think it took all of about 5 seconds to run to move all roles from one
machine to another.
I agree with Ed in that I consider this
SOP.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Sorry, but for peace of mind, I *would* transfer the roles.
If there is opportunity to do so, then why not transfer? It's a trivial task and
will take no time to replicate (assuming the other DC is in the same
site).
More worrying perhaps, is the fact that if clients point to
one (or both) DCs for DNS name resolution, then they may experience issues when
one of the machines is taken down.
Hopefully, the poster has considered this latter
scenario.
hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Amy,
If it’s
what you need to hear (for peace of mind – or reassurance) leave the FSMO roles
where they are - you’ll be fine. You don’t need to transfer the roles if
you're talking about a timeframe of 2 hours - when you bring it back on line -
I would just leave the other DC online for at least an hour (unless you have
adjusted the replication intervals) to make sure any changes are
replicated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter

Hi guys,

We have two DC's, one which holds the Forest FSMO roles,
the other which holds the domain FSMO roles. I plan to take each server down at different times
so that one of the two servers can provide authentication etc while the
other gets maintained. Initially, I was planning on moving the FSMO roles to
the other DC while maintenance work is carried out and transferring it back
once it's online again. I would then do the same for the other
DC. I was then told that you don't need to move the FSMO
roles when you perform maintenance on a DC holding the
roles. Each server will be down for about
2hrs. Does anyone have advice for me? I would like to move the
roles for peace of mind knowing they are available, but if I don't need to do
that, I won't bother. Is there any recommended
practice?

Amy
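
The pre-maintenance role move discussed in this thread, as an added example that is not from any of the posters (joe's CMD file used NTDSUTIL; this sketch instead assumes the ActiveDirectory PowerShell module). The function name and DC names are hypothetical; it moves only the roles the source DC actually holds, never seizes, and verifies the result on the target.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); run as an account
# allowed to transfer the roles. Function and DC names are hypothetical.
Import-Module ActiveDirectory

function Move-FsmoForMaintenance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Source,  # DC going down
        [Parameter(Mandatory = $true)] [string] $Target,  # DC staying online
        [switch] $IncludeForestRoles                      # also move forest roles
    )

    $wanted = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
    if ($IncludeForestRoles) { $wanted += 'SchemaMaster', 'DomainNamingMaster' }

    # Stop early if either DC cannot be found.
    $src = Get-ADDomainController -Identity $Source -ErrorAction Stop
    $dst = Get-ADDomainController -Identity $Target -ErrorAction Stop

    # Only move what the source actually holds.
    $toMove = @($src.OperationMasterRoles | ForEach-Object { "$_" } |
                Where-Object { $wanted -contains $_ })
    if ($toMove.Count -eq 0) {
        Write-Output "$($src.HostName) holds none of: $($wanted -join ', ')"
        return
    }

    if ($PSCmdlet.ShouldProcess($dst.HostName, "Transfer $($toMove -join ', ')")) {
        # Graceful transfer only: -Force (seizure) is deliberately not used.
        Move-ADDirectoryServerOperationMasterRole -Identity $dst.HostName `
            -OperationMasterRole $toMove -Confirm:$false -ErrorAction Stop

        # Re-read from the target itself and confirm it now holds each role.
        $held = (Get-ADDomainController -Identity $dst.HostName -Server $dst.HostName).OperationMasterRoles |
                ForEach-Object { "$_" }
        $missing = @($toMove | Where-Object { $held -notcontains $_ })
        if ($missing.Count -gt 0) {
            throw "Not transferred to $($dst.HostName): $($missing -join ', ')"
        }
        Write-Output "$($dst.HostName) now holds: $($toMove -join ', ')"
    }
}

# Dry run first, then the real move (DC01/DC02 are placeholder names):
# Move-FsmoForMaintenance -Source DC01 -Target DC02 -WhatIf
# Move-FsmoForMaintenance -Source DC01 -Target DC02
```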