There is an old saying (well at least it seems old, I recall first hearing it in a programming course at Michigan State University back in 1988 or so) that I have heard various forms of:
If builders made buildings the way programmers wrote programs, the first woodpecker that came along would destroy civilization. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 8:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Yeah .... Thanks a lot Gil ! This is all we need to hear and be reminded of. For >YEARS< I have resisted putting a tag line at the end of my email, but I have always had one that I was fond of. Now I just might consider it. I'm trademarking it so don't copy it. "It's all just a house of cards!" RH _______________________________________ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gil Kirkpatrick Sent: Tuesday, November 29, 2005 5:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer By definition, the impact of a maintenance task is expected to be low. But the behavior of a server isn't always predictable after you change the software and/or configuration and reboot it. Sometimes just the power or temperature fluctuation is enough to kick a marginal component over the edge. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 12:16 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer If you want 100% insurance then yes transfering the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transfered or not. So.. define maintenance task... what is the impact of the maintenance task? jorge ________________________________ From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Tue 11/29/2005 6:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I'd move the FSMOs just in case "something" happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f***** up and have to restore? It seems like about a 1-in-25 chance that something will go wrong. -gil ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer First, look at each role and see what it does... Forest FSMOs * Schema Master --> needed when updating the schema * Domain Naming master --> needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator --> needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master --> needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure --> needed to update references between domains in a forest (does not do anything in a single domain forest) If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintainance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won! 't bother Is there any recommended practice? Amy ________________________________ To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre <http://us.rd.yahoo.com/mail/uk/taglines/default/security_centre/*http:/ /uk.security.yahoo.com/> . This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
