Tuesday, November 29, 2005, 5:08:52 PM, you wrote:
First, look at each role and see what it does...
Forest FSMOs
* Schema Master -- needed when updating the schema
* Domain Naming master -- needed when adding or removing domains within the
forest
Domain FSMOs
* PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords,
used for time sync, is used for pwd checking when a user enters an incorrect pwd
at another DC, used by DFS roots to get DFS info
* RID Master -- needed to distribute RID pools to DCs that have exhausted their
current RID pool for 50% (=250 RIDs)
* Infrastructure -- needed to update references between domains in a forest
(does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to
another DC, just to carry out maintenance activities. It also depends on the
FSMO role. The most used ones in your case will be the RID and the PDC FSMO.
Only if you create more than 500 security principals (users, groups and
computers) during the moment that the DC with the RID FSMO is down, you will
experience a problem on the DC that is left. If you still have legacy clients
and they want to change the password that will not be possible. And if those
clients have the DSClient installed that will not be an issue either.
In short: leave as is. it will be OK for those 2 hours
Cheers,
jorge
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FSMO role transfer
Hi guys,
We have two DC's, one which holds the Forest FSMO roles, the other which holds
the domain FSMO roles.
I plan to take each server down at different times so that one of the two
servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while
maintainance work is carried out and transferring it back once it's online
again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform
maintenance on a DC holding the roles. Each server will be down for about 2hrs.
Does anyone have advice for me? I would like to move the roles for peace of mind
knowing they are available, but if I don't need to do that, I won! 't bother
Is there any recommended practice?
Amy
To help you stay safe and secure online, we've developed the all new Yahoo!
Security Centre.
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.
I would like to precise that both DC must be Global catalogue, or there will be
troubles during this two hours..
--
Best regards,
Mathieu
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
