Re: [ActiveDir] FMSO roles split, patch question.
Perfect World = clone all servers, workstations, users (especially the stupid ones that break things all the time anyway). Install patches on the identical cloned network; when cloned users break things, beat them so they never do the stupid act again. (Okay, so maybe this is just a network admin's view of a perfect cloning experiment... it might be better to beat the real users, come to think of it...)

Best = set up a test network with real hardware that replicates the types/kinds of equipment you have.

Better = set up a test network with a mixture of real/virtual.

Good = test network is virtual; recreate apps, etc.

Better than nothing, option 1 = users that are "canaries"... they get patches first... they die so that others will live.

Better than nothing, option 2 = break the mirror, patch the main, ensure all is well, remirror. (I'm personally not a fan of this... but...)

Bottom line: even in testing... you won't find everything.

True story: I patched for a chm help file patch back in 2005, all looked fine, and I deployed the patch. Two weeks later someone pinged me that they couldn't get into the Tax software help file; it was suddenly blank. When I right mouse clicked on the suddenly blank page I realized it was a chm file and went oh... hang on, there was a patch... Contacted the vendor and sure 'nuff, they already knew about it and had a workaround.

So just plan on the fact that some things just won't be noticeable until it's in a live network, and deal with it.

joe wrote:
> It isn't the best test environment but it is infinitely better than no test environment. If you have a QA environment that matches production then I am perfectly fine with an entirely virtual test environment.
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
Re: [ActiveDir] FMSO roles split, patch question.
Just don't try to do NetWare on Virtual Server -- ouch... other OSes seem to behave better - Chuck
RE: [ActiveDir] FMSO roles split, patch question.
It isn't the best test environment but it is infinitely better than no test environment. If you have a QA environment that matches production then I am perfectly fine with an entirely virtual test environment.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: Rocky Habeeb
Sent: Saturday, August 19, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

Oh ... So virtual is where my test environment should be ... And that will adequately equate to a "real" production environment? ["Hmm ..." he wonders, "Could it be true?"]
RE: [ActiveDir] FMSO roles split, patch question.
Oh ... So virtual is where my test environment should be ... And that will adequately equate to a "real" production environment? ["Hmm ..." he wonders, "Could it be true?"]

-----Original Message-----
From: Deji Akomolafe
Sent: 17 August, 2006 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

That argument went out the window when the following happened:
Dell started selling desktops with jillion gigabyte drive space for under $1000
Microsoft started giving away Virtual Server with very liberal Windows Server 2003 licenses.

Us poor admins no longer needed bazillion dollars to create "test environments". Sorry, try another one :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
RE: [ActiveDir] FMSO roles split, patch question.
"I am drinking my second Labatt's not having to make any difficult decisions" now that's funny!

-----Original Message-----
From: joe
Sent: 17 Aug 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

That is fine Deji, you can completely disagree as much as you want, it wouldn't be the first time we haven't agreed. :)

BTW, I never said Best Practice, I said this is what I do and I agree with Jorge. But in the end, I don't care about best practices, I do what I think is right and the least likely to cause me issues, balanced by my efficiency of doing things. You could test something to within an inch of its existence and something still go wrong in production; there is no way to guarantee no issues will occur, that is why we test in the first place. If it could be guaranteed, MSFT would have already done so. So you can put your faith in god all you want but it is prudent to row away from the rocks as well.

I am confused as to what disadvantage there is to moving roles? You seem to be saying since it isn't troublesome to seize them you shouldn't transfer them. That is cracked. Note that I don't say do this just for patching, any reboot or machine specific core change and I will move the roles. It could be something completely unrelated to a patch that caused a failure, especially in a reboot situation. It is such an innocuous thing to do that can save concern and work in the event of a failure. I think if it is easy to do up front, it seems outright stupid to not move the roles and remove all possibility of an issue around them. If I had a DC fail while doing maintenance work, I don't want to have to have made up issues for me to deal with around it, just get the DC working again. I can guarantee you several large companies that I have done work for would all question the process if I didn't do everything I could to limit possible issues up front.

I would argue, and have in the past argued, that a seize is not as good as a transfer regardless of your thoughts on the topic. If that weren't the case, it is probably likely there wouldn't be two methods in the first place. Even now there doesn't really need to be two methods, you could have one method for transfer and if that fails it does the seize, but they specifically want you realizing you are seizing. Even if this weren't the case, I would STILL move the roles because it is simple and innocuous and fast. In the end, you can do anything you want to manage your environments as you see fit, but any environment I run will be handled as I indicated. I see it as such free insurance that it is silly not to buy.

Let me leave you with a scenario, feel free not to respond if you want. You and I are working on our enterprise environments. We need to patch or do something else which will require a reboot. I go ahead and quickly move the roles and you just go forward in patching. I am slow that day so it takes 30 seconds instead of 15 seconds to move roles and then I am patching. You obviously hit reboot first, uh no, the reboot hangs up or the server doesn't reboot or doesn't even POST. 30 seconds later I see the same thing... Assuming we built out Domain Controller Architecture properly, what happens next? I go, well that sucks, I will have to fix that at some time and determine when I will make time for it and decide if I will troubleshoot and correct or just wipe and reload. You go, *&[EMAIL PROTECTED]. Do I fix this or do I seize the roles? And you think about it while I am getting in my jeep and driving to meet friends or have lunch or dinner. (Or alternately maybe some more junior admin makes the WRONG decision without you there..) Once you finally decide what direction you go, you then know what you can properly do. In the meanwhile, your decision may get pushed as users and admins start noticing things aren't as they should be. The GPO management tools are bitching about which machine they should talk to. Users changing passwords via tools using legacy API (yes they still exist even if clients don't) are all breaking. Password chaining isn't working for anyone that changed their passwords. Who knows what else is going on, you get to figure it out. I am drinking my second Labatt's not having to make any difficult decisions. All over a 15 second process handled by a batch file that took what, maybe 30-60 minutes to write.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] FMSO roles split, patch question.
Not having followed the thread all the way from the beginning I just thought I'd add my 2 cents, although it's probably worth less than that due to the SA Rand to Dollar exchange rate :) :).

I was always under the impression that a role seize should only be done if the server that originally held the role was never going to be re-introduced and an ntdsutil was done to clean up. In fact I have a policy to never re-use DC names, just as a CMA process.

Regards
Peter Johnson

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 17 August 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FMSO roles split, patch question.

As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.

Almeida Pinto, Jorge de wrote:
> the reason is that if a DC dies during the patching you do not have to seize the roles
> IMHO, I prefer transferring over seizing
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> Tel : +31-(0)40-29.57.777
> Mobile : +31-(0)6-26.26.62.80
>
> From: John Strongosky
> Sent: Thu 2006-08-17 16:55
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> I'm confused, is this a standard practice? As I thought you did not want to move the FSMO roles back and forth.
>
> john
>
> From: Almeida Pinto, Jorge de
> Sent: Thursday, August 17, 2006 4:33 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> in addition to that
> DC1 having FSMOset1 and DC2 having FSMOset2
> transfer FSMOset1 from DC1 to DC2
> apply patches to DC1 and reboot and check everything (event logs, DCdiag, etc)
> if everything OK!
> transfer FSMOset1 and FSMOset2 from DC2 to DC1
> apply patches to DC2 and reboot and check everything (event logs, DCdiag, etc)
> if everything OK!
> transfer FSMOset2 from DC1 to DC2
> voila (that's French)...done! ;-)
>
> jorge
>
> From: Deji Akomolafe
> Sent: Wednesday, August 09, 2006 01:52
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> It doesn't matter.
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.akomolafe.com - we know IT
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> From: John Strongosky
> Sent: Tue 8/8/2006 4:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] FMSO roles split, patch question.
>
> We have our FSMO roles split between 2 DCs. They are Schema Master/Domain Tree Operator on one, and the roles PDC Emulator/RID Pool/Infrastructure on the other. After I apply the patches from Microsoft, what is the best practice for the boot order... or does it matter?
>
> 1. Remote DCs/GCs first
> 2. no. 1
> 3. then no. 2
>
> thanks
RE: [ActiveDir] FMSO roles split, patch question.
Exactly. :) I just don't understand the reluctance to move the roles. You would think we were advocating swapping a single RAID drive from the two machines involved.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: neil
Sent: Friday, August 18, 2006 3:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

My client would sack (fire) me on the spot if I patched servers without having clearly shown due diligence beforehand. If a DC hosting say the RID master role died during a patch which resulted in issues (where admins were unable to create user objects), the business would ask 'why were proper measures not put in place to cater for such an issue?' and also further state 'We lost millions of £/$ due to this outage!' I would try to respond and explain and then be duly sacked (fired). Why would you NOT perform due diligence?

My 2 penneth,
neil
RE: [ActiveDir] FMSO roles split, patch question.
Definitely good to help with testing. However, obviously, you can still run into issues that are specific to your hardware platform/configuration (drivers come to mind), plus what if you hit an issue that is a virtualization issue only? Could be a lot of work for something you never see in production.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: Deji Akomolafe
Sent: Thursday, August 17, 2006 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

That argument went out the window when the following happened:
Dell started selling desktops with jillion gigabyte drive space for under $1000
Microsoft started giving away Virtual Server with very liberal Windows Server 2003 licenses.

Us poor admins no longer needed bazillion dollars to create "test environments". Sorry, try another one :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: Gordon Pegue
Sent: Thu 8/17/2006 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

What about us poor admins, who for a variety of reasons outside their control, don't have a "test" environment? I'm just a little guy, supporting a small business that doesn't have kilobucks to spare for non-production equipment. I sweat bullets every time MS issues updates and I spend a lot of time researching each and every one of them before I apply...

Thanks
Gordon Pegue
System Administrator
Chavez Grieves Consulting Engineers
Albuquerque, NM
www.cg-engrs.com

-----Original Message-----
From: Deji Akomolafe
Sent: Thursday, August 17, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test the patch and be sure it doesn't kill things. Test your config changes and be sure they don't break things. Test, test and test more before you move into production. Then deploy to production. IF, in spite of all your tests, "something" goes wrong with one DC holding a specific role (or - perish the thought - ALL your roles), it's no big deal. As long as you have other DCs available to assume the roles, the target DC will not care how they got the roles (graceful transfer or inelegant seizure). It's good to have a script that moves roles as you desire, but this does not fall into the realm of "best practice" in the scheme of things. Your energy should be invested in instituting a comprehensive patch/change management and testing operations practice rather than figuring out where to move roles to in case a patch eats your DC.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

-----Original Message-----
From: joe
Sent: Thu 8/17/2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later, regardless of the reason for it going down. Especially when you have a script that applies the NTDSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing; you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it.

When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart, or in fact even go down properly without hanging. Now I understand the SBS thoughts behind it
RE: [ActiveDir] FMSO roles split, patch question.
My client would sack (fire) me on the spot if I patched servers without having clearly shown due diligence beforehand. If a DC hosting, say, the RID master role died during a patch which resulted in issues (where admins were unable to create user objects), the business would ask "why were proper measures not put in place to cater for such an issue?" and also further state "We lost millions of £/$ due to this outage!" I would try to respond and explain and then be duly sacked (fired). Why would you NOT perform due diligence?

My 2 penneth,
neil

From: Deji Akomolafe
Sent: 17 August 2006 16:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

This will be one of the rare occasions I disagree with Jorge. I see no usefulness in this ping pong exercise. DC dies in the process of patching and it is the one holding a specific FSMO role. So what? Just seize the role and wipe the server and do your cleanup and reinstall. Due diligence is to test your patches and ensure that they don't take your servers/infrastructure down before you proceed with deploying them on your live environment.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Almeida Pinto, Jorge de
Sent: Thu 8/17/2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

The reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80

From: John Strongosky
Sent: Thu 2006-08-17 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I'm confused. Is this a standard practice? I thought you did not want to move the FMSO roles back and forth.

john

From: Almeida Pinto, Jorge de
Sent: Thursday, August 17, 2006 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

In addition to that, with DC1 having FSMOset1 and DC2 having FSMOset2:
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs, DCdiag, etc.)
if everything OK! transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs, DCdiag, etc.)
if everything OK! transfer FSMOset2 from DC1 to DC2
voila (that's french)...done! ;-)

jorge

From: Deji Akomolafe
Sent: Wednesday, August 09, 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

It doesn't matter.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services

From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.

We have our FMSO roles split between 2 DCs. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/RID Pool/Intrastate on the other. After I apply the patches from Microsoft what is the best practice for the boot order...or does it matter?
1. Remote DC/GC's first
2. no. 1
3. then no 2.

thanks

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.a
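Jorge's transfer, patch, check, transfer-back sequence above (and the NTDSUTIL-driven role move joe mentions further down the thread) written up as an added example that is not from any of the posters: a PowerShell script for a two-DC split that uses ntdsutil for the transfers, netdom query fsmo to confirm each move, and dcdiag plus the Directory Service event log for the "check everything" step. DC1, DC2 and the two role sets are placeholders matching the thread's FSMOset1/FSMOset2 split, and the ntdsutil role keywords are the Windows Server 2003 spellings.

```powershell
# Added example, not code from the thread. Scripts the sequence Jorge describes:
# move roles off the DC about to be patched, patch and reboot it, verify it, move
# the roles back. Transfers only; a seize stays a deliberate human decision.
# Run as a Domain Admin (plus Schema Admins / Enterprise Admins for the schema and
# naming roles) where ntdsutil, netdom and dcdiag are on the path.

$Dc1 = 'DC1'   # placeholder short host name, holds FSMOset1 at the start
$Dc2 = 'DC2'   # placeholder short host name, holds FSMOset2 at the start

# ntdsutil "transfer ..." keywords (Windows Server 2003 spelling; Windows Server 2008
# and later spell the second one "naming master").
$FsmoSet1 = @('schema master', 'domain naming master')
$FsmoSet2 = @('pdc', 'rid master', 'infrastructure master')

# The same roles as "netdom query fsmo" names them, used to verify each transfer.
$NetdomName = @{
    'schema master'         = 'Schema master'
    'domain naming master'  = 'Domain naming master'
    'pdc'                   = 'PDC'
    'rid master'            = 'RID pool manager'
    'infrastructure master' = 'Infrastructure master'
}

function Get-FsmoHolders {
    # Parse "netdom query fsmo" output ("<role>   <holder FQDN>") into a table.
    $holders = @{}
    foreach ($line in (& netdom query fsmo)) {
        if ($line -match '^(?<role>[A-Za-z ]+?)\s{2,}(?<dc>\S+)\s*$') {
            $holders[$matches['role'].Trim()] = $matches['dc']
        }
    }
    return $holders
}

function Move-FsmoRoles {
    param([string]$TargetDc, [string[]]$Roles)
    foreach ($role in $Roles) {
        # Same as typing at the ntdsutil prompt: roles / connections /
        # connect to server <target> / quit / transfer <role> / quit / quit
        & ntdsutil roles connections "connect to server $TargetDc" quit "transfer $role" quit quit | Out-Null
    }
    # Do not trust ntdsutil's exit code; confirm every holder with netdom.
    $holders = Get-FsmoHolders
    foreach ($role in $Roles) {
        $holder = $holders[$NetdomName[$role]]          # FQDN, or $null if unknown
        if (-not $holder -or $holder.Split('.')[0] -ne $TargetDc) {
            throw "Transfer of '$role' to $TargetDc did not take effect (holder: $holder). Stop and investigate; do not fall through to a seize."
        }
    }
    Write-Host "Roles now on ${TargetDc}: $($Roles -join ', ')"
}

function Test-DcHealth {
    param([string]$Dc)
    # The "check everything" step: dcdiag in quiet mode prints only failures, and the
    # Directory Service log should show no new errors since the post-patch reboot.
    $diag   = & dcdiag /s:$Dc /q 2>&1
    $failed = @($diag | Where-Object { $_ -match 'failed test' })
    $os     = Get-WmiObject Win32_OperatingSystem -ComputerName $Dc
    $boot   = $os.ConvertToDateTime($os.LastBootUpTime)
    $errors = @(Get-EventLog -ComputerName $Dc -LogName 'Directory Service' -EntryType Error -After $boot -ErrorAction SilentlyContinue)
    if ($failed.Count -gt 0 -or $errors.Count -gt 0) {
        $failed | ForEach-Object { Write-Warning $_ }
        $errors | ForEach-Object { Write-Warning "$($_.TimeGenerated) $($_.Source) $($_.EventID): $($_.Message)" }
        return $false
    }
    return $true
}

# Step 1: move FSMOset1 off DC1 so it holds nothing while it is patched.
Move-FsmoRoles -TargetDc $Dc2 -Roles $FsmoSet1
Read-Host "Patch and reboot $Dc1, then press Enter" | Out-Null
if (-not (Test-DcHealth $Dc1)) { throw "$Dc1 is not healthy after patching; all roles stay on $Dc2" }

# Step 2: move everything to DC1 while DC2 is patched.
Move-FsmoRoles -TargetDc $Dc1 -Roles ($FsmoSet1 + $FsmoSet2)
Read-Host "Patch and reboot $Dc2, then press Enter" | Out-Null
if (-not (Test-DcHealth $Dc2)) { throw "$Dc2 is not healthy after patching; all roles stay on $Dc1" }

# Step 3: restore the original split and show the final holders.
Move-FsmoRoles -TargetDc $Dc2 -Roles $FsmoSet2
Get-FsmoHolders | Format-Table -AutoSize
```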
RE: [ActiveDir] FMSO roles split, patch question.
I agree with Jorge. Seizing is not for the faint-hearted, as Brett's post from a while back shows... http://www.mail-archive.com/activedir@mail.activedir.org/msg39683.html

Tony

-- Original Message --
From: "Almeida Pinto, Jorge de"
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 17 Aug 2006 17:02:12 +0200
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> The reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing.
Re: [ActiveDir] FMSO roles split, patch question.
What he said. Because who are they going to blame when 06-040 gets inside an unpatched network and nails Windows 2000 boxes and DoS's 2k3's? Do they not let you patch at all...or not let you test patches? How are you deploying or mitigating issues now? If I.. little SBSer that I am... can build a test bed... have patch canaries at the office... have a patch process... and all that. There is no "won't allow" when there is a California law on the books that requires said management to "take reasonable measures to secure client data" (AB1950, affecting data of California residents on 'any' computer). That means patching in my book (among many things). Then you build a patch testing process around your management. Patch some of the machines at a time. Choose people in your office that get patches first. But you build a change management process around second Tuesday of the month and get those machines at risk in a safe and protected, patched, mitigated, protected, whatevered state as fast as you can.

Brian Desmond wrote:
> Time to find a new manager
>
> Thanks,
> Brian Desmond
> c - 312.731.3132
RE: [ActiveDir] FMSO roles split, patch question.
Time to find a new manager

Thanks,
Brian Desmond
c - 312.731.3132

From: Gordon Pegue
Sent: Thursday, August 17, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> Sorry- You just don't get it do you... I'll be as blunt as possible: Management won't allow it!
>
> Gordon

From: Deji Akomolafe
Sent: Thursday, August 17, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test patch and be sure it doesn't kill things. Test your config changes and be sure it doesn't break things. Test, test and test more before you move into production. Then deploy to production. IF, in spite of all your tests, "something" goes wrong with one DC holding a specific role (or - perish the thought - ALL your roles), it's no big deal. As long as you have other DCs available to assume the roles, the target DC will not care how they got the roles (graceful transfer or inelegant seizure). It's good to have a script that moves roles as you desire, but this does not fall into the realm of "best practice" in the scheme of things. Your energy should be invested in instituting a comprehensive patch/change management and testing operations practice rather than figuring out where to move roles to in case a patch eats your DC.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
RE: [ActiveDir] FMSO roles split, patch question.
Sorry- You just don't get it do you... I'll be as blunt as possible: Management won't allow it!

Gordon

From: Deji Akomolafe
Sent: Thursday, August 17, 2006 2:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> That argument went out the window when the following happened: Dell started selling desktops with jillion gigabyte drive space for under $1000. Microsoft started giving away Virtual Server with very liberal Windows Server 2003 licenses. Us poor admins no longer needed bazillion dollars to create "test environments". Sorry, try another one :)
Re: [ActiveDir] FMSO roles split, patch question.
VPC and VMware are free, and you watch the gang on www.patchmanagement.org report issues and share information. I patch at home first, watch the listserves, make sure I have a good backup and let 'er rip. If you have a good backup..and a DR strategy already in place, patches are not a big thing IMHO. Know this: Microsoft does test these patches these days before they come out.

Gordon Pegue wrote (Thu 8/17/2006 1:31 PM):
> What about us poor admins, who for a variety of reasons outside their control, don't have a "test" environment?

From: joe
Sent: Thu 8/17/2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTDSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing, you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging.

Now I understand the SBS thoughts behind it though... In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up an SBS DC and it falls over there are skid marks where you were previously standing.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 17, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Re: [ActiveDir] FMSO roles split, patch question.
IMHO the important thing is you are patched. However you do it is your process. Now if one of these processes is slowing you down, reevaluate. But if you can patch within a reasonable amount of time (06-040) and you have a process for patching (06-040)... who cares? (btw ... we ARE starting to see folks with 06-040 exploit attacks on their boxes... please get 'em patched)

Kevin Brunson wrote:

Let's look at the roles for a minute....

Domain Naming Master: Okay, so in a large environment there may be people creating domains on a regular basis. But is it really a crisis that will leave someone in a panic if that role holder goes down for a few hours?

Schema: Hopefully this is one that can stay down with no real consequences, except for Exchange upgrades and the like. If it is down, it will not cause panic, it can be moved.

RID: I could see this being a problem, if a large number of objects are being created. But even in the biggest environments there aren't a whole lot of times that 1000s of objects are being created simultaneously.

Infrastructure: Yeah, if this is down you will certainly see some issues in a large network. Over time. It seems like it would be a while before the info in the domains got stale enough for this to really matter.

PDC: As Joe mentioned, there would be some real headaches here if you've got old (needs to be retired) computers running NT or anything in the 9x realm. Hopefully that is not the case. Older software is much more likely, and as Joe said, could present some major crises. And passwords would be a given.

Since there is such disagreement amongst the brethren (and sistren), perhaps we could all agree that the PDCEm would be a real bear if it was gone for a few hours. Perhaps we don't all agree that we should change our patching plans based on that, but I can certainly see the wisdom in moving that one. The others seem just as disposable as any other dc, since they could probably be gone a while with no adverse consequences.

Kevin

From: Deji Akomolafe
Sent: Thursday, August 17, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

From: joe
Sent: Thu 8/17/2006 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

That is fine Deji, you can completely disagree as much as you want, it wouldn't be the first time we haven't agreed. :) BTW, I never said Best Practice, I said this is what I do and I agree with Jorge. But in the end, I don't care about best practices, I do what I think is right and the least likely to cause me issues balanced by my efficiency of doing things. You could test something to within an inch of its existence and something still go wrong in production, there is no way to guarantee no issues will occur, that is why we test in the first place. If it could be guaranteed, MSFT would have already done so. So you can put your faith in god all you want but it is prudent to row away from the rocks as well.

I am confused as to what disadvantage there is to moving roles? You seem to be saying since it isn't troublesome to seize them you shouldn't transfer them. That is cracked. Note that I don't say do this just for patching, any reboot or machine specific core change and I will move the roles. It could be something completely unrelated to a patch that caused a failure, especially in a reboot situation. It is such an innocuous thing to do that can save concern and work in the event of a failure. I think if it is easy to do up front, it seems outright stupid to not move the ro
RE: [ActiveDir] FMSO roles split, patch question.
That argument went out the window when the following happened:
Dell started selling desktops with jillion gigabyte drive space for under $1000
Microsoft started giving away Virtual Server with very liberal Windows Server 2003 licenses.
Us poor admins no longer needed bazillion dollars to create "test environments".

Sorry, try another one :)

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services

From: Gordon Pegue
Sent: Thu 8/17/2006 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.
RE: [ActiveDir] FMSO roles split, patch question.
What about us poor admins, who for a variety of reasons outside their control, don't have a "test" environment? I'm just a little guy, supporting a small business that doesn't have kilobucks to spare for non-production equipment. I sweat bullets every time MS issues updates and I spend a lot of time researching each and every one of them before I apply...

Thanks
Gordon Pegue
System Administrator
Chavez Grieves Consulting Engineers
Albuquerque, NM
www.cg-engrs.com

From: Deji Akomolafe
Sent: Thursday, August 17, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 17, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FMSO roles split, patch question.

As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.

Almeida Pinto, Jorge de wrote:
> The reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing.
RE: [ActiveDir] FMSO roles split, patch question.
I always try to frame my responses around the requested info. In this case, the OP wanted to know the following:

After I apply the patches from Microsoft what is the best practices for the boot order...or does it matter?
1. Remote DC/GC's first
2. no. 1
3. then no 2.

The simple and logical answer is "it does not matter". The order of your patching and rebooting your DC is NOT dependent on the roles they hold. Everything else you've written in your response is all well and good. Nice to have, if I must say. I still stand by the original response. You do NOT have to put a lot of thoughts into playing chess with your roles just to figure out which one to reboot first. DCs are dispensable, even the role-holding ones - as long as there are others in the environment.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 8/17/2006 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

That is fine Deji, you can completely disagree as much you want, it wouldn't be the first time we haven't agreed. :) BTW, I never said Best Practice, I said this is what I do and I agree with Jorge. But in the end, I don't care about best practices, I do what I think is right and the least likely to cause me issues balanced by my efficiency of doing things. You could test something to within an inch of its existence and something still go wrong in production, there is no way to guarantee no issues will occur, that is why we test in the first place. If it could be guaranteed, MSFT would have already done so. So you can put your faith in god all you want but it is prudent to row away from the rocks as well. I am confused as to what disadvantage there is to moving roles?
You seem to be saying since it isn't troublesome to seize them you shouldn't tranfer them. That is cracked. Note that I don't say do this just for patching, any reboot or machine specific core change and I will move the roles. It could be something completely unrelated to a patch that caused a failure, especially in a reboot situation. It is such an innocuous thing to do that can save concern and work in the event of a failure. I think if it is easy to do up front, it seems outright stupid to not move the roles and remove all possibility of an issue around them. If I had a DC fail while doing maintenance work, I don't want to have to have made up issues for me to deal with around it, just get the DC working again. I can guarantee you several large companies that I have done work for would all question the process if I didn't do everything I could to limit possible issues up front. I would argue, and have in the past argued, that a seize is not as good as a tranfer regardless of your thoughts on the topic. If that weren't the case, it is probably likely there wouldn't be two methods in the first place. Even now there doesn't really need to be two methods, you could have one method for transfer and if that fails it does the seize but they specifically want you realizing you are seizing. Even if this weren't the case, I would STILL move the roles because it is simple and innocuous and fast. In the end, you can do anything you want to to manage your environments as you see fit, but any environment I run will be handled as I indicated. I see it as such free insurance that is silly not to buy. Let me leave you with a scenario, feel free not to respond if you want. You and I are working on our enterprise environments. We need to patch or do something else which will require a reboot. I go ahead and quickly move the roles and you just go forward in patching, I am slow that day so it takes 30 seconds instead of 15 seconds to move roles and then I am patching. 
You obviously hit reboot first, uh no, the reboot hangs up or the server doesn't reboot or doesn't even POST. 30 seconds later I see the same thing... Assuming we built out Domain Controller Architecture properly what happens next? I go, well that sucks, I will have to fix that at some time and determine when I will make time for it and decide if I will troubleshoot and correct or just wipe and reload. You go, *&[EMAIL PROTECTED]. Do I fix this or do I seize the roles and you think about it while I am getting in my jeep and driving to meet friends or have lunch or dinner. (or alternately maybe some more junior admin makes the WRONG decision without you there..) Once you finally decide what direction you go, you then know what you can properly do. In the meanwhile, your decis
RE: [ActiveDir] FMSO roles split, patch question.
That is fine Deji, you can completely disagree as much you want, it wouldn't be the first time we haven't agreed. :) BTW, I never said Best Practice, I said this is what I do and I agree with Jorge. But in the end, I don't care about best practices, I do what I think is right and the least likely to cause me issues balanced by my efficiency of doing things. You could test something to within an inch of its existence and something still go wrong in production, there is no way to guarantee no issues will occur, that is why we test in the first place. If it could be guaranteed, MSFT would have already done so. So you can put your faith in god all you want but it is prudent to row away from the rocks as well. I am confused as to what disadvantage there is to moving roles? You seem to be saying since it isn't troublesome to seize them you shouldn't tranfer them. That is cracked. Note that I don't say do this just for patching, any reboot or machine specific core change and I will move the roles. It could be something completely unrelated to a patch that caused a failure, especially in a reboot situation. It is such an innocuous thing to do that can save concern and work in the event of a failure. I think if it is easy to do up front, it seems outright stupid to not move the roles and remove all possibility of an issue around them. If I had a DC fail while doing maintenance work, I don't want to have to have made up issues for me to deal with around it, just get the DC working again. I can guarantee you several large companies that I have done work for would all question the process if I didn't do everything I could to limit possible issues up front. I would argue, and have in the past argued, that a seize is not as good as a tranfer regardless of your thoughts on the topic. If that weren't the case, it is probably likely there wouldn't be two methods in the first place. 
Even now there doesn't really need to be two methods, you could have one method for transfer and if that fails it does the seize but they specifically want you realizing you are seizing. Even if this weren't the case, I would STILL move the roles because it is simple and innocuous and fast. In the end, you can do anything you want to to manage your environments as you see fit, but any environment I run will be handled as I indicated. I see it as such free insurance that is silly not to buy. Let me leave you with a scenario, feel free not to respond if you want. You and I are working on our enterprise environments. We need to patch or do something else which will require a reboot. I go ahead and quickly move the roles and you just go forward in patching, I am slow that day so it takes 30 seconds instead of 15 seconds to move roles and then I am patching. You obviously hit reboot first, uh no, the reboot hangs up or the server doesn't reboot or doesn't even POST. 30 seconds later I see the same thing... Assuming we built out Domain Controller Architecture properly what happens next? I go, well that sucks, I will have to fix that at some time and determine when I will make time for it and decide if I will troubleshoot and correct or just wipe and reload. You go, *&[EMAIL PROTECTED]. Do I fix this or do I seize the roles and you think about it while I am getting in my jeep and driving to meet friends or have lunch or dinner. (or alternately maybe some more junior admin makes the WRONG decision without you there..) Once you finally decide what direction you go, you then know what you can properly do. In the meanwhile, your decision may get pushed as users and admins start noticing things aren't as they should be. The GPO management tools are bitching about which machine they should talk to. Users changing passwords via tools using legacy API (yes they still exist even if clients don't) are all breaking. 
Password chaining isn't working for anyone that changed their passwords. Who knows what else is going on, you get to figure it out. I am drinking my second Labatt's not having to make any difficult decisions. All over a 15 second process handled by a batch file that took what maybe 30-60 minutes to write. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji AkomolafeSent: Thursday, August 17, 2006 1:53 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles split, patch question. I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test patch and be sure it doesn't kill things. Test your config changes and be sure it doesn't break things. Test, test and test more before you move into production. Then deploy to production. IF, in spite o
RE: [ActiveDir] FMSO roles split, patch question.
Nah, even when you test stuff still can go wrong. It takes so little time to just transfer the roles. I don’t backup/restore, I just reimage/rebuild. DCs are expendable. Last big client I had, the forest roles floated around the enterprise core sites, and the domain roles floated around the sites they belonged in. Frankly I had no firm idea of exactly where they were, just the general idea of where to find the role holders…netdom query fsmo did the trick. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe Sent: Thursday, August 17, 2006 12:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FMSO roles split, patch question. I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test patch and be sure it doesn't kill things. Test your config changes and be sure it doesn't break things. Test, test and test more before you move into production. Then deploy to production. IF, in spite of all your tests, "something" goes wrong with one DC holding a specific role (or - perish the thought - ALL your roles), it's no big deal. As long as you have other DCs available to assume the roles, the target DCwill not care how they got the roles (graceful transfer or inelegant seizure). It's good to have a script that moves roles as you desire, but this does not fall into the realm of "best practice" in the scheme of things. Your energy should be invested in instituting a comprehensive patch/change management and testing operations practice rather than figuring out where to move roles to in case a patch eats your DC. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon From: joe Sent: Thu 8/17/2006 9:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FMSO roles split, patch question. I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMOprior to an update of a machine than to have to seize the role laterregardless of the reason of it going down. Especially when you have a scriptthat applies the NTSUTIL commands to move the roles. A move of all roles ina properly scripted environment is a procedure that takes all of about 10-15seconds. A seize on the other hand isn't something you should just quicklythink about doing, you need to work out the consequences and make adetermination in most cases whether or not you will ever bring that DC backup as it stands now. It is, IMO, a no-brainer if you have multiple DCs as itis isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machinespecific updates. I never assume a server is going to come back up after Isay restart or in fact even go down properly without hanging. Now I understand the SBS thoughts behind it though... In the SBS world ifyou lost the DC, you have far greater issues than you lost a FSMO role forthe moment. In the world outside of SBS, most people look at DCs asexpendable. You set up 10 of them in front of you and 5 fell down you wouldbe like, crap, I will have to fix those at some point. You set up an SBS DCand it falls over there are skid marks where you were previously standing. joe --O'Reilly Active Directory Third Edition -http://www.joeware.net/win/ad3e.htm -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPAaka Ebitz - SBS Rocks [MVP]Sent: Thursday, August 17, 2006 11:48 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] FMSO roles split, patch question. As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. 
Driver update may and has, yes.Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers. Almeida Pinto, Jorge de wrote:> the reason is that is a DC dies during the patching you do not have toseize the rolesIMHO, I prefer transfering over seizing> > Met vriendelijke groeten / Kind regards,> Ing. Jorge de Almeida Pinto> Senior Infrastructure Consultant> MVP Windows Server - Directory Se
RE: [ActiveDir] FMSO roles split, patch question.
Minutes to hours. Depends on what exactly is going on. If it was heavy maintenance do it as far as you want in advance, if rolling through applying patches move the role, patch the server, move the role back. Depending on how many patches and the reboot times it could be less than 5 minutes with two FSMO moves in that time frame. The environment will be fine.

The worst role to move is the PDC role and that is simply because it is a target for various things but moving the PDC role in 2K is so much incredibly nicer than it was in NT4 and I don't hesitate to move it now. Under NT4 there were many times I would sit there and wonder, what is going to screw up when I do this. And yes, many people will sit back and go huh, there was no problem doing that in NT4... Trust me, in very large NT domains (>60k users[1] and hundreds of WAN based BDCs) it could get tricky. More than once I saw a PDC role transfer result in two hung servers that had to be hard reset.

Once you move the role, if you are worried, simply take a peek at the DNS records to make sure the PDC record was updated and make sure the WINS 1B record reflects the new PDC and everything is good. Most legacy functions that need the PDC will ask for the 1B record and then hit the server listed and ask, hey are you the PDC? If the response comes back as negative, the machine will get the entire 1C record and send the request to every DC listed in the 1C record (25 machines) and probably find it that way. If it doesn't the call will fail and you will get, couldn't find the PDC or couldn't find the domain. The one time I recall troubleshooting that for someone they had moved the PDC role to a machine that wasn't properly configured for WINS or it was actually incorrectly running the WINS Service or something like that. It was a dee de dee move on the part of some admin that caused the issue, not anything technical.

joe

[1] While there was a recommended limit of no more than 40k users in a domain in NT4 I stumbled into an environment that people hadn't been paying attention and had 3 domains over that limit, ~65k, ~85k and ~110k. It works, you just burn a PS/2 Token Ring card every morning in an offering to the IT gods...

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Thursday, August 17, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

What's the time interval on moving these before you patch the DC's that the roles were on.

john

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 17, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing, you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging. Now I understand the SBS thoughts behind it though...
In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up an SBS DC and it falls over there are skid marks where you were previously standing. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, August 17, 2006 11:48 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FMSO roles split, patch question. As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find
RE: [ActiveDir] FMSO roles split, patch question.
I am not into restoring from backup unless absolutely required. I like how easy it is to rebuild and repromote. As I mentioned in the other post, I consider DCs to be expendable like individual drives in a RAID Set. Now if I was crazy enough to run a bunch of other services on a DC that were specific to a given DC then I might be a little more likely to look at restores but in the meanwhile I would have kicked my own butt for putting myself in that position in the first place. You don't put extra services on DCs for several reasons, not having to restore them is just a side effect. Primarily you do it to reduce vectors against your security and stability. In the SBS world I would be completely out of sorts with myself over their working conditions. :) Hopefully all of the enterprise customers won't go out of business though. ;) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, August 17, 2006 12:58 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FMSO roles split, patch question. Valid point. But you should [try and] restore from the backup that ran the night before and that you verified successfully completed before you applied the patch... ;-) If you have a document process that goes through the proper change control, then there shouldn't be any reason to do this. The patches should be tested in dev and pre-prod and then applied, only if there's a rollback option, and that should be something like "uninstall patch; restore from last night's successful back if unable to boot and uninstall". --Paul - Original Message - From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> To: Sent: Thursday, August 17, 2006 4:02 PM Subject: RE: [ActiveDir] FMSO roles split, patch question. 
the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :

From: [EMAIL PROTECTED] on behalf of John Strongosky
Sent: Thu 2006-08-17 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I'm confused, is this a standard practice as I thought you did not want to move the FMSO roles back and forth.

john

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 17, 2006 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

in addition to that
DC1 having FSMOset1 and DC2 having FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs, DCdiag, etc)
if everything OK! transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs, DCdiag, etc)
if everything OK! transfer FSMOset2 from DC1 to DC2
voila (that's french)...done! ;-)

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Wednesday, August 09, 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

It doesn't matter.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.

We have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/RID Pool/Infrastructure on the other. After I apply the patches from Microsoft what is the best practices for the boot order...or does it matter?
1. Remote DC/GC's first
2. no. 1
3. then no 2.

thanks

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List
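Jorge's transfer/patch/transfer sequence quoted above, together with joe's advice (earlier in the thread) to confirm the PDC record points at the new holder after a move, as an added PowerShell example that is not code from the thread or from any of its posters. It assumes the ActiveDirectory module cmdlets (Move-ADDirectoryServerOperationMasterRole, Get-ADDomain, Get-ADForest) plus Resolve-DnsName and Test-NetConnection, all of which postdate the 2006 thread (joe's batch file drove ntdsutil instead); DC1 and DC2 are placeholder names matching the OP's split, and the patch step itself is supplied by the operator as a script block.

```powershell
# Added example, not code from the thread. Runs Jorge's transfer/patch/transfer cycle
# with the ActiveDirectory PowerShell module (newer than the 2006 thread; joe's batch
# file used ntdsutil) and adds joe's post-move PDC locator check. DC1/DC2 are placeholders.
#Requires -Modules ActiveDirectory

$Dc1 = 'DC1'   # placeholder: the OP's first DC, holding the forest roles
$Dc2 = 'DC2'   # placeholder: the OP's second DC, holding the domain roles

$FsmoSet1 = @('SchemaMaster', 'DomainNamingMaster')                 # lives on DC1
$FsmoSet2 = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')   # lives on DC2

function Get-FsmoHolders {
    # Role name -> FQDN of the current holder, forest and domain roles combined
    # (the PowerShell counterpart of Brian's "netdom query fsmo").
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param([string]$Target, [string[]]$Roles)
    # Graceful transfer only: no -Force, so this never seizes. If the current holder
    # is unreachable the cmdlet fails and a human decides what happens next.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
    $holders = Get-FsmoHolders
    $hostPattern = "^$([regex]::Escape($Target))(\.|$)"   # short name or FQDN
    foreach ($r in $Roles) {
        if ($holders[$r] -notmatch $hostPattern) {
            throw "Role $r still reports holder $($holders[$r]); expected $Target"
        }
    }
}

function Test-PdcLocator {
    param([string]$ExpectedPdc)
    # joe's check after moving the PDC role: the PDC SRV record and the DC locator
    # must name the new holder before the old one is taken down.
    $dnsRoot = (Get-ADDomain).DNSRoot
    $hostPattern = "^$([regex]::Escape($ExpectedPdc))(\.|$)"
    $srv = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$dnsRoot" -Type SRV -ErrorAction Stop
    if (-not ($srv | Where-Object { $_.NameTarget -match $hostPattern })) {
        throw "PDC SRV record does not point at $ExpectedPdc yet"
    }
    # nltest asks the locator the same question legacy callers ask via the WINS 1B record.
    $loc = nltest /dsgetdc:$dnsRoot /pdc
    if ($LASTEXITCODE -ne 0 -or (($loc -join ' ') -notmatch [regex]::Escape($ExpectedPdc))) {
        throw "DC locator did not return $ExpectedPdc as the PDC"
    }
}

function Test-DcHealth {
    param([string]$Dc, [datetime]$Since)
    # Jorge's "check everything (event logs, DCdiag, etc)" step after the reboot.
    if (-not (Test-NetConnection -ComputerName $Dc -Port 389 -InformationLevel Quiet)) {
        throw "$Dc is not answering LDAP after the reboot"
    }
    $problems = dcdiag /s:$Dc /q | Where-Object { $_.Trim() }   # /q prints only failures
    if ($problems) { throw "dcdiag on ${Dc}:`n$($problems -join "`n")" }
    $events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = $Since }
    if ($events) { throw "$($events.Count) critical/error Directory Service events on $Dc since $Since" }
}

function Invoke-PatchCycle {
    # $PatchAndReboot is the operator's own patch step for one DC (WSUS, SCCM, by hand);
    # it must return once the DC is back up. Not for SBS: that box has to keep every
    # role, as Susan explains further down the thread.
    param([scriptblock]$PatchAndReboot)

    $since = Get-Date
    Move-FsmoRoles -Target $Dc2 -Roles $FsmoSet1                  # DC1 now holds nothing
    & $PatchAndReboot $Dc1
    Test-DcHealth -Dc $Dc1 -Since $since

    $since = Get-Date
    Move-FsmoRoles -Target $Dc1 -Roles ($FsmoSet1 + $FsmoSet2)    # DC2 now holds nothing
    Test-PdcLocator -ExpectedPdc $Dc1
    & $PatchAndReboot $Dc2
    Test-DcHealth -Dc $Dc2 -Since $since

    Move-FsmoRoles -Target $Dc2 -Roles $FsmoSet2                  # back to the original split
    Test-PdcLocator -ExpectedPdc $Dc2
    Get-FsmoHolders
}

# Example call; the patch step shown only reboots and waits, substitute the real patch tool.
# Invoke-PatchCycle -PatchAndReboot {
#     param($dc)
#     Restart-Computer -ComputerName $dc -Wait -For PowerShell -Timeout 900 -Force
# }
```

Every move goes through a plain transfer and is verified against Get-ADDomain/Get-ADForest before the next step, so a holder that has already gone quiet stops the run instead of being seized by accident, which is exactly the decision joe wants left to a person. The PDC locator check runs whenever the PDC Emulator changes hands, since that is the role legacy callers resolve through DNS and WINS.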
RE: [ActiveDir] FMSO roles split, patch question.
I completely disagree with you. I understand the thinking behind the move-roles-before-patch stance. I just don't buy into it. Test patch and be sure it doesn't kill things. Test your config changes and be sure it doesn't break things. Test, test and test more before you move into production. Then deploy to production. IF, in spite of all your tests, "something" goes wrong with one DC holding a specific role (or - perish the thought - ALL your roles), it's no big deal. As long as you have other DCs available to assume the roles, the target DCwill not care how they got the roles (graceful transfer or inelegant seizure). It's good to have a script that moves roles as you desire, but this does not fall into the realm of "best practice" in the scheme of things. Your energy should be invested in instituting a comprehensive patch/change management and testing operations practice rather than figuring out where to move roles to in case a patch eats your DC. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.akomolafe.com - we know IT-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joeSent: Thu 8/17/2006 9:31 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] FMSO roles split, patch question. I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. 
A seize on the other hand isn't something you should just quickly think about doing, you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it is isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging. Now I understand the SBS thoughts behind it though... In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up an SBS DC and it falls over there are skid marks where you were previously standing. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, August 17, 2006 11:48 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FMSO roles split, patch question. As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers. 
Almeida Pinto, Jorge de wrote: > the reason is that is a DC dies during the patching you do not have to seize the rolesIMHO, I prefer transfering over seizing > > Met vriendelijke groeten / Kind regards, > Ing. Jorge de Almeida Pinto > Senior Infrastructure Consultant > MVP Windows Server - Directory Services > > LogicaCMG Nederland B.V. (BU RTINC Eindhoven) > ( Tel : +31-(0)40-29.57.777 > ( Mobile : +31-(0)6-26.26.62.80 > * E-mail : > > > > From: [EMAIL PROTECTED] on behalf of John Strongosky > Sent: Thu 2006-08-17 16:55 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] FMSO roles split, patch question. > > > I cornfused is this a standard practice as I thought you did not want to move the FMSO roles back and forth. > > john > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de > Sent: Thursday, August 17, 2006 4:33 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [
Re: [ActiveDir] FMSO roles split, patch question.
NT 4.0? 'nuff said. NT should be killed off. :-) The patching mechanisms of the NT 4.0 era are not the patch mechanisms of today. We've gone from like 8 patch engines down to 2. We didn't have patch Tuesday when NT was built.

Paul Williams wrote:
> I have. When bulk-patching NT 4 servers several died (OS was trashed, not the h/w) and had to be restored from the backup the night before. There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB section of the disk, although that hit workstations more than servers as they'd been built from images and had bigger disks than the NT 4 boot loader could cope with.
>
> --Paul
>
> ----- Original Message -----
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
> Sent: Thursday, August 17, 2006 4:47 PM
> Subject: Re: [ActiveDir] FMSO roles split, patch question.
>
> > As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.
> >
> > Almeida Pinto, Jorge de wrote:
> > > the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
> > >
> > > Kind regards,
> > > Ing. Jorge de Almeida Pinto
> > > Senior Infrastructure Consultant
> > > MVP Windows Server - Directory Services
> > > LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> > > Tel: +31-(0)40-29.57.777
> > > Mobile: +31-(0)6-26.26.62.80
> > >
> > > From: [EMAIL PROTECTED] on behalf of John Strongosky
> > > Sent: Thu 2006-08-17 16:55
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] FMSO roles split, patch question.
> > >
> > > > I cornfused is this a standard practice as I thought you did not want to move the FMSO roles back and forth.
> > > >
> > > > john
> > > >
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
> > > > Sent: Thursday, August 17, 2006 4:33 AM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: RE: [ActiveDir] FMSO roles split, patch question.
> > > >
> > > > > in addition to that
> > > > > DC1 having FSMOset1 and DC2 having FSMOset2
> > > > > transfer FSMOset1 from DC1 to DC2
> > > > > apply patches to DC1 and reboot and check everything (event logs, DCdiag, etc)
> > > > > if everything OK!
> > > > > transfer FSMOset1 and FSMOset2 from DC2 to DC1
> > > > > apply patches to DC2 and reboot and check everything (event logs, DCdiag, etc)
> > > > > if everything OK!
> > > > > transfer FSMOset2 from DC1 to DC2
> > > > > voila (that's french)...done! ;-)
> > > > >
> > > > > jorge
> > > > >
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
> > > > > Sent: Wednesday, August 09, 2006 01:52
> > > > > To: ActiveDir@mail.activedir.org
> > > > > Subject: RE: [ActiveDir] FMSO roles split, patch question.
> > > > >
> > > > > > It doesn't matter.
> > > > > >
> > > > > > Sincerely,
> > > > > > Deji Akomolafe
> > > > > > Microsoft MVP - Directory Services
> > > > > > www.akomolafe.com - we know IT
> > > > > > -5.75, -3.23
> > > > > > Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
> > > > > >
> > > > > > From: John Strongosky
> > > > > > Sent: Tue 8/8/2006 4:49 PM
> > > > > > To: ActiveDir@mail.activedir.org
> > > > > > Subject: [ActiveDir] FMSO roles split, patch question.
> > > > > >
> > > > > > > We have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Infrastructure on the other. After I apply the patches from Microsoft what is the best practice for the boot order...or does it matter?
> > > > > > > 1. Remote DC/GC's first
> > > > > > > 2. no. 1
> > > > > > > 3. then no 2.
> > > > > > > thanks
> > > > > > >
> > > > > > > This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
> >
> > --
> > Letting your vendors set your risk analysis these days? http://www.threatcode.com
> > If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] FMSO roles split, patch question.
Skid marks? More like blood, guts, gore and medics yelling "Triage!" I can tell you though that we've had way more issues installing service packs than patches. Gimme a patch Tuesday and I don't blink an eye. Hand me a service pack and I'm not looking forward to it. SBS 4.5: we lost Internet connectivity on that box with a RRAS patch eons ago and that's, to the best of my knowledge, the last time a patch nailed our servers so hard they lost major parts of their job description. Normally if we lose the DC, there's some other fundamental reason for the loss and it's not necessarily patch related. I am seeing desktop and app impact these days...

Incidents.org has put up a nice grid tracking the known issues in the patches this month:
Microsoft August 2006 Patches: STATUS
http://isc.sans.org/diary.php?n&storyid=1611

So far desktops are getting the worst of it.

(As a FYI, SBS has to be the PDC and hold the FSMO roles. If the FSMO roles are not held by the SBS box we have this slightly nasty habit of having this sbscore service enforce our limitations and force a shut down every hour on the hour. Thus... while transferring/seizing is best practice for you guys... I'd advise anyone patching SBS networks to not do that.)
Windows 2003 Small Business Server Shuts Down Unexpectedly; Events 1001, 1013 and 1014 are Logged:
http://support.microsoft.com/kb/555087

Also a bit OT: but check out the SCE blog and all the new betas on the renamed MOM stuff... sounding cool if they pull it off...
System Center Essentials Product Team Blog:
http://blogs.technet.com/caseymck/default.aspx

The team is hard at work on the System Center Essentials public beta release. Expect to see a link to the install bits in a few weeks. This public beta enables almost all of our core product scenarios:
1- Comprehensive monitoring of servers and clients
2- Update and Patch Deployment (of Microsoft and Third Party apps)
3- Software Distribution (MSI and EXE-based apps)
4- Software & Hardware Inventory
5- Remote Managed Services (for service providers)
Looking forward to customer feedback, feel free to post it to this blog when you can.

joe wrote:
> I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTDSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing, you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging.
>
> Now I understand the SBS thoughts behind it though... In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up an SBS DC and it falls over there are skid marks where you were previously standing.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Thursday, August 17, 2006 11:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] FMSO roles split, patch question.
Re: [ActiveDir] FMSO roles split, patch question.
I have. When bulk-patching NT 4 servers several died (OS was trashed, not the h/w) and had to be restored from the backup the night before. There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB section of the disk, although that hit workstations more than servers as they'd been built from images and had bigger disks than the NT 4 boot loader could cope with.

--Paul

----- Original Message -----
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
Sent: Thursday, August 17, 2006 4:47 PM
Subject: Re: [ActiveDir] FMSO roles split, patch question.

> As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.
>
> Almeida Pinto, Jorge de wrote:
> > the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
>
> --
> Letting your vendors set your risk analysis these days? http://www.threatcode.com
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] FMSO roles split, patch question.
Valid point. But you should [try and] restore from the backup that ran the night before and that you verified successfully completed before you applied the patch... ;-)

If you have a documented process that goes through the proper change control, then there shouldn't be any reason to do this. The patches should be tested in dev and pre-prod and then applied, only if there's a rollback option, and that should be something like "uninstall patch; restore from last night's successful backup if unable to boot and uninstall".

--Paul

----- Original Message -----
From: "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]>
Sent: Thursday, August 17, 2006 4:02 PM
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
>
> Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>
> From: [EMAIL PROTECTED] on behalf of John Strongosky
> Sent: Thu 2006-08-17 16:55
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> > I cornfused is this a standard practice as I thought you did not want to move the FMSO roles back and forth.
> >
> > john
RE: [ActiveDir] FMSO roles split, patch question.
What's the time interval on moving these before you patch the DC's that the roles were on.

john

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 17, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTDSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing, you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging.
>
> Now I understand the SBS thoughts behind it though... In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up an SBS DC and it falls over there are skid marks where you were previously standing.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Thursday, August 17, 2006 11:48 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] FMSO roles split, patch question.
RE: [ActiveDir] FMSO roles split, patch question.
I completely concur with Jorge on his process. It takes a lot less hassle and a lot less feeling of concern to move a FSMO prior to an update of a machine than to have to seize the role later regardless of the reason of it going down. Especially when you have a script that applies the NTDSUTIL commands to move the roles. A move of all roles in a properly scripted environment is a procedure that takes all of about 10-15 seconds. A seize on the other hand isn't something you should just quickly think about doing, you need to work out the consequences and make a determination in most cases whether or not you will ever bring that DC back up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it isn't any real workload or concern to do it. When I am doing production ops I *always* move roles prior to making machine specific updates. I never assume a server is going to come back up after I say restart or in fact even go down properly without hanging.

Now I understand the SBS thoughts behind it though... In the SBS world if you lost the DC, you have far greater issues than you lost a FSMO role for the moment. In the world outside of SBS, most people look at DCs as expendable. You set up 10 of them in front of you and 5 fell down you would be like, crap, I will have to fix those at some point. You set up an SBS DC and it falls over there are skid marks where you were previously standing.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 17, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FMSO roles split, patch question.

> As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.
>
> Almeida Pinto, Jorge de wrote:
> > the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
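Jorge's transfer, patch, verify, transfer-back sequence together with the scripted role move joe describes, as an added PowerShell example that is not code from this thread or any of its authors. It assumes the ActiveDirectory module (Move-ADDirectoryServerOperationMasterRole, Get-ADForest, Get-ADDomain), which did not exist in 2006; the DC names DC1/DC2 are constructed placeholders and Invoke-PatchWindow is a hypothetical stand-in for whatever patch tooling a site actually uses.

```powershell
# Added example (not from the thread): scripted "transfer, patch, verify, transfer back".
# Assumes the ActiveDirectory module (RSAT) and an account that may transfer every role
# (Schema Admins for the schema master, Enterprise Admins for domain naming).
Import-Module ActiveDirectory

# Constructed placeholders: DC1 holds FSMOset1, DC2 holds FSMOset2, as in Jorge's message.
$DC1 = 'DC1'
$DC2 = 'DC2'
$FsmoSet1 = 'SchemaMaster', 'DomainNamingMaster'               # forest-wide roles
$FsmoSet2 = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'  # domain-wide roles

function Get-FsmoOwners {
    # Snapshot of who holds what, read from the forest and domain objects.
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-Roles([string]$To, [string[]]$Roles) {
    # Transfer, never seize: -Force is deliberately absent, so the current owner must be
    # online and the move is a clean handover. A seize is a separate, considered decision.
    Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $Roles -Confirm:$false
    $owners = Get-FsmoOwners
    foreach ($r in $Roles) {
        $owner = $owners.$r
        if ($owner -notlike "$To*") { throw "Transfer of $r to $To not reflected (owner: $owner)" }
    }
}

function Test-DcHealthy([string]$Dc) {
    # "check everything (event logs, DCdiag, etc)": dcdiag /q prints only failures, so any
    # output counts as a failed test; then look for Directory Service / System errors since boot.
    $diag = & dcdiag.exe "/s:$Dc" /q 2>&1
    if ($LASTEXITCODE -ne 0 -or $diag) {
        Write-Warning "dcdiag reported problems on ${Dc}:`n$($diag -join "`n")"
        return $false
    }
    $boot = (Get-CimInstance Win32_OperatingSystem -ComputerName $Dc).LastBootUpTime
    $errors = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service', 'System'; Level = 1, 2; StartTime = $boot }
    if ($errors) {
        Write-Warning "$($errors.Count) critical/error events on $Dc since boot:"
        $errors | Select-Object -First 10 TimeCreated, Id, ProviderName, Message |
            Format-List | Out-String | Write-Warning
        return $false
    }
    return $true
}

function Invoke-PatchWindow([string]$Dc) {
    # Hypothetical stand-in for the site's own patch step (WSUS, SCCM, manual install).
    Write-Host "Apply patches to $Dc and reboot it, then press Enter once it is back online"
    Read-Host | Out-Null
    if (-not (Test-Connection -ComputerName $Dc -Count 2 -Quiet)) { throw "$Dc did not come back" }
}

# Step 0: DC2 must be healthy before it takes on extra roles.
if (-not (Test-DcHealthy $DC2)) { throw "$DC2 failed pre-checks; not moving roles to it" }

# Step 1: transfer FSMOset1 from DC1 to DC2, patch DC1, check everything.
Move-Roles -To $DC2 -Roles $FsmoSet1
Invoke-PatchWindow $DC1
if (-not (Test-DcHealthy $DC1)) { throw "$DC1 unhealthy after patching; roles stay on $DC2" }

# Step 2: transfer both sets from DC2 to DC1, patch DC2, check everything.
Move-Roles -To $DC1 -Roles ($FsmoSet1 + $FsmoSet2)
Invoke-PatchWindow $DC2
if (-not (Test-DcHealthy $DC2)) { throw "$DC2 unhealthy after patching; roles stay on $DC1" }

# Step 3: transfer FSMOset2 back to DC2, restoring the original split.
Move-Roles -To $DC2 -Roles $FsmoSet2
Get-FsmoOwners | Format-List
```

If a check fails the script stops with the roles parked on the healthy DC, which is the whole point of Jorge's ordering: nothing ever has to be seized from a box that did not come back.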
RE: [ActiveDir] FMSO roles split, patch question.
This will be one of the rare occasions I disagree with Jorge. I see no usefulness in this ping pong exercise. DC dies in the process of patching and it is the one holding a specific FSMO role. So what? Just seize the role and wipe the server and do your cleanup and reinstall. Due diligence is to test your patches and ensure that they don't take your servers/infrastructure down before you proceed with deploying them on your live environment.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Almeida Pinto, Jorge de
Sent: Thu 8/17/2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
>
> Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Re: [ActiveDir] FMSO roles split, patch question.
As a person who tests/patches a bunch of single DCs I've never seen a "patch" kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.

Almeida Pinto, Jorge de wrote:
> the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
>
> Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>
> From: [EMAIL PROTECTED] on behalf of John Strongosky
> Sent: Thu 2006-08-17 16:55
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> > I cornfused is this a standard practice as I thought you did not want to move the FMSO roles back and forth.
> >
> > john

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] FMSO roles split, patch question.
Makes sense. How many dc's do you have in your infrastructure...

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 17, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

> the reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing
>
> Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>
> From: [EMAIL PROTECTED] on behalf of John Strongosky
> Sent: Thu 2006-08-17 16:55
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] FMSO roles split, patch question.
>
> > I cornfused is this a standard practice as I thought you did not want to move the FMSO roles back and forth.
> >
> > john
RE: [ActiveDir] FMSO roles split, patch question.
The reason is that if a DC dies during the patching you do not have to seize the roles. IMHO, I prefer transferring over seizing.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

John Strongosky wrote (Thu 2006-08-17 16:55):
I'm confused. Is this a standard practice, as I thought you did not want to move the FSMO roles back and forth?
john
RE: [ActiveDir] FMSO roles split, patch question.
I'm confused. Is this a standard practice, as I thought you did not want to move the FSMO roles back and forth?

john

Almeida Pinto, Jorge de wrote (Thursday, August 17, 2006 4:33 AM):
In addition to that: DC1 has FSMOset1 and DC2 has FSMOset2.
1. Transfer FSMOset1 from DC1 to DC2.
2. Apply patches to DC1, reboot and check everything (event logs, DCDiag, etc.). If everything is OK:
3. Transfer FSMOset1 and FSMOset2 from DC2 to DC1.
4. Apply patches to DC2, reboot and check everything (event logs, DCDiag, etc.). If everything is OK:
5. Transfer FSMOset2 from DC1 to DC2.
Voilà (that's French)... done! ;-)
jorge

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] FMSO roles split, patch question.
In addition to that: DC1 has FSMOset1 and DC2 has FSMOset2.
1. Transfer FSMOset1 from DC1 to DC2.
2. Apply patches to DC1, reboot and check everything (event logs, DCDiag, etc.). If everything is OK:
3. Transfer FSMOset1 and FSMOset2 from DC2 to DC1.
4. Apply patches to DC2, reboot and check everything (event logs, DCDiag, etc.). If everything is OK:
5. Transfer FSMOset2 from DC1 to DC2.
Voilà (that's French)... done! ;-)

jorge

Deji Akomolafe wrote (Wednesday, August 09, 2006 01:52):
It doesn't matter.
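The transfer / patch / check / transfer-back sequence from the message above, scripted as an added example; this is not code from the thread or from any of its participants. It assumes the ActiveDirectory PowerShell module from RSAT, two DCs whose FQDNs are placeholders (DC1.corp.example, DC2.corp.example), the role split from the original question (set 1 = Schema Master and Domain Naming Master, set 2 = PDC Emulator, RID Master and Infrastructure Master), and a site-specific patch step passed in as a script block; the function names are the example's own.

```powershell
# Added example: the transfer / patch / check / transfer-back sequence from
# the thread, scripted. Assumes RSAT's ActiveDirectory module; DC names and
# the patch step are placeholders.
Import-Module ActiveDirectory

$DC1  = 'DC1.corp.example'      # assumed: use FQDNs, the forest/domain
$DC2  = 'DC2.corp.example'      # objects report role holders as FQDNs
$Set1 = 'SchemaMaster', 'DomainNamingMaster'               # forest-wide roles
$Set2 = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster' # domain-wide roles

# Current holders as seen by one specific DC (so a just-moved role is read
# from the DC that received it, not from a replica that has not caught up).
function Get-FsmoHolders {
    param([string]$Server)
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# Transfer (no -Force, so never a seizure) and refuse to go on until the
# target DC reports itself as holder of every role in the set.
function Move-FsmoSet {
    param([string]$To, [string[]]$Roles)
    Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $Roles -Confirm:$false
    $holders = Get-FsmoHolders -Server $To
    foreach ($r in $Roles) {
        if ($holders[$r] -ine $To) {
            throw "Transfer of $r to $To not confirmed; holder is $($holders[$r])"
        }
    }
}

# "Check everything": dcdiag /q prints only failures, so any output is a
# problem; plus Critical/Error events logged on the DC since the reboot.
function Test-DcHealth {
    param([string]$Dc, [datetime]$Since)
    $problems = @()
    $diag = & dcdiag.exe /s:$Dc /q 2>&1
    if ($diag) { $problems += "dcdiag: " + ($diag -join ' ') }
    $events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service', 'DNS Server'
        Level     = 1, 2            # 1 = Critical, 2 = Error
        StartTime = $Since
    }
    foreach ($e in $events) {
        $problems += "$($e.LogName) event $($e.Id): " + ($e.Message -split "`n")[0]
    }
    return $problems
}

# The whole window. $Patch is the site-specific install+reboot step; it gets
# the DC name and must return only once the DC is back on the network.
function Invoke-DcPatchWindow {
    param([scriptblock]$Patch)
    # 1. DC1 hands its set to DC2, so a failed patch on DC1 leaves nothing to seize.
    Move-FsmoSet -To $DC2 -Roles $Set1
    $t0 = Get-Date
    & $Patch $DC1
    $bad = Test-DcHealth -Dc $DC1 -Since $t0
    if ($bad) { throw "DC1 unhealthy after patching; roles stay on DC2:`n" + ($bad -join "`n") }
    # 2. Everything to DC1 so DC2 can be patched holding nothing.
    Move-FsmoSet -To $DC1 -Roles ($Set1 + $Set2)
    $t0 = Get-Date
    & $Patch $DC2
    $bad = Test-DcHealth -Dc $DC2 -Since $t0
    if ($bad) { throw "DC2 unhealthy after patching; roles stay on DC1:`n" + ($bad -join "`n") }
    # 3. Restore the original split and show the result.
    Move-FsmoSet -To $DC2 -Roles $Set2
    Get-FsmoHolders -Server $DC2
}

# Placeholder patch step: installs nothing, only reboots and waits until
# WinRM and LDAP (389) answer again. Replace with the WSUS/SCCM/manual step.
$patchStep = {
    param($dc)
    Restart-Computer -ComputerName $dc -Force -Wait -For WinRM -Timeout 900
    do { Start-Sleep -Seconds 15 }
    until (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)
}

Invoke-DcPatchWindow -Patch $patchStep
```

The script only ever transfers; the seize path is `-Force` on Move-ADDirectoryServerOperationMasterRole, and the point of moving the roles off a DC before patching it is that you never have to take that path. If a health check fails, the script stops with the roles still on the healthy DC, which is exactly the state you want while you troubleshoot. The remote DCs and GCs in the original question hold no roles, so their reboot order is independent of this sequence; the one placement rule worth remembering when GCs are in the picture is that the Infrastructure Master should not sit on a GC unless every DC in the domain is a GC.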
Re: [ActiveDir] FMSO roles split, patch question.
Security bulletin 06-040... out yesterday. Put it on a test priority, folks. http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

John Strongosky wrote:
06-040?? What is this?
john

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] FMSO roles split, patch question.
06-040?? What is this?

john

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote (Tuesday, August 08, 2006 5:17 PM):
The main thing is to test and approve 06-040 and get that one on the fast track IMHO.
Re: [ActiveDir] FMSO roles split, patch question.
The main thing is to test and approve 06-040 and get that one on the fast track IMHO.

Deji Akomolafe wrote:
It doesn't matter.
RE: [ActiveDir] FMSO roles split, patch question.
It doesn't matter.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

John Strongosky wrote (Tue 8/8/2006 4:49 PM):
We have our FSMO roles split between 2 DCs. They are Schema Master/Domain Tree Operator on one, and on the other the roles PDC Emulator/RID Pool/Infrastructure. After I apply the patches from Microsoft, what is the best practice for the boot order... or does it matter?
1. Remote DCs/GCs first
2. No. 1
3. Then No. 2
thanks
[ActiveDir] FMSO roles split, patch question.
We have our FSMO roles split between 2 DCs. They are Schema Master/Domain Tree Operator on one, and on the other the roles PDC Emulator/RID Pool/Infrastructure. After I apply the patches from Microsoft, what is the best practice for the boot order... or does it matter?
1. Remote DCs/GCs first
2. No. 1
3. Then No. 2
thanks