Windows Server 2000/2003 Thread, FSMO query for MS exam in Technical
  1. #1

    FSMO query for MS exam

    I'm studying and have a theoretical question:

    I know that there are 5 FSMO roles and there should be one instance of each FSMO role (though I think it may be possible to duplicate *some* of them and distribute them amongst DCs). I know that the FSMO roles can be moved from one DC to another, but what if the DC holding one or more of the FSMO roles dies (perhaps there's been a water leak in the server room)? Would I be absolutely st****d? I've heard of seizing the role, but if the hard drive holding the FSMO role is dead, surely I wouldn't be able to seize the role anyway?

    A supplementary question - what if just the system disk (or partition) of the PDC died? Would I have to reinstall and hope that the BDC would step in to recreate everything for me? Is this a time where I should consider mirroring the system partition on the PDC (and probably the BDC)?

    I hasten to add that I've never faced these scenarios, I'm just thinking laterally about what MS might throw at me in an exam.

  2. #2


    Originally Posted by Ignatius:
    I'm studying and have a theoretical question:

    I know that there are 5 FSMO roles and there should be one instance of each FSMO role (though I think it may be possible to duplicate *some* of them and distribute them amongst DCs). I know that the FSMO roles can be moved from one DC to another, but what if the DC holding one or more of the FSMO roles dies (perhaps there's been a water leak in the server room)? Would I be absolutely st****d? I've heard of seizing the role, but if the hard drive holding the FSMO role is dead, surely I wouldn't be able to seize the role anyway?
    This is exactly when you seize the role. Normally transferring the role asks for permission before taking it over. If you seize the role, the new DC just takes over without checking first. The important bit is that you never, ever bring that original DC back online. Once the role has been seized from it the official guidance is to decommission it fully, though you can usually get away with reformatting.

    A supplementary question - what if just the system disk (or partition) of the PDC died? Would I have to reinstall and hope that the BDC would step in to recreate everything for me? Is this a time where I should consider mirroring the system partition on the PDC (and probably the BDC)?
    Again, seize the role. The important thing is to get the network fully functional again. What you do with the dead server afterwards is secondary.

    Both these answers are just based on what I have been taught, and what I recall as being best practice.

  3. Thanks to jamesb from:

    Ignatius (25th May 2010)

  4. #3

    That's useful - thank you.

    I think my confusion is in the terminology ... I realise that it's possible to transfer the role to a different DC and I thought that "seize" was a similar process, but I wondered just how that could happen if the original DC was dead. I appreciate that what's really happening is that the new DC is creating a replacement FSMO role.

    A supplementary question then - does the DC with the new FSMO role (let's say the RID Master for example) check around the Forest to examine what's been done before and then make sure that the new one doesn't replicate what's been done before? My logic says that it should ... but I might be wrong!

    Finally, are there any comments (from anyone) about mirroring the system partition. Is it good practice or would anyone say it's really mandatory?

  5. #4

    glennda
    AFAIK, in theory the DC that is going to be seizing should know all the information about the domain/forest anyway; it just does not control it. This DC is just going to tell the clients/other DCs that it now holds the role, and doesn't check and remove the role from the dead domain controller which previously had the role that it is taking.

    I have done this a couple of times. There is a good Support article about this which is just a step-by-step guide. Might be worth a read. It's called something like "how to remove active directory data after a failed demotion" or something. It's the same procedure as if the server has failed.

  6. #5
    timbo343
    Originally Posted by Ignatius:
    Finally, are there any comments (from anyone) about mirroring the system partition. Is it good practice or would anyone say it's really mandatory?
    We used to mirror the OS drive until we got bitten hard. I have found that the only problem with mirroring is that if the active drive has a problem then the mirror drive also has a problem, so really you have shot yourself in the foot. The way I would do things is to take an image of the C: drive with something like Acronis, or something that will create an image while the server is still running; then you are able to dump the image back onto the drive from before any of the problems occurred. We now have all the drives in a RAID 5 configuration and partition the drives from there. At least then if a drive fails the system will keep running.

  7. #6

    powdarrmonkey
    Originally Posted by Ignatius:
    though I think it may be possible to duplicate *some* of them and distribute them amongst DCs
    You cannot duplicate any of them. You merely distribute them as a *limited* safety measure.

    A supplementary question - what if just the system disk (or partition) of the PDC died? Would I have to reinstall and hope that the BDC would step in to recreate everything for me?
    This is the situation in which you seize roles that dead domain controllers were holding.

    (There are no such things as PDCs and BDCs any more, only domain controllers and domain controllers that are responsible for a master role.)

    Is this a time where I should consider mirroring the system partition on the PDC (and probably the BDC)?
    You should be doing that anyway, along with every other backup measure you can think of. Forcibly playing about with DC memberships and master roles is an absolutely last resort.

    Originally Posted by jamesb:
    Once the role has been seized from it the official guidance is to decommission it fully, though you can usually get away with reformatting.
    Huh? Why throw the metal away? Wipe the disk and set it back up as a domain controller (preferably with a different name, because of LDAP chaff).

    Originally Posted by Ignatius:
    I think my confusion is in the terminology ... I realise that it's possible to transfer the role to a different DC and I thought that "seize" was a similar process, but I wondered just how that could happen if the original DC was dead.
    It's exactly the same process as far as the directory is concerned; the only difference is that the old domain controller still thinks it holds the master role, which is why you never, ever bring it back online once the roles have been seized.

    A supplementary question then - does the DC with the new FSMO role (let's say the RID Master for example)
    It's the same role...

    check around the Forest to examine what's been done before and then make sure that the new one doesn't replicate what's been done before? My logic says that it should ... but I might be wrong!
    Certainly not! Domain controllers, prospective or current, have no business with such things. That's what network administrators are for.

    Finally, are there any comments (from anyone) about mirroring the system partition. Is it good practice or would anyone say it's really mandatory?
    It's mandatory in the sense that you'd be a fool not to.

    Incidentally, you do also have a sufficient supply of global catalogue servers too, don't you?

  8. Thanks to powdarrmonkey from:

    Ignatius (26th May 2010)

  9. #7

    Originally Posted by powdarrmonkey:
    You cannot duplicate any of them. You merely distribute them as a *limited* safety measure.
    Sorry, I was fairly sure that I'd seen an article which suggested that some could be duplicated safely but others MUST be the only one in the forest or domain.

    Originally Posted by powdarrmonkey:
    You should be doing that anyway, along with every other backup measure you can think of. Forcibly playing about with DC memberships and master roles is an absolutely last resort.
    timbo343 mentioned not mirroring the system partition in favour of taking an image to restore subsequently. I've seen threads here about such a process and I think that the opinion was to avoid this on a DC (though it's common practice for workstations). I'm somewhat confused but think that I'd go in favour of mirroring the system partition.

    Originally Posted by powdarrmonkey:
    Certainly not! Domain controllers, prospective or current, have no business with such things. That's what network administrators are for.
    I think you misunderstood! What I meant is that if the RID Master is seized from a dead DC, would the new RID Master check around the network to examine what IDs have been generated by the original RID Master? The RID Master's role is to ensure that there are no duplicate IDs. Surely if the replacement RID Master didn't check, there's a remote possibility that it might generate an ID which is in use already?

    Originally Posted by powdarrmonkey:
    Incidentally, you do also have a sufficient supply of global catalogue servers too, don't you?
    Goodness, I'd forgotten about those!

  10. #8


    Originally Posted by powdarrmonkey:
    Huh? Why throw the metal away? Wipe the disk and set it back up as a domain controller (preferably with a different name, because of LDAP chaff).
    As I said, official best practice as far as I was taught - not what actually happens in a real situation.

    You should also be clearing out the LDAP chaff manually anyway, but as you say it's still worth using a different name.
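
The seizure and clean-up discussed in this thread, as an added example that is not part of any post: a command-prompt sequence for Windows Server 2003 using `netdom` (from the Support Tools) and `ntdsutil`. `DC2` (the surviving domain controller) and `DEADDC` (the failed one) are hypothetical names.

```bat
rem Added example, not from the thread. DC2 and DEADDC are hypothetical names.
rem Run on DC2 (the surviving DC) from an administrative command prompt.

rem 1. See which DC the directory currently lists for each of the five roles.
netdom query fsmo

rem 2. Seize only the roles that DEADDC held (RID master shown here).
rem    ntdsutil first attempts a normal transfer and seizes only if that fails,
rem    which it will when DEADDC is unreachable.
ntdsutil roles connections "connect to server DC2" quit "seize RID master" quit quit

rem    Names for the other roles at the same "fsmo maintenance" prompt
rem    (Windows 2000/2003 syntax):
rem      seize PDC
rem      seize infrastructure master
rem      seize domain naming master
rem      seize schema master

rem 3. Confirm that DC2 is now listed as the holder.
netdom query fsmo

rem 4. Remove the dead DC's leftover objects ("LDAP chaff"). This part is
rem    interactive: each <n> is an index printed by the preceding "list"
rem    command and differs per installation.
rem      ntdsutil
rem      metadata cleanup
rem      connections
rem      connect to server DC2
rem      quit
rem      select operation target
rem      list domains            then: select domain <n>
rem      list sites              then: select site <n>
rem      list servers in site    then: select server <n>   (choose DEADDC)
rem      quit
rem      remove selected server

rem 5. DEADDC must not rejoin the network with its old disk contents after
rem    step 2; wipe it before reusing the hardware, as the posts above say.
```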


