FSMO Roles within a Domain

Richard

Dec 31, 2007
Archived from groups: microsoft.public.win2000.active_directory

Hello,

In a Windows 2000 Server environment, I am planning a disaster recovery site.
The disaster recovery site is in another office and its main purpose is to
provide users with an alternate office to work in the event that our main
office network is offline...

As this alternate site is going to be configured to replicate with our main
office (Exchange servers, Citrix, SQL etc), what happens in the event that
our Primary Domain Controller (in our main office) goes offline?

The disaster recovery site will have secondary domain controllers which
will be replication partners, but what will happen to the 5 FSMO roles? Can
you promote a server to a certain role?


Kind regards,
 
Guest

"Richard" <Richard@discussions.microsoft.com> wrote in message
news:D032A276-7879-4D08-BDDB-3216AF6AA269@microsoft.com...
> Hello,
>
> In a Windows 2000 Server environment, I am planning a disaster recovery
> site.
> The disaster recovery site is in another office and its main purpose is to
> provide users with an alternate office to work in the event that our main
> office network is offline...
>
> As this alternate site is going to be configured to replicate with our
> main
> office (Exchange servers, Citrix, SQL etc), what happens in the event that
> our Primary Domain Controller (in our main office) goes offline?
>
> The disaster recovery site will have secondary domain controllers which
> will be replication partners, but what will happen to the 5 FSMO roles?
> Can
> you promote a server to a certain role?

Yes, but it is called "transferring" (which should always
be preferred) if the old role holder is online, and "seize"
(try to avoid) if the old role holder is OFFLINE.

(Rather than "promote".)

You must NEVER "seize" a role unless the 'old role holder'
will NEVER be brought back online.

So during a disaster plan execution, you will seize roles only
if you must (e.g., don't expect a fairly rapid repair of the problems).

Once you seize the role(s) you are committing to DCPromo the
old holder (to non-DC), after which you may DCPromo it again
to DC.

Do NOT have any Enterprise Certificate Servers holding such
roles since they cannot afford to be DCPromo 'cycled'.

Only the PDC Emulator (there is no true PDC in AD domains)
is likely to become a problem rapidly.

Then the RID master (but only if you must add a large number
of users.)

Missing the PDC emulator will cause "cross subnet browsing"
and "cross domain browsing" to stop working during the
next hour.

Time will eventually drift and Kerberos authentication may
suffer -- but that is not likely to happen rapidly.

Replication to BDCs will stop but you probably don't have
any of those unless you are still in mixed mode.

A few minor problems may occur but you won't likely
notice.
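
The transfer-versus-seize choice described in the reply above, written out as a disaster recovery runbook step for the PDC emulator role. This is an added example, not part of the original thread. DC-MAIN and DC-DR are hypothetical server names, and the ping test is an assumed, rough stand-in for confirming the old holder is really offline.

```bat
@echo off
rem Added example: move the PDC emulator role during a DR exercise.
rem DC-MAIN and DC-DR are hypothetical names; replace them with your own DCs.
setlocal
set OLD_HOLDER=DC-MAIN
set NEW_HOLDER=DC-DR

rem Record the current role holders before changing anything.
rem (netdom is part of the Windows 2000 Support Tools.)
netdom query fsmo

rem Rough reachability test only: a DC that answers ping may still be
rem unhealthy, and one that does not answer may only be cut off by a WAN fault.
ping -n 2 %OLD_HOLDER% >nul
if errorlevel 1 goto offline

rem Old holder is online: graceful transfer, the preferred path.
ntdsutil roles connections "connect to server %NEW_HOLDER%" quit "transfer PDC" quit quit
goto verify

:offline
echo %OLD_HOLDER% is unreachable.
echo Seize only if %OLD_HOLDER% will be demoted (DCPromo) before it rejoins the network.
set /p ANSWER=Type SEIZE to continue, anything else to abort: 
if /i not "%ANSWER%"=="SEIZE" goto end

rem Old holder is offline and will not return as-is: seize the role.
ntdsutil roles connections "connect to server %NEW_HOLDER%" quit "seize PDC" quit quit

:verify
rem Confirm which server now holds each role.
netdom query fsmo

:end
endlocal
```

The other four roles use the same transfer and seize verbs; in Windows 2000 ntdsutil they are named RID master, infrastructure master, schema master and domain naming master.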