FSMO Roles Where should the master roles be "In House" or at "DR"

Discussion in 'Active Directory' started by Greg, Jun 14, 2006.

  1. Greg

    Greg Guest

    Here is some background first
    42 users
    16 servers (most not important for this discussion)
    2 Domain Controllers in house and 1 at DR Site Connected over VPN at all times
    all Domain Controllers are also global catalogs
    exchange with about 100 mailboxes, total database size around 50 gigs in
    four stores

    Our consultants are telling us DR is the right place for all the master roles.

    This seems against everything I've learned.
    I believed that PDC, RID and Infrastructure should always be kept close to the
    users and not off site.

    I can see housing the schema master off site, but not the rest.

    What do you guys feel? Am I missing something?

    I would love to hear what you guys think.


    Greg, Jun 14, 2006

  2. Greg

    Al Mulnick Guest

    IMHO, DR is for well, disaster situations. For day to day usage, use your
    regular DCs for the roles.
    Those roles are not a lot of overhead for the most part, and in the event of
    a DR, you'll need to seize/transfer the roles. No big deal, because the
    only reason those roles exist is because those 5 functions couldn't be
    handled by multiple hosts at the same time. They are functions that must be
    handled by a single directory host.

    I wouldn't put it on the DR servers either unless a DR was called and it
    needed to be done.

    Al Mulnick, Jun 14, 2006

  3. Greg

    Greg Guest

    Al, I am completely with you on this, and this is what I always believed, but
    the reason I am being given is that, in case we had to fail over, seizing the
    roles would be an extra process that would have to be remembered.

    Is there any way of truly testing performance to see if the location of the
    master roles is affecting our network?

    Is anyone aware of any good tests? Also, how much does Exchange interact with
    the role masters on a daily basis? Is it minimal?

    Thanks guys.
    Greg, Jun 14, 2006
  4. I completely agree with Al and further (some say I am much meaner than
    Al) would question whether or not you really should be listening to
    those consultants. What company are they from? I would like to know as I
    would like to keep that company in mind. Doesn't matter if they are
    Microsoft partners or not, I have several friends in MSFT who regularly
    go out to sites to correct things dorked up by partner companies.

    As to how much the roles being out there will impact your network, shut
    off the connection and see what happens. That will give you an idea of
    what daily traffic is going that way. Alternatively you could do a trace
    on the network line and watch all of the traffic and try to work out
    what it is. There are many functions that home in on the PDC, and if the
    PDC isn't easily reached, it causes possible confusion and a greater chance
    of collision of changes. Unless you have set AvoidPDCOnWan (generally a
    stupid thing to do), then every time an account password is incorrect
    packets are sent to the DR site to verify passwords.

    Seizing roles is almost a no-brainer. You go into NTDSUTIL and you just
    do it. Takes all of about 60 seconds and would require a half page
    writeup for your DR run book, which you should have for your DR site. I would
    question how often you feel you will be failing over into a DR mode?

    Personally I think a DR site IMO should generally be something that can
    be and possibly should be disconnected for weeks at a time. That way
    corruption in the directory will not automatically replicate to the DR
    site right away. In fact, in one of my positions I formerly held for a
    large financial company, hot replication of the domain to a remote site
    would not constitute DR, it would constitute Business Resumption (BR)
    which is done when a site becomes unusable, not when you have an actual
    disaster. DR (Disaster Recovery) was done from a completely cold site
    from the ground up to a known good configuration.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---

    Joe Richards [MVP], Jun 14, 2006
  5. Greg

    Greg Guest

    Joe, thanks a lot for your feedback.

    Can you possibly give me some specifics of what would happen if we lost
    the link to our DR site?


    Greg, Jun 14, 2006
  6. Greg

    Al Mulnick Guest

    My suggestion is to read up on FSMO roles. What they are and what they do.
    Then think about what situations you'd find yourself using those roles.
    Mistyped passwords are one that Joe mentioned regarding the PDCe, so you're
    already one up.

    As Joe mentioned, a DR site and a BC site can and in most cases should be
    different sites used for different purposes with different triggers and
    conditions of success. In your case, you pretty much do have a BC site vs. a
    DR site although the line is blurry. Why bring that up? Because you're
    talking about keeping the roles across a WAN link for no other reason than
    to save a few keystrokes in the event you had to invoke a DR/BC scenario!
    That's silly. It takes what it takes to bring up a DR site. No more and no

    If it's that important to the consultant, have them prove to you what
    their reasoning is and the impact it will have. That's what they get paid
    to do. In addition, ask why you should put it across the WAN in a DR/BC
    site vs. creating a cmd file or script that does it for you in one of two
    given scenarios. Is that too much effort in case a trigger event gets
    tripped? A "Push this button in case of X or this button in case of Y" type
    of script?

    You might want to ask what happens if your DR/BC site goes away? Does that
    constitute a trigger if it happens? Most sites consider those important
    although secondary. If the hosts in those sites go away, they're not
    usually considered mission critical until you lose the production site.
    What's the stance in your plan? Is it important to maintain an additional
    site and if it goes away with critical single function roles, is it truly a
    DR/BC site? Or is it now part of your operational sites and in need of yet
    another site to fail over to?

    What about bandwidth? Is there enough bandwidth to handle the traffic over
    that VPN link? Redundancy?

    Like I said in the beginning, putting the roles on a secondary server in a
    site that only exists for DR/BC reasons, is not what I call a good idea. It
    makes no sense to me to run normally in that state.
    Al Mulnick, Jun 14, 2006
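    The "push this button" runbook script Al describes, written out as an added example (not code from this thread or its posters). It assumes the ActiveDirectory RSAT module and uses placeholder server and site names; it reports which AD site holds each of the five roles and, for a declared DR, moves them with a transfer or a forced seize.

    ```powershell
    # Added example: inventory FSMO placement by site and move the roles to a
    # named DC from a DR runbook. Names are placeholders, not from the thread.
    Import-Module ActiveDirectory

    function Get-FsmoPlacement {
        # One object per role: the holder DC and the AD site that DC sits in.
        $forest = Get-ADForest
        $domain = Get-ADDomain
        $roles = [ordered]@{
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
        foreach ($role in $roles.Keys) {
            $dc = Get-ADDomainController -Identity $roles[$role]
            [pscustomobject]@{ Role = $role; Holder = $dc.HostName; Site = $dc.Site }
        }
    }

    function Move-FsmoToDc {
        # Transfer all five roles to $Target. With -Seize the move is forced,
        # which is the step taken only when the current holder is unreachable
        # (the "in case of X" button); without it, a normal transfer is attempted.
        param(
            [Parameter(Mandatory)][string]$Target,
            [switch]$Seize
        )
        $all = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
               'RIDMaster', 'InfrastructureMaster'
        Move-ADDirectoryServerOperationMasterRole -Identity $Target `
            -OperationMasterRole $all -Force:$Seize -Confirm:$false
    }

    # Day-to-day check: warn about any role that lives in the DR site.
    $drSite = 'DR-Site'   # placeholder site name
    Get-FsmoPlacement |
        Where-Object { $_.Site -eq $drSite } |
        ForEach-Object { Write-Warning "$($_.Role) is held by $($_.Holder) in $drSite" }

    # DR runbook step (run only when DR is declared):
    # Move-FsmoToDc -Target 'DR-DC01' -Seize
    ```

    After a forced seize the former holder must not simply be brought back online as-is; see kj's point below about rebuilding DCs whose roles were seized rather than transferred.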
  7. Exactly. Al went and spelled out one of the things I was trying to
    get you to think about when I said to shut off the site. The fact that
    you have production roles at that site makes that site production, not a
    recovery site. Think how stupid you would feel (and look) if someone
    needed to work on the DR site and asked if they could shut down the line
    and you said sure it is only DR and then bad things started happening
    (as to what... it depends).

    I think Al and I have both basically stated that your consultants should
    be considered to be spouting propaganda until they are proven accurate.
    Again I would be curious as to what company as I know folks in lots of
    different companies and would not hesitate to light these consultants up
    if I knew someone who could light them up. If they are MCS I would love
    to hear that too as I would be all over that.

    Joe Richards [MVP], Jun 15, 2006
  8. Greg

    kj Guest

    Also you should consider what should happen to DC's that have had the roles
    seized (not transferred).

    I'd much rather rebuild a DR offsite DC than one or more of my onsite DC's
    unless absolutely required.
    kj, Jun 15, 2006
