FSMO Roles Where should the master roles be "In House" or at "DR"

Here is some background first
42 users
16 servers (most not important for this discussion)
2 Domain Controllers in house and 1 at DR Site Connected over VPN at all times
all Domain Controllers are also global catalogs
exchange with about 100 mailboxes, total database size around 50 gigs in
four stores

Our consultants are telling us dr is the right place for all the master roles.

this seems against everything i've learned.
I belived that PDC, RID, Infrastructure Should allways be kept close to the
users and not off site.

i can see housing scheme master off site but not the rest.

What do you guys feel am i missing something.

i would love to hear what you guys think.

Thanks

_GF

 

IMHO, DR is for well, disaster situations. For day to day usage, use your
regular DCs for the roles.
Those roles are not a lot of overhead for the most part, and in the event of
a DR, you'll need to seize/transfer the roles. No big deal, because the
only reason those roles exist is because those 5 functions couldn't be
handled by multiple hosts at the same time. They are functions that must be
handled by a single directory host.

I wouldn't put it on the DR servers either unless a DR was called and it
needed to be done.

Al

 

All I am completely with you on this, and this is what i always beleived but
the reason that i am being given is that in case we had to fail over that
seizing the roles would be an extra process. that would have to be remembered.

Is there anyway of trully testing performance to see if the location of the
master roles is effecting our network.

is anyone aware of any good test. also how much does exchange interact with
role master on a daily basis is it minimal.

Thanks guys.

 

I completely agree with Al and further (some say I am much meaner than
Al) would question whether or not you really should be listening to
those consultants. What company are they from? I would like to know as I
would like to keep that company in mind. Doesn't matter if they are
Microsoft partners or not, I have several friends in MSFT who regularly
go out to sites to correct things dorked up by partners companies.

As to how much the roles being out there will impact your network, shut
off the connection and see what happens. That will give you an idea of
what daily traffic is going that way. Alternatively you could do a trace
on the network line and watch all of the traffic and try to work out
what it is. There are many functions that home in on the PDC and if the
PDC isn't easily reached, causes possible confusion and greater chance
of collision of changes. Unless you have set AvoidPDCOnWan (generally a
stupid thing to do) then every time an account password is incorrect
packets are sent to the DR site to verify passwords.

Seizing roles is almost a no-brainer. You go into NTDSUTIL and you just
do it. Takes all of about 60 seconds and would require a half page
writeup for your DR run book which should have for your DR site. I would
question how often you feel you will be failing over into a DR mode?


Personally I think a DR site IMO should generally be something that can
be and possibly should be disconnected for weeks at a time. That way
corruption in the directory will not automatically replicate to the DR
site right away. In fact, in one of my positions I formerly held for a
large financial company, hot replication of the domain to a remote site
would not constitute DR, it would constitute Business Resumption (BR)
which is done when a site becomes unuseable, not when you have an actual
disaster. DR (Disaster Recovery) was done from a completely cold site
from the ground up to a known good configuration.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

Joe thanks alot for your feedback.

can you get possible give me some speciefic of what would happen if we lost
the link to our DR site.

Thanks

-Greg

 

My suggestion is to read up on FSMO roles. What they are and what they do.
Then think about what situations you'd find yourself using those roles.
Mistyped passwords is one that joe mentioned regarding the PDCe so you're
already one up.

As joe mentioned, a DR site and a BC site can and in most cases should be
different sites used for different purposes with different triggers and
conditions of success. In your case, you pretty much do have a BC site vs. a
DR site although the line is blurry. Why bring that up? Because you're
talking about keeping the roles across a WAN link for no other reason than
to save a few keystrokes in the event you had to invoke a DR/BC scenario!
That's silly. It takes what it takes to bring up a DR site. No more and no
less.

If it's that important to the consultant, have them prove to you what
they're reasoning is and the impact it will have. That's what they get paid
to do. In addition, ask why you should put it across the WAN in a DR/BC
site vs. creating a cmd file or scipt that does it for you in one of two
given scenarios. Is that too much effort in case a trigger event gets
tripped? A "Push this button in case of X or this button in case of Y" type
of script?

You might want to ask what happens if your DR/BC site goes away? Does that
constitute a trigger if it happens? Most sites consider those important
although secondary. If the hosts in those sites go away, they're not
usually considered mission critical until you lose the production site.
What's the stance in your plan? Is it important to maintain an additional
site and if it goes away with critical single function roles, is it truly a
DR/BC site? Or is it now part of your operational sites and in need of yet
another site to fail over to?

What about bandwidth? Is there enough bandwidth to handle the traffic over
that VPN link? Redundancy?

Like I said in the beginning, putting the roles on a secondary server in a
site that only exists for DR/BC reasons, is not what I call a good idea. It
makes no sense to me to run normally in that state.

 

Exactly. Al went and spelled out what one of the things I was trying to
get you to think about when I said to shut off the site. The fact that
you have production roles at that site makes that site production, not a
recovery site. Think how stupid you would feel (and look) if someone
needed to work on the DR site and asked if they could shut down the line
and you said sure it is only DR and then bad things started happening
(as to what... it depends).

I think Al and I have both basically stated that your consultants should
be considered to be spouting propaganda until they are proven accurate.
Again I would be curious as to what company as I know folks in lots of
different companies and would not hesitate to light these consultants up
if I knew someone who could light them up. If they are MCS I would love
to hear that too as I would be all over that.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

Also you should consider what should happen to DC's that have had the roles
seized (not transferred).

I'd much rather rebuild a DR offsite DC than one or more of my onsite DC's
unless absolutely required.