SBS and FSMO Roles

Discussion in 'Windows Small Business Server' started by LincolnIT, Oct 29, 2006.

  1. LincolnIT Guest

    I always thought that SBS can only have 1 DC until I read some articles that
    said otherwise. Now it is also stated that only the SBS server can hold the
    FSMO roles and in the event of a disaster recovery you can seize the roles to
    another DC.

    Hopefully someone can enlighten me on this....If I'm in a DR situation
    because my SBS box is dead then obviously I can't seize the FSMO
    what's the purpose of a 2nd DC then?

    The way I look at it is I can't authenticate users when the SBS is down what
    is the 2nd DC actually doing for us?
    LincolnIT, Oct 29, 2006
  2. Anna Clark Guest

    But you can.. it is a procedure that is well documented in the process
    called Swing Migration, and since the owner of that process went to all the
    trouble to figure it out, I will not give away his solution. But he might.
    Contact him at


    Anna Clark
    Anna Clark, Oct 29, 2006
  3. Gregg Hill Guest

    Seizing FSMO roles is not something Jeff Middleton designed or owns. He took
    a bunch of Microsoft articles and his knowledge and experience and packaged
    it into an awesome product, the Swing It Kit.

    If you search the Microsoft knowledge base, you can find out how to seize
    the roles.

    To answer the original question, yes, you can have multiple DCs that have
    been made global catalog servers, but the SBS server MUST hold all FSMO
    roles. So if it goes down, you could then seize the FSMO roles using one of
    the secondary DCs. In a standard AD domain with multiple DCs, you could just
    move roles around. If you had a single DC as you would in an SBS domain, and
    that DC went down, you would then go to your secondary DC and force it to
    assume all the FSMO roles. That is what "seizing" the FSMO roles means.

    Gregg Hill
    Gregg Hill, Oct 29, 2006
  4. kj Guest

    Be advised that if you seize a role the original domain controller can never
    return to the domain. It must be rebuilt from scratch. USN rollback is an
    *ugly* proposition in any AD environment.

    Most FSMO roles can be temporarily unavailable with little to no impact to a
    static environment.

    So, if your SBS server is going to come back to life, DO NOT seize any
    kj, Oct 29, 2006
  5. You can authenticate users with a second DC without seizing the roles. You
    will be limited in functionality since the SBS is down and won't have
    Exchange or your data but you have some limited Network functionality until the
    SBS server comes back up. As KJ says DON'T seize the roles or you are in
    deep trouble!!!
    Frank McCallister SBS MVP, Oct 29, 2006
  6. Yes, seizing the roles is _only_ appropriate when you know that the former
    server is never coming back. And seriously, you can run quite a while with
    no FSMO roles on the network.
    Charlie Russel - MVP, Oct 29, 2006
  7. as well as other comments.

    There are two processes, 'seizure' and 'transfer'. In a standard AD (i.e. non
    SBS) you may _transfer_ FSMO roles between live DCs (pretty much) at will,
    seizing the roles is only done when the role holder is unavailable.

    SO, we have SBS and a 2nd DC. The 2nd DC is only really of value if it is
    also a Global Catalog. If the SBS is down the 2nd DC will allow logon rather
    than cached credentials. Otherwise its only value is in maintaining the AD.
    There are some limits on what you can change about the AD in the absence of
    an FSMO role holder.

    If your SBS goes down, which it shouldn't, SBS 2003 is a very robust system
    if properly implemented and maintained. There should be one thought in your
    head, 'I need to get SBS back up. I don't want to replace the failed SBS
    with a new one, I want the original _system_ [i.e. maybe on different
    hardware] back', having a 2nd DC as a 'safety blanket' is a reasonable idea
    but getting your original SBS back online is normally easier than building a
    SuperGumby [SBS MVP], Oct 30, 2006
  8. kj Guest

    Don't think it was mentioned previously, but the "2nd" DC must also be a
    DNS server with the clients configured to use it as a DNS alternate server
    or they won't be able to locate the "2nd" DC to even start authentication.
    That way logon scripts can still run, domain DFS shares can still be
    accessed, network printers located and used, and external web sites and
    resources can be resolved.

    Users won't be Exchange connected, but in cached mode they can still compose
    new, reply to previous messages, and surf the web instead of asking the
    Administrator every 60 seconds "Is it up yet? Is it up yet? Is it up yet?"
    kj, Oct 30, 2006
  9. will they not fallback to WINS and eventually 'browser' service for internal

    But yes, I'll accept that a 2nd DC should be a DNS peer.

    Of course WINS and the browser service don't help with external queries but
    I'll come back and flog a dead horse, 'I'm trying to fix the server, just
    why is your workstation ON?'.
    SuperGumby [SBS MVP], Oct 30, 2006
  10. kj Guest

    Well WINS would be gone since the SBS server is down and a WINS replica on
    the "2nd" server is just going to help locate NETBIOS resources which are
    probably all the SBS server, which is down anyway.

    A good reference and read for logon and locating DC's;

    ...and the "2nd" DC does help "load share" the logon process and DNS lookups
    when things are normal, but my dead horse is in your camp SG - get the SBS
    server fixed asap. Don't be FSMO'ing around with band-aids, bubble gum and
    baling wire.

    kj, Oct 30, 2006
