AD restore on DC with FSMO

OregonSteve

Greetings-

W2Ksp2; Single Forest, Single Domain. About 500 users. Currently we have
2 DCs. A consultant suggested that we should have 3 DCs, one that didn't do
anything but replication; no FSMOs, no GC. He said that in the event that
we had to restore AD, it would be easier to do it to a DC that didn't have
any FSMOs on it.

Yes, No, Maybe?

Thanx
OregonSteve
 
FSMO roles are just roles; now if you restore AD, you have to perform this while the
DC you restore on is offline (understand, you're in AD recovery mode, you don't have any AD
features....). So that obviously makes the roles the server is holding completely unreachable.

Now since it's a good idea to split RID/Intra/PDC on one DC and DNM/SM (+GC) on one other, then
yes it's a good idea to have a 3rd DC available because that'll ensure your forest and domain
are still "living" while you are restoring (minimum annoyances users-side). But you can still
restore on the DNM/SM since those roles are not often used. The only problem is that you'll have
your GC down also, which will prevent logons if you're in native mode...
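One way to check which DC could be taken offline for a restore without taking FSMO roles or the GC with it, as an added example rather than anything posted in this thread (it assumes the ActiveDirectory PowerShell module, which is newer than the Windows 2000 setup discussed here):

```powershell
# Added example, not from the thread. Enumerate every DC's FSMO roles and GC status
# and flag DCs that hold no role and are not a GC, i.e. the "replication-only" DC
# the consultant described. Assumes the ActiveDirectory module and domain rights to query.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

$report = foreach ($dc in $dcs) {
    [pscustomobject]@{
        Name        = $dc.HostName
        Site        = $dc.Site
        IsGC        = $dc.IsGlobalCatalog
        FsmoRoles   = ($dc.OperationMasterRoles -join ', ')
        # Safe to restore on: no FSMO role and not a GC, so nothing is lost while it is offline
        RestoreSafe = (-not $dc.IsGlobalCatalog) -and ($dc.OperationMasterRoles.Count -eq 0)
    }
}

$report | Format-Table -AutoSize

# Logons in native mode depend on a reachable GC, so warn when only one exists
$gcCount = @($dcs | Where-Object IsGlobalCatalog).Count
if ($gcCount -lt 2) {
    Write-Warning "Only $gcCount global catalog server(s); restoring on it will block logons until it is back."
}

$candidates = @($report | Where-Object RestoreSafe)
if ($candidates.Count -eq 0) {
    Write-Warning "Every DC holds a FSMO role or the GC; a restore will take those offline for its duration."
}
```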
 
One other thing - After SP3, restoring the Rid Master can cause problems
because the Rid Master will not initialize until after it successfully
replicates with a partner. This is just to ensure that another DC has not
been given the role and prevent having to clean up a duplicate SID scenario.
Until replication takes place, no user or machine accounts, groups etc. can
be created (unable to verify the uniqueness...)

BH
 