Authentication without the FSMO PDC

Henri

Hi,

Occasionally we need to service the FSMO PDC. During the downtime users
cannot log on to the domain although there is another DC with a replica of
the GC.

I know that I can transfer the Operation Master role to the other DC, but I
am concerned about the time it might take to do this and I do not know if I
have to do it on all three tabs (RID, PDC and Infrastructure). We have two
domains in the same tree, a primary domain with a child domain.

Is there a way so that users and services with domain accounts will be able
to stay authenticated while the FSMO is down for maintenance? Sometimes it
is only the time of a reboot after applying Microsoft Update patches.

Thanks in advance for your help.

Henri.
 
Hi

> Occasionally we need to service the FSMO PDC. During the downtime users
> cannot log on to the domain although there is another DC with a replica of
> the GC.

- Are you running non-aware AD clients?

The primary domain controller (PDC) emulator. The PDC emulator processes all
replication requests from Microsoft Windows NT 4.0 backup domain controllers
and processes all password updates for clients that are not running Active
Directory-enabled client software.

The relative identifier (RID) master. The RID master allocates RIDs to all
domain controllers to ensure that all security principals have a unique
identifier.

The infrastructure master. The infrastructure master for a given domain
maintains a list of the security principals from other domains that are
members of groups within its domain.

The domain naming master, which adds and removes domains to and from the
forest.

The schema master, which governs all changes to the schema.

> I know that I can transfer the Operation Master role to the other DC, but I
> am concerned about the time it might take to do this and I do not know if I
> have to do it on all three tabs (RID, PDC and Infrastructure). We have two
> domains in the same tree, a primary domain with a child domain.

No, you can have different FSMO roles on different servers; however, you
should be careful with the Infrastructure Master role placement and GC in
some scenarios. Check:
FSMO placement and optimization on Active Directory domain controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/


> Is there a way so that users and services with domain accounts will be able
> to stay authenticated while the FSMO is down for maintenance? Sometimes it
> is only the time of a reboot after applying Microsoft Update patches.

Windows 2000 and later clients don't need the PDC to authenticate in the domain.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
OK, so you have two DCs in the domain and both are a GC... right?

if yes...

are both DCs also a DNS server and are all clients and servers pointing to
BOTH?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
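
The checks asked about in the replies above (which DC holds which FSMO role, whether each DC is a GC and answers DNS, and whether a client lists both DCs as DNS servers) can be collected before a maintenance window with a script like the following. It is an added example, not code posted by anyone in this thread, and it assumes a domain-joined machine with the RSAT ActiveDirectory module and the DnsClient cmdlets, which are newer than the tools the thread refers to.

```powershell
# Added example: pre-maintenance check before rebooting the FSMO role holder.
# Assumption: run on a domain-joined machine with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# 1. Which DC holds each operations master role?
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 2. For every DC: is it a GC, and does it answer the DC locator SRV query itself?
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$report = foreach ($dc in $dcs) {
    $answers = Resolve-DnsName -Name $srvName -Type SRV -Server $dc.IPv4Address `
                   -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC              = $dc.HostName
        IPv4            = $dc.IPv4Address
        IsGlobalCatalog = $dc.IsGlobalCatalog
        AnswersDns      = [bool]$answers
        SrvTargets      = ($answers | Where-Object Type -eq 'SRV' |
                              ForEach-Object NameTarget | Sort-Object -Unique) -join ', '
    }
}
$report | Format-Table -AutoSize

# 3. Does this machine list every DC as a DNS server? A client that points only
#    at the DC being rebooted cannot locate the remaining DC during the downtime.
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
                  Sort-Object -Unique
$missing = $dcs.IPv4Address | Where-Object { $_ -notin $configured }
if ($missing) {
    Write-Warning "DNS client settings do not include these DCs: $($missing -join ', ')"
} else {
    Write-Output "All domain controllers are configured as DNS servers on this machine."
}
```

Step 3 only inspects the machine the script runs on, so run it on a representative client and server as well as on the DCs themselves.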
 