Bringing online the FSMO role holder after a crash

  • Bringing online the FSMO role holder after a crash

    As stated in http://www.petri.com/seizing_fsmo_roles.htm, it is not advised to bring the RID master, Schema Master and Domain naming master role holders back online after a crash where a seize has already been performed to another server. But PDCE and Infrastructure can be brought online.

    I understand it's a recommendation and best practice. Still, I am curious to know why I can't bring back those three FSMO role holders. Any special reason?

  • #2
    Re: Bringing online the FSMO role holder after a crash

    One reason is the seize operation. By seizing a role you are telling AD that this server is not part of the network any more. After the seize operation, AD updates its records and marks the seized server as offline, so that it will not appear on the network again. For security reasons, if you bring the server back online, AD will consider it a penetration or hacking attempt or attack.



    • #3
      Re: Bringing online the FSMO role holder after a crash

      If you bring back a RID Master after its role had been seized, there is a risk of the "reanimated" RID master starting to hand out RID pools that had already been issued by the new RID master, resulting in possible collision of SIDs.

      If you bring back Domain Naming Master, there is a risk of colliding trust or domain partition objects that were created on different DNMs.

      As for Schema, the same stands - you do not want to be in the situation where schema changes were performed on different disconnected Schema masters - having conflict objects in schema is a direct path to forest recovery.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
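
The RID pool collision described in post #3 can be checked for by comparing the rIDAllocationPool value held by each domain controller. The following is an added example, not part of the original thread: the DC names and pool values are constructed, and it assumes the raw 64-bit attribute values were exported beforehand from each DC's RID Set object.

```python
# Added example: detect overlapping RID allocation pools across domain controllers.
from itertools import combinations


def decode_pool(value):
    """Split a 64-bit rIDAllocationPool value into (first_rid, last_rid).

    The low 32 bits hold the first RID of the pool, the high 32 bits the last.
    """
    return value & 0xFFFFFFFF, value >> 32


def encode_pool(first_rid, last_rid):
    """Inverse of decode_pool, used here only to build the sample data."""
    return (last_rid << 32) | first_rid


def find_overlaps(pools_by_dc):
    """Return (dc_a, dc_b, first_shared_rid, last_shared_rid) for each clash."""
    decoded = sorted((dc, decode_pool(v)) for dc, v in pools_by_dc.items())
    overlaps = []
    for (dc_a, (a_lo, a_hi)), (dc_b, (b_lo, b_hi)) in combinations(decoded, 2):
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo <= hi:  # the two inclusive ranges share at least one RID
            overlaps.append((dc_a, dc_b, lo, hi))
    return overlaps


# Constructed sample (hypothetical DC names and values, pool size 500).
# DC1 held the RID master role and crashed; DC2 seized the role.
# DC1 was later brought back and issued a pool from its stale counter.
BLOCK = 500
SAMPLE = {
    "DC2": encode_pool(1100, 1100 + BLOCK - 1),  # DC2's own pool
    "DC5": encode_pool(1600, 1600 + BLOCK - 1),  # issued before the crash
    "DC3": encode_pool(2100, 2100 + BLOCK - 1),  # issued by DC2 after the seizure
    "DC4": encode_pool(2100, 2100 + BLOCK - 1),  # issued by the returned DC1
}

if __name__ == "__main__":
    for dc_a, dc_b, lo, hi in find_overlaps(SAMPLE):
        print(f"{dc_a} and {dc_b} can both issue RIDs {lo}-{hi}: "
              "duplicate SIDs possible")
```

Any pair reported here means two domain controllers can mint the same RID, which is the SID collision the post warns about.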



      • #4
        Re: Bringing online the FSMO role holder after a crash

        Thanks guyt and ahmer sahab.
