additional domain controller and FSMO roles


    I have one PDC ( in a small LAN.
    I wanted to install an additional domain controller as a BACKUP ( I have also installed DNS on it with the same domain name "".
    Here are the IP settings:

    PDC: (server01)
    IP :

    Add DC: (server02)
    IP :

    Now I was thinking that when the PDC goes down, the additional DC (ADC) will take the PDC's place.

    In the end it did: when I took the PDC down I could see that users can still log in to the domain, so it seems successful.

    But my concern is the FSMO roles and the global catalog.
    When I checked, I saw it is not a Global Catalog, and under Operation Masters the ADC has only the PDC role; the RID and Infrastructure operation masters show "ERROR".
    The Domain Naming Operation Master also shows "server01" (PDC).

    First of all, can you please tell me whether I need those roles to promote this ADC to primary domain controller?
    If I do need them, then how? I tried to use ntdsutil but couldn't seize the roles, because the PDC is already down. Do I have to be connected to the PDC to do this?

    Secondly, do I need to change the DNS address of the ADC to because the PDC is down?

    Thanks in advance.
    Sorry for my horrible English.

  • #2
    Re: additional domain controller and FSMO roles

    I would recommend the following.

    Make DNS AD-integrated, if you haven't already. Install DNS on both servers and have both servers and clients point to the PDC role holder as primary and the other DC/DNS as secondary.

    Have DHCP on the secondary DC as it won't be working as hard as the FSMO role holder.

    Make both servers a GC.

    Should the FSMO role holder go down, the roles would need to be seized. If you decide to seize roles, the failed FSMO role holder should not be joined back to the domain. NTDSUTIL can be used to seize roles. The metadata of the failed DC then needs to be removed, along with any DNS entries and any objects for it in AD Sites and Services.

    The fact that your clients can still log in indicates to me that their logons are cached. The PDC is crucial for the security of the network, time synchronisation and other tasks such as password changes, so it would need to be seized to the other DC.

    DHCP is a straightforward move should you have that. It is a case of rebuilding it on another server and authorising it, should it have been installed on the failed server. You could give it the same scope and then set it to ping clients before allocating an address to ensure the old DHCP service had not already allocated the IP.


    • #3
      Re: additional domain controller and FSMO roles

      Thanks for the answer Virtual...

      But the thing is DNS is installed on both servers (PDC and ADC) and as far as I can see the replication is working, as I can see the same AD on the ADC.

      Also users can log on to the ADC after the PDC is down, and this is a domain log on, not a local log on. (Roaming profiles are working; I have a separate XP machine and I put all the roaming profiles and user spaces there.)

      Now, why do I need a DHCP server? All machines are configured statically.

      My questions are:

      Do I need to promote this ADC to become PDC in case the PDC goes down?
      ...... In a Google search I found out that it will automatically take the PDC role, but when I check the FSMO roles I see the problem there. Do I need to transfer the FSMO roles to the ADC? If yes, then how? Because the PDC is already down...

      Thanks again..


      • #4
        Re: additional domain controller and FSMO roles

        If you're using static IPs then don't worry about DHCP. You don't need to use it.

        In the domain, you have DCs with AD installed and FSMO role holders. So in your example, the DC you refer to as (PDC) has all 5 FSMO roles: 2 x forest and 3 x domain roles. One of the domain roles is PDC.

        It is good that users can still log on, but the PDC is required for other important tasks, so should a FSMO role holder ever fail, you need to seize the roles to another DC. If you have a multi-domain network, the Infrastructure Master role must then be placed on a DC that isn't a GC unless all DCs are GCs.

        If you want to perform a test, you could transfer the FSMO roles to your other DC and then power off the main one and check that you can reset passwords etc. In fact, you could try that now. You may not be able to do so without a PDC on the domain.
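The check-and-move procedure post #4 describes, as an added PowerShell example that is not code from the thread: it lists the five FSMO holders and each DC's GC status, applies the Infrastructure Master caveat, and then either transfers the roles (holder still online) or seizes them (holder permanently dead) to the surviving DC. It assumes Windows Server 2008 R2 or later with the RSAT ActiveDirectory module, and that server02 is the surviving DC; on older DCs NTDSUTIL, as the thread says, is the tool instead.

```powershell
# Added example, not from the thread. Run on the surviving DC; no switches = read-only inventory.
param(
    [string]$Target = 'server02',
    [switch]$Transfer,   # planned move while the current holder is online
    [switch]$Seize,      # forced move because the holder is gone for good
    [switch]$MakeGC
)
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$roles  = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# Current holders of the 2 forest-wide and 3 domain-wide roles (same data as "netdom query fsmo")
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Which DCs are global catalogs
$dcs | Select-Object Name, HostName, IsGlobalCatalog | Format-Table -AutoSize

# Caveat from post #4: in a multi-domain forest the Infrastructure Master must not be a GC
# unless every DC is one; a single-domain forest is not affected.
$imHolder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGC    = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($forest.Domains.Count -gt 1 -and $imHolder.IsGlobalCatalog -and -not $allGC) {
    Write-Warning "Infrastructure Master $($imHolder.HostName) is a GC but not all DCs are GCs."
}

if ($Transfer) {
    # Graceful hand-over: the current holder is online and agrees to the move
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Confirm:$false
}
elseif ($Seize) {
    # Forced: the old holder must never rejoin this domain afterwards (see post #2)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Force -Confirm:$false
}

if ($MakeGC) {
    # GC is bit 0 of the "options" attribute on the DC's NTDS Settings object
    $ntds = Get-ADObject -Identity (Get-ADDomainController $Target).NTDSSettingsObjectDN -Properties options
    if (-not ($ntds.options -band 1)) {
        Set-ADObject -Identity $ntds -Replace @{ options = ($ntds.options -bor 1) }
    }
}
```

Run it once with no switches to see where the roles sit before deciding between -Transfer and -Seize; the seizure path is only appropriate when the old holder will never come back.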


        • #5
          Re: additional domain controller and FSMO roles

          Thanks again Virtual...

          Finally I have sorted it out...

          When I made the ADC seize the roles I also changed the ADC's DNS address to itself. I was suspicious at this point; I thought it might give an error, but it didn't. It's working.

          Now the ADC has all the roles except the infrastructure role, and that's how it should be. I also did as you said and changed the password of a user and tried to log in, and I was able to. Successful. I suppose now it's the PDC.

          Thanks a million..


          • #6
            Re: additional domain controller and FSMO roles

            Glad to help. It must be PDC now. You need to make sure the Infrastructure Master role is also on a DC in the domain, and now that you have seized roles from the other DC, make sure it doesn't join back to the domain and is reinstalled. You then need to clean the metadata for it, any DNS entries and any items for it in AD Sites and Services.
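The post-seizure cleanup post #6 lists (metadata, DNS entries, Sites and Services objects), as an added PowerShell example that is not code from the thread: by default it only reports what still references the failed server01 (its server object under Sites, its computer account in the Domain Controllers OU, and DNS records that name or target it); with -Remove it deletes them. It assumes a Windows Server 2008 R2 or later DC with the RSAT ActiveDirectory and DnsServer modules, and that the old DC has already been seized from and is permanently offline.

```powershell
# Added example, not from the thread. Dry run by default; -Remove performs the deletions.
param(
    [string]$FailedDc = 'server01',
    [switch]$Remove
)
Import-Module ActiveDirectory, DnsServer
$domain = Get-ADDomain
$zone   = $domain.DNSRoot
$config = (Get-ADRootDSE).configurationNamingContext

# 1. Server object under AD Sites and Services (its NTDS Settings child is the DSA itself)
$server = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$FailedDc'" -SearchBase "CN=Sites,$config"
# 2. Computer account still sitting in the Domain Controllers OU
$computer = Get-ADComputer -Filter "Name -eq '$FailedDc'" -SearchBase $domain.DomainControllersContainer
# 3. DNS: host records named after it, plus SRV and _msdcs GUID CNAME records that still target it
$dnsRecords = foreach ($z in $zone, "_msdcs.$zone") {
    Get-DnsServerResourceRecord -ZoneName $z -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq $FailedDc -or
                       $_.RecordData.DomainName    -like "$FailedDc.*" -or
                       $_.RecordData.HostNameAlias -like "$FailedDc.*" } |
        Add-Member -NotePropertyName Zone -NotePropertyValue $z -PassThru
}

"Server object : $($server.DistinguishedName)"
"Computer acct : $($computer.DistinguishedName)"
$target = @{ n = 'Target'; e = { ($_.RecordData.IPv4Address, $_.RecordData.DomainName, $_.RecordData.HostNameAlias) -join '' } }
$dnsRecords | Format-Table Zone, HostName, RecordType, $target -AutoSize

if (-not $Remove) { return }   # stop here unless explicitly asked to clean up

# Deleting the server object together with its NTDS Settings on 2008+ DCs performs the same
# metadata cleanup that ntdsutil "metadata cleanup" does on older ones.
foreach ($obj in (@($server, $computer) | Where-Object { $_ })) {
    Set-ADObject    -Identity $obj -ProtectedFromAccidentalDeletion $false
    Remove-ADObject -Identity $obj -Recursive -Confirm:$false
}
foreach ($r in $dnsRecords) {
    Remove-DnsServerResourceRecord -ZoneName $r.Zone -InputObject $r -Force
}
# Confirm no surviving DC still lists the dead one as a replication partner
repadmin /showrepl
```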