  • Operations Masters

    I had a call in the middle of the night that one of my users could not login to their exchange account. I have 5 domain controllers spread out around the globe. However upon inspection only one machine is configured for all three roles.. RID PDC and Infrastructure, that machine being down took away everyone's ability to authenticate using outlook. What is the best way to distribute these roles to ensure that one dc going down does not cause this type of chaos?

  • #2
    Re: Operations Masters

    Every domain controller is able to authenticate a user at any time.
    Only when the domain controller is unable to verify the account will that DC contact the DC holding the PDC role to verify whether the account is valid and whether the password has been changed but replication hasn't completed yet.

    Outlook clients do need access to a GC.

    If the SID is missing, which will eventually be noted when you are unable to create new objects. It controls the sequence number for the domain controllers within a domain. It provides a unique sequence of RIDs to each domain controller in a domain. When a domain controller creates a new object, the object is assigned a unique security ID consisting of a combination of a domain SID and a RID. The domain SID is a constant ID, whereas the RID is assigned to each object by the domain controller. The domain controller receives the RIDs from the RID Master. When the domain controller has used all the RIDs provided by the RID Master, it requests the RID Master to issue more RIDs for creating additional objects in the domain. When a domain controller exhausts its pool of RIDs, and the RID Master is unavailable, any new object in the domain cannot be created.

    If these roles are missing on the domain, and you know that the servers that were holding those roles will not be returned to the network, you can seize these roles (take forceful ownership) with NTDSUTIL.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com

    • #3
      Re: Operations Masters

      What Killerbe said,

      What's your GC placement?

      • #4
        Re: Operations Masters

        I have 6 DCs, all of which have Global Catalogue checked on when I check them using ADS&S. All of the operations master roles are on one DC that is located at the head office. I think I would like to move those roles to a server in the main Data Center along with the Exchange server. I have inherited this setup; it was worked on by many people before me, and I have experience managing Windows AD but not building it from scratch, so I am looking for advice as to the best way to set this up going forward.

        • #5
          Re: Operations Masters

          Originally posted by blm76
          I think I would like to move those roles to a server in the main Data Center along with the Exchange server. I have inherited this setup; it was worked on by many people before me, and I have experience managing Windows AD but not building it from scratch, so I am looking for advice as to the best way to set this up going forward.
          You can move these roles using ntdsutil.exe from the command line to transfer all roles to another server following http://support.microsoft.com/kb/255504. However, this is a fairly drastic measure to take if your AD is currently working fine and the server currently holding those roles has not been demoted without using dcpromo. As was stated before, any DC has the ability to authenticate people, so as long as you aren't having issues with the setup you have now, there probably isn't a reason to move roles to another server; there is a possibility of really messing up your AD by doing so.

          If you do want to do this, just move the Schema, Domain Naming Master, PDC Emulator, RID, and Infrastructure roles to the new machine following the instructions from earlier. Once the transfer is done, AD will update itself with the changes made and everything should go smoothly from there on out.

          EDIT: I may not have been as clear as I should have been. Please be sure to *transfer* the roles and not seize them. Seizing is only used when a server is going offline for good.
          Last edited by eramnes; 22nd April 2009, 02:00.
          Don't fool yourself. If you truly feel passionate about something, you will do whatever it takes. If you don't, you'd better get busy pursuing happiness, because it's all you've got.
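An added PowerShell check, not code from this thread, that answers the GC-placement question from #3 and the "all roles on one DC" situation from #1, then performs the transfer (not seizure) that eramnes describes. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later) and uses a placeholder target DC name.

```powershell
# Added example (not from the thread): inventory FSMO role holders and GC
# placement, flag a single point of failure, and show a graceful *transfer*.
# Assumes the ActiveDirectory module; "DC-DATACENTER01" is a placeholder name.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are exposed on the forest object, domain roles on the domain.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# All five roles on a single host is the setup that caused the outage in #1.
$holders = $roles.Values | Sort-Object -Unique
if ($holders.Count -eq 1) {
    Write-Warning "All FSMO roles are on $($holders[0]); that DC is a single point of failure."
}

# GC placement per site: Outlook clients need a reachable global catalog.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# Graceful transfer; the current holder must be online. Do NOT add -Force:
# -Force seizes the role and is only for a holder that will never return.
$target = 'DC-DATACENTER01'   # placeholder, replace with the data-center DC
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
```

Remove `-WhatIf` once the preview shows the intended move; the cmdlet then prompts for confirmation before transferring each role.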
