Some questions on AD.

    Question

  • Hi,

    I have looked at this article re FSMO role placement (http://support.microsoft.com/kb/223346). Some questions which have arisen from it:


    1) The article says add more replicas, but then also says, reduce the number of replication partners. Is this not contradictory?

    2) If I remove the global catalog role from a server, does this in any way change replication behaviour?

    3) The article mentions to have a standby role holder. Would this just be an ordinary Windows Server and, if I need to transfer roles, I promote this server to a DC and transfer the role?

    Some other questions:

    4) If I stop the ntds service on a DC, say for example on a PDCe DC, should I move this role to a new server? Does stopping this service take the server out of replication?

    5) What's the reasoning for comparing USNs on DCs being pointless?

    Sorry for the random questions!


    • Edited by GSS1 Friday, July 26, 2013 3:56 PM
    Friday, July 26, 2013 3:28 PM

Answers

  • I can see why that article can look confusing. Basically, you want the roles available domain and forest wide, depending on the role. By turning off the NTDS service, you are eliminating that DC from servicing and affecting more than just the roles. For example, if it's the PDCe, then you've affected multiple services, such as the time service, password sync, GPO editing, and more. It's not something that we do. More on what happens when a FSMO role is down and how it affects things is in my blog, which Sandesh posted.

    To add on other points that have already been addressed, as for the GC, removing the GC role can affect applications and lookups. For example, if you have Exchange, and you removed the GC role, you may affect Exchange and Outlook clients. Removing the GC role has to be planned out looking at all possible ramifications. If replication is the only thing you're worried about, it's really a small amount of traffic if you have a WAN link with sufficient bandwidth. The only case I see where you want to reduce GC traffic is a site with a slow WAN link, where you can enable Universal group membership caching. Either way, you MUST have at least one GC at a site, otherwise, that will cause additional query and logon traffic, and if a GC is not available, you will be denied logon, because you may be part of a universal group that has been denied access on something, therefore the system just denies it. Here's more on universal group membership caching:

    Enabling Universal Group Membership Caching in a Site
    http://technet.microsoft.com/en-us/library/cc816797(v=ws.10).aspx

    And note, it's recommended to make all DCs a GC, because there is a conflict with a GC being on the IM role. The IM role just shuts itself down if it sees that DC is a GC. The GC has info about everything in a forest, and the IM will create phantom references for objects in other domains in the forest. Since the GC has that info, the IM has nothing to do. But making all DCs a GC overcomes that limitation.

    -

    And to add about USNs, or Update Sequence Numbers, the way I explain it to my class is that each DC has its own USN sequence generation since the first time it was promoted. Every DC has its own USN generation and it is unique to each DC. Every and any change made on a DC bumps up the USN by that number of changes. For example, if I add a user, it bumps it up by one. If I make a change to a user account, the USN is bumped by one, etc. Other DCs are aware of other DCs' USN values. When a change is seen by its downstream partners, the partner, if it's within the same AD Site, will in 15 seconds ask that DC for the change, hence a replication request. All replication requests are "pull" requests. There is no such thing as a push request. If there are multiple DCs and they are partnered in a mesh, then replication dampening jumps in place, where if A is partnered to B, and B to C, and C to A, and a change is made on A, and B grabs it first, then C second, then C sees a USN change for A on B, it will see that it already has the change, and therefore will not request it.

    Replication between AD Sites is default 180 minutes, minimum 15 minutes, depending on what you set the replication frequency to on the site link.

    The KCC (knowledge consistency checker) auto-creates the partners in a Site, and the ISTG (intersite topology generator) works with the KCC to create partners (bridgeheads) between sites.

    Sandesh's link on replication provides more detail on how the whole thing works.

    -

    GSS1,

    Is there anything that you are concerned about prompting these questions, such as a design scenario? If yes, please post them and we'll be glad to assist.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by GSS1 Saturday, July 27, 2013 9:14 PM
    Saturday, July 27, 2013 4:20 AM

All replies

  • 3. This would be a domain controller that currently does not host any roles.

    5. USNs are local to the domain controller.

    http://technet.microsoft.com/en-us/library/cc772726(v=WS.10).aspx

    http://blogs.technet.com/b/askds/archive/2012/04/20/friday-mail-sack-drop-the-dope-hippy-edition.aspx#usn

    http://deployhappiness.com/exhausting-the-usns/

    Sorry for the random answers! :) 


    If my answer helped you, check out my blog: DeployHappiness. Subscribe by RSS or email. 

    Friday, July 26, 2013 4:17 PM

  • 1) The article says add more replicas, but then also says, reduce the number of replication partners. Is this not contradictory?

    It depends upon the architecture how many DCs are needed in the site. It is recommended to have at least two DCs in a domain for redundancy, but how many DCs at each site will depend on your requirement. Normally one DC at each site can serve thousands of users with regard to authentication.

    Domain controllers # Determining the number of domain controllers you need
    http://technet.microsoft.com/en-us/library/cc759623(v=WS.10).aspx

    How many domain controllers are recommended
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/991d4f68-5178-4c9a-8b7d-8f2b5f53867e

    2) If I remove the global catalog role from a server, does this in any way change replication behaviour?

    No, but I would not recommend removing the GC role from a server. Configure all DCs with the DNS/GC role.

    3) The article mentions to have a standby role holder. Would this just a be an ordinary Windows Server and if I need to transfer roles, I promote this server to a DC and transfer the role?

    You can transfer the FSMO role to another server, no issue, but ensure that the time server role is configured on the PDC role holder server: http://support.microsoft.com/kb/816042. Also, if the FSMO role server is down and cannot be brought back, then you need to seize the FSMO role on another online DC.
     
    Some other questions:
     
    4) If I stop the ntds service on a DC, say for example on a PDCe DC, should I move this role to a new server? Does stopping this service take the server out of replication?
     
    If you stop the NTDS service, AD will be down and replication will fail. There is no need to transfer the role if you are doing some maintenance work; the other DC will serve the purpose.

    If your FSMO role holder server is down for a few minutes/hours then there should be no impact. However, if it is down for many hours then you can have an impact. You need to understand the consequences of FSMO role failure. If the FSMO role holder cannot be brought back you can seize the role on another DC. There's some info on FSMOs and what would happen if any specific FSMO is down for any length of time, permanently or temporarily.
     
    Active Directory FSMO Roles Explained and What Happens When They Fail and Why you may not be able to keep a DC up once roles were seized.
    http://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx
     
    But if a non-FSMO role server is down, assuming that the DNS and GC roles are enabled on all site DCs, then there will be no major impact.


    5) What's the reasoning for comparing USNs on DCs being pointless?
    http://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, July 27, 2013 12:53 AM
  • Hi guys,

    Great answers.

    I will start by answering the very last point (Ace Fekay). The reason why I raise some of these things is because I was looking at some video training, which covered the defragmentation aspect (amongst other things). But I wondered about the implications of this, as the video did not explain what effect this has on the larger environment (which is explained well in this thread).

    So with the USNs being pointless to compare, my understanding is that they are not a global value (i.e. think global in the coding sense), so one DC has 2 updates, USN increments by 2, and then likewise for the other DCs, whereas that 2 is not a "shared" value.

    What does "partnered in a mesh" mean?

    I read a good blog post by an MVP on the IM/GC clash. Good thing to know.

    In my case, I now have 3 hypervisors, so I will be setting up 3 domain controllers per domain, so with that sort of architecture, I am thinking about how best to optimise my forests and spread the FSMO roles in a best-practice manner. I am setting up more member servers too which will increase traffic. One forest is a single-domain forest, the other 2 have 2 child domains. No trusts in place (but I plan to set this up). I plan to set up an additional forest domain to test Windows updates etc.

    Saturday, July 27, 2013 9:14 PM
  • "Partnered in a mesh" means when all servers are partners with each other, versus a hub and spoke where one is central and others are all partnered to the one and not each other.

    I also have a blog on the IM/GC conflict, but I didn't post it:

    Global Catalog and FSMO Infrastructure Master Relationship
    Published by Ace Fekay, MCT, MVP DS on Oct 1, 2010 at 1:05 PM
    http://msmvps.com/blogs/acefekay/archive/2010/10/01/global-catalog-and-fsmo-infrastructure-master-relationship.aspx

    -

    One more thing about the USN: if you were to have virtualized DCs and used the hypervisor's snapshot feature to restore a snapshot, you will whack the USN value, essentially rolling back the USN value to a previous value (hence, USN Rollback errors), and the other DCs will no longer talk to it. This is because all other DCs believe that the DC that was restored with a snapshot has a specific USN, but if the USN is now less than what they believe it should be, they will say essentially, "you should be USN such and such, but you're now less than such and such, therefore something is wrong with you, and we now will no longer talk to you." All other DCs will think this. And the DC that got restored with the snapshot will not even know something is wrong, thinking, "Why won't these other guys talk to me? Do I stink or something?"

    Case in point to NEVER use the snapshot feature UNLESS you have 2012 DCs in a 2012 HyperV environment, which now has a new attribute to track USN values. But that's another story...

    :-)


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, July 28, 2013 9:04 PM
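
A toy model, added here as an illustration and not code from this thread or from Microsoft, of the mechanics described in the two posts above: each DC keeps its own USN counter, replication is pull only, a change that already arrived through one partner is dampened when another partner offers it, and reverting a hypervisor snapshot rolls the USN back so that a partner's request exposes the rollback. DC names, object names and numbers are constructed. Real AD identifies a replication source by its invocationID together with the USN and keeps per-attribute metadata; the model simplifies that to per-object entries and omits the invocationID.

```python
"""Toy model of AD USNs: per-DC counters, pull replication via high-watermark and
up-to-dateness (UTD) vectors, propagation dampening, and USN rollback detection."""
from dataclasses import dataclass, field


class UsnRollback(Exception):
    """A source DC found that a partner already holds USNs beyond its own."""


@dataclass
class DomainController:
    name: str
    usn: int = 0                                        # local counter; means nothing on another DC
    objects: dict = field(default_factory=dict)         # obj -> (originating_dc, originating_usn, value)
    log: list = field(default_factory=list)             # (local_usn, obj, originating_dc, originating_usn, value)
    high_watermark: dict = field(default_factory=dict)  # source -> last local USN of that source we pulled
    utd_vector: dict = field(default_factory=dict)      # originating DC -> highest originating USN applied here
    writable: bool = True                               # cleared once a rollback is detected ("DSA Not Writable")

    def write(self, obj, value):
        """Originating write: one change bumps the local USN by one."""
        self.usn += 1
        self.objects[obj] = (self.name, self.usn, value)
        self.log.append((self.usn, obj, self.name, self.usn, value))
        self.utd_vector[self.name] = self.usn

    def serve_request(self, requester_utd, since_usn):
        """Source side of a pull; the requester's UTD vector drives both checks below."""
        claimed = requester_utd.get(self.name, 0)
        if claimed > self.usn:                  # partner remembers more of my history than I have: I was rolled back
            self.writable = False               # a real DC logs an event and stops replicating
            raise UsnRollback(f"{self.name}: partner holds USN {claimed} from me, I am at {self.usn}")
        latest = {e[1]: e for e in self.log if e[0] > since_usn}  # later writes to one object collapse into one update
        changes, dampened = [], 0
        for entry in latest.values():
            if requester_utd.get(entry[2], 0) >= entry[3]:
                dampened += 1                   # requester already applied this originating write via another partner
            else:
                changes.append(entry)
        return changes, dampened

    def pull_from(self, source):
        """Destination side: replication is pull only; ask for everything after the last source USN seen."""
        since = self.high_watermark.get(source.name, 0)
        changes, dampened = source.serve_request(self.utd_vector, since)
        for _, obj, orig_dc, orig_usn, value in changes:
            self.usn += 1                       # an inbound change also consumes a local USN
            self.objects[obj] = (orig_dc, orig_usn, value)
            self.log.append((self.usn, obj, orig_dc, orig_usn, value))
            self.utd_vector[orig_dc] = max(self.utd_vector.get(orig_dc, 0), orig_usn)
        self.high_watermark[source.name] = source.usn
        return len(changes), dampened

    def snapshot(self):
        """What a hypervisor snapshot captures: all state, USN included."""
        return (self.usn, dict(self.objects), list(self.log), dict(self.high_watermark), dict(self.utd_vector))

    def restore(self, snap):
        """Reverting the snapshot rolls the USN back; partners are not told."""
        self.usn, objs, log, hwm, utd = snap
        self.objects, self.log, self.high_watermark, self.utd_vector = dict(objs), list(log), dict(hwm), dict(utd)


def usn_demo():
    """Constructed mesh A/B/C: A's change reaches C via B and is dampened when C asks A; USNs then diverge."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    a.write("cn=alice", "v1")
    b.pull_from(a)
    c.pull_from(b)                         # C gets A's originating write through B
    _, dampened = c.pull_from(a)           # A offers it again; C already holds (A, 1), so it is dampened
    a.write("cn=alice", "v2")
    a.write("cn=alice", "v3")              # two more originating writes on A
    b.pull_from(a)                         # arrives at B as a single inbound update
    return {"dampened_at_c": dampened,
            "usns": (a.usn, b.usn, c.usn),  # 3, 2, 1: same data on A and B, different USNs
            "same_content_a_b": a.objects["cn=alice"][2] == b.objects["cn=alice"][2]}


def rollback_demo():
    """Constructed scenario: A is snapshotted, does work that B replicates, then is reverted."""
    a, b = DomainController("A"), DomainController("B")
    a.write("cn=alice", "v1")
    b.pull_from(a)
    snap = a.snapshot()                    # hypervisor snapshot at A.usn == 1
    a.write("cn=bob", "v1")
    a.write("cn=dave", "v1")               # A.usn == 3
    b.pull_from(a)                         # B now records that A reached USN 3
    a.restore(snap)                        # revert: A.usn == 1 again, and A is unaware
    a.write("cn=carol", "v1")              # reuses USN 2, which B believes it already has from A
    detected, error = False, ""
    try:
        b.pull_from(a)
    except UsnRollback as err:
        detected, error = True, str(err)
    return {"detected": detected, "a_writable": a.writable,
            "carol_on_b": "cn=carol" in b.objects, "error": error}
```

Calling `usn_demo()` shows the two points from the USN post: C takes A's change once, through B, and declines it when A offers it again, and afterwards A and B hold identical content at USN 3 and 2 respectively, which is why comparing USNs across DCs tells you nothing. `rollback_demo()` shows the snapshot case: B's request carries a UTD entry saying A reached USN 3, A is only at 2 after the revert, so A is flagged and the write to `cn=carol` never reaches B. Note that in this toy model the check fires only because A's counter is still below what B remembers; had A been written to enough to climb back past that value, the comparison would pass and the writes that reused old USNs would simply never replicate, which is one reason the advice in the thread is to avoid snapshots rather than rely on detection.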
  • Yep, good advice. Ah yes, the vm gen ID value (IIRC). I forbid snapshots unless on a non domain machine. Business critical apps like Sharepoint also don't support them.

    Sunday, July 28, 2013 9:07 PM
  • Yep, good advice. Ah yes, the vm gen ID value (IIRC). I forbid snapshots unless on a non domain machine. Business critical apps like Sharepoint also don't support them.

    Yep, that's the attribute. Snapshots don't work on anything really; besides SharePoint, there's SQL, Exchange, SCOM, and everything else. Other than the newly supported VMGenId attribute, snapshots are a no-no. They're only useful in lab, educational and test environments.

    Oh, and even if you have all 2012 DCs on 2012 HyperV, the VMGenID shouldn't be a safe-all. Here's an interesting quote and article by Joe Richards:

    Joe Richards on the new 2012 VMGenID to help prevent USN Rollbacks:
    "... the new VMGENID capability of Windows Server 2012 AD and HV is __NOT__ USN Rollback Protection. It just helps reduce the possible spread of stupid ways in which you can encounter it. ..."
    http://blog.joeware.net/2013/03/04/2679/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, July 29, 2013 2:49 AM