High availability domain controllers - noob questions about possible problems

  • Question

  • Just yesterday I was "awarded" with an honor to completely reconfigure domain controllers in my medium size organization. One of the main concerns is to provide some high availability features.

    I even started to read "Learn Active Directory Management in a Month of Lunches"; the premise of this book quite colorfully describes my situation.

    Because I work in a medium size company with limited resources I will have following hardware:

    2 physical servers, OR
    1 physical server and one virtual machine deployed on Hyper-V (but I have some concerns about it)

    In the most basic form, if a server (domain controller) goes down, users shouldn't notice any difference.

    Because I have absolutely zero experience with Windows servers, I will ask some really stupid questions:

    1) What are important things to do when configuring two domain controllers?

    2) I have heard that there are some problems with FSMO when one of the servers suddenly goes down. How to properly resolve these situations?

    3) Also, as far as I know, if downtime exceeds 4 minutes a desynchronization occurs. How to resolve this?


    Tuesday, July 21, 2020 6:58 AM

Answers

  • Hello martinenko_Edward,

    Thank you for posting here.

    Here are the answers for our questions.

    Q1: What are important things to do when configuring two domain controllers?
    A1: I think the main points are as follows:
    1. Each DC itself is working fine.
    2. AD replication works properly, I mean the two DCs are synchronous.
    3. And the time on the two DCs is synchronous.
    4. SYSVOL replication works fine.
    5. GPOs are applied successfully.


    Q2: I have heard that there are some problems with FSMO when one of the servers suddenly goes down. How to properly resolve these situations?
    A2: We can refer to the link below. Especially read the part “Determine when to transfer or seize roles” and “Seizing or transferring FSMO roles”.

    Transferring or seizing FSMO roles in Active Directory Domain Services
    https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control


    Q3: Also, as far as I know, if downtime exceeds 4 minutes a desynchronization occurs. How to resolve this?
    A3: I am sorry, I do not quite understand what you are talking about, but as Alexey mentioned, Kerberos authentication won't be working if the time difference between clients and DCs is more than 5 minutes.

    Q4: Will it entail some problems in the future?
    A4: If it is possible, and if you were able to transfer the roles instead of seizing them, fix the previous role holder. If you cannot fix the previous role holder, or if you seized the roles, remove the previous role holder from the domain.
    Please refer to the link below. Especially read the part “Considerations when repairing or removing previous role holders”.

    Transferring or seizing FSMO roles in Active Directory Domain Services
    https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control

    If anything is unclear, please feel free to let us know.

    Tip: we should post our question in DS forum.

    This "Directory Services" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    "Directory Services" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Directory Services"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.
    Wednesday, July 22, 2020 10:04 AM
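A read-only health check for the five points in A1, added here as an example (it is not part of the thread or of Microsoft's guidance); it assumes the ActiveDirectory RSAT module and the repadmin, w32tm, dcdiag and gpresult tools are available on the DC it is run from, with Domain Admin rights.

```powershell
# Added example (not from the thread): a read-only health check covering the
# five points in A1. Assumes the ActiveDirectory RSAT module, and that
# repadmin.exe, w32tm.exe, dcdiag.exe and gpresult.exe are on the PATH.
# Run from an elevated prompt with Domain Admin rights on one of the DCs.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. Each DC itself answers on LDAP and advertises its DC services.
foreach ($dc in $dcs) {
    $up = Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet
    "{0,-30} LDAP/389 reachable: {1}" -f $dc.HostName, $up
}
dcdiag.exe /test:Advertising /q        # /q prints only failures

# 2. AD replication: a partner with consecutive failures, or whose last
#    success is more than an hour old, needs attention.
$stale = [datetime]::UtcNow.AddHours(-1)
Get-ADReplicationPartnerMetadata -Target $dcs.HostName -Partition '*' |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $stale } |
    Select-Object Server, Partner, Partition, ConsecutiveReplicationFailures,
                  LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
repadmin.exe /replsummary              # one-screen summary of every partner's last result

# 3. Time: every DC's offset from the PDC emulator, the domain's time source.
#    Kerberos tolerates a 5 minute skew by default; anything near that is a problem.
$pdc  = (Get-ADDomain).PDCEmulator
"PDC emulator (domain time source): $pdc"
$list = $dcs.HostName -join ','
w32tm.exe /monitor "/computers:$list"

# 4. SYSVOL replication (DFS-R on current domains) and the SYSVOL/NETLOGON shares.
dcdiag.exe /test:SysVolCheck /test:NetLogons /q
foreach ($dc in $dcs) {
    $shares = Get-SmbShare -CimSession $dc.HostName -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
    "{0,-30} SYSVOL and NETLOGON shared: {1}" -f $dc.HostName, ($shares.Count -eq 2)
}

# 5. GPO: confirm a policy refresh succeeds here and list the GPOs that applied.
gpupdate.exe /force | Out-Null
gpresult.exe /r /scope:computer
```

Run it on each DC in turn; a DC that passes 1 to 4 but shows a GPO in the "not applied" list under 5 usually has a SYSVOL problem the dcdiag test did not catch.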
  • 1. You need a minimum of 2 domain controllers with cross DNS for HA. Impact on one of them will not have any effect on employees.

    2. If one of the FSMO holders is unavailable and you can't (or won't) repair/restore it, you have to seize the affected FSMO roles on the second DC. But after that, in any case, don't try to bring the dead DC back alive, because you'll have 2 DCs with the same FSMO; it's an unsupported configuration.

    3. Kerberos authentication won't be working if the time difference between client and DC is >= 5 minutes.

    Tuesday, July 21, 2020 7:07 AM
  • But after that, in any case, don't try to bring the dead DC back alive, because you'll have 2 DCs with the same FSMO; it's an unsupported configuration.

    You will never have (there is a protection against this) 2 DCs with the same FSMO after you bring back a broken DC:

    When a DC that has been acting as a role holder starts to run (for example, after a failure or a shutdown), it does not immediately resume behaving as the role holder. The DC waits until it receives inbound replication for its naming context (for example, the Schema master role owner waits to receive inbound replication of the Schema partition).

    The information that the DCs pass as part of Active Directory replication includes the identities of the current FSMO role holders. When the newly started DC receives the inbound replication information, it verifies whether it is still the role holder. If it is, it resumes typical operations. If the replicated information indicates that another DC is acting as the role holder, the newly-started DC relinquishes its role ownership. This behavior reduces the chance that the domain or forest will have duplicate FSMO role holders.

    • Edited by Anahaym Wednesday, July 22, 2020 7:46 PM
    • Marked as answer by martinenko_Edward Friday, July 24, 2020 8:54 AM
    Wednesday, July 22, 2020 1:59 PM
  • Yes, as said above, it's an unsupportable configuration. While the DC is alive you're able to transfer FSMO roles to another one (not seize them).
    Wednesday, July 22, 2020 6:37 AM

  • Hi
    How are things going on your end? Please keep me posted on this issue.
    If you have any further questions or concerns about this question, please let us know.
    I appreciate your time and efforts.

    Best Regards,
    Daisy Zhou

    Friday, July 24, 2020 5:46 AM

All replies

  • After seizing FSMO schemes using the following commands:

    For the Schema Master role, type seize schema master and press Enter.
    For the Domain Naming Master role, type seize naming master and press Enter.
    For the RID Master role, type seize rid master and press Enter.
    For the PDC Emulator role, type seize pdc and press Enter.
    For the Infrastructure Master role, type seize infrastructure master and press Enter.

    Is it essential to fully reinstall previous DC controller? I have tried it on virtual machines:

    1 - Turned off the first DC.

    2 - Seized all the FSMO roles on the second DC.

    3 - Turned on the first DC again.

    4 - It seems that the first DC correctly guessed who is the owner of the FSMO roles.

    Will it entail some problems in the future?

    Wednesday, July 22, 2020 5:46 AM
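Added example, not from the thread: instead of relying on a revived DC having "guessed" the holders correctly (step 4 above), or on the relinquishment behaviour described in the marked answer, this asks every DC for its own view of the fSMORoleOwner attribute on the five role-holder objects and flags any role on which the DCs disagree. It assumes the ActiveDirectory RSAT module and LDAP access to each DC; the function name Get-FsmoViewFrom is my own.

```powershell
# Added example (not from the thread). Queries each DC directly for the
# fSMORoleOwner attribute of the five role-holder objects and reports roles on
# which the DCs disagree. A DC that still believes it holds a role that was
# seized elsewhere (the "two holders" case debated above) shows up as a mismatch.
# Assumes the ActiveDirectory RSAT module and LDAP access to every DC.
Import-Module ActiveDirectory

function Get-FsmoViewFrom {
    # Hypothetical helper name; returns role -> holder as seen by one DC.
    param([string]$Dc)
    $root = Get-ADRootDSE -Server $Dc
    $cfg  = $root.configurationNamingContext
    $dom  = $root.defaultNamingContext
    # The directory object that carries fSMORoleOwner for each role.
    $holders = [ordered]@{
        Schema         = $root.schemaNamingContext
        DomainNaming   = "CN=Partitions,$cfg"
        PDC            = $dom
        RID            = "CN=RID Manager`$,CN=System,$dom"
        Infrastructure = "CN=Infrastructure,$dom"
    }
    $view = [ordered]@{}
    foreach ($role in $holders.Keys) {
        $obj = Get-ADObject -Server $Dc -Identity $holders[$role] -Properties fSMORoleOwner
        # fSMORoleOwner is the DN of the holder's NTDS Settings object; its
        # parent is the server object, whose CN is the DC name.
        $view[$role] = ($obj.fSMORoleOwner -split ',')[1] -replace '^CN='
    }
    return $view
}

$dcs   = (Get-ADDomainController -Filter *).HostName
$views = @{}
foreach ($dc in $dcs) {
    try   { $views[$dc] = Get-FsmoViewFrom -Dc $dc }
    catch { Write-Warning "$dc did not answer: $($_.Exception.Message)" }
}

foreach ($role in 'Schema', 'DomainNaming', 'PDC', 'RID', 'Infrastructure') {
    $answers = @($views.GetEnumerator() | ForEach-Object { $_.Value[$role] } | Sort-Object -Unique)
    if ($answers.Count -eq 1) {
        "{0,-15} holder: {1}  (all {2} DCs agree)" -f $role, $answers[0], $views.Count
    } else {
        $detail = ($views.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value[$role])" }) -join '; '
        Write-Warning ("{0}: DCs disagree on the holder -> {1}" -f $role, $detail)
    }
}
```

A holder shown as a deleted object (a name containing 0ADEL) means the metadata of the old role holder was never cleaned up, which is exactly the case the linked article's "repairing or removing previous role holders" section covers.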