
It appears that it is relatively easy to have multiple (even all) AD servers equipped with a copy of the Global Catalog. However, is it possible to do the same for FSMO roles?

If not, is it possible to create a failover protocol that will automatically transfer the FSMO roles to another AD server?

toolshed

1 Answer

No to both questions. While it is possible to "split" the FSMO roles between Domain Controllers, it isn't possible for two (or more) Domain Controllers to hold the same FSMO role (or roles) simultaneously. If the FSMO role holder goes down there's no automatic process for transferring the FSMO roles to another Domain Controller.

In the event that the Domain Controller holding the FSMO roles goes down, the domain will function normally for a short period of time, certainly long enough to seize the FSMO roles to another Domain Controller and hopefully long enough to resolve the issue with the DC originally holding the FSMO roles. Note that your first step should be to resolve the issue with the Domain Controller originally holding the FSMO roles and if unsuccessful then to seize the FSMO roles. Once that has been undertaken the original Domain Controller should be left disconnected from the network and the domain permanently and should be manually purged from AD. Have a read here, especially the Loss Implications table:

https://www.petri.com/seizing_fsmo_roles

joeqwerty
  • Thanks Joe. Out of curiosity, why is it possible to have multiple copies of the Global Catalog then? – toolshed Oct 24 '16 at 03:03
  • The GC isn't a "role" and, as such, performs no domain-related functions like the FSMO role holder does. In Microsoft's own words: `The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest.` - https://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx - https://www.petri.com/understanding_fsmo_roles_in_ad – joeqwerty Oct 24 '16 at 03:07
  • So, it's essentially just an index of the objects within AD derived from AD itself? – toolshed Oct 24 '16 at 03:13
  • @toolshed Broadly speaking, if the FSMO server crashes your users will still be able to log in for X days (I have seen a 90-day delay in my past experience). If the GC was only on that FSMO server, then your users can't log in anymore. So I suggest at least two DCs with the GC. In summary, you need the GC for any login, but the FSMO roles can be missing for a short period of time – yagmoth555 Oct 24 '16 at 03:24
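As an added example (not part of joeqwerty's answer or the comments above), here is the PowerShell a domain admin would use to follow the procedure the answer describes: inventory which DC holds each FSMO role and whether it still answers, confirm that logons do not depend on a single Global Catalog (yagmoth555's point), then transfer the roles if the holder is healthy or seize them with `-Force` only once recovery has failed, and finally purge the dead DC's metadata so it is never expected back. It assumes the RSAT `ActiveDirectory` module and an Enterprise Admins session; the names `DC1`, `DC2` and the `contoso.com` distinguished name are placeholders.

```powershell
# Added example, not code from the original page. Assumes RSAT ActiveDirectory
# module; DC1 (failed holder), DC2 (new holder) and the DNs are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolderStatus {
    # One row per FSMO role: the DC that holds it and whether it still answers
    # on LDAP (389). TCP is used rather than ping because ICMP is often filtered.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles  = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $domain.PDCEmulator         # per domain
        RIDMaster            = $domain.RIDMaster           # per domain
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role      = $r.Key
            Holder    = $r.Value
            Reachable = Test-NetConnection -ComputerName $r.Value -Port 389 -InformationLevel Quiet
        }
    }
}

function Test-GlobalCatalogRedundancy {
    # Every logon needs a GC, so a single GC (especially one co-located with
    # the FSMO roles) is the real single point of failure for users.
    $gcs = @((Get-ADForest).GlobalCatalogs)
    [pscustomobject]@{
        GlobalCatalogs = $gcs
        Redundant      = ($gcs.Count -ge 2)
    }
}

Get-FsmoHolderStatus | Format-Table -AutoSize
Test-GlobalCatalogRedundancy | Format-List

# --- Transfer (graceful: old and new holder both online) ---
# The current holder is contacted and hands the role over; safe to run anytime.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
#     -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

# --- Seize (last resort: holder is down and will not be recovered) ---
# -Force writes the new holder into the directory without asking the old one.
# Check first that DC2 has current replicated data (repadmin /showrepl DC2),
# and seize only the roles you need immediately (PDCEmulator is the one users
# notice first). After a seizure the old DC must never rejoin the network.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
#     -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force

# --- Verify that every DC agrees on the new holders ---
# netdom query fsmo
# dcdiag /test:knowsofroleholders /v

# --- Purge the dead DC so AD stops expecting it (the "manually purged" step) ---
# The DN below is a placeholder; read the real one with
#   (Get-ADDomainController -Identity 'DC1').NTDSSettingsObjectDN
# ntdsutil "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com" q q
```

Run the inventory functions first; a `Reachable = False` row for a role holder is the cue to start recovery, not to seize. The transfer, seize and cleanup commands are left commented out deliberately so the script is read-only until an operator uncomments the path that matches the situation.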