RE: [ActiveDir] FSMO Role Transfer GUI
I used to use LDIFDE (I imagine that still works) ... oops, typo'd it again ... what I meant to say was "I use toADmod.exe" (he's sensitive you know ;o)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, December 15, 2005 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

You can't transfer the schema or domain naming fsmo's from ADUC. Personally I just use ntdsutil and know the syntax off the top of my head, but, if you don't do this often it might be useful to have a central point of control.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 14 December 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] FSMO Role Transfer GUI

Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy.

Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering the McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun.

I'd rate the app towards the novelty side of the Novelty <-> Useful continuum. But hey, it's a better use of email and time than Elf Bowling!

Works in both my test and production environment.

Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles.

Thanks,
JD

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] FSMO Role Transfer GUI
Bite me Wells.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, December 17, 2005 3:40 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

I used to use LDIFDE (I imagine that still works) ... oops, typo'd it again ... what I meant to say was "I use toADmod.exe" (he's sensitive you know ;o)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
RE: [ActiveDir] FSMO Role Transfer GUI
Raerrr. Cat fight.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 17, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

Bite me Wells.
Re: [ActiveDir] FSMO Role Transfer GUI
Come on, you two, can't we all just get along? ;-)

On 12/17/05, joe [EMAIL PROTECTED] wrote:

Bite me Wells.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FSMO Role Transfer GUI
What are the advantages/benefits of this UI vs UC? I can transfer all domain roles from that UI today?

Thanks,
neil
RE: [ActiveDir] FSMO Role Transfer GUI
Neil,

Essentially, you are correct. There's not a lot of difference. It does allow you to select the DC to transfer the role to where the ADUC just tells you where it's going to end up. That's the only thing I can think of that might have appeal and is different between the two interfaces.

In my environment, ADUC takes time to open, so there's some value to me in having the single source tool. Want to measure that value? Probably need a nanometer. Time saved by the few times a year we'd need to do the role change vs. the time spent working up the app probably leads to an ROI in a galaxy far far away.

At any rate, it was a learning opportunity for me. If anyone derives utility from it, so much the better!

Thanks,
JD
RE: [ActiveDir] FSMO Role Transfer GUI
You can't transfer the schema or domain naming fsmo's from ADUC. Personally I just use ntdsutil and know the syntax off the top of my head, but, if you don't do this often it might be useful to have a central point of control.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] FSMO Role Transfer GUI
Thanks. I didn't want to appear negative - I simply wanted to understand the motives for writing such a tool.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: 15 December 2005 17:04
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] FSMO Role Transfer GUI

Neil,

Essentially, you are correct. There's not a lot of difference. It does allow you to select the DC to transfer the role to where the ADUC just tells you where it's going to end up. That's the only thing I can think of that might have appeal and is different between the two interfaces.

In my environment, ADUC takes time to open, so there's some value to me in having the single source tool. Want to measure that value? Probably need a nanometer. Time saved by the few times a year we'd need to do the role change vs. the time spent working up the app probably leads to an ROI in a galaxy far far away.

At any rate, it was a learning opportunity for me. If anyone derives utility from it, so much the better!

Thanks,
JD
RE: [ActiveDir] FSMO Role Transfer GUI
... but this (new) tool cannot transfer the forest roles either. Hence my question.

neil
RE: [ActiveDir] FSMO Role Transfer GUI
We could make it available as a download at ActiveDir.org if you like. I'm sure a lot of people would be interested. Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D. Sent: Thursday, 15 December 2005 6:27 a.m. To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] FSMO Role Transfer GUI Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy. Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering the McAfee sees some of the .net code as buffer overflows and keeps text from showing up in combo-boxes. That was fun. I'd rate the app towards the novelty side of the Novelty Useful continuum. But hey, it's a better use of email and time than Elf Bowling! Works in both my test and production environment. Oh, also only transfers the domain roles. Does not transfer the schema owner or domain role owner, but does list the DCs holding those roles. Thanks, JD
RE: [ActiveDir] FSMO role transfer
Pita? Yes please, with some nice lamb and garlic sauce and... oh wait, now I get it hehe ;-) Rich -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 01, 2005 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer PITA Rich... ;o) I will see if I can dig up the CMD file I used to use. It is just a couple of commands sent into NTDSUTIL. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Thursday, December 01, 2005 9:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer ...Why not one click?... If you script it all up, you can add a one-click button to a custom msc. Use input boxes for server names instead of passing them as parameters or hard-coding. Or better yet, put it into an hta and launch that from a button. I was curious to see, with all these posts, no one ponied up with a real script to help out all these folks who are 1) not scripters and 2) amazed that moving the roles could be that easy. (I would post one but I have not actually scripted this... it's not currently my job :) Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Wednesday, November 30, 2005 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer It can be. It's easily scripted. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 4:39 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer That's my point. 
If this is .according to some of the threads on this, it is normal, regular, and part of a risk management process to just move these roles around, yes? Why not one click? Cace, Andrew wrote: It is available in the AD snap-ins. In AD Domains Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snapin, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. Next question...Why isn't there a single place to click all of these? -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? 
It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled
RE: [ActiveDir] FSMO role transfer [going further OT...]
Lots of great stuff posted here, including a salary schedule that, for us folks in non-profits, would be enough for me to retire right now! What happens here, especially lately, is the person who was hired so I can offload stuff like printers, FAX servers, etc., so I can concentrate on our several email servers, gets laid off, so I get to do all that stuff again. Then, the fellow who was our AD/Windows Server guru quits of his own accord, and presto, I'm the new AD/Windows Server guy. Of course, I get a whopping zero percent pay increase to go with all this increased workload. I asked management to double it, and they did. Somehow, the figure did not increase. But, at least I'm becoming more and more valuable to the company. Unless we outsource everything or go bankrupt, that is. --Larry
RE: [ActiveDir] FSMO role transfer
I think I will go towards my original plan of moving the FSMO roles. It takes hardly anytime to do and seems good practice. In this instance, I am replacing hardware, so there are always risks involved. thanks to everyone for their input, it's appreciated. Amy [EMAIL PROTECTED] wrote: I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different.
neil -- -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: 29 November 2005 23:26 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; ie: you seize the roles, restore from backup, etc.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, November 29, 2005 4:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Yeah but having "seize the FSMOs instead of moving them" as your fallback plan is like making sure you have a current backup in case "yanking the power cord instead of Start Shutdown Restart" causes file system corruption :) --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- "I love the smell of red herrings in the morning" - anonymous -- -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 11:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck /-
RE: [ActiveDir] FSMO role transfer
...Why not one click?... If you script it all up, you can add a one-click button to a custom msc. Use input boxes for server names instead of passing them as parameters or hard-coding. Or better yet, put it into an hta and launch that from a button. I was curious to see, with all these posts, no one ponied up with a real script to help out all these folks who are 1) not scripters and 2) amazed that moving the roles could be that easy. (I would post one but I have not actually scripted this... it's not currently my job :) Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Wednesday, November 30, 2005 3:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer It can be. It's easily scripted. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 4:39 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer That's my point. If this is .according to some of the threads on this, it is normal, regular, and part of a risk management process to just move these roles around, yes? Why not one click? Cace, Andrew wrote: It is available in the AD snap-ins. In AD Domains Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snapin, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. 
Next question...Why isn't there a single place to click all of these? -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? 
Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original
RE: [ActiveDir] FSMO role transfer
Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. 
Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient. Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works. If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. 
Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where someone entered a bad value for a DL expansion server. The value was so bad the GUI didn't even display it, instead it said the DL had no expansion server. The admin I was helping actually told me I was wrong when I said it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Susan, THANK YOU !!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't allocate time to learn scripting right now because I'm overworked as is. I'll just leave it at that. RH __ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 4:09 PM To: ActiveDir
RE: [ActiveDir] FSMO role transfer
I am not completely on board with a seize being trivial. Sure it is trivial in the act of doing it, but do you fully understand what is going on under the covers? With a FSMO transfer you are going from a known state to a known state in a controlled fashion. The new roleholder can talk to the old roleholder and understand EXACTLY what is going on so have a seamless move. A seize is going from an unknown state to a known state. For a role that doesn't have a state to worry about which is most of them, that is fine. But the RID master definitely has state and to a lesser extent so does the PDC master. Seizing a role isn't just a simple matter of popping in a value into an attribute and saying Done!. Well it could be, but you could get burned if that is all you do. I agree that it will be tough to convince one group to do something the other way. I do hope though that people think about what has been written and don't think seizing a role is trivial because the command to do it is easy to run. I am glad it is easy, the last thing you want is for a hard process to be required to rescue your system when you have issues. On the comment that transferring roles isn't a normal operating procedure. Maybe not in some places but it is a perfectly normal operating procedure, certainly more standard or normal than a seize. Transferring the PDC role in NT could be a bit painful at times but it is easy as pie in AD. I recall having a couple of occasions in the very beginning (first half 2000) where I got a trifle nervous at first from previous NT issues but quickly got over it. I don't think twice about moving roles. Heck we didn't even have to submit change control for that, we would just move the roles and send an email to the change list saying it had been done. It was considered SOP for maintaining domain operations. Finally and the last I will say about it... 
for the longest time and maybe even still I haven't looked lately MS said that the seize was the course of last resort, use it when the transfer fails. I realize MS warns about a lot of things but usually they have some basis for doing so. And if that isn't enough... if seizing roles was such a non-item, why wouldn't you just have a seize operation? Why have a transfer and a seize and cause this confusion? If they were the same, wouldn't you just have a single move the role button and no other mechanism whatsoever? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny Sent: Wednesday, November 30, 2005 4:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I think what was meant about the trivial part is around the seizing of the roles not the transfer. I would love to have much of the ntdsutil functionality built into the UI, even if at some point it requires you to reboot/restore, whatever. I don't think either camp is going to convince the other that you should or shouldn't transfer roles prior to some maintenance. It is almost a personality thing. I prefer not to transfer the role and deal with the possibility that I may need to seize it, on the rare case that something goes drastically wrong that I can not recover from before the role is actually needed. You architected the roles on specific DCs for a reason, if I forget to move it back I may end up with a DC hosting a role for a long time that I never meant to. Also, I don't consider transferring roles around part of the normal operating procedures. But that's just me. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew Sent: Wednesday, November 30, 2005 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer It is available in the AD snap-ins. 
In AD Domains Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snapin, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. Next question...Why isn't there a single place to click all of these? -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit
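The routine this thread keeps returning to (joe's "couple of commands sent into NTDSUTIL", his point that a transfer is a controlled hand-over between two live DCs while a seize is not, and Johnny Figueroa's worry about forgetting to move roles back) is written out below as an added example; it is not a script posted by anyone on the list. The parameter names, helper function names and CSV path are assumptions, and it covers only the three domain-wide roles (PDC, RID, infrastructure).

```powershell
# Added example, not from the thread. Transfers (never seizes) the three
# domain-wide FSMO roles to -TargetDC, then verifies the result by reading
# fSMORoleOwner from the directory. Assumes Domain Admin rights and ntdsutil.exe
# on the path; the DC name and CSV path passed in are the operator's own values.
param(
    [Parameter(Mandatory = $true)][string]$TargetDC,
    [string]$RecordPath = '.\fsmo-holders-before.csv'   # hypothetical default
)
$ErrorActionPreference = 'Stop'

# Read one attribute from one object, asking a specific DC.
function Get-DirectoryValue {
    param([string]$Server, [string]$Dn, [string]$Attribute)
    $entry = [ADSI]"LDAP://$Server/$Dn"
    return [string]$entry.psbase.Properties[$Attribute].Value
}

function Get-DomainRoleHolders {
    param([string]$Server)
    $domainDn = Get-DirectoryValue $Server 'RootDSE' 'defaultNamingContext'
    # Object that carries fSMORoleOwner for each role. The key doubles as the
    # role name used in the ntdsutil "transfer ..." command.
    $carriers = [ordered]@{
        'PDC'                   = $domainDn
        'RID master'            = "CN=RID Manager`$,CN=System,$domainDn"
        'infrastructure master' = "CN=Infrastructure,$domainDn"
    }
    $holders = [ordered]@{}
    foreach ($role in $carriers.Keys) {
        $ntdsDn = Get-DirectoryValue $Server $carriers[$role] 'fSMORoleOwner'
        # The value is the DN of the holder's "NTDS Settings" object; its parent
        # is the server object, which carries the DNS host name.
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $holders[$role] = Get-DirectoryValue $Server $serverDn 'dNSHostName'
    }
    return $holders
}

# A plain TCP connect to the LDAP port; enough to tell "up" from "down".
function Test-LdapReachable {
    param([string]$Server)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, 389); return $true }
    catch { return $false }
    finally { $client.Close() }
}

$targetFqdn = Get-DirectoryValue $TargetDC 'RootDSE' 'dnsHostName'
$before     = Get-DomainRoleHolders -Server $targetFqdn

# Record who held what, so the roles can be moved back after maintenance.
$before.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role        = $_.Key
        Holder      = $_.Value
        RecordedUtc = (Get-Date).ToUniversalTime().ToString('s')
    }
} | Export-Csv -Path $RecordPath -NoTypeInformation

foreach ($role in @($before.Keys)) {
    $holder = $before[$role]
    if ($holder -eq $targetFqdn) {
        Write-Host "$role is already on $targetFqdn"
        continue
    }
    # A transfer needs the current holder online. If it is down, stop here:
    # that situation calls for a deliberate decision about seizing instead.
    if (-not (Test-LdapReachable $holder)) {
        throw "$holder (current $role holder) is unreachable; not transferring."
    }
    & ntdsutil.exe 'popups off' roles connections "connect to server $targetFqdn" `
        quit "transfer $role" quit quit | Out-Host
}

# Do not infer success from the command having run: re-read the attributes
# from the target DC and compare them with the intended holder.
$after  = Get-DomainRoleHolders -Server $targetFqdn
$missed = @($after.Keys | Where-Object { $after[$_] -ne $targetFqdn })
$after.GetEnumerator() | Format-Table Key, Value -AutoSize
if ($missed.Count -gt 0) { throw "Not transferred: $($missed -join ', ')" }
```

Running the same script after maintenance with the original holder from the CSV as `-TargetDC` moves the roles back.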
RE: [ActiveDir] FSMO role transfer
joe, I can't believe you said this. Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. I stopped reading after this. Sorry. But I've got to cool down first. I've no argument with anything above this line and I concur and understand. BUT This is flat out wrong. Sorry. YMYMYM RH ___- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Thursday, December 01, 2005 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org? 
What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient. Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works. If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. 
If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where someone entered a bad value for a DL expansion server. The value was so bad the GUI didn't even display it, instead it said the DL had no expansion server. The admin I was helping actually told me I was wrong when I said it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO
Re: [ActiveDir] FSMO role transfer
through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where someone entered a bad value for a DL expansion server. The value was so bad the GUI didn't even display it, instead it said the DL had no expansion server. The admin I was helping actually told me I was wrong when I said it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Susan, THANK YOU!!!
There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't allocate time to learn scripting right now because I'm overworked as is. I'll just leave it at that. RH __ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 4:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable?
Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29
RE: [ActiveDir] FSMO role transfer [going further OT...]
admins earning over $240k ??!! I guess we need to define the word admin coz I'm not paying what I consider to be an admin that kinda money :) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 01 December 2005 14:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. 
Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient. Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works. If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. 
Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where someone entered a bad value for a DL expansion server. The value was so bad the GUI didn't even display it, instead it said the DL had no expansion server. The admin I was helping actually told me I was wrong when I said it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Susan, THANK YOU !!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't
RE: [ActiveDir] FSMO role transfer
Once you are known for your automation capabilities (WSH, MONAD, programming tools, Perl, whatever), believe me there are companies (usually with large deployments) that are more than happy to hire you on a project. I cannot say that it is the case for all companies (it is also a question of awareness), but as far as I'm concerned, all my professional experience has been made this way because of scripting/automation (from CMD to any kind of programming and automation technique). Once they know how much time they can save, how fast things can be done, they are more than happy to pay the price to get this type of knowledge on board. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, December 01, 2005 7:25 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer While I agree with the scripting making you a better admin part, I've never worked for an employer who offered me more $$ because of scripting. Or any interview or employer who cared other than that's cool attitude when i wrote a script to automate something. maybe i'm working for the wrong people. I've just been teaching myself VBScript in the past few months and I've written some scripts for my employer alone and with the help of this list (a lot of help) and lately i've been gaining the confidence not to rely on this list as much, but my scripting is more for my own personal benefit and knowledge rather than $$ driven because my employer has never indicated that the ability to script was something that was a real value in his/her mind. Scripting, to the employers i've worked for seems more like knowing about this list- a personal resource that you as an employee chose to use to perform your job better or gain more info, but not something that in and of itself is valued, it seems. Again, i could be working for the wrong people. Also, ironically, i've yet to work in a Windows shop where i met someone who knew how to script.
In fact, in Joe's salary chart of $35,000 to $240,000, I fall in the next to last category. I started at the first/lowest range and in less than 4 years got to ~ the next to last one without knowing any scripting at all. i guess that's a sign of the lack of uniformity in the industry. on the other hand, i think you should know how to script to be a good admin and i've been busting my butt of late to do just that. but like i said, it's just for my own knowledge that i choose to do so. i don't expect any $$ for it or advance in my career just my random thoughts... On 12/1/05, joe [EMAIL PROTECTED] wrote: Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org?
What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used
RE: [ActiveDir] FSMO role transfer
Rocky - keep in mind that a typical Admin job in a big company is user administration, computer account administration, patching member servers, checking backup logs, and various other routine administration (hence Admin) - and tricky things get passed up the chain to level 2. In a mid-size or small company, some jobs titled Admin should really be titled Engineer or Analyst because they do things like Exchange troubleshooting, replication troubleshooting, hardware upgrade planning, etc as well as the occasional user account issue, etc. He's talking (forgive me Joe if I misinterpret here) about the former, your classic Admin who hopefully doesn't have much rights and takes day-to-day administrative tasks. There are probably not a lot of those people on this list. There is the possibility though that some admin Admins do spend the whole day in deep concentration over creating and modifying individual user accounts, etc... nuff said about that. But for the do-all mis-titled Admin/Engineer, if you're spending all your time handling routine admin tasks and can't be proactive with more of the engineering stuff - well eventually (and more commonly nowadays) you are going to need to pick up scripting or some way of automating things (as Tom has found), or someone else will get hired who can. Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Thursday, December 01, 2005 9:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer joe, I can't believe you said this. Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. 
I stopped reading after this. Sorry. But I've got to cool down first. I've no argument with anything above this line and I concur and understand. BUT This is flat out wrong. Sorry. YMYMYM RH ___- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Thursday, December 01, 2005 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? 
Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some
RE: [ActiveDir] FSMO role transfer [going further OT...]
Yeah I was going to ask who paid Sys Admins that kind of money because I'm clearly not working for the right company :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 01, 2005 10:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer [going further OT...] admins earning over $240k ??!! I guess we need to define the word admin coz I'm not paying what I consider to be an admin that kinda money :) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 01 December 2005 14:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? 
Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient. Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works. 
If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where someone entered a bad value for a DL expansion server. The value was so bad the GUI didn't even display it, instead it said the DL had no expansion server. The admin I was helping actually told me I was wrong when I said it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30
RE: [ActiveDir] FSMO role transfer
A further note to add - when's the last time you browsed through senior infrastructure jobs and counted how many want some programming skills along with W2K3, E2K3, etc? Enough to think one of these days I might need to bite the bullet and take some classes... once you start scripting you definitely see the advantages of the dark side and can't imagine how you functioned without it :) Fortunately though I'm not looking for work - the rumors of our demise are greatly exaggerated :) --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Thursday, December 01, 2005 9:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Once you are known for your automation capabilities (WSH, MONAD, programming tools, Perl, whatever), believe me there are companies (usually with large deployments) that are more than happy to hire you on a project. I cannot say that it is the case for all companies (it is also a question of awareness), but as far as I'm concerned, all my professional experience has been made this way because of scripting/automation (from CMD to any kind of programming and automation technique). Once they know how much time they can save, how fast things can be done, they are more than happy to pay the price to get this type of knowledge on board. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, December 01, 2005 7:25 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer While I agree with the scripting making you a better admin part, I've never worked for an employer who offered me more $$ because of scripting.
Or any interview or employer who cared other than that's cool attitude when i wrote a script to automate something. maybe i'm working for the wrong people. I've just been teaching myself VBScript in the past few months and I've written some scripts for my employer alone and with the help of this list (a lot of help) and lately i've been gaining the confidence not to rely on this list as much, but my scripting is more for my own personal benefit and knowledge rather than $$ driven because my employer has never indicated that the ability to script was something that was a real value in his/her mind. Scripting, to the employers i've worked for seems more like knowing about this list- a personal resource that you as an employee chose to use to perform your job better or gain more info, but not something that in and of itself is valued, it seems. Again, i could be working for the wrong people. Also, ironically, i've yet to work in a Windows shop where i met someone who knew how to script. In fact, in Joe's salary chart of $35,000 to $240,000, I fall in the next to last category. I started at the first/lowest range and in less than 4 years got to ~ the next to last one without knowing any scripting at all. i guess that's a sign of the lack of uniformity in the industry. on the other hand, i think you should know how to script to be a good admin and i've been busting my butt of late to do just that. but like i said, it's just for my own knowledge that i choose to do so. i don't expect any $$ for it or advance in my career just my random thoughts... On 12/1/05, joe [EMAIL PROTECTED] wrote: Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly done with the GUI. How long does it take you to enter 100 new subnets?
What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced
Re: [ActiveDir] FSMO role transfer
it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Susan, THANK YOU!!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't allocate time to learn scripting right now because I'm overworked as is. I'll just leave it at that. RH __ -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 4:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it?
It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk.
As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur
RE: [ActiveDir] FSMO role transfer
Hi I have to agree with Joe. Most of the time we (my colleagues and I :) ) are dealing with the mundane, which scripting makes interesting. :) Also, a previous poster mentioned career $'s being linked to scripting. Correct me if I'm wrong, but I think the point being made was that the process of learning something like scripting forces you to think about what's actually going on under the bonnet - reading far more technical articles than you may possibly have otherwise (well for me anyway :) ). That move up the curve is what opens doors to $'s not scripting in itself (not for me though! :) ). Cheers Danny joe, I can't believe you said this. Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. I stopped reading after this. Sorry. But I've got to cool down first. I've no argument with anything above this line and I concur and understand. BUT This is flat out wrong. Sorry. YMYMYM RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 01, 2005 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI?
If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form. Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. 
The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient. Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works. If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where
RE: [ActiveDir] FSMO role transfer
Hey Rich - no need to script one yourself... Robbie's cookbook recipe 3.25 and 3.26 deal nicely with FSMO roles. 3.26 contains VBScript and Perl to transfer FSMO roles. http://www.rallenhome.com/books/adcookbook/code.html http://www.rallenhome.com/books/adcookbook/src/03.25-find_fsmos.vbs.txt http://www.rallenhome.com/books/adcookbook/src/03.26-transfer_fsmo.vbs.txt r/ Lou -Original Message- I was curious to see, with all these posts, no one ponied up with a real script to help out all these folks who are 1) not scripters and 2) amazed that moving the roles could be that easy. (I would post one but I have not actually scripted this... it's not currently my job :) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FSMO role transfer [going further OT...]
I wanna meet the admin making $240K AND the CTO foolish enough to pay an Admin that money :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 01, 2005 10:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer [going further OT...] admins earning over $240k ??!! I guess we need to define the word admin coz I'm not paying what I consider to be an admin that kinda money :) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 01 December 2005 14:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Wow I feel heat directed at me :o) A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users? Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40,$60,$100, $150 an hour to someone who is supposed to keep things running. So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form.
Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins. Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from someone in the backroom attitude. A saying I have used here in the past that I always used at work is that you can't be too busy cutting down trees to sharpen your axe. It applies both to training and scripting. If you are too busy to do nothing but the work in front of you, you will never see the edge of the forest as you get slower and slower at doing what you are doing. At some point you have to step back and spend some time to make yourself more informed or more efficient. The more time you spend getting more efficient, the more time you have to keep yourself informed and get even more efficient. Finally scripting requires understanding of how things are working, using the GUI doesn't. Trying to script processes forces a person to learn more about the product they are supporting and could very likely get them to learn enough that the next time they encounter a failure, they fully or at least more fully troubleshoot versus changing things in the GUI until it works. If you look at an admin making $35k a year versus one making $60k a year versus one making $80k a year versus one making $150k a year versus one making over $240k a year you are probably not looking at a raise in salary because someone knows the GUI better than the others. 
If you see someone who rose through those salary ranks in say 5 years, it isn't because they knew the GUI keyboard shortcuts. Understanding scripting makes you more valuable both because you can operate more efficiently and because you tend to have a better grasp of how things work because you are forced to learn the details which are covered by the GUI. Not only that, you can troubleshoot better because you have more options to you. I recently ran into an issue where someone entered a bad value for a DL expansion server. The value was so bad the GUI didn't even display it, instead it said the DL had no expansion server. The admin I was helping actually told me I was wrong when I said it was set and it was in fact set incorrectly because the GUI said it wasn't set. That is kind of scary to me. The GUI is an interpretation of what is there. Don't trust it that much. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 5:18 PM
RE: [ActiveDir] FSMO role transfer [going further OT...]
You probably already know them! I don't see those kinds of numbers for fortune 50 salaried IT jobs but as a consultant it's not unreasonable to bill them at $125+ per hour which would put you in the 240 range. Craig Cerino [EMAIL PROTECTED] wrote: I wanna meet the admin making $240K AND the CTO foolish enough to pay an Admin that money :)
RE: [ActiveDir] FSMO role transfer [going further OT...]
Often this is called a consultant. $125 * 2000hr = $25. There are eight people on my team, all of us admins or engineers responsible for a very large AD, Exchange, and Sharepoint deployment. You can do the math - we're all consultants. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Thursday, December 01, 2005 11:59 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer [going further OT...] I wanna meet the admin making $240K AND the CTO foolish enough to pay an Admin that money :)
RE: [ActiveDir] FSMO role transfer
Your links did not work -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Thursday, December 01, 2005 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Hey Rich - no need to script one yourself... Robbie's cookbook recipe 3.25 and 3.26 deal nicely with FSMO roles. 3.26 contains VBScript and Perl to transfer FSMO roles. http://www.rallenhome.com/books/adcookbook/code.html http://www.rallenhome.com/books/adcookbook/src/03.25-find_fsmos.vbs.txt http://www.rallenhome.com/books/adcookbook/src/03.26-transfer_fsmo.vbs.txt r/ Lou -Original Message- I was curious to see, with all these posts, no one ponied up with a real script to help out all these folks who are 1) not scripters and 2) amazed that moving the roles could be that easy. (I would post one but I have not actually scripted this... it's not currently my job :)
RE: [ActiveDir] FSMO role transfer
Joe, the comment was that TRANSFERRING the roles would be something trivial to do, not seizing the roles. I also agree, scripting is the difference between an admin who knows where to click, and an admin who knows what is going on when he clicks, when his mouse takes focus in the window, when the cursor hovers over a selection, etc, etc. Scripting may be like in the end of the Matrix when Neo sees all the green and black monochrome code when he looks around, a point in time where you can see the world around you for the code it is, and then you are able to master all aspects of it. It all depends on what pill these admins want to swallow. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 01, 2005 10:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I am not completely on board with a seize being trivial. Sure it is trivial in the act of doing it, but do you fully understand what is going on under the covers? With a FSMO transfer you are going from a known state to a known state in a controlled fashion. The new roleholder can talk to the old roleholder and understand EXACTLY what is going on so have a seamless move. A seize is going from an unknown state to a known state. For a role that doesn't have a state to worry about which is most of them, that is fine. But the RID master definitely has state and to a lesser extent so does the PDC master. Seizing a role isn't just a simple matter of popping in a value into an attribute and saying Done!. Well it could be, but you could get burned if that is all you do. I agree that it will be tough to convince one group to do something the other way. I do hope though that people think about what has been written and don't think seizing a role is trivial because the command to do it is easy to run. I am glad it is easy, the last thing you want is for a hard process to be required to rescue your system when you have issues. 
On the comment that transferring roles isn't a normal operating procedure. Maybe not in some places but it is a perfectly normal operating procedure, certainly more standard or normal than a seize. Transferring the PDC role in NT could be a bit painful at times but it is easy as pie in AD. I recall having a couple of occasions in the very beginning (first half 2000) where I got a trifle nervous at first from previous NT issues but quickly got over it. I don't think twice about moving roles. Heck we didn't even have to submit change control for that, we would just move the roles and send an email to the change list saying it had been done. It was considered SOP for maintaining domain operations. Finally and the last I will say about it... for the longest time and maybe even still I haven't looked lately MS said that the seize was the course of last resort, use it when the transfer fails. I realize MS warns about a lot of things but usually they have some basis for doing so. And if that isn't enough... if seizing roles was such a non-item, why wouldn't you just have a seize operation? Why have a transfer and a seize and cause this confusion? If they were the same, wouldn't you just have a single move the role button and no other mechanism whatsoever? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny Sent: Wednesday, November 30, 2005 4:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I think what was meant about the trivial part is around the seizing of the roles not the transfer. I would love to have much of the ntdsutil functionality built into the UI, even if at some point it requires you to reboot/restore, whatever. I don't think either camp is going to convince the other that you should or shouldn't transfer roles prior to some maintenance. It is almost a personality thing. 
I prefer not to transfer the role and deal with the possibility that I may need to seize it, on the rare case that something goes drastically wrong that I can not recover from before the role is actually needed. You architected the roles on specific DCs for a reason, if I forget to move it back I may end up with a DC hosting a role for a long time that I never meant to. Also, I don't consider transferring roles around part of the normal operating procedures. But that's just me. Thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew Sent: Wednesday, November 30, 2005 2:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer It is available in the AD snap-ins. In AD Domains Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure
RE: [ActiveDir] FSMO role transfer
The links might have wrapped...a casualty of the mail system - in either case go direct to rallenhome.com and follow the hyperlinks from there down to the book's source code, and then to those recipes. Hope that helps! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie Sent: Thursday, December 01, 2005 1:46 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] FSMO role transfer Your links did not work -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Thursday, December 01, 2005 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Hey Rich - no need to script one yourself... Robbie's cookbook recipe 3.25 and 3.26 deal nicely with FSMO roles. 3.26 contains VBScript and Perl to transfer FSMO roles. http://www.rallenhome.com/books/adcookbook/code.html http://www.rallenhome.com/books/adcookbook/src/03.25-find_fsmos.vbs.txt http://www.rallenhome.com/books/adcookbook/src/03.26-transfer_fsmo.vbs.txt r/ Lou -Original Message- I was curious to see, with all these posts, no one ponied up with a real script to help out all these folks who are 1) not scripters and 2) amazed that moving the roles could be that easy. (I would post one but I have not actually scripted this... it's not currently my job :)
Re: [ActiveDir] FSMO role transfer
Actually, I wanted to ask how messy it can become in a scenario where the admin didn't transfer the roles and went about maintenance, found it didn't work out and time is running out, so let me seize the role (it's only a trivial command). And meanwhile, the first role holder is back on the network and declaring ownership. And this ownership war went unnoticed by the admin for a day or two. What kind of trouble can we expect? Anything role specific? On replication? On authentication? On the overall health of AD?

I think asking and answering questions along the same line would surely put the decision into more perspective.

- Kamlesh

~~~ Fortune and Love befriend the bold ~~~

On 12/1/05, joe [EMAIL PROTECTED] wrote:

I am not completely on board with a seize being trivial.

Sure it is trivial in the act of doing it, but do you fully understand what is going on under the covers? With a FSMO transfer you are going from a known state to a known state in a controlled fashion. The new roleholder can talk to the old roleholder and understand EXACTLY what is going on so have a seamless move. A seize is going from an unknown state to a known state. For a role that doesn't have a state to worry about, which is most of them, that is fine. But the RID master definitely has state and to a lesser extent so does the PDC master. Seizing a role isn't just a simple matter of popping in a value into an attribute and saying "Done!". Well it could be, but you could get burned if that is all you do.

I agree that it will be tough to convince one group to do something the other way. I do hope though that people think about what has been written and don't think seizing a role is trivial because the command to do it is easy to run. I am glad it is easy, the last thing you want is for a hard process to be required to rescue your system when you have issues.

On the comment that transferring roles isn't a normal operating procedure. Maybe not in some places but it is a perfectly normal operating procedure, certainly more standard or normal than a seize. Transferring the PDC role in NT could be a bit painful at times but it is easy as pie in AD. I recall having a couple of occasions in the very beginning (first half 2000) where I got a trifle nervous at first from previous NT issues but quickly got over it. I don't think twice about moving roles. Heck we didn't even have to submit change control for that, we would just move the roles and send an email to the change list saying it had been done. It was considered SOP for maintaining domain operations.

Finally and the last I will say about it... for the longest time, and maybe even still (I haven't looked lately), MS said that the seize was the course of last resort, use it when the transfer fails. I realize MS warns about a lot of things but usually they have some basis for doing so. And if that isn't enough... if seizing roles was such a non-item, why wouldn't you just have a seize operation? Why have a transfer and a seize and cause this confusion? If they were the same, wouldn't you just have a single "move the role" button and no other mechanism whatsoever?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Wednesday, November 30, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

I think what was meant about the trivial part is around the seizing of the roles not the transfer. I would love to have much of the ntdsutil functionality built into the UI, even if at some point it requires you to reboot/restore, whatever.

I don't think either camp is going to convince the other that you should or shouldn't transfer roles prior to some maintenance. It is almost a personality thing. I prefer not to transfer the role and deal with the possibility that I may need to seize it, on the rare case that something goes drastically wrong that I can not recover from before the role is actually needed. You architected the roles on specific DCs for a reason, if I forget to move it back I may end up with a DC hosting a role for a long time that I never meant to. Also, I don't consider transferring roles around part of the normal operating procedures.

But that's just me.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Cace, Andrew
Sent: Wednesday, November 30, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

It is available in the AD snap-ins.

In AD Domains & Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master.

In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters.

In the Schema Management snap-in, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master.

Next question... Why isn't there a single place to click all
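
The "ownership war" asked about at the top of this thread shows up as domain controllers disagreeing on the `fSMORoleOwner` attribute, the value a seize overwrites. The following Python is an added example, not code from any list member: it parses one LDIF export per DC and reports the roles on which the DCs disagree; the DC1/DC2 names, the example.com domain and the export text are constructed sample data.

```python
from collections import defaultdict

# DN prefix (lower-cased) of the object whose fSMORoleOwner attribute names
# each role holder. The bare "dc=" test for the domain head must come last.
ROLE_OBJECTS = [
    ("cn=schema,cn=configuration,", "Schema master"),
    ("cn=partitions,cn=configuration,", "Domain naming master"),
    ("cn=rid manager$,cn=system,", "RID master"),
    ("cn=infrastructure,dc=", "Infrastructure master"),
    ("dc=", "PDC emulator"),
]
# Application partitions carry their own Infrastructure object; skip them.
APP_PARTITIONS = ("dc=domaindnszones,", "dc=forestdnszones,")


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def owner_server(ntds_dn):
    """'CN=NTDS Settings,CN=DC1,CN=Servers,...' -> 'DC1'."""
    rdns = ntds_dn.split(",")
    if len(rdns) < 2 or rdns[0].strip().lower() != "cn=ntds settings":
        raise ValueError("not an NTDS Settings DN: " + ntds_dn)
    return rdns[1].split("=", 1)[1].strip().upper()


def parse_role_owners(ldif_text):
    """Return {role: owning server} as seen by the DC that produced the export."""
    owners, dn = {}, None
    for line in unfold(ldif_text):
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key == "dn":
            dn = value.lower()
        elif key == "fsmoroleowner" and dn and not value.startswith(":"):
            # A value starting with ":" is base64 ("attr:: ...") and is skipped.
            if any(p in dn for p in APP_PARTITIONS):
                continue
            role = next((r for p, r in ROLE_OBJECTS if dn.startswith(p)), None)
            if role:
                owners[role] = owner_server(value)
        elif not line.strip():
            dn = None  # blank line ends the record
    return owners


def find_conflicts(views):
    """views: {dc: {role: owner}}. Return {role: {owner: [DCs naming that owner]}}
    for every role on which the DCs do not all agree."""
    conflicts = {}
    for role in sorted({r for v in views.values() for r in v}):
        by_owner = defaultdict(list)
        for dc, view in sorted(views.items()):
            by_owner[view.get(role, "<missing>")].append(dc)
        if len(by_owner) > 1:
            conflicts[role] = dict(by_owner)
    return conflicts


def self_claimants(conflicts):
    """Roles for which more than one DC names itself as the owner."""
    result = {}
    for role, owners in conflicts.items():
        selfish = sorted(o for o, dcs in owners.items() if o in dcs)
        if len(selfish) > 1:
            result[role] = selfish
    return result


# ---- constructed sample data: RID and PDC were seized on DC1 while DC2 was
# ---- down, and DC2 has come back still naming itself as the holder.
BASE = "DC=example,DC=com"
OBJECT_DNS = ["CN=Schema,CN=Configuration," + BASE,
              "CN=Partitions,CN=Configuration," + BASE,
              BASE,
              "CN=RID Manager$,CN=System," + BASE,
              "CN=Infrastructure," + BASE,
              "CN=Infrastructure,DC=DomainDnsZones," + BASE]


def sample_export(servers):
    """Build a constructed LDIF export with folded attribute values."""
    lines = []
    for dn, server in zip(OBJECT_DNS, servers):
        lines += ["dn: " + dn,
                  "fSMORoleOwner: CN=NTDS Settings,CN=%s,CN=Servers," % server,
                  " CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + BASE,
                  ""]
    return "\n".join(lines)


DC1_LDIF = sample_export(["DC1", "DC1", "DC1", "DC1", "DC2", "DC1"])
DC2_LDIF = sample_export(["DC1", "DC1", "DC2", "DC2", "DC2", "DC1"])

if __name__ == "__main__":
    views = {"DC1": parse_role_owners(DC1_LDIF),
             "DC2": parse_role_owners(DC2_LDIF)}
    conflicts = find_conflicts(views)
    for role, owners in conflicts.items():
        print(role, "->", owners)
    print("both claim ownership:", self_claimants(conflicts))
```

A disagreement on the RID master is the one to act on first, since that is the role the thread singles out as carrying state.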
RE: [ActiveDir] FSMO role transfer
PITA Rich... ;o)

I will see if I can dig up the CMD file I used to use. It is just a couple of commands sent into NTDSUTIL.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, December 01, 2005 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

...Why not one click?...

If you script it all up, you can add a one-click button to a custom msc. Use input boxes for server names instead of passing them as parameters or hard-coding. Or better yet, put it into an hta and launch that from a button.

I was curious to see, with all these posts, no one ponied up with a real script to help out all these folks who are 1) not scripters and 2) amazed that moving the roles could be that easy. (I would post one but I have not actually scripted this... it's not currently my job :)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, November 30, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

It can be. It's easily scripted.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

That's my point. If this is... according to some of the threads on this, it is normal, regular, and part of a risk management process to just move these roles around, yes?

Why not one click?

Cace, Andrew wrote:

It is available in the AD snap-ins.

In AD Domains & Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master.

In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters.

In the Schema Management snap-in, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master.

Next question... Why isn't there a single place to click all of these?

-Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

stupid question alert

If the task is that trivial
If the benefit is so great
Why isn't it part of the AD snap-ins as a one button task?

sincerely,
who needs scripting when you can ask for a gui/wizard or button instead

David Adner wrote:

I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process.

And again, I'm not saying I don't see your point; I just don't agree with it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA
Sent: Wednesday, November 30, 2005 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable?

Nathaniel Vincent Bahta

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, November 30, 2005 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue.

If your philosophy is to take every proactive measure ahead
RE: [ActiveDir] FSMO role transfer
Exactly, and Alain is another person used to working with big customers, both previously at HP and now with MS.

Consider savings to a company who can hire one person whose automation capabilities means you can hire 2 less people on a normally 10 person team, or 7 less people... Or solves issues much quicker because they use scripts to filter down the problem from large sets of data that you would almost never find a solution in manually. I have seen folks take hundreds of MBs of network trace logs and write a script to parse it down to 2k of critical information that blows the issue wide open and makes it totally obvious that NEVER would have been found by looking at them in Ethereal or anything else.

We are computer people but we don't always use the computers to our advantage. Don't let people do work that computers can do all by themselves.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Thursday, December 01, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Once you are known for your automation capabilities (WSH, MONAD, programming tools, Perl, whatever), believe me there are companies (usually with large deployments) that are more than happy to hire you on a project. I cannot say that it is the case for all companies (it is also a question of awareness), but as far as I'm concerned, all my professional experience has been made this way because of scripting/automation (from CMD to any kind of programming and automation technique). Once they know how much time they can save, how fast things can be done, they are more than happy to pay the price to get this type of knowledge on board.

/Alain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, December 01, 2005 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

While I agree with the scripting making you a better admin part, I've never worked for an employer who offered me more $$ because of scripting. Or any interview or employer who cared other than a "that's cool" attitude when I wrote a script to automate something. Maybe I'm working for the wrong people.

I've just been teaching myself VBScript in the past few months and I've written some scripts for my employer alone and with the help of this list (a lot of help) and lately I've been gaining the confidence not to rely on this list as much, but my scripting is more for my own personal benefit and knowledge rather than $$ driven because my employer has never indicated that the ability to script was something that was a real value in his/her mind.

Scripting, to the employers I've worked for, seems more like knowing about this list - a personal resource that you as an employee chose to use to perform your job better or gain more info, but not something that in and of itself is valued, it seems. Again, I could be working for the wrong people.

Also, ironically, I've yet to work in a Windows shop where I met someone who knew how to script.

In fact, in Joe's salary chart of $35,000 to $240,000, I fall in the next to last category. I started at the first/lowest range and in less than 4 years got to ~ the next to last one without knowing any scripting at all. I guess that's a sign of the lack of uniformity in the industry.

On the other hand, I think you should know how to script to be a good admin and I've been busting my butt of late to do just that. But like I said, it's just for my own knowledge that I choose to do so. I don't expect any $$ for it or advance in my career.

Just my random thoughts...

On 12/1/05, joe [EMAIL PROTECTED] wrote:

Wow I feel heat directed at me :o)

A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users?

Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40, $60, $100, $150 an hour to someone who is supposed to keep things running.

So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied
RE: [ActiveDir] FSMO role transfer
Yep, you picked that out of what I said

Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, December 01, 2005 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Rocky - keep in mind that a typical Admin job in a big company is user administration, computer account administration, patching member servers, checking backup logs, and various other routine administration (hence Admin) - and tricky things get passed up the chain to level 2. In a mid-size or small company, some jobs titled Admin should really be titled Engineer or Analyst because they do things like Exchange troubleshooting, replication troubleshooting, hardware upgrade planning, etc. as well as the occasional user account issue, etc.

He's talking (forgive me Joe if I misinterpret here) about the former, your classic Admin who hopefully doesn't have much rights and takes day-to-day administrative tasks. There are probably not a lot of those people on this list. There is the possibility though that some admin Admins do spend the whole day in deep concentration over creating and modifying individual user accounts, etc... nuff said about that.

But for the do-all mis-titled Admin/Engineer, if you're spending all your time handling routine admin tasks and can't be proactive with more of the engineering stuff - well eventually (and more commonly nowadays) you are going to need to pick up scripting or some way of automating things (as Tom has found), or someone else will get hired who can.

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, December 01, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

joe,

I can't believe you said this.

Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins.

I stopped reading after this. Sorry. But I've got to cool down first. I've no argument with anything above this line and I concur and understand.

BUT

This is flat out wrong.

Sorry.

YMYMYM

RH
___

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Thursday, December 01, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Wow I feel heat directed at me :o)

A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users?

Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40, $60, $100, $150 an hour to someone who is supposed to keep things running.

So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form.

Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins.

Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served by a script, I don't have that experience, I would expect however that there is quite a bit that could be scripted or else Susan wouldn't have the I would rather see something safe from MS than a script from
RE: [ActiveDir] FSMO role transfer [going further OT...]
I knew a guy back in about 97 or so who made about 300k a year doing random Windows consulting (he was an outside consultant for CompuWare) and he drove an Escort GT. He arrived late, left early, usually demanded to be let out of the contracts prior to their time frame termination but with full payout because he already had the final solution. Very bright guy, extremely pig-headed and a serious pain in the butt.

Other than that, I can say I have known high level Ops admins making 250k, at least one very well. Keep in mind these are people that when they do things well can literally save a company millions or more a year. When they are called in for a problem with 50, 60, 150 thousand users or entire manufacturing plants hard down they get things corrected fast. Failure to do so and the company is losing salary as well as unnamed other things that add up very very quickly.

I know this one admin who worked his normal 12 hour shift, went home, mowed his 1 acre lawn with a walk behind mower (48 inch deck), sat down with a lemonade and was called back into work (35 mile drive one way) to work all night on combatting the "I love you" virus because it had literally ground the Fortune 5 company to a near dead halt. His scripted and executable solutions he whipped together combined with his deep knowledge of the environment had them back up and running the next morning. When he left at 10AM the next morning, he was still covered in grass clippings. You don't often get that work quality out of an Admin making 40k.

If you want to pay your admins 40k, you deserve whatever it is you get. Especially if you have a list as long as my arm of all of the skills and deep knowledge that the person is supposed to have combined with a degree or two. I outright laugh at about 80% of the headhunters that contact me when I see the list of requirements and then see the salary being offered. Ops can be extremely stressful and difficult.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Howard
Sent: Thursday, December 01, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer [going further OT...]

You probably already know them! I don't see those kinds of numbers for fortune 50 salaried IT jobs but as a consultant it's not unreasonable to bill them at $125+ per hour which would put you in the 240 range.

Craig Cerino [EMAIL PROTECTED] wrote:

I wanna meet the admin making $240K AND the CTO foolish enough to pay an Admin that money :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 01, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer [going further OT...]

admins earning over $240k ??!!

I guess we need to define the word "admin" coz I'm not paying what I consider to be an admin that kinda money :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 01 December 2005 14:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Wow I feel heat directed at me :o)

A non-scripting admin can not survive very well if at all in a large org unless the org is willing to spend a lot of money for extra admins to cover the overhead of wading through the GUI. Take my last ops position as an example. Three people handling a Fortune 5 AD. Couldn't feasibly be done with the GUI. How long does it take you to enter 100 new subnets? What if you need to expire 8,000 users a day until you have expired all 200,000 users?

Is that real admin work or is it clerk work if you are simply clicking on something in a GUI? If I were a manager of a business, I would rather pay a contractor or other service $10 or $15 an hour to click buttons for something like that than pay $40, $60, $100, $150 an hour to someone who is supposed to keep things running.

So back to the 100 subnets question. How long in Sites and Services? Hours? What are the chances of a mistake? High? Now you write a script to do it, how long? Maybe hours to write it and then seconds to minutes to run for ever after? Chances of a mistake? Low for entry, also severely reduced for supplied data if script has sanity checks in it? Also once in script form it is that much easier to say put on a web site and delegate to others to do by entering basic answers to basic questions in a form.

Don't create 100 subnets in small org? What other items do you do that are no-brainer work that could be scripted. If you didn't have that workload how much other work could you get done? Rarely are admins ever really doing hard admin type thinking/troubleshooting work constantly except for the folks who take on escalations from lower level admins.

Possibly this is different in the SBS world and there is no repetitive work being done that isn't better served
RE: [ActiveDir] FSMO role transfer
I still respectfully disagree. Something *is* broke and *does* need to be fixed and how can we all be certain that the downtime will actually be 2 hours?

Transferring a role is a trivial task which we have all tested and performed in prod many times. Seizing needs more thought and testing, but transfers are much less of an issue.

I don't see the big issue with spending 5 mins of time transferring roles and thus buying yourself peace of mind. If the downtime window needs to be 2 days rather than 2 hours, then you know you've moved the roles gracefully and avoided the nasty FSMO seizure process.

proactive, rather than reactive :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: 29 November 2005 17:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Going by the "If it ain't broke don't fix it" adage or the idea of "Don't mess with the production environment while IN production" I would still say leave the FSMO roles where they are. If you want to try or tinker with or test transferring or (actually) seizing FSMO roles set up a test environment and give it a whirl (if you have the resources).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site).

More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down. Hopefully, the poster has considered this latter scenario.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Amy,

If it's what you need to hear (for peace of mind or reassurance) leave the FSMO roles where they are - you'll be fine.

You don't need to transfer the roles if you're talking about a timeframe of 2 hours - when you bring it back on line - I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FSMO role transfer

Hi guys,

We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.

Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.

Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice?

Amy
RE: [ActiveDir] FSMO role transfer
I think we've missed the essence of the original post :)

The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles.

If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles.

The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: 29 November 2005 23:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's.

Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; ie: you seize the roles, restore from backup, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, November 29, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed..

Chuck
RE: [ActiveDir] FSMO role transfer
Yeah Thanks a lot Gil ! This is all we need to hear and be reminded of. For YEARS I have resisted putting a tag line at the end of my email, but I have always had one that I was fond of. Now I just might consider it. I'm trademarking it so don't copy it. It's all just a house of cards! RH ___ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gil Kirkpatrick Sent: Tuesday, November 29, 2005 5:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer By definition, the impact of a maintenance task is expected to be low. But the behavior of a server isn't always predictable after you change the software and/or configuration and reboot it. Sometimes just the power or temperature fluctuation is enough to kick a marginal component over the edge. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 12:16 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer If you want 100% insurance then yes transfering the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transfered or not. So.. define maintenance task... what is the impact of the maintenance task? jorge From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Tue 11/29/2005 6:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I'd move the FSMOs just in case something happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f* up and have to restore? It seems like about a 1-in-25 chance that something will go wrong. 
-gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest) If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. 
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
RE: [ActiveDir] FSMO role transfer
Yeah my fault, I brought up the reboot. I would and do move roles in production for reboots. Same logic you state, only role moves take seconds so no reason not to do it for a reboot as well as maintenance. Something else I was thinking about last night about this post when I was doing some photo artwork for this year's holiday card was that the environments I have done ops for are probably a bit different from a majority of this list. These are environments that put you in Change Control meetings for hours a week while you listen to every change that is going to happen on machines from PC Servers up through Numerical Intensive Computing on Super Clusters and very high end SGI, Cray's, and Mainframes to make sure there is nothing that could possibly impact you. An environment where you are lucky to get a schema modification (even something as silly as linking Drink to a user) tested and approved in the course of 6 months. Basically, there really is not time allocated for any domain/forest functions to be down. Doesn't mean machines can't be down, but all functions of the domain/forest that could possibly be needed by anyone anywhere need to be up. Given that, the forest roles aren't critical because they were owned and used only by our group of 3 people. However roles like say the PDC which *is used* for far more than legacy password changes must be available if only for poorly written apps (or even good apps like GPOtools) that look for the PDC and use it. Keep in mind that one large function of the PDC is the handling of PDC Chaining which is pretty important in a large environment. With the PDC down, a password change can take the domain wide replication latency convergence period to be fully operational (say 30 minutes to an hour and 15 minutes if changed in a spoke of a hub and spoke environment with intersite replication reduced to 15 minutes) where with the PDC in place it is fully operational immediately.
This isn't trivial because there are thousands of password changes daily just from normal password expiration churn. Also RID Master functionally could be needed at any time as we are talking hundreds of thousands of users and machines and again, normal churn. Creation of a batch of several hundred users or computers off of a single DC in a very short time frame would certainly not be unheard of. Now let's say there is an issue, no matter how small. If it impacted anyone, you have to A) Fix it B) Work out why it happened and why and how it won't happen again C) Stand in a series of meetings that could very easily drag on for hours and hours over the course of a couple of months explaining to the nth degree A and B to high level management who last did anything truly technical when mainframes were the only computing environment. All of that being said, I think moving the FSMO roles any time the FSMO role holder will be unavailable for any period of time is a good solid exercise. It is such a simple painless exercise when scripted. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 3:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different.
neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: 29 November 2005 23:26 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require
RE: [ActiveDir] FSMO role transfer
There is an old saying (well at least it seems old, I recall first hearing it in a programming course at Michigan State University back in 1988 or so) that I have heard various forms of: If builders made buildings the way programmers wrote programs, the first woodpecker that came along would destroy civilization. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, November 30, 2005 8:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Yeah Thanks a lot Gil! This is all we need to hear and be reminded of. For YEARS I have resisted putting a tag line at the end of my email, but I have always had one that I was fond of. Now I just might consider it. I'm trademarking it so don't copy it. It's all just a house of cards! RH ___ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Tuesday, November 29, 2005 5:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer By definition, the impact of a maintenance task is expected to be low. But the behavior of a server isn't always predictable after you change the software and/or configuration and reboot it. Sometimes just the power or temperature fluctuation is enough to kick a marginal component over the edge. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 12:16 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer If you want 100% insurance then yes transferring the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transferred or not. So.. define maintenance task... what is the impact of the maintenance task?
jorge From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Tue 11/29/2005 6:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I'd move the FSMOs just in case something happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f* up and have to restore? It seems like about a 1-in-25 chance that something will go wrong. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer First, look at each role and see what it does... Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest) If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. 
it will be OK for those 2 hours Cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like
RE: [ActiveDir] FSMO role transfer
Sorry I had to express myself here. Love the analogy. Well said. From: joe Sent: Tue 29/11/2005 9:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Actually I make all DCs that have a possibility of being the forest root PDC synchronize from an external source. I haven't ever run DNS on DCs so I can't say anything to that, however if I did, I might consider it. There really is nothing to moving FSMO roles. Have you had a FSMO role move failure that makes you giddy about them? I was serious when I said that moving the roles was a 5 second operation. It doesn't take regular failures (hardware, software, or other) to have one just occur at any random time. It is just like house insurance, you don't buy it because you want to use it or even expect to use it, you buy it to cover you in the event something does happen. Everyone has to make a judgement call as to whether the insurance costs outweigh the impact of whatever it is the insurance protects against. Moving FSMO roles would be insurance, the thing it is protecting against is the possibility of some dorked up issue coming up when the server is going down or coming up or if it doesn't come up at all. If you use the manual steps, the overhead is minutes, if you use scripts the overhead is seconds. That is better than the pennies a day used to sell people on other insurance. I would be afraid if my customers were so weak on procedure that moving a FSMO role was considered hard or dangerous. Obviously this is something that everyone is going to have different feelings on. I certainly don't care what people do on their own, my process and what I recommend is to move the roles. I much rather move roles than seize them. Seizing is when I get concerns such as RID pools and now you are locked into what you are doing with the offline DC. Overall I would say that a vast majority of the reboots and maintenance work I have done didn't appear after the fact to need the FSMO move.
But I figure the few minutes spent over the years wasn't an excessive administrative cost to do the FSMO moves. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Tuesday, November 29, 2005 6:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; ie: you seize the roles, restore from backup, etc.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Tuesday, November 29, 2005 4:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :) --- Rich Milburn, MCSE, Microsoft MVP - Directory Services, Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W. 107th St, Overland Park, KS 66207, 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 11:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck
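joe's point in the message above, that a role move costs seconds once it is scripted and is preferable to a seize, as an added example (not code from any list member): a PowerShell pre-maintenance script built on the ActiveDirectory module's `Move-ADDirectoryServerOperationMasterRole`, which postdates this 2005 thread where ntdsutil was the tool. It assumes a single-domain forest like the original poster's, and the two DC names are placeholders supplied by the operator.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread: graceful FSMO hand-off before DC maintenance.
# Assumes a single-domain forest and the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess)]
param(
    # DC about to be taken down (placeholder such as dc1.example.test)
    [Parameter(Mandatory)] [string] $SourceDC,
    # DC that stays online and receives the roles (placeholder such as dc2.example.test)
    [Parameter(Mandatory)] [string] $TargetDC
)

$ErrorActionPreference = 'Stop'

function Get-FsmoHolder {
    # Returns the current owner (FQDN) of each of the five roles, as seen by $Server.
    param([Parameter(Mandatory)] [string] $Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Normalise both names to the FQDNs that Get-ADForest/Get-ADDomain report.
$source = (Get-ADDomainController -Identity $SourceDC -Server $TargetDC).HostName
$target = (Get-ADDomainController -Identity $TargetDC -Server $TargetDC).HostName
if ($source -eq $target) { throw 'Source and target DC are the same machine.' }

# Work out which roles actually live on the DC that is going down.
$before = Get-FsmoHolder -Server $target
$toMove = @($before.Keys | Where-Object { $before[$_] -eq $source })

if ($toMove.Count -eq 0) {
    "$source holds no FSMO roles; nothing to transfer."
    return
}

if ($PSCmdlet.ShouldProcess($target, "Transfer $($toMove -join ', ') from $source")) {
    # -Force is deliberately absent: with it the cmdlet seizes the role. Without it the
    # current holder must be online and cooperate, so a failure here stops the maintenance.
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $toMove -Confirm:$false

    # Re-read ownership from the target and fail loudly if any role did not move.
    $after = Get-FsmoHolder -Server $target
    $stuck = @($toMove | Where-Object { $after[$_] -ne $target })
    if ($stuck.Count -gt 0) { throw "Still on ${source}: $($stuck -join ', ')" }

    # The time-sync question raised in the thread: a new forest-root PDC emulator
    # needs an authoritative time source configured.
    if ($toMove -contains 'PDCEmulator') {
        Write-Warning "PDC emulator moved to $target; check its time source if this is the forest root."
    }

    $after.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
}
```

Running it with `-WhatIf` lists the roles that would move without changing anything; running it again with the two names swapped hands the roles back after maintenance.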
RE: [ActiveDir] FSMO role transfer
I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. 
And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; ie: you seize the roles, restore from backup, etc. *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Rich Milburn *Sent:* Tuesday, November 29, 2005 4:26 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :) --- Rich Milburn, MCSE, Microsoft MVP - Directory Services, Sr Network Analyst, Field Platform Development, Applebee's International, Inc., 4551 W.
107th St, Overland Park, KS 66207, 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of [EMAIL PROTECTED] *Sent:* Tuesday, November 29, 2005 11:56 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] FSMO role transfer If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck
RE: [ActiveDir] FSMO role transfer
Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? 
Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. 
Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; ie: you seize the roles, restore from backup, etc. -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Rich Milburn *Sent:* Tuesday, November 29, 2005 4:26 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :)
RE: [ActiveDir] FSMO role transfer
That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. 
We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? 
If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your
Re: [ActiveDir] FSMO role transfer
Mr pedantic here, That's a stitch in time saves nine. -Original Message- From: Bahta Nathaniel V Contractor NASIC/SCNA [EMAIL PROTECTED] Date: Wed, 30 Nov 2005 13:32:13 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. 
neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's. Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical
RE: [ActiveDir] FSMO role transfer
I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. 
This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. 
The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE
RE: [ActiveDir] FSMO role transfer
Perhaps 'six of one or half a dozen of the other' would apply to this thread. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, November 30, 2005 12:52 PM To: ActiveDir.org Subject: Re: [ActiveDir] FSMO role transfer Mr pedantic here, That's a stitch in time saves nine. -Original Message- From: Bahta Nathaniel V Contractor NASIC/SCNA [EMAIL PROTECTED] Date: Wed, 30 Nov 2005 13:32:13 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. 
I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. 
neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you
Re: [ActiveDir] FSMO role transfer
stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. 
If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. 
Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very different - if one were to perform a risk analysis the actions taken to mitigate those risks would be suitably different. neil -- -- *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *David Adner *Sent:* 29 November 2005 23:26 *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer I would only agree if you told me your DC's regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I
RE: [ActiveDir] FSMO role transfer
You're referring to seizing roles? Perhaps it's not in the GUI because it's not a task that needs to be performed on a regular basis. In fact, it should be a very rare situation and isn't something that you want to accidentally stumble upon. I'm not a developer, but I would suspect the frequency of a task is one of the primary factors in determining if it's included in the base GUI. If you're talking about transferring roles, then that's already in the GUI. I'm not sure what you mean by if the benefit is so great with regards to if it's better to transfer or seize FSMO roles... As to who needs scripting vs GUI/wizard... That debate would most likely dwarf this one. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? 
It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. 
As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I
RE: [ActiveDir] FSMO role transfer
It is available in the AD snap-ins. In AD Domains & Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snap-in, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. Next question... Why isn't there a single place to click all of these? -Andrew

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead

David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me.
I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? 
neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly
Re: [ActiveDir] FSMO role transfer
That's my point. If this is .according to some of the threads on this, it is normal, regular, and part of a risk management process to just move these roles around, yes? Why not one click?

Cace, Andrew wrote: It is available in the AD snap-ins. In AD Domains & Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snap-in, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. Next question... Why isn't there a single place to click all of these? -Andrew

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead

David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it?
It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. 
As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup. [EMAIL PROTECTED] wrote: I think we've missed the essence of the original post :) The DCs
RE: [ActiveDir] FSMO role transfer
It can be. It's easily scripted.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 4:39 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer That's my point. If this is .according to some of the threads on this, it is normal, regular, and part of a risk management process to just move these roles around, yes? Why not one click?

Cace, Andrew wrote: It is available in the AD snap-ins. In AD Domains & Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snap-in, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. Next question... Why isn't there a single place to click all of these? -Andrew

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 30, 2005 3:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer stupid question alert If the task is that trivial If the benefit is so great Why isn't it part of the AD snap ins as a one button task? sincerely, who needs scripting when you can ask for a gui/wizard or button instead

David Adner wrote: I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA Sent: Wednesday, November 30, 2005 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable? Nathaniel Vincent Bahta -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, November 30, 2005 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 30, 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 30 November 2005 15:29 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance
RE: [ActiveDir] FSMO role transfer
I think what was meant about the trivial part is around the seizing of the roles not the transfer. I would love to have much of the ntdsutil functionality built into the UI, even if at some point it requires you to reboot/restore, whatever. I don't think either camp is going to convince the other that you should or shouldn't transfer roles prior to some maintenance. It is almost a personality thing. I prefer not to transfer the role and deal with the possibility that I may need to seize it, on the rare case that something goes drastically wrong that I can not recover from before the role is actually needed. You architected the roles on specific DCs for a reason, if I forget to move it back I may end up with a DC hosting a role for a long time that I never meant to. Also, I don't consider transferring roles around part of the normal operating procedures. But that's just me.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Wednesday, November 30, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

It is available in the AD snap-ins. In AD Domains & Trusts, you can transfer the Domain Naming master by right-clicking the name of the snap-in in tree-view and choosing Operations Master. In ADUC, right-click the name of the domain and choose Operations Master to transfer the RID, PDC, and Infrastructure masters. In the Schema Management snapin, you can transfer the Schema master by right-clicking Active Directory Schema and choosing Operations Master. Next question...Why isn't there a single place to click all of these?

-Andrew
Re: [ActiveDir] FSMO role transfer
A lot more is going on behind the scenes when transferring FSMOs besides checking boxes -- Also there's more to moving to Domain Naming Master -- Chuck

-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wed, 30 Nov 2005 13:38:43 -0800
Subject: Re: [ActiveDir] FSMO role transfer

That's my point. If this is... according to some of the threads on this, it is normal, regular, and part of a risk management process to just move these roles around, yes? Why not one click?
RE: [ActiveDir] FSMO role transfer
Susan, THANK YOU !!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't allocate time to learn scripting right now because I'm overworked as is. I'll just leave it at that.

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 30, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

stupid question alert
If the task is that trivial
If the benefit is so great
Why isn't it part of the AD snap ins as a one button task?

sincerely, who needs scripting when you can ask for a gui/wizard or button instead

David Adner wrote:

I'm not debating the effort it takes to make the change. I'm saying I don't see the point in devoting whatever amount of effort it takes for something that's going to provide benefit only, IMO, an extremely rare case. And if that case happened, the corrective action is also a trivial process. And again, I'm not saying I don't see your point; I just don't agree with it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contractor NASIC/SCNA
Sent: Wednesday, November 30, 2005 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

That process is trivial in itself. It does not take much to transfer the roles before you conduct maintenance on a server. Why not do it? It will save you cleaning up metadata after you seize a role of a failed operations master. Sounds like a stitch in nine saves time concept to me. I do not intend on taking every proactive measure either, but when it comes to the small and quickly implemented measures that could save plenty of time, I try to utilize all of them available. Is that agreeable?

Nathaniel Vincent Bahta

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, November 30, 2005 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Any proper maintenance plan has a backout plan and a recovery plan, so I am preparing for the possibility of an unexpected problem. If I'm pulled into a dark room because something goes wrong then I should feel confident I'll leave that room with my hide mostly intact; it may be slightly singed, but I can live with that. If management isn't the reasonable type then that's a different issue. If your philosophy is to take every proactive measure ahead of time possible, then that's fine. I just don't see the point with regards to FSMO roles when the recovery action is a relatively trivial process. This is obviously a matter of personal preference so I'm not trying to convince others to change. I just found the concept unusual so I thought I'd share.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 30, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

I would rather, as stated earlier, assess the risk and then act appropriately. The original poster never defined 'maintenance' in detail. The original post did state that the box would be down for ~2 hours for maintenance. This is clearly more than a patch and a reboot. We've been over that scenario and concluded that it carries a lesser risk. As joe said, if the maintenance all goes badly wrong, do you want to be pulled into a dark room and questioned as to why you did not prepare for that eventuality?

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 30 November 2005 15:29
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

Okay define maintenance please? Patching? Service Pack? Applying QFEs? Performance tuning? What? Is there a level of maintenance that would cause you to move FSMO's and not? Like for example, if I'm patching, I've tested the patch, I'm reasonably expecting a favorable outcome otherwise I wouldn't be deploying, I have a backup.

[EMAIL PROTECTED] wrote:

I think we've missed the essence of the original post :) The DCs are not just being rebooted, they are being 'maintained' and will be down for ~ 2 hours. That means to me, that either a s/w or h/w change is going to occur which could go horribly wrong. Faced with this situation, I would definitely transfer the roles. If the DC were merely being rebooted and nothing else is scheduled to occur, I would not transfer roles. The above 2 scenarios are very
RE: [ActiveDir] FSMO role transfer
Well, I just think that most of the people in the command line and/or scripting camp like to encourage others to learn to use them simply because they feel it's to your benefit. I don't think they really like to promote the you're not a real admin... sentiment. Or at least I hope not :-) Right now in my org, I'm in the minority using the CLI. I just prefer working that way and don't knock my colleagues for their methods, but rather show them other ways to get at the info they need. CLI and scripting fosters your knowledge of what's happening in the background, helps you learn the product and truly is a great way to automate tasks! (if not THE way) For the longest time I've been meaning to learn VBscript, but haven't devoted enough time to go for it yet. From what I've seen so far, it scares me :-P but I still intend to give it a shot. I've been getting by with Perl and CMD shell for now (I came from a KSH/*nix background). Have you seen some of the sample command shell scripts Dean has put together? Or the stuff that Alain Lissoir can do with WMI? Wow! Anyway, this topic has drifted further now, but I'm going to resist the urge to change the subject line. The last time I did that, we had a little side bit just on the fact that the subject line changed! :-D

-DaveC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, November 30, 2005 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Susan, THANK YOU !!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't allocate time to learn scripting right now because I'm overworked as is. I'll just leave it at that.

RH
RE: [ActiveDir] FSMO role transfer
Real admins do what they need to do, however works for them. I use GUI tools when available convenient, and cmdline when convenient. Generally, I would prefer to not have any GUI at all on most of my servers, but that's just me.

Derek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, November 30, 2005 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Susan, THANK YOU !!! There are a LOT of people on this list that do not believe that real Admins use the GUI. Some believe that you're not a real Admin if you do. I do. I have to. I can't allocate time to learn scripting right now because I'm overworked as is. I'll just leave it at that.

RH
Re: [ActiveDir] FSMO role transfer...sorta wandering off into Scripting
But why reinvent the wheel individually when we should be asking Microsoft to either fix the wheel or build us a wheel in the first place? If it's a task that is repetitively done, has value, is used over and over again, I'd rather trust a gui wizard/console/button that's gone through beta testing by various testers that lays down an audit log file than a home grown script [no offense guys] that I'd have to go get interpreted. Take the Security configuration wizard for example.. versus your own home grown version of the same. I'll take the SCW because I can see and confirm the resulting XML file, the program has been through beta testing process so in my brain I assign it a bit of lesser testing resources. For my space, I trust the gui way more than I do a script from a web site that possibly wasn't built with SBS in mind. But the gang that does Scripting drools over Monad. So get ready for Scripting on steroids.

http://www.microsoft.com/downloads/details.aspx?FamilyID=2ac59b30-5a44-4782-b0b7-79fe2efd1280&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a3c71d1-18e5-49d7-952a-c55d694ecee3&displaylang=en

David Cliffe wrote:

Well, I just think that most of the people in the command line and/or scripting camp like to encourage others to learn to use them simply because they feel it's to your benefit. I don't think they really like to promote the you're not a real admin... sentiment. Or at least I hope not :-) Right now in my org, I'm in the minority using the CLI. I just prefer working that way and don't knock my colleagues for their methods, but rather show them other ways to get at the info they need. CLI and scripting fosters your knowledge of what's happening in the background, helps you learn the product and truly is a great way to automate tasks! (if not THE way) For the longest time I've been meaning to learn VBscript, but haven't devoted enough time to go for it yet. From what I've seen so far, it scares me :-P but I still intend to give it a shot. I've been getting by with Perl and CMD shell for now (I came from a KSH/*nix background). Have you seen some of the sample command shell scripts Dean has put together? Or the stuff that Alain Lissoir can do with WMI? Wow! Anyway, this topic has drifted further now, but I'm going to resist the urge to change the subject line. The last time I did that, we had a little side bit just on the fact that the subject line changed! :-D

-DaveC
RE: [ActiveDir] FSMO role transfer...sorta wandering off into Scripting
There is no way for MS to think of every eventuality and to support every possibility that a customer (or even a large group of customers) may want and/or desire. At NT4 and before, if that was the case, you were pretty much SOL; unless you could do some pretty heavy C-or-C++ coding. Starting with Windows 2000, greatly improved with Windows Server 2003, and [drool] revolutionarily improved with Monad -- you could script things yourself without having to be a rocket-scientist. I'll take a script, that I can review and correct if necessary, before a wizard written by someone with SBS in mind. :-)

M

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, November 30, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer...sorta wandering off into Scripting

But why reinvent the wheel individually when we should be asking Microsoft to either fix the wheel or build us a wheel in the first place? If it's a task that is repetitively done, has value, is used over and over again, I'd rather trust a gui wizard/console/button that's gone through beta testing by various testers that lays down an audit log file than a home grown script [no offense guys] that I'd have to go get interpreted. Take the Security configuration wizard for example.. versus your own home grown version of the same. I'll take the SCW because I can see and confirm the resulting XML file, the program has been through beta testing process so in my brain I assign it a bit of lesser testing resources. For my space, I trust the gui way more than I do a script from a web site that possibly wasn't built with SBS in mind. But the gang that does Scripting drools over Monad. So get ready for Scripting on steroids.

http://www.microsoft.com/downloads/details.aspx?FamilyID=2ac59b30-5a44-4782-b0b7-79fe2efd1280&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a3c71d1-18e5-49d7-952a-c55d694ecee3&displaylang=en
RE: [ActiveDir] FSMO role transfer
First, look at each role and see what it does...

Forest FSMOs
* Schema Master -- needed when updating the schema
* Domain Naming master -- needed when adding or removing domains within the forest

Domain FSMOs
* PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest)

If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either.

In short: leave as is. it will be OK for those 2 hours

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FSMO role transfer

Hi guys,

We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.

Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs.

Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice?

Amy

To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] FSMO role transfer
Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site).

More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down. Hopefully, the poster has considered this latter scenario.

hth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: 29 November 2005 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Amy,

If it's what you need to hear (for peace of mind or reassurance) leave the FSMO roles where they are - you'll be fine. You don't need to transfer the roles if you're talking about a timeframe of 2 hours - when you bring it back on line - I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.
RE: [ActiveDir] FSMO role transfer
It probably depends on what you're doing during those 2 hours. If I were installing SP1 on a DC that had problems rebooting/booting in the past, or has known HW issues, or for some odd reason the machine is not on a UPS when installing a Service Pack, I think it would be easier to move the FSMO roles in the case of failure so that you don't have to seize the roles and clean stuff up so quickly.
RE: [ActiveDir] FSMO role transfer
Going by the "If it ain't broke don't fix it" adage or the idea of "Don't mess with the production environment while IN production" I would still say leave the FSMO roles where they are. If you want to try or tinker with or test transferring or (actually) seizing FSMO roles set up a test environment and give it a whirl (if you have the resources).
Re: [ActiveDir] FSMO role transfer
You can have the servers down for 2 hours with the Forest FSMO roles and/or the Domain FSMO roles for cleanup without concern. It would become more of an issue if for a day or more. Also bear in mind what each FSMO role does since each is unique to a domain or the entire forest so that you don't rely on those things at the time of the cleanup. One other consideration is that the three domain roles are easier to transfer but don't worry about them for scheduled maintenance of as short as 2 hours.

Chuck Gafford
Systems Architect
Unisys
Re: [ActiveDir] FSMO role transfer
If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck
RE: [ActiveDir] FSMO role transfer
OK, I've been waiting for this one.

If we have yet to move our 2K3 FFL DCs (Both Root Domain and Child Domain) to SP1 because of small concerns like "No one being able to log on", would you move the roles first (ie: Off the Forest Root FSMO and the Child Domain FSMO)? Is that prudent?

A better question would be, how many of you heavyweights (joe, Dean, Al, Guido, Rick, Jorge, Deji, Brett, etc. etc., apologies to any other in the Heavyweight class not explicitly mentioned)
[1] Did not move the roles,
[2] Upgraded to SP1,
[3] Went home to dinner with "NO" problems?

Thanks.
RH
RE: [ActiveDir] FSMO role transfer
I'm not a heavyweight by any stretch of the imagination (at least not in the context of this thread) but I would move the roles prior to maintenance, since it takes about two minutes to do, there's a credible up-side and no real down-side. I'm rather surprised that there's all this agonizing over what I've always considered to be a routine procedure.

Ed Crowley MCSE+Internet MVP (Exchange, NOT AD)
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!
RE: [ActiveDir] FSMO role transfer
Amy,

You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices:

1. install base os and do a full system restore from the tapes of the old server.
or
2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment.

Good Luck
Y

From: Amy Hunter
Sent: Tue 29/11/2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

So are these FSMO roles stored in some sort of configuration partition in AD? if not, where are they stored? I plan to replace my DC hardware next year, as long as I bring the new server up with the same IP/Name etc configuration etc, I won't need to move the FSMO roles to another DC when I replace the hardware?

Sorry if these seem junior questions, this is my first job in IT (I'm doing this for free for experience)

thank you for your help,
Amy ;o)
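On Amy's question of where the roles are stored, and Jorge's list of what each role is needed for, an added example (not code from anyone in this thread): each role holder is recorded in the `fSMORoleOwner` attribute of one directory object per role, so an export of those five objects shows what goes offline with a given DC. The domain `example.local`, the DC names and the LDIF text are constructed, and the script assumes a single-domain forest.

```python
import base64
import re

# Constructed sample (not from the thread): LDIF export of the five objects that
# carry fSMORoleOwner in a made-up forest example.local with DCs DC01 and DC02.
SAMPLE_LDIF = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=local

dn: CN=Partitions,CN=Configuration,DC=example,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=local

dn: DC=example,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=local

dn: CN=RID Manager$,CN=System,DC=example,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=local

dn: CN=Infrastructure,DC=example,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=local
"""

# What each role is needed for, condensed from Jorge's summary in the thread.
IMPACT = {
    "Schema Master": "schema updates",
    "Domain Naming Master": "adding or removing domains in the forest",
    "PDC Emulator": "legacy-client password changes, time sync, "
                    "bad-password checks, DFS root info",
    "RID Master": "handing new RID pools to DCs that have used up theirs",
    "Infrastructure Master": "updating references between domains",
}

# The attribute value is the DN of the holder's NTDS Settings object.
NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def unfold(ldif):
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif):
    """Return one dict per LDIF entry, attribute names lower-cased."""
    entries, current = [], {}
    for line in unfold(ldif) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[name.strip().lower()] = value.strip()
    return entries


def role_for(dn):
    """Map the DN of a role-bearing object to its role name, else None."""
    parts = [p.strip().lower() for p in dn.split(",")]  # no escaped commas here
    if all(p.startswith("dc=") for p in parts):
        return "PDC Emulator"                 # stored on the domain head itself
    if parts[:2] == ["cn=schema", "cn=configuration"]:
        return "Schema Master"
    if parts[:2] == ["cn=partitions", "cn=configuration"]:
        return "Domain Naming Master"
    if parts[:2] == ["cn=rid manager$", "cn=system"]:
        return "RID Master"
    if parts[0] == "cn=infrastructure" and all(p.startswith("dc=") for p in parts[1:]):
        return "Infrastructure Master"
    return None


def fsmo_holders(ldif):
    """Role -> DC name; None when the value names no NTDS Settings object."""
    holders = {}
    for entry in parse_entries(ldif):
        role, owner = role_for(entry.get("dn", "")), entry.get("fsmoroleowner")
        if role and owner:
            match = NTDS_RE.match(owner)
            holders[role] = match.group(1).upper() if match else None
    return holders


def roles_offline(holders, dc_name):
    """Roles (with their impact) that are unavailable while dc_name is down."""
    return [(role, IMPACT[role]) for role in IMPACT
            if (holders.get(role) or "").upper() == dc_name.upper()]


if __name__ == "__main__":
    found = fsmo_holders(SAMPLE_LDIF)
    for dc in sorted({h for h in found.values() if h}):
        print(f"Taking {dc} down removes:")
        for role, impact in roles_offline(found, dc):
            print(f"  {role}: {impact}")
```

A role whose holder comes back as `None` points at something other than a live DC's NTDS Settings object and is worth resolving before any maintenance window.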
RE: [ActiveDir] FSMO role transfer
If you want 100% insurance then yes transferring the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transferred or not.

So.. define maintenance task... what is the impact of the maintenance task?

jorge

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Tue 11/29/2005 6:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

I'd move the FSMOs just in case something happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f* up and have to restore? It seems like about a 1-in-25 chance that something will go wrong.

-gil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] FSMO role transfer
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller: http://support.microsoft.com/kb/255504 And XPs and Outlook 2003 will use cached credentials and cached storage of Outlook so even if the DC is down, Exchange is horked, even in a single DC setting your end users aren't freaking too much. We're starting to do more of this temp dc, move the roles, break the connection, build a new final box, push the FSMO roles back on the new box method down here in SBSland to keep from ripping out desktops and user profiles. [that's just one of many KBs that are followed in the procedure] AD wrote: Amy, You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices: 1. install base os and do a full system restore from the tapes of the old server. or 2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment. Good Luck Y *From:* Amy Hunter *Sent:* Tue 29/11/2005 11:46 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] FSMO role transfer So are these FSMO roles stored in some sort of configuration partition in AD? if not, where are they stored? I plan to replace my DC hardware next year, as long as I bring the new server up with the same IP/Name etc configuration etc, I won't need to move the FSMO roles to another DC when I replace the hardware? Sorry if these seems junior questions, this is my first job in IT (i'm doing this for free for experience) thank you for your help, Amy ;o) */Almeida Pinto, Jorge de [EMAIL PROTECTED]/* wrote: First, look at each role and see what it does... 
Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest) If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Amy Hunter *Sent:* Tuesday, November 29, 2005 16:43 *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] FSMO role transfer Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintainance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. 
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
RE: [ActiveDir] FSMO role transfer
In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest roles but will usually move them as well. Dean and I actually chatted about this previously as I put something like that in the AD3E book and he was like, you *always* move the domain roles like that and I was like "In production, absolutely". The one time you don't you seem to get burned and you feel very stupid for not doing it when you could have. Once in the distant past I had a PDC role machine that hung up when shutting down (it was just a quick reboot so I figured why bother) and started acting very fishy and I kicked myself for not moving the roles. Why risk that? It is very cheap insurance. At one point I had a CMD file called something like movefsmo that used NTDSUTIL to move the roles, I think it took all of about 5 seconds to run to move all roles from one machine to another. I agree with Ed in that I consider this SOP.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 11:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site). More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down. Hopefully, the poster has considered this latter scenario.
hth, neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: 29 November 2005 15:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Amy, If it's what you need to hear (for peace of mind or reassurance) leave the FSMO roles where they are - you'll be fine. You don't need to transfer the roles if you're talking about a timeframe of 2 hours - when you bring it back on line - I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 10:43 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer
Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
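The step several posters describe (see which roles the DC going down for maintenance holds, then transfer them with NTDSUTIL while both DCs are still up), as an added example that is not part of any message in this thread and is not joe's movefsmo file: a Python helper that reads `netdom query fsmo` output and builds the NTDSUTIL transfer command line. The sample output and the hosts dc1/dc2.example.test are constructed, and the transfer command names are assumed to follow the KB255504-era NTDSUTIL wording.

```python
"""Pre-maintenance FSMO check: which roles does the DC going offline hold,
and what NTDSUTIL command line would transfer them to the DC staying up?

Added illustration only. SAMPLE is CONSTRUCTED to resemble the output of
`netdom query fsmo`; dc1/dc2.example.test are hypothetical hosts.
"""
import re

# Row labels printed by `netdom query fsmo`, mapped to the NTDSUTIL
# "transfer ..." sub-command for that role. Older netdom builds print
# "owner"/"role", newer ones print "master", so both spellings are listed.
# Assumption: KB255504-era NTDSUTIL wording; newer NTDSUTIL versions call
# the domain naming command "transfer naming master".
ROLE_COMMANDS = {
    "schema owner": "transfer schema master",
    "schema master": "transfer schema master",
    "domain role owner": "transfer domain naming master",
    "domain naming master": "transfer domain naming master",
    "pdc role": "transfer PDC",
    "pdc": "transfer PDC",
    "rid pool manager": "transfer RID master",
    "infrastructure owner": "transfer infrastructure master",
    "infrastructure master": "transfer infrastructure master",
}

SAMPLE = """\
Schema owner                dc1.example.test
Domain role owner           dc1.example.test
PDC role                    dc2.example.test
RID pool manager            dc2.example.test
Infrastructure owner        dc2.example.test
The command completed successfully.
"""


def parse_fsmo_holders(text):
    """Map each NTDSUTIL transfer command to the host that holds the role."""
    holders = {}
    for line in text.splitlines():
        # "<label><two or more spaces><host>"; status lines do not match.
        m = re.match(r"^\s*(.+?)\s{2,}(\S+)\s*$", line)
        if not m:
            continue
        label = m.group(1).strip().lower()
        if label in ROLE_COMMANDS:
            holders[ROLE_COMMANDS[label]] = m.group(2).lower()
    return holders


def same_host(a, b):
    """Compare two DC names; a short name matches an FQDN's first label."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    if "." in a and "." in b:
        return a == b
    return a.split(".")[0] == b.split(".")[0]


def plan_transfer(netdom_output, going_down, staying_up):
    """Return the NTDSUTIL command line to run before maintenance.

    Returns None when the DC going down holds no roles. Raises ValueError
    if any of the five holders could not be read, so a partial parse never
    looks like "nothing to move".
    """
    if same_host(going_down, staying_up):
        raise ValueError("target DC must differ from the DC being maintained")
    holders = parse_fsmo_holders(netdom_output)
    missing = set(ROLE_COMMANDS.values()) - set(holders)
    if missing:
        raise ValueError("no holder found for: " + ", ".join(sorted(missing)))
    to_move = [cmd for cmd, host in holders.items()
               if same_host(host, going_down)]
    if not to_move:
        return None
    # Connect to the DC that will RECEIVE the roles, then issue transfers.
    quoted = " ".join('"%s"' % cmd for cmd in to_move)
    return ('ntdsutil roles connections "connect to server %s" quit %s '
            'quit quit' % (staying_up, quoted))


if __name__ == "__main__":
    print(plan_transfer(SAMPLE, "dc2", "dc1.example.test"))
```

Running the same check with the two DC names swapped gives the command for moving the roles back once the maintained DC is online again.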
RE: [ActiveDir] FSMO role transfer
Since you specifically mentioned me. I always move the roles for reboots and maintenance. Brett don't much care about roles, ESE doesn't care about them. joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, November 29, 2005 1:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
OK, I've been waiting for this one. If we have yet to move our 2K3 FFL DCs (Both Root Domain and Child Domain) to SP1 because of small concerns like "No one being able to log on", would you move the roles first (ie: Off the Forest Root FSMO and the Child Domain FSMO)? Is that prudent? A better question would be, how many of you heavyweights (joe, Dean, Al, Guido, Rick, Jorge, Deji, Brett, etc. etc., apologies to any other in the Heavyweight class not explicitly mentioned) [1] Did not move the roles, [2] Upgraded to SP1, [3] Went home to dinner with "NO" problems? Thanks. RH
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, November 29, 2005 11:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
It probably depends on what you're doing during those 2 hours. If I were installing SP1 on a DC that had problems rebooting/booting in the past, or has known HW issues, or for some odd reason the machine is not on a UPS when installing a Service Pack, I think it would be easier to move the FSMO roles in the case of failure so that you don't have to seize the roles and clean stuff up so quickly.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
First, look at each role and see what it does...
Forest FSMOs
* Schema Master -- needed when updating the schema
* Domain Naming master -- needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer
Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
RE: [ActiveDir] FSMO role transfer
Amy the easiest path for your new hardware comment is Y's #2 below - new server, dcpromo, AND MOVE FSMOs, and then decom the old one. Note that if there is DNS involved, and DHCP, and WINS, there's a bit more to it - computer names etc - you can get around those issues by demoting the old box, removing it from the domain, and then building the new server with the same IP and name, dcpromo, etc. But as several people pointed out, do move the FSMOs first if there are any on that server. Much easier to move them while both servers are up, than seize them when the FSMO holder is down. This isn't a step by step guide for hardware replacement but hopefully it gives you some ideas in the right direction. Rich
--- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Tuesday, November 29, 2005 1:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Amy, You will not be able to do that. Creating a new machine with the same name and same ip will not automatically add your new server to the domain. You will have two choices: 1. install base os and do a full system restore from the tapes of the old server. or 2. install base os and run dcpromo, install new DC to existing domain and then remove old server from environment. Good Luck Y
From: Amy Hunter Sent: Tue 29/11/2005 11:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
So are these FSMO roles stored in some sort of configuration partition in AD? if not, where are they stored? I plan to replace my DC hardware next year, as long as I bring the new server up with the same IP/Name etc configuration etc, I won't need to move the FSMO roles to another DC when I replace the hardware?
Sorry if these seem junior questions, this is my first job in IT (I'm doing this for free for experience) thank you for your help, Amy ;o)
Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
First, look at each role and see what it does...
Forest FSMOs
* Schema Master -- needed when updating the schema
* Domain Naming master -- needed when adding or removing domains within the forest
Domain FSMOs
* PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest)
If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer
Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
RE: [ActiveDir] FSMO role transfer
Yeah but having seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :)
--- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 11:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FSMO role transfer
If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed.. Chuck
RE: [ActiveDir] FSMO role transfer
If the insurance is guarding against apps/services/etc that may need the FSMO holders while they're offline, then I can agree with this. If it's out of fear that something unexpected will happen that takes out the FSMO holders completely, then I don't think it's worth the effort. If the latter does happen then you just seize the roles. I would say that many of the customers I've visited have little experience and even less confidence in how FSMO roles are transferred or seized. The thought of them touching the roles for every reboot is making my hair fall out even faster. :/
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, November 29, 2005 2:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest roles but will usually move them as well. Dean and I actually chatted about this previously as I put something like that in the AD3E book and he was like, you *always* move the domain roles like that and I was like "In production, absolutely". The one time you don't you seem to get burned and you feel very stupid for not doing it when you could have. Once in the distant past I had a PDC role machine that hung up when shutting down (it was just a quick reboot so I figured why bother) and started acting very fishy and I kicked myself for not moving the roles. Why risk that? It is very cheap insurance. At one point I had a CMD file called something like movefsmo that used NTDSUTIL to move the roles, I think it took all of about 5 seconds to run to move all roles from one machine to another. I agree with Ed in that I consider this SOP.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 11:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site). More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down. Hopefully, the poster has considered this latter scenario. hth, neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: 29 November 2005 15:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Amy, If it's what you need to hear (for peace of mind or reassurance) leave the FSMO roles where they are - you'll be fine. You don't need to transfer the roles if you're talking about a timeframe of 2 hours - when you bring it back on line - I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 10:43 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer
Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC.
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
RE: [ActiveDir] FSMO role transfer
Hi David, I'm with you on this one! Mike Thommes
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Tuesday, November 29, 2005 4:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
If the insurance is guarding against apps/services/etc that may need the FSMO holders while they're offline, then I can agree with this. If it's out of fear that something unexpected will happen that takes out the FSMO holders completely, then I don't think it's worth the effort. If the latter does happen then you just seize the roles. I would say that many of the customers I've visited have little experience and even less confidence in how FSMO roles are transferred or seized. The thought of them touching the roles for every reboot is making my hair fall out even faster. :/
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, November 29, 2005 2:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
In production I always move the domain roles prior to working on a DC or even rebooting a DC. As you mention, the role move is trivial and if something does dork up you have less to think about and aren't wondering at what point you should be seizing. I am not so worried about the forest roles but will usually move them as well. Dean and I actually chatted about this previously as I put something like that in the AD3E book and he was like, you *always* move the domain roles like that and I was like "In production, absolutely". The one time you don't you seem to get burned and you feel very stupid for not doing it when you could have. Once in the distant past I had a PDC role machine that hung up when shutting down (it was just a quick reboot so I figured why bother) and started acting very fishy and I kicked myself for not moving the roles. Why risk that? It is very cheap insurance.
At one point I had a CMD file called something like movefsmo that used NTDSUTIL to move the roles, I think it took all of about 5 seconds to run to move all roles from one machine to another. I agree with Ed in that I consider this SOP.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 11:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Sorry, but for peace of mind, I *would* transfer the roles. If there is opportunity to do so, then why not transfer? It's a trivial task and will take no time to replicate (assuming the other DC is in the same site). More worrying perhaps, is the fact that if clients point to one (or both) DCs for DNS name resolution, then they may experience issues when one of the machines is taken down. Hopefully, the poster has considered this latter scenario. hth, neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: 29 November 2005 15:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer
Amy, If it's what you need to hear (for peace of mind or reassurance) leave the FSMO roles where they are - you'll be fine. You don't need to transfer the roles if you're talking about a timeframe of 2 hours - when you bring it back on line - I would just leave the other DC online for at least an hour (unless you have adjusted the replication intervals) to make sure any changes are replicated.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 10:43 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer
Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained.
Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice? Amy
RE: [ActiveDir] FSMO role transfer
By definition, the impact of a maintenance task is expected to be low. But the behavior of a server isn't always predictable after you change the software and/or configuration and reboot it. Sometimes just the power or temperature fluctuation is enough to kick a marginal component over the edge. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 12:16 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer If you want 100% insurance then yes transfering the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe dependent on the maintenance task that is performed a decision should be made if the FSMO roles should be transfered or not. So.. define maintenance task... what is the impact of the maintenance task? jorge From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Tue 11/29/2005 6:20 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer I'd move the FSMOs just in case something happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f* up and have to restore? It seems like about a 1-in-25 chance that something will go wrong. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 29, 2005 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FSMO role transfer First, look at each role and see what it does... 
Forest FSMOs * Schema Master -- needed when updating the schema * Domain Naming master -- needed when adding or removing domains within the forest Domain FSMOs * PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info * RID Master -- needed to distribute RID pools to DCs that have exhausted their current RID pool for 50% (=250 RIDs) * Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest) If you look at this, there is no need to first transfer the FSMO roles to another DC, just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the moment that the DC with the RID FSMO is down, you will experience a problem on the DC that is left. If you still have legacy clients and they want to change the password that will not be possible. And if those clients have the DSClient installed that will not be an issue either. In short: leave as is. it will be OK for those 2 hours Cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter Sent: Tuesday, November 29, 2005 16:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FSMO role transfer Hi guys, We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintainance work is carried out and transferring it back once it's online again. I would then do the same for the other DC. 
I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice?

Amy

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] FSMO role transfer
I've not worried about transferring the FSMO roles for general maintenance such as defragmentation or updating SPs, etc. It's up to how flaky or solid the DCs are -- if they are that flaky then maybe it's time to buy some newer hardware ... Chuck
RE: [ActiveDir] FSMO role transfer
I would only agree if you told me your DCs regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's.

Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; i.e.: you seize the roles, restore from backup, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, November 29, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Yeah but having to seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed..

Chuck
RE: [ActiveDir] FSMO role transfer
Actually I make all DCs that have a possibility of being the forest root PDC synchronize from an external source. I haven't ever run DNS on DCs so I can't say anything to that, however if I did, I might consider it.

There really is nothing to moving FSMO roles. Have you had a FSMO role move failure that makes you giddy about them? I was serious when I said that moving the roles was a 5 second operation.

It doesn't take regular failures (hardware, software, or other) to have one just occur at any random time. It is just like house insurance, you don't buy it because you want to use it or even expect to use it, you buy it to cover you in the event something does happen. Everyone has to make a judgement call as to whether the insurance costs outweigh the impact of whatever it is the insurance protects against. Moving FSMO roles would be insurance, the thing it is protecting against is the possibility of some dorked up issue coming up when the server is going down or coming up or if it doesn't come up at all. If you use the manual steps, the overhead is minutes, if you use scripts the overhead is seconds. That is better than the pennies a day used to sell people on other insurance. I would be afraid if my customers were so weak on procedure that moving a FSMO role was considered hard or dangerous.

Obviously this is something that everyone is going to have different feelings on. I certainly don't care what people do on their own, my process and what I recommend is to move the roles. I would much rather move roles than seize them. Seizing is when I get concerns such as RID pools and now you are locked into what you are doing with the offline DC. Overall I would say that a vast majority of the reboots and maintenance work I have done didn't appear after the fact to need the FSMO move. But I figure the few minutes spent over the years wasn't an excessive administrative cost to do the FSMO moves.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Tuesday, November 29, 2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

I would only agree if you told me your DCs regularly fail to come back after a reboot. And if you did tell me that I'd have to say you're doing something wrong. I suppose I don't consider rebooting a DC to be quite the dangerous act as others do. To what degree is this taken? If it holds a standard Primary zone do you transfer that role, too? If it's the PDCE of the forest root domain and you transfer the role, do you also reconfigure the new PDCE to manually synchronize time from an authoritative source? I mean, if we're going to work under the assumption that a reboot is a regularly catastrophic causing event then it's probably time to switch OS's.

Is it possible something unexpectedly horrible can happen as part of a reboot? Sure. But it better be the exception. And with regards to FSMO roles, which, barring some specific technical requirement they be readily available, the temporary outage of them is typically a transparent event and shouldn't require added administrative overhead in transferring them back and forth. Accepting that a catastrophic event is an exception, then you follow your documented and tested activities to recover from that exception; i.e.: you seize the roles, restore from backup, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, November 29, 2005 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

Yeah but having to seize the FSMOs instead of moving them as your fallback plan is like making sure you have a current backup in case yanking the power cord instead of Start Shutdown Restart causes file system corruption :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FSMO role transfer

If something went wrong you could still seize the FSMO roles as an option rather than doing a transfer. Of course the procedures for all of these for the 5 FSMOs should be documented just in case needed..

Chuck
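
The scripted pre-maintenance transfer debated in this thread, as an added example that is not code from any poster or from the list: it finds which of the five FSMO roles a DC holds, transfers them gracefully (never seizes) to the DC that stays up, and verifies the result. It assumes the ActiveDirectory PowerShell module, which postdates this 2005 thread, and a single-domain forest; the function names and the DC names DC01 and DC02 are hypothetical.

```powershell
# Added example. Uses the ActiveDirectory module (RSAT), which postdates this thread.
Import-Module ActiveDirectory

function Get-FsmoRolesHeldBy {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$Server = $DomainController   # DC to read role ownership from
    )
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    $holders = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # Holders come back as FQDNs; accept either a short name or an FQDN.
    foreach ($role in $holders.Keys) {
        $holder = $holders[$role]
        if ($holder -eq $DomainController -or $holder -like "$DomainController.*") { $role }
    }
}

function Move-FsmoRolesForMaintenance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$From,   # DC going down for maintenance
        [Parameter(Mandatory)][string]$To      # DC staying up
    )
    $roles = @(Get-FsmoRolesHeldBy -DomainController $From)
    if ($roles.Count -eq 0) { Write-Output "$From holds no FSMO roles."; return }

    if ($PSCmdlet.ShouldProcess($To, "Transfer $($roles -join ', ') from $From")) {
        # No -Force: this is a graceful transfer with both DCs online, never a seizure.
        Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $roles -Confirm:$false
        # Verify on the new holder instead of assuming the transfer worked.
        $left = @(Get-FsmoRolesHeldBy -DomainController $From -Server $To)
        if ($left.Count -gt 0) { Write-Warning "$From still holds: $($left -join ', ')" }
    }
}

# Constructed names. -WhatIf only reports which roles would move.
Move-FsmoRolesForMaintenance -From 'DC01' -To 'DC02' -WhatIf
```

Running the same call with the names swapped after maintenance moves the roles back; if the new holder is the forest root PDC emulator, its time source still has to be checked separately.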