Skid marks?

More like blood, guts, gore and medics yelling "Triage!"

I can tell you though that we've had way more issues installing service packs than patches though. Gimme a patch Tuesday and I don't blink an eye..... hand me a service pack and I'm not looking forward to it.

SBS 4.5 we lost Internet connectivity on that box with a RRAS patch eons ago.... and that's .....to the best of my knowledge.... the last time a patch nailed our servers so hard they lost major parts of their job description.

Normally if we lose the DC, there's some other fundamental reason for the loss and it's not necessarily patch related. I am seeing desktop and app impact these days... Incidents.org has put up a nice grid tracking the known issues in the patches this month:

Microsoft August 2006 Patches: STATUS
http://isc.sans.org/diary.php?n&storyid=1611

So far desktops are getting the worst of it.

(as a FYI SBS has to be the PDC, hold the FSMO roles, if the FSMO roles are not held by the SBS box we have this slightly nasty habit of having this sbscore service enforce our limitations and force a shut down every hour on the hour.....thus ... while transferring/seizing is best practice for you guys... I'd advise anyone patching SBS networks to not do that)

Windows 2003 Small Business Server Shuts Down Unexpectedly; Events 1001, 1013 and 1014 are Logged:
http://support.microsoft.com/kb/555087


Also a bit OT: but check out the SCE blog and all the new betas on the renamed MOM stuff... sounding cool if they pull it off...

System Center Essentials Product Team Blog:
http://blogs.technet.com/caseymck/default.aspx

The team is hard at work on the System Center Essentials public beta release. Expect to see a link to the install bits in a few weeks.

This public beta enables almost all of our core product scenarios:

1- Comprehensive monitoring of servers and clients
2- Update and Patch Deployment (of Microsoft and Third Party apps)
3- Software Distribution (MSI and EXE-based apps)
4- Software & Hardware Inventory
5- Remote Managed Services (for service providers)

Looking forward to customer feedback, feel free to post it to this blog when you can.






joe wrote:
I completely concur with Jorge on his process.
It takes a lot less hassle and a lot less feeling of concern to move a FSMO
prior to an update of a machine than to have to seize the role later
regardless of the reason of it going down. Especially when you have a script
that applies the NTSUTIL commands to move the roles. A move of all roles in
a properly scripted environment is a procedure that takes all of about 10-15
seconds. A seize on the other hand isn't something you should just quickly
think about doing, you need to work out the consequences and make a
determination in most cases whether or not you will ever bring that DC back
up as it stands now. It is, IMO, a no-brainer if you have multiple DCs as it
isn't any real workload or concern to do it.

When I am doing production ops I *always* move roles prior to making machine
specific updates. I never assume a server is going to come back up after I
say restart or in fact even go down properly without hanging.
Now I understand the SBS thoughts behind it though... In the SBS world if
you lost the DC, you have far greater issues than you lost a FSMO role for
the moment. In the world outside of SBS, most people look at DCs as
expendable. You set up 10 of them in front of you and 5 fell down you would
be like, crap, I will have to fix those at some point. You set up an SBS DC
and it falls over there are skid marks where you were previously standing.
 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 17, 2006 11:48 AM
To: [email protected]
Subject: Re: [ActiveDir] FMSO roles split, patch question.

As a person who tests/patches a bunch of single DCs.... I've never seen a "patch" kill a server.

Driver update may and has, yes.
Impair functionality of the server, yes.

But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed.

But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.

Almeida Pinto, Jorge de wrote:
the reason is that if a DC dies during the patching you do not have to
seize the roles....IMHO, I prefer transferring over seizing
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel     : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : <see sender address>

________________________________

From: [EMAIL PROTECTED] on behalf of John Strongosky
Sent: Thu 2006-08-17 16:55
To: [email protected]
Subject: RE: [ActiveDir] FMSO roles split, patch question.


I cornfused is this a standard practice as I thought you did not want to
move the FMSO roles back and forth.
john

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, August 17, 2006 4:33 AM
To: [email protected]
Subject: RE: [ActiveDir] FMSO roles split, patch question.


in addition to that....
DC1 having FSMOset1 and DC2 having FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs DCdiag,
etc)
if everything OK!
transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs DCdiag,
etc)
if everything OK!
transfer FSMOset2 from DC1 to DC2
voila (that's french)...done! ;-)
jorge

________________________________

        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
        Sent: Wednesday, August 09, 2006 01:52
        To: [email protected]
        Subject: RE: [ActiveDir] FMSO roles split, patch question.
        
        
        It doesn't matter.

        Sincerely,
        Microsoft MVP - Directory Services
        www.akomolafe.com - we know IT
        -5.75, -3.23
        Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________

        From: John Strongosky
        Sent: Tue 8/8/2006 4:49 PM
        To: [email protected]
        Subject: [ActiveDir] FMSO roles split, patch question.
        
        
        We have our FMSO roles split between 2 dc's. They are Schema
Master/Domain Tree Operator on 1 and on 2,  the roles PDC Emulator/Rid
Pool/Intrastate on the other. After I apply the patches from Microsoft what
is the best practices for the boot order...or does it matter?
1. Remote DC/GC's first
        2. no. 1
        3. then no 2.
thanks




--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
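
The transfer-first patch sequence Jorge describes above for two DCs, written as a PowerShell script. This is an added example, not code from any poster in the thread: it assumes the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet in place of the NTDSUTIL script joe mentions, and DC1/DC2 are placeholder host names. Per Susan's note, it does not apply to SBS, where the roles have to stay on the SBS box.

```powershell
Import-Module ActiveDirectory

$DcA = 'DC1'   # placeholder host names (assumption, not from the thread)
$DcB = 'DC2'

function Get-FsmoRolesHeldBy {
    param([string]$Dc)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $holders = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    # Holders come back as FQDNs; compare on the host-name part only.
    @($holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -ieq $Dc })
}

function Move-FsmoRoles {
    param([string[]]$Roles, [string]$To)
    if (-not $Roles) { return }
    # Graceful transfer only. -Force (which seizes the role) is deliberately not used.
    Move-ADDirectoryServerOperationMasterRole -Identity $To `
        -OperationMasterRole $Roles -Confirm:$false -ErrorAction Stop
}

function Test-DcHealthy {
    param([string]$Dc)
    # dcdiag /q prints only errors, so empty output is treated as a pass.
    $errors = dcdiag "/s:$Dc" /q
    return (-not $errors)
}

# Record who holds what before touching anything.
$setA = Get-FsmoRolesHeldBy $DcA
$setB = Get-FsmoRolesHeldBy $DcB

# 1. Empty the first DC, patch it, verify it.
Move-FsmoRoles -Roles $setA -To $DcB
Read-Host "Patch and reboot $DcA, check its event logs, then press Enter"
if (-not (Test-DcHealthy $DcA)) { throw "$DcA failed dcdiag; all roles remain on $DcB" }

# 2. Move every role to the patched DC, then patch and verify the second one.
Move-FsmoRoles -Roles ($setA + $setB) -To $DcA
Read-Host "Patch and reboot $DcB, check its event logs, then press Enter"
if (-not (Test-DcHealthy $DcB)) { throw "$DcB failed dcdiag; all roles remain on $DcA" }

# 3. Restore the original split.
Move-FsmoRoles -Roles $setB -To $DcB
```

If either health check fails, the script stops with every role on the DC that is still known to be good, so no seize is needed.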
