FSMO Roles unavailable to some DC's

[Andrew Story]

Hi,

I'm in a situation where we have a small number of AD sites (setup via VPN)
that cannot see all the network, and thus some other AD sites. I need to
move some/all the FSMO roles to a site that cannot be contacted by these
sites connected via VPN sites only (there will be no VPN tunnels to the site
that will have the DC holding the roles) for around 3 weeks. Is it OK to
leave these 2 sites without seeing the FSMO roles for this amount of time,
will I run into issues during this time on these remote sites?

Thanks.

 

[Paul Bergson]

Well depending on a number of things.

Will these remote sites have a lot of change/create/delete activity going on
with in AD? If so the RID pool would need to be replenished. I'm guessing
that won't be necessary.

If you are going to modify the schema you will need to get on the fsmo role
holder but that should matter to the remote site.

If a single domain forest you don;t even need the Infrastructure Master. I
am assuming this since there is no mention one way of the other.

Any creation of new domains? Probably not from this remote site, so you
shouldn't have to worry about the domain naming master.

So the one role that could be an issue is the PDC emulator, especially if
you are in mixed mode. The PDC emulator performs all of the functionality
that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for
Windows NT 4.0-based or earlier clients. So if you have old clients this
could be a big issue.

See KB197132 for more details
http://support.microsoft.com/kb/197132/

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Andrew Story]

Paul, thanks for your reply. It's sort of what I imagined tbh. All clients
are predominantly win2k pro, with the odd XP machine thrown in.