If the forest root domain dies..

Illoosion

Hello, I am working for a company which has a forest root domain
(root.ad) and another domain I will call "mydomain.com". My senior IT
people are all WinNT administrators and do not understand the
architecture of Win2k and AD. I keep preaching to them that we
absolutely must protect the two DCs in the forest root; however, they
just don't get it! All they see is two DCs sitting there doing
virtually nothing. They have already pulled one of them out and
redeployed it without demoting it. I had to rebuild another one and
hack the old one out of AD. Good thing too, because the primary DC
died shortly thereafter. This being said, they just don't see the
need to put two DCs there. They do not understand the importance of
it. Can anyone give me a good description/explanation of why it is
necessary, and why, if the forest root domain dies, your whole AD
structure will be permanently hosed? I know AD pretty well, but maybe
I am not using the right words to get it through their heads. If
anyone can assist me, please send responses to email if possible.

(e-mail address removed)

please help!!!!

thanks
 
Ace Fekay [MVP]

This is usually a given. The forest root domain is the top of the hierarchical
upside-down tree (so to speak), hence where the name 'root' comes from. The
forest root domain holds two extremely critical FSMO roles, the Schema
Master and the Domain Name Master. The Schema Master is the machine that
holds the writable copy of the Schema. You can't put that on any other
domain's DC other than the root. Same with the Domain Name Master. Not as
critical, but you can't add or remove domains if that guy doesn't exist.

http://www.windowsnetworking.com/articles_tutorials/Managing-Active-Directory-FSMO-Roles.html

Quote below taken from:
http://www.samspublishing.com/articles/article.asp?p=26896&seqNum=5&rl=1
"If a forest root domain is lost and cannot be recovered by tape backup, the
Enterprise Administrators and Schema Administrators groups will be
permanently lost. A forest root domain cannot be reinstalled or delegated to
another domain. As a result, the Active Directory forest will be, for all
purposes, inoperable."

I guess the only thing to do, if they are that ignorant, is to let them
lose their root domain and let them see what happens. It will give you
additional billable time to rebuild their ENTIRE infrastructure. :)

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
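As an added example (not from the thread and not Microsoft's code), here is a PowerShell check that inventories what those two forest-root DCs actually hold: the forest-wide FSMO roles, the number of DCs in the root domain, whether each role holder still answers, and the Enterprise Admins and Schema Admins groups the quoted article says are lost with the root domain. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, so a newer toolset than the Windows 2000 environment in the post) and an account that can read the forest; every name it prints comes from your own forest.

```powershell
# Added example, not from the thread: show what the forest root domain holds
# so the "two DCs doing nothing" are seen for what they are.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain

# The two forest-wide roles exist once per forest; the three domain-wide
# roles listed are the root domain's own copies.
$roles = [ordered]@{
    'Schema Master'                = $forest.SchemaMaster
    'Domain Naming Master'         = $forest.DomainNamingMaster
    'PDC Emulator (root)'          = $rootDomain.PDCEmulator
    'RID Master (root)'            = $rootDomain.RIDMaster
    'Infrastructure Master (root)' = $rootDomain.InfrastructureMaster
}

Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Forest mode        : $($forest.ForestMode)"

# 1. Count the root domain's DCs. A single DC is a single point of failure
#    for the Schema and Domain Naming masters.
$rootDCs = @(Get-ADDomainController -Filter * -Server $rootDomain.PDCEmulator)
Write-Host "Root domain DCs    : $($rootDCs.Count)"
$rootDCs | Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

if ($rootDCs.Count -lt 2) {
    Write-Warning "Only $($rootDCs.Count) DC in the forest root: one hardware failure takes the forest-wide FSMO roles with it."
}

# 2. Confirm each role holder is still a reachable DC and report which
#    domain it belongs to.
foreach ($entry in $roles.GetEnumerator()) {
    try {
        $dc = Get-ADDomainController -Identity $entry.Value -Server $entry.Value -ErrorAction Stop
        Write-Host ("{0,-30} {1,-40} domain: {2}" -f $entry.Key, $entry.Value, $dc.Domain)
    } catch {
        Write-Warning "$($entry.Key) holder $($entry.Value) is not reachable: $($_.Exception.Message)"
    }
}

# 3. The groups the quoted article says are permanently lost with the root
#    domain. They are found by well-known RID under the root domain's SID
#    (518 = Schema Admins, 519 = Enterprise Admins).
$rootSid = $rootDomain.DomainSID.Value
foreach ($g in @{ 'Schema Admins' = 518; 'Enterprise Admins' = 519 }.GetEnumerator()) {
    try {
        $grp = Get-ADGroup -Identity "$rootSid-$($g.Value)" -Server $rootDomain.PDCEmulator -ErrorAction Stop
        Write-Host ("{0,-20} -> {1}" -f $g.Key, $grp.DistinguishedName)
    } catch {
        Write-Warning "$($g.Key) (RID $($g.Value)) could not be read from the root domain."
    }
}
```

Run it from a management workstation with RSAT installed. The output is the argument in one screen: the forest-wide roles and the forest's most privileged groups all resolve to the root domain, which is why the root needs a second DC and a tested system-state backup rather than being treated as idle hardware.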