Bringing back an offline DC that was a FSMO role holder

Q. I had to seize a particular FSMO role to a new domain controller. Is it OK to bring the original role holder back online once it's fixed?

A. Domain controllers should be treated as cattle rather than pets. If a domain controller has a problem that is not easily fixed and it is going to be offline, destroy it and create a new one in its place: think of tin soldiers, where if one falls, another is stood in its place. If the failed DC held FSMO roles, and the roles could not be cleanly transferred before it went offline, another DC can seize them.

It is important that two domain controllers never host the same FSMO role at the same time, as major problems could occur (each version of AD has added protections against this, but risks remain). Therefore, if you have seized a FSMO role from an offline DC, never bring that DC back online. Instead, wipe the OS instance and create a new DC in its place. This is confirmed at https://technet.microsoft.com/en-us/library/cc816741(v=ws.10).aspx.

Considering how quickly new domain controllers can be created using technologies such as DC cloning and install from media (IFM), there is no reason not to create new DCs in place of failed ones. For the same reason, DCs should only be DCs and not host other roles, as extra roles complicate the simple methodology of replacing a failed DC with a new one.
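As an added example (not from the original article), the following PowerShell script shows the checks a practitioner would run after seizing roles from an offline DC and before rebuilding it: it lists the current holder of every FSMO role, confirms that none of them still point at the retired DC, and confirms that the retired DC's server object has been removed (metadata cleanup), so that powering the old instance back on could not reintroduce a second holder. It assumes the ActiveDirectory module from RSAT is available; the DC names DC01 and DC02 are constructed placeholders.

```powershell
# Added example; not code from the original article.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed.
Import-Module ActiveDirectory

# Constructed placeholders: the DC whose roles were seized, and the DC that seized them.
$RetiredDC = 'DC01'
$NewHolder = 'DC02'

function Get-FsmoRoleHolder {
    # Returns one object per FSMO role (two forest-wide, three domain-wide)
    # with the FQDN of the DC that currently holds it.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    [PSCustomObject]@{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    [PSCustomObject]@{ Role = 'RIDMaster';            Holder = $domain.RIDMaster }
    [PSCustomObject]@{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
}

function Test-RetiredDcCleanup {
    # Returns a list of problems found for a DC that is being retired after a seizure.
    # An empty list means it is safe to wipe the instance and build a replacement.
    param([Parameter(Mandatory)][string]$DcName)
    $problems = @()

    # 1. No FSMO role may still list the retired DC as its holder.
    $stale = Get-FsmoRoleHolder | Where-Object { $_.Holder -like "$DcName.*" -or $_.Holder -eq $DcName }
    foreach ($s in $stale) {
        $problems += "Role $($s.Role) still lists $($s.Holder) as holder; seize it onto a live DC."
    }

    # 2. The retired DC's NTDS settings / server object should be gone (metadata cleanup).
    #    If it still exists, the old OS instance would be treated as a DC if powered on.
    $dc = Get-ADDomainController -Filter { Name -eq $DcName } -ErrorAction SilentlyContinue
    if ($dc) {
        $problems += "$DcName still has a DC object ($($dc.NTDSSettingsObjectDN)); run metadata cleanup and never power the old instance on."
    }

    return $problems
}

# Seizing roles from an offline holder onto the new DC (-Force seizes instead of transferring).
# Shown for reference; run only once the original holder is confirmed to be permanently gone.
# Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force

# Usage: show the current holders, then check that the retired DC has been fully removed.
Get-FsmoRoleHolder | Format-Table -AutoSize
$issues = Test-RetiredDcCleanup -DcName $RetiredDC
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "$RetiredDC holds no FSMO roles and has no DC object; wipe it and build a replacement."
}
```

The two checks map directly onto the article's rule: a seized role must have exactly one live holder, and the DC it was seized from must cease to exist in the directory before its hardware or VM is reused, so that nothing can bring the old holder back.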
