How long can a DC be offline before it begins to affect the entire AD topology?


We have 2 Windows 2008 R2 servers, both acting as DCs and GCs, and 1 acting as the Exchange server (I know, bad practice. I inherited the infrastructure; the admin is no longer with the client.)

I need to add a third server (Windows 2012) to the domain to act as a DC/GC. After it's been added to the domain, I have a requirement to take it down and move it to another building. During the move, there's a network procedure between the buildings that will take 24-48 hours to complete.

If 1 of the Windows 2008 R2 servers is the FSMO owner for the domain (single flat site topology), how long can the Windows 2012 server be offline in the domain before it begins to create problems? I don't plan on having the Windows 2012 server be anything but a basic DC/GC server until it is moved to the new building and brought online again.

Technically, it can be offline for as long as the tombstone lifetime (TSL).

The KCC acts as follows to optimize the replication topology when it detects that a DC (replication partner) is unavailable:

<snip>

The KCC automatically rebuilds the replication topology when it recognizes that a domain controller has failed or is unresponsive.

The criteria the KCC uses to determine when a domain controller is not responsive depend upon whether the server computer is within the site or not. Two thresholds must be reached before a domain controller is declared "unavailable" by the KCC:

  • The requesting domain controller must have made n number of attempts to replicate with the target domain controller.

    • For replication between sites, the default value is 1 attempt.

    • For replication within a site, the following distinctions are made between the 2 immediate neighbors (in the ring) and optimizing connections:

      • For immediate neighbors, the default value is 0 failed attempts. (Thus, when one attempt fails, a new server is tried.)
      • For optimizing connections, the default value is 1 failed attempt. (Thus, when the second failed attempt occurs, a new server is tried.)

  • A certain amount of time must have passed since the last successful replication attempt.

    • For replication between sites, the default time is 2 hours.

    • For replication within a site, a distinction is made between the 2 immediate neighbors (in the ring) and optimizing connections:

      • For immediate neighbors, the default time is 2 hours.
      • For optimizing connections, the default value is 12 hours.

To modify the thresholds for excluding nonresponding servers, use the following registry entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, data type REG_DWORD. You can modify these values to the desired value as follows:

For replication between sites, use the following entries:

  • IntersiteFailuresAllowed
    Value: number of failed attempts
    Default: 1

  • MaxFailureTimeForIntersiteLink (secs)
    Value: time that must elapse before the link is considered stale, in seconds
    Default: 7200 (2 hours)

For optimizing connections within a site, use the following entries:

  • NonCriticalLinkFailuresAllowed
    Value: number of failed attempts
    Default: 1

  • MaxFailureTimeForNonCriticalLink
    Value: time that must elapse before the link is considered stale, in seconds
    Default: 43200 (12 hours)

For immediate neighbor connections within a site, use the following entries:

  • CriticalLinkFailuresAllowed
    Value: number of failed attempts
    Default: 0

  • MaxFailureTimeForCriticalLink
    Value: time that must elapse before the link is considered stale, in seconds
    Default: 7200 (2 hours)

For the ISTG (Inter-Site Topology Generator), see the following blog post: "ISTG - what happens when it fails?"
http://blogs.technet.com/b/janelewis/archive/2009/05/07/istg-what-happens-when-it-fails.aspx


Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog
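As an added example (not part of the original thread or the answer above), the following PowerShell reads the KCC thresholds listed in the answer from the NTDS Parameters key of the DC it runs on, falls back to the documented defaults where a value is not set, reads the forest tombstone lifetime, and compares both against a planned outage. The `$PlannedOutageHours` parameter and the output wording are assumptions; it needs the ActiveDirectory module and a DC to run against.

```powershell
# Added example (not from the original thread). Reads the KCC failure thresholds
# from the NTDS Parameters key, falling back to the documented defaults when a
# value is not set, reads the forest tombstone lifetime, and compares both with a
# planned outage. $PlannedOutageHours is an assumed input (the 24-48 hour move).
param([int]$PlannedOutageHours = 48)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Registry value name -> documented default (attempt counts, or seconds for Max* values)
$defaults = [ordered]@{
    'IntersiteFailuresAllowed'         = 1
    'MaxFailureTimeForIntersiteLink'   = 7200
    'NonCriticalLinkFailuresAllowed'   = 1
    'MaxFailureTimeForNonCriticalLink' = 43200
    'CriticalLinkFailuresAllowed'      = 0
    'MaxFailureTimeForCriticalLink'    = 7200
}

$effective = @{}
foreach ($name in $defaults.Keys) {
    # Get-ItemProperty returns $null (error suppressed) when the value does not exist
    $item = Get-ItemProperty -Path $ntds -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $effective[$name] = [int]$item.$name; $source = 'registry' }
    else                 { $effective[$name] = $defaults[$name];  $source = 'default'  }
    '{0,-34} {1,8}  ({2})' -f $name, $effective[$name], $source
}

# The tombstone lifetime is stored on the Directory Service object in the configuration
# partition; when the attribute is absent the effective value is 60 days.
Import-Module ActiveDirectory
$dsObject = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$tslDays  = (Get-ADObject -Identity $dsObject -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tslDays) { $tslDays = 60 }

# Within a single site the KCC routes around the offline DC once the slower of the two
# within-site time thresholds has passed. That is expected and self-healing when the DC
# returns; the hard limit for simply reconnecting the DC is the tombstone lifetime.
$kccHours = [Math]::Max($effective['MaxFailureTimeForCriticalLink'],
                        $effective['MaxFailureTimeForNonCriticalLink']) / 3600
"KCC rebuilds the topology around the offline DC after at most $kccHours h"
"Tombstone lifetime: $tslDays days ($($tslDays * 24) h)"
if ($PlannedOutageHours -lt $tslDays * 24) {
    "Planned $PlannedOutageHours h outage is within the tombstone lifetime; replication will catch up when the DC returns"
} else {
    "WARNING: planned outage exceeds the tombstone lifetime; the DC would have to be forcibly demoted and re-promoted rather than reconnected"
}
```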


