次の方法で共有


Time, time, everyone wants time...

In a previous post about managing FSMO roles, I asked a question about who remembers to configure the new server as an authoritative time source when transferring the PDC FSMO role.  The reason I ask this, is because when you look at managing the FSMO roles from an operational perspective, everything is automated or dynamic EXCEPT for the time service configuration.

In MS IT, we have 6 production forests, most of which have at least 2 domains and the main forest has an empty root with 8 child domains.  Time service configuration both between forests, and within the forests is critical, and operationally we have had multiple instances where a root domain PDC has ended up on a misconfigured server.

For this reason, a couple of years ago we went through and configured all root domain DC's to be authoritative time servers.  This way, no matter which server you transferred the PDC to, they were always "in synch" with each other.  This works well for us, because our largest root domain only has 5 DC's in it, and most only have 3 DC's.  Manually configuring these servers is a "fix and forget" operation.  But what would we do if we were in a single domain environment, with a couple of hundred DC's?

To answer this, I look at how we manage the PDC role in our largest child domain, Redmond.  The Redmond PDC is always under the highest load of any DC in that domain, so we take some extra steps to shield it from general auth traffic.  Because we know that when we're dogfooding, the PDC is also the most likely candidate to be offline for debug, we also take an extra DC and pre-configure it the same way...the net result is that we have one really busy PDC, and a not-so-busy stand-by PDC.  This may be an expensive way of managing failures, but then again we don't expect anyone else to dogfood the way we do either...so for us it's worth the extra cost.

How could our Redmond PDC configuration map to the time service configuration in your single domain forest with a lot of DC's?  Simple, just take some subset of your servers...and identify those as the ones which you could transfer your PDC role to if necessary.  Pre-configure them as authoritative time servers, then go sit back and relax.  When the call comes in the middle of the night and you need to transfer the PDC role to another box, you won't go back to bed with that itchy feeling that you forgot something...instead you'll just relax and get a good nights sleep.

(I also wanted to note that Joe called this out as well in the comments of the previous post.  If you haven't checked out his FREE tools (https://joeware.net) then you're probably working too hard...)

Comments