Solved

Failover for Windows 2000 Active Directory service?

Posted on 2002-05-28
Last Modified: 2010-04-13
Is there any way to build a failover server for Windows 2000 Server with Active Directory service installed? Once the primary Active Directory server is down, the failover server will be running.



Question by:joehuang

9 Comments
 
LVL 4

Expert Comment

by:Nevaar
ID: 7040276
How about a second W2K domain controller in the same domain?

They should both register their resources in DNS, so any workstations should have access (via DNS) to the names and locations of both domain controllers/AD servers.
 

Author Comment

by:joehuang
ID: 7040486
We do have a second W2K ADS domain controller here, but the problem is that the administrator has to configure RID/PDC/Infrastructure through Active Directory Users and Computers, and something else that I read on TechNet.
I have done a test in which I shut down the Primary Domain Controller, and no user could log in to the network even with the 2nd DC online. In order for users to log on to the network, the RID/PDC/Infrastructure roles need to be modified on the BDC before the PDC is shut down. This is a lot different from NT4, where the BDC still authenticates the net logon even when the PDC is offline.
It does not make any sense why Microsoft created such a drawback in Win2k ADS. Please correct me if my concept is wrong.

This is the reason that I am looking for a tool to build a failover server for OS/Domain Controller failure. I have found a solution from http://www.marathontechnologies.com , but we do not need such a big system.

Does Microsoft Clustering Service handle OS failover for a Domain Controller? Or does it only handle application failover?
 
LVL 4

Expert Comment

by:Nevaar
ID: 7040535
The lack of RID, PDC & Infrastructure roles will not keep a user from being able to logon to a domain.

However, the lack of a DHCP and/or DNS server would.  Is your primary server the only DHCP and DNS server that you have set up?
 
LVL 4

Expert Comment

by:Nevaar
ID: 7040537
Oops, I almost forgot.  A missing Global Catalog server would cause you problems too.
 
LVL 6

Expert Comment

by:st_steve
ID: 7040876
If you need to shut down the PDC often, BEFORE you shut it down, "transfer" the PDC Emulator role (from Active Directory Users and Computers) to the second domain controller. Transfer the role back to original PDC when it's up again.

You should only seize the roles if you know for SURE that the old machine will NEVER be online again. Many recommend if you SEIZE a role, you format the hard drive of the machine which held the role originally.

As Nevaar already mentioned, you also need DNS for AD to function and for clients to locate the nearest PDC.

On another note, if you need to shut down a machine often, that computer shouldn't be running any of the FSMO roles.

You need to be at least Domain Admin to modify these rights. You wouldn't want anyone to modify what server holds what FSMO roles, would you??
 
LVL 6

Expert Comment

by:st_steve
ID: 7040878
Under Windows 2000, every DC is the same except:

PDC Emulator:
Controls user authentication
Time synchronisation within the domain (required for Kerberos)

Infrastructure Master:
Manages group membership changes (doesn't function if the machine is also a Global Catalog Server); being a GC, the Infrastructure Master can't tell whether group memberships have changed.

Relative ID Master:
Manages new accounts creations, GUID = DomainID + RelativeID

Schema Master:
Controls Modifications to Schema, the backbone of AD

Domain Naming Master:
Controls adding and removing of Domain names

Schema and Domain Naming are "forest-wide" roles (only one in each forest), the rest are "domain-wide" roles (one in each domain).
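The two comments above describe the five FSMO roles and the rule that a role is transferred (gracefully) before a planned shutdown and only seized when the old holder is gone for good. The following PowerShell script is an added example, not code from the thread or from Microsoft: it inventories the role holders and the Global Catalogs, runs the sanity checks a practitioner would want first (target reachable, a GC still online, the Infrastructure Master / GC conflict st_steve mentions), and then moves the PDC Emulator. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, so not the Windows 2000 GUI/ntdsutil path the thread is using), Domain Admin rights, and the made-up names corp.example.com and DC2.

```powershell
# Added example (not from the thread): inventory FSMO role holders and move the
# PDC Emulator before planned maintenance. Requires the ActiveDirectory module
# and Domain Admin rights. Windows 2000 itself only offered the MMC snap-ins and
# ntdsutil for this; the cmdlets below are the modern equivalent.
# Assumed names: domain corp.example.com, target DC "DC2".
param(
    [string]$Domain = 'corp.example.com',   # assumed
    [string]$Target = 'DC2',                # assumed target DC
    [switch]$Seize                          # only when the old holder will NEVER return
)
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$DomainName)
    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
    $d = Get-ADDomain -Identity $DomainName
    $f = Get-ADForest -Identity $d.Forest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        GlobalCatalogs       = @($f.GlobalCatalogs)
    }
}

$before = Get-FsmoReport -DomainName $Domain
$before | Format-List

# Check 1: the target must be a DC of this domain and reachable right now.
$targetDc = Get-ADDomainController -Identity $Target -ErrorAction Stop
if (-not (Test-Connection -ComputerName $targetDc.HostName -Count 1 -Quiet)) {
    throw "Target DC $($targetDc.HostName) is not reachable; aborting."
}

# Check 2: logons need a Global Catalog, so at least one must stay online.
$gcOnline = $before.GlobalCatalogs | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet }
if (-not $gcOnline) { throw "No Global Catalog is reachable; fix that before moving roles." }

# Check 3 (st_steve's caveat): an Infrastructure Master that is also a GC cannot
# detect cross-domain group membership changes. Warn, do not block.
if ($before.GlobalCatalogs -contains $before.InfrastructureMaster) {
    Write-Warning "Infrastructure Master $($before.InfrastructureMaster) is also a Global Catalog."
}

# Transfer is the default; -Force turns it into a seize, which is irreversible
# for the old holder and must only be used when it is known to be dead.
$moveArgs = @{
    Identity            = $targetDc
    OperationMasterRole = 'PDCEmulator'
    Confirm             = $false
}
if ($Seize) { $moveArgs['Force'] = $true }
Move-ADDirectoryServerOperationMasterRole @moveArgs

# Verify the directory really reports the new holder before calling it done.
$after = Get-FsmoReport -DomainName $Domain
if ($after.PDCEmulator -ne $targetDc.HostName) {
    throw "PDC Emulator is still $($after.PDCEmulator); the move did not take effect."
}
"PDC Emulator moved from $($before.PDCEmulator) to $($after.PDCEmulator)"
```

Run it without `-Seize` for the planned case in st_steve's first paragraph, and run it again with the original server as `-Target` once that machine is back to transfer the role home. Holding the Schema and Domain Naming roles (forest-wide, one per forest) is deliberately left out of the move; the same cmdlet handles them, but they have no bearing on day-to-day logons.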
 
LVL 4

Expert Comment

by:Nevaar
ID: 7041374
What type of clients are you running (W98, NT, 2K, XP)?  Are they running NetBIOS in addition to TCP?
 

Author Comment

by:joehuang
ID: 7042494
There is only one DHCP service, on the Primary DC; there is a DNS service on each of the Primary DC and Second DC. W98/NT/2K/XP are the clients, running NetBIOS/TCP. This is a good reminder, plus the GC: once the Primary DC is down, DHCP clients cannot lease an IP address from any DC, because there is only one DHCP server.

So, if the Primary DC dies suddenly, there is no chance to modify the roles with the PDC online; how do I make the second DC become the Primary DC?
 
LVL 4

Accepted Solution

by:Nevaar (earned 50 total points)
ID: 7042767
In terms of Active Directory from the client perspective, there is no such thing as a primary or secondary DC. This is not an old style NT domain.

You should set up a DHCP server (with a smaller scope) on the second DC.  Also make sure that you have both DNS servers listed in the DNS server option on your DHCP server scopes.
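The accepted solution, together with Nevaar's earlier point that both DCs register themselves in DNS, boils down to three things that must be true for logons to survive one DC going down: both DCs appear in the DC locator SRV records, at least one Global Catalog is advertised, and every DHCP scope hands out both DNS servers. This script is an added example (not from the thread) that checks all three from a management host. It assumes the DnsClient module (Windows 8 / Server 2012 or later) and, for the DHCP part, the DhcpServer module installed on the DHCP host; the domain corp.example.com, DNS servers 10.0.0.1 and 10.0.0.2, scope 10.0.0.0 and DHCP host DC1 are made up.

```powershell
# Added example (not from the thread): verify that clients can still locate a DC
# and a GC when either DC is down, and that DHCP hands out both DNS servers.
# Assumed: domain corp.example.com, one DNS server per DC, DHCP scope 10.0.0.0 on DC1.
param(
    [string]$Domain       = 'corp.example.com',         # assumed
    [string[]]$DnsServers = @('10.0.0.1', '10.0.0.2'),  # assumed: one per DC
    [string]$ScopeId      = '10.0.0.0',                 # assumed DHCP scope
    [string]$DhcpServer   = 'DC1'                       # assumed DHCP host
)

function Get-SrvTargets {
    param([string]$Name, [string]$Server)
    # Host names advertised for one SRV record as answered by one DNS server; @() on failure.
    try {
        Resolve-DnsName -Name $Name -Type SRV -Server $Server -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget
    } catch { @() }
}

$issues  = @()
# _gc._tcp lives under the forest root; for the single-domain forest assumed here
# that is the same name as the domain.
$records = [ordered]@{
    'DC locator'     = "_ldap._tcp.dc._msdcs.$Domain"
    'Kerberos KDC'   = "_kerberos._tcp.dc._msdcs.$Domain"
    'Global Catalog' = "_gc._tcp.$Domain"
}

# Ask each DNS server separately: if one DC dies, clients fall back to the other
# server, so each must hold a complete copy of the locator records.
foreach ($dns in $DnsServers) {
    foreach ($label in $records.Keys) {
        $targets = @(Get-SrvTargets -Name $records[$label] -Server $dns)
        "$dns : $label -> $($targets -join ', ')"
        if ($targets.Count -eq 0) {
            $issues += "$dns answers no $label record ($($records[$label]))"
        } elseif ($label -eq 'DC locator' -and $targets.Count -lt 2) {
            $issues += "$dns lists only one DC for $label; a single DC outage will block logons"
        }
    }
}

# DHCP option 6 (DNS servers) on the scope must list every DNS server, otherwise
# clients that renew during the outage get one dead resolver and lose AD with it.
try {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 6 -ErrorAction Stop
    $missing = $DnsServers | Where-Object { $opt.Value -notcontains $_ }
    if ($missing) {
        $issues += "DHCP scope $ScopeId option 6 lacks DNS server(s): $($missing -join ', ')"
    }
} catch {
    $issues += "could not read DHCP option 6 on $DhcpServer scope $ScopeId : $_"
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
'DC locator, Global Catalog and DHCP DNS checks passed'
```

The DHCP half of Nevaar's answer (a second, smaller scope on the other DC) is a configuration change rather than a check; once it exists, run the script again with that server as `-DhcpServer` so both scopes are confirmed to list both DNS servers.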