Solved

active directory/dns/exchange question ( extra 500 point for this question )

Posted on 2003-11-14
Last Modified: 2010-04-14
hi there

i have an exchange server installed on the same server as the active directory ( and dns as well )

the problem is that i want to make each one of them stand alone on 3 different servers

and even add another domain controller to replicate the active directory

* can someone tell me how to do it ?
* if there are two active directories , will i need two dns's ?
* if there are two active directories and one of them is down , how will the clients know to go to the other ?


thanks

victor

Question by:victorbx

Expert Comment by: Rob Stone (LVL 15)
AD replicates to other AD servers so don't worry about that.

Check this link again for MS Documentation:

http://www.microsoft.com/windows2000/en/server/help/

Expert Comment by: NahumK (LVL 1)
What you should do is install another DNS and another AD server (although you can have both of them on the same computer with no problem).
When both of the new computers have finished replicating and are working properly, remove the AD and DNS services from the original computer. Leave the Exchange as it is; moving it to a different server is a bit more complicated and not necessary.
Some background:
There is no such thing as "two ADs" unless you have two different domains, which I assume you don't. Computers in a domain with AD installed are referred to as Domain Controllers (DCs). DNS and DC servers replicate data automatically.
The DNS stores information about the IP addresses of the Domain Controllers. A client computer requests the DC IP address from the DNS (notice you have no place to write the DC IP in the network configuration panel, you can only specify WINS and DNS servers). When a DC goes down the DNS gives the client the address of the alternative DC, but this can slow down access.

Author Comment by: victorbx (LVL 4)
all the computers are pointing to one dns

if the DC crashes , so will the dns

will they know how to go to the other dns on the other DC ?

victor

Expert Comment by: NahumK (LVL 1)
True, if you have DNS/DC on one machine and it goes down, you will have a problem.
Clients will only be able to access the other DC if they have its IP already cached.
But if you have 2 DNS machines you can just specify their IP addresses in the connection configuration panel (there are boxes for the preferred and alternate DNS server's IP). If you want to use more than 2 DNS servers, just click on the advanced button.

Expert Comment by: ralonso (LVL 5)
Victor,
what you will probably want to do is:
set up 2 domain controllers and have DNS running on them. DNS in windows 2000 can be AD integrated which makes replication completely transparent and easy.

Exchange also uses AD, but there is no significant advantage to having exchange running on a domain controller.

What you really need to do is set up your clients to use the 2 DNS servers (primary and secondary).
If your client tries to contact a DNS server and it doesn't respond, it will connect to the other.

DNS also stores information about DC's and AD.

The boot-up process would be the following:
Your machine starts
it contacts DNS to find a DC (initially the primary, alternatively the secondary)
If it cannot contact any DNS server, it will throw a NETBIOS request <DOMAIN NAME>[1C] (that means: god help me, I need a domain controller for domain <DOMAIN NAME>). It can do it via WINS and/or Broadcast.

Once it has contacted a domain controller, the machine will authenticate to the server (we are talking about nt/2k/xp).

Then you log on; same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed)
The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services Console.

I know it's a bit too dense but I hope it helps
R/

Author Comment by: victorbx (LVL 4)
i didn't understand the last part ...

" same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed)The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services Console. "

what do you mean by "same process from DNS - DC"


thanks

victor


Expert Comment by: ralonso (LVL 5)
Yes, there are 2 different authentications.
The machine logs on to the domain when it starts up.

The user logs on to the domain later on.
When you press ctrl+alt+del your machine finds a domain controller for the domain to which your machine belongs using the following failover sequence:
primary DNS, secondary DNS, NetBIOS resolution (usually netbios cache, WINS, broadcast and lmhosts)

This query will return one (or more DC's).
Then you query the DC and retrieve a list of domains where you can log on (depends on the number of trust relationships established by your domain)
Then you type username, password and select the domain you want to log on to.
There is another query to DNS to retrieve the domain controllers for the domain where you want to log on.
Your authentication is submitted to the domain controller. The domain controller contacts a global catalog server and builds a session token that has the SIDs for your user account, plus all global and universal groups you belong to.

Universal groups exist in pure windows 2000 domains (no NT4 BDC's). A universal group should include global groups from different domains in the forest that are supposed to do the same function:
imagine you have 2 domains and a "Sales" global group in each domain.
Then you would create a Sales universal group containing both global groups and you could assign permissions on resources to the universal group instead of adding the group of every domain.

In 99.9% of the situations universal groups are useless, but your domain controller will still try to contact the Global Catalog server.
A failure to contact a global catalog server may result in delays logging in and eventually not even being able to log on.

Author Comment by: victorbx (LVL 4)
so , if a failure to contact a global catalog server may result in delays and stuff

is there a way to disable the global catalog server ?


victor

Expert Comment by: ralonso (LVL 5)
the network needs a catalog server.
so make your second DC also a GC

from Active Directory Sites and services
expand your site (probably called Default-first-site-name)
Expand Servers and your server until you see: NTDS Settings
Right click on it and select Properties
In the first tab you will find a checkbox called: Global Catalog
To turn a DC into a GC you just need to tick this box.

(by the way, all GC still behave as normal DC's)

Once you have the two servers as DNS, DC and GC and you configure clients to use both DNS servers, your network authentication will be fault tolerant.

Author Comment by: victorbx (LVL 4)
thank you Ralonso for the great answers

one more question and you will get the points

i have a domain controller with exchange installed on it
i raised up another domain controller

how do i remove the domain controller from the exchange server so the exchange will be without it ?


victor

Accepted Solution by: ralonso (LVL 5, earned 500 total points)
run dcpromo in the domain controller you want to demote.

If this domain controller was the first you installed, it would be a wise move to transfer the FSMO (flexible single master of operations) roles to another DC before demoting it.

use NTDSUTIL.EXE to transfer them:
http://support.microsoft.com/?kbid=255504

You can either transfer or seize the roles: use TRANSFER
Then synchronize the DC's, run dcpromo, restart and you are done.
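Added example, not from the thread or any of its posters: a PowerShell readiness check for the demotion described in the accepted solution, which also verifies the DNS and Global Catalog fault-tolerance points ralonso raised in the earlier comments. It assumes RSAT (the ActiveDirectory and DnsClient modules) and uses placeholder host names DC1 (the DC hosting Exchange, to be demoted) and DC2 (the new DC); the thread's own tool on Windows 2000 is NTDSUTIL, and the commented Move-ADDirectoryServerOperationMasterRole line is the modern equivalent of its "use TRANSFER" advice.

```powershell
# Added example (not from the thread): readiness check before running dcpromo
# on the DC that also hosts Exchange. Assumes RSAT (ActiveDirectory, DnsClient
# modules) and placeholder host names DC1 (to be demoted) and DC2 (the new DC).
Import-Module ActiveDirectory

$Demoting = 'DC1'          # placeholder: DC hosting Exchange, to be demoted
$Domain   = Get-ADDomain
$Forest   = Get-ADForest

# 1. FSMO roles: none of the five may remain on the DC being demoted.
$roles = [ordered]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}
$stuck = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$Demoting.*" })
if ($stuck.Count -gt 0) {
    Write-Warning ("Transfer before demoting ${Demoting}: " + ($stuck.Key -join ', '))
    # Modern equivalent of the thread's 'use TRANSFER' advice (transfer, do not seize):
    # Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole $stuck.Key
}

# 2. At least one other Global Catalog must remain, or logons stall on the GC
#    lookup described in the thread.
$otherGCs = @(Get-ADDomainController -Filter * |
              Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $Demoting })
if ($otherGCs.Count -eq 0) {
    Write-Warning "No other GC: tick 'Global Catalog' on the remaining DC's NTDS Settings first."
} else {
    # 3. DC locator: the SRV record clients query must resolve from the surviving
    #    DNS server and must not advertise only the DC being removed.
    $srv  = Resolve-DnsName -Type SRV -Server $otherGCs[0].IPv4Address `
                -Name "_ldap._tcp.dc._msdcs.$($Domain.DNSRoot)"
    $live = @($srv | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -notlike "$Demoting.*" })
    if ($live.Count -eq 0) { Write-Warning "SRV records only advertise $Demoting; let replication finish." }
}

# 4. Every client NIC should list a preferred and an alternate DNS server.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -eq 1 } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias) has a single DNS server configured." }
```

Run it on the surviving DC (and step 4 on a client) before dcpromo; every warning maps to one of the steps the thread describes, so a clean run means the demotion will not break logons.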