active directory/dns/exchange question ( extra 500 point for this question )

Posted on 2003-11-14
Medium Priority
Last Modified: 2010-04-14
Hi there,

I have an Exchange server installed on the same server as Active Directory (and DNS as well).

The problem is that I want to make each one of them stand-alone on 3 different servers,

and even add another domain controller to replicate the Active Directory.

* Can someone tell me how to do it?
* If there will be two Active Directories, will I need two DNSs?
* If there will be two Active Directories and one of them is down, how will the clients know to go to the other?



Question by:victorbx

Expert Comment

by:Rob Stone
ID: 9746793
AD replicates to other AD servers so don't worry about that.

Check this link again for MS Documentation:


Expert Comment

ID: 9746955
What you should do is install another DNS and another AD server (although you can have both of them on the same computer with no problem).
When both of the new computers have finished replicating and are working properly, remove the AD and DNS services from the original computer. Leave the Exchange as it is; moving it to a different server is a bit more complicated and not necessary.
Some background:
There is no such thing as "two ADs" unless you have two different domains, which I assume you don't. Computers in a domain with AD installed are referred to as Domain Controllers (DCs). DNS and DC servers replicate data automatically.
The DNS stores information about the IP addresses of the domain controllers. A client computer requests the DC IP address from the DNS (notice you have no place to write the DC IP in the network configuration panel; you can only specify WINS and DNS servers). When a DC goes down the DNS gives the client the address of the alternative DC, but this can slow down access.

Author Comment

ID: 9747081
All the computers are pointing to one DNS.

If the DC crashes, so will the DNS.

Will they know how to go to the other DNS on the other DC?


Expert Comment

ID: 9747538
True, if you have DNS/DC on one machine and it goes down, you will have a problem.
Clients will only be able to access the other DC if they have its IP already cached.
But if you have 2 DNS machines you can just specify their IP addresses in the connection configuration panel (there are boxes for the preferred and alternate DNS server's IP). If you want to use more than 2 DNS servers, just click on the Advanced button.

Expert Comment

ID: 9748378
What you will probably want to do is:
set up 2 domain controllers and have DNS running on them. DNS in Windows 2000 can be AD integrated, which makes replication completely transparent and easy.

Exchange also uses AD, but there is no significant advantage to having Exchange running on a domain controller.

What you really need to do is set up your clients to use the 2 DNS servers (primary and secondary).
If your client tries to contact a DNS server and it doesn't respond, it will connect to the other.

DNS also stores information about DCs and AD.

The boot-up process would be the following:
Your machine starts
it contacts DNS to find a DC (initially the primary, alternatively the secondary)
If it cannot contact any DNS server, it will throw a NETBIOS request <DOMAIN NAME>[1C] (that means: god help me, I need a domain controller for domain <DOMAIN NAME>). It can do it via WINS and/or Broadcast.

Once it has contacted a domain controller, the machine will authenticate to the server (we are talking about nt/2k/xp).

Then you log on; same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed)
The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services Console.

I know it's a bit too dense, but I hope it helps.

Author Comment

ID: 9748858
I didn't understand the last part ...

"same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed). The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services Console."

What do you mean by "same process from DNS - DC"?




Expert Comment

ID: 9749062
Yes, there are 2 different authentications.
The machine logs on to the domain when it starts up.

The user logs on to the domain later on.
When you press ctrl+alt+del your machine finds a domain controller for the domain to which your machine belongs using the following failover sequence:
primary DNS, secondary DNS, NetBIOS resolution (usually netbios cache, WINS, broadcast and lmhosts)

This query will return one (or more) DCs.
Then you query the DC and retrieve a list of domains where you can log on (depends on the number of trust relationships established by your domain).
Then you type username and password and select the domain you want to log on to.
There is another query to DNS to retrieve the domain controllers for the domain where you want to log on.
Your authentication is submitted to the domain controller. The domain controller contacts a global catalog server and builds a session token that has the SIDs for your user account, plus all global and universal groups you belong to.

Universal groups exist in pure Windows 2000 domains (no NT4 BDCs). A universal group should include global groups from different domains in the forest that are supposed to do the same function:
imagine you have 2 domains and a "Sales" global group in each domain.
Then you would create a Sales universal group containing both global groups, and you could assign permissions on resources to the universal group instead of adding the group of every domain.

In 99.9% of the situations universal groups are useless, but your domain controller will still try to contact the Global Catalog server.
A failure to contact a global catalog server may result in delays logging in and eventually not even being able to log on.

Author Comment

ID: 9749309
So, if a failure to contact a global catalog server may result in delays and stuff,

is there a way to disable the global catalog server?


Expert Comment

ID: 9749547
The network needs a catalog server,
so make your second DC also a GC.

From Active Directory Sites and Services:
expand your site (probably called Default-first-site-name)
Expand Servers and your server until you see: NTDS Settings
Right click on it and select Properties
In the first tab you will find a checkbox called: Global Catalog
To turn a DC into a GC you just need to tick this box.

(By the way, all GCs still behave as normal DCs.)

Once you have the two servers as DNS, DC and GC and you configure clients to use both DNS servers, your network authentication will be fault tolerant.

Author Comment

ID: 9781394
Thank you Ralonso for the great answers.

One more question and you will get the points.

I have a domain controller that Exchange is installed on.
I brought up another domain controller.

How do I remove the domain controller from the Exchange server so the Exchange will be without it?


Accepted Solution

ralonso earned 2000 total points
ID: 9782739
Run dcpromo on the domain controller you want to demote.

If this domain controller was the first you installed, it would be a wise move to transfer the FSMO (flexible single master of operations) roles to another DC before demoting it.

Use NTDSUTIL.EXE to transfer them:

You can either transfer or seize the roles: use TRANSFER.
Then synchronize the DCs, run dcpromo, restart and you are done.
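As an added example that is not part of the thread, this PowerShell pre-demotion check (written for a current Windows Server with the RSAT ActiveDirectory and DnsClient modules; the domain name and DC name are placeholders) verifies the conditions ralonso lists before demoting the DC that also hosts Exchange, and ties in the earlier explanation that clients locate DCs and GCs through DNS: it confirms the FSMO roles and a Global Catalog exist on another DC, that the remaining DCs are published in the `_ldap._tcp.dc._msdcs` and `_gc._tcp` SRV records, and that the host has both a primary and an alternate DNS server.

```powershell
# Added example, not code from the thread: a pre-demotion check for the DC that also
# runs DNS and Exchange. Assumes the RSAT ActiveDirectory and DnsClient modules; the
# domain name and DC name are placeholders to replace with your own values.
param(
    [string]$DomainName = "example.local",  # placeholder
    [string]$DcToDemote = "DC1"             # placeholder: the DC/DNS/Exchange box
)
Import-Module ActiveDirectory

# 1. The locator records a client reads from DNS when it needs a DC or a GC
#    (the "DNS - DC" step of the boot and logon sequence described above).
$dcSrv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
         Where-Object { $_.Type -eq 'SRV' }
$gcSrv = Resolve-DnsName "_gc._tcp.$DomainName" -Type SRV -ErrorAction Stop |
         Where-Object { $_.Type -eq 'SRV' }

# 2. What AD itself says about DCs, GCs and FSMO role holders.
$dcs    = Get-ADDomainController -Filter * -Server $DomainName
$target = $dcs | Where-Object { $_.Name -ieq $DcToDemote }
$others = $dcs | Where-Object { $_.Name -ine $DcToDemote }
if (-not $target) { throw "'$DcToDemote' is not a domain controller in $DomainName" }

$ok = $true
# FSMO roles go first: ntdsutil as in the answer, or Move-ADDirectoryServerOperationMasterRole.
if ($target.OperationMasterRoles.Count -gt 0) {
    Write-Warning "$DcToDemote still holds FSMO roles: $($target.OperationMasterRoles -join ', ')"
    $ok = $false
}
# Another DC must be a Global Catalog, or user logons will depend on the box being demoted.
if (-not ($others | Where-Object IsGlobalCatalog)) {
    Write-Warning "No other DC is a Global Catalog; tick 'Global Catalog' on another DC first"
    $ok = $false
}
# Every remaining DC must be published in the SRV records clients use to find it.
foreach ($dc in $others) {
    if ($dcSrv.NameTarget -notcontains $dc.HostName) {
        Write-Warning "$($dc.HostName) has no _ldap._tcp.dc._msdcs SRV record"; $ok = $false
    }
    if ($dc.IsGlobalCatalog -and $gcSrv.NameTarget -notcontains $dc.HostName) {
        Write-Warning "$($dc.HostName) has no _gc._tcp SRV record"; $ok = $false
    }
}
# This host's own resolver list needs a primary and an alternate DNS server.
$resolvers = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique)
if ($resolvers.Count -lt 2) {
    Write-Warning "Only $($resolvers.Count) DNS server configured; add an alternate before demoting"
    $ok = $false
}
if ($ok) { "Safe to sync replication (repadmin /syncall) and run dcpromo on $DcToDemote." }
```

Run it from the new DC (or any domain-joined admin workstation) rather than from the box being demoted, so the DNS and resolver checks reflect what will remain after the demotion.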
