Solved

Active Directory/DNS/Exchange question (extra 500 points for this question)

Posted on 2003-11-14
442 Views
Last Modified: 2010-04-14
Hi there,

I have an Exchange server installed on the same server as Active Directory (and DNS as well).

The problem is that I want to make each one of them stand alone on 3 different servers,

and even add another domain controller to replicate Active Directory.

* Can someone tell me how to do it?
* If there are two Active Directories, will I need two DNSs?
* If there are two Active Directories and one of them is down, how will the clients know to go to the other?


thanks

victor

Question by:victorbx

11 Comments

LVL 15

Expert Comment

by:Rob Stone
ID: 9746793
AD replicates to other AD servers so don't worry about that.

Check this link again for MS Documentation:

http://www.microsoft.com/windows2000/en/server/help/
LVL 1

Expert Comment

by:NahumK
ID: 9746955
What you should do is install another DNS and another AD server (although you can have both of them on the same computer with no problem).
When both of the new computers have finished replicating and are working properly, remove the AD and DNS services from the original computer. Leave the Exchange as it is; moving it to a different server is a bit more complicated and not necessary.
Some background:
There is no such thing as "two ADs" unless you have two different domains, which I assume you don't. Computers in a domain with AD installed are referred to as Domain Controllers (DCs). DNS and DC servers replicate data automatically.
The DNS stores information about the IP addresses of the Domain Controllers. A client computer requests the DC IP address from the DNS (notice you have no place to write the DC IP in the network configuration panel, you can only specify WINS and DNS servers). When a DC goes down the DNS gives the client the address of the alternative DC, but this can slow down access.
LVL 4

Author Comment

by:victorbx
ID: 9747081
All the computers are pointing to one DNS.

If the DC crashes, so will the DNS.

Will they know how to go to the other DNS on the other DC?

victor
LVL 1

Expert Comment

by:NahumK
ID: 9747538
True, if you have DNS/DC on one machine and it goes down, you will have a problem.
Clients will only be able to access the other DC if they have its IP already cached.
But if you have 2 DNS machines you can just specify their IP addresses in the connection configuration panel (there are boxes for the preferred and alternate DNS server's IP). If you want to use more than 2 DNS servers, just click on the advanced button.
LVL 5

Expert Comment

by:ralonso
ID: 9748378
Victor,
what you will probably want to do is:
set up 2 domain controllers and have DNS running on them. DNS in Windows 2000 can be AD integrated, which makes replication completely transparent and easy.

Exchange also uses AD, but there is no significant advantage of having Exchange running on a domain controller.

What you really need to do is set up your clients to use the 2 DNS servers (primary and secondary).
If your client tries to contact a DNS server and it doesn't respond, it will connect to the other.

DNS also stores information about DCs and AD.

The boot-up process would be the following:
Your machine starts.
It contacts DNS to find a DC (initially the primary, alternatively the secondary).
If it cannot contact any DNS server, it will throw a NetBIOS request <DOMAIN NAME>[1C] (that means: god help me, I need a domain controller for domain <DOMAIN NAME>). It can do it via WINS and/or broadcast.

Once it has contacted a domain controller, the machine will authenticate to the server (we are talking about nt/2k/xp).

Then you log on; same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed).
The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services console.

I know it's a bit too dense but I hope it helps
R/
LVL 4

Author Comment

by:victorbx
ID: 9748858
I didn't understand the last part...

"same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed). The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services Console."

What do you mean by "same process from DNS - DC"?


thanks

victor

LVL 5

Expert Comment

by:ralonso
ID: 9749062
Yes, there are 2 different authentications.
The machine logs on to the domain when it starts up.

The user logs on to the domain later on.
When you press ctrl+alt+del your machine finds a domain controller for the domain to which your machine belongs using the following failover sequence:
primary DNS, secondary DNS, NetBIOS resolution (usually netbios cache, WINS, broadcast and lmhosts)

This query will return one (or more) DCs.
Then you query the DC and retrieve a list of domains where you can log on (depends on the number of trust relationships established by your domain).
Then you type username, password and select the domain you want to log on to.
There is another query to DNS to retrieve the domain controllers for the domain where you want to log on.
Your authentication is submitted to the domain controller. The domain controller contacts a global catalog server and builds a session token that has the SIDs for your user account, plus all global and universal groups you belong to.

Universal groups exist in pure Windows 2000 domains (no NT4 BDCs). A universal group should include global groups from different domains in the forest that are supposed to do the same function:
imagine you have 2 domains and a "Sales" global group in each domain.
Then you would create a Sales universal group containing both global groups and you could assign permissions on resources to the universal group instead of adding the group of every domain.

In 99.9% of the situations universal groups are useless, but your domain controller will still try to contact the Global Catalog server.
A failure to contact a global catalog server may result in delays logging in and eventually not even being able to log on.
LVL 4

Author Comment

by:victorbx
ID: 9749309
So, if a failure to contact a global catalog server may result in delays and stuff,

is there a way to disable the global catalog server?


victor
LVL 5

Expert Comment

by:ralonso
ID: 9749547
The network needs a catalog server,
so make your second DC also a GC.

From Active Directory Sites and Services:
expand your site (probably called Default-First-Site-Name).
Expand Servers and your server until you see: NTDS Settings.
Right click on it and select Properties.
In the first tab you will find a checkbox called: Global Catalog.
To turn a DC into a GC you just need to tick this box.

(By the way, all GCs still behave as normal DCs.)

Once you have the two servers as DNS, DC and GC and you configure clients to use both DNS servers, your network authentication will be fault tolerant.
LVL 4

Author Comment

by:victorbx
ID: 9781394
Thank you Ralonso for the great answers.

One more question and you will get the points.

I have a domain controller that Exchange is installed on.
I raised another domain controller.

How do I remove the domain controller from the Exchange server so the Exchange will be without it?


victor
LVL 5

Accepted Solution

by: ralonso earned 500 total points
ID: 9782739
Run dcpromo on the domain controller you want to demote.

If this domain controller was the first you installed, it would be a wise move to transfer the FSMO (Flexible Single Master Operations) roles to another DC before demoting it.

Use NTDSUTIL.EXE to transfer them:
http://support.microsoft.com/?kbid=255504

You can either transfer or seize the roles: use TRANSFER.
Then synchronize the DCs, run dcpromo, restart and you are done.
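The pre-demotion checks from the accepted answer (FSMO roles off the old DC, second DC also a GC, DNS on every remaining DC, replication synced) as an added PowerShell example; this is not code from the thread, which predates the ActiveDirectory module, and it assumes two DCs named OLDDC (runs Exchange, to be demoted) and NEWDC (stays) in the current domain.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module
# (Windows Server 2008 R2 or later RSAT); the thread's own Windows 2000
# procedure uses ntdsutil and dcpromo for the same steps.
Import-Module ActiveDirectory

$Leaving = 'OLDDC'   # assumed name: DC with Exchange, about to be demoted
$Staying = 'NEWDC'   # assumed name: DC that remains

# 1. Which DC holds each of the five FSMO roles? Holder names are FQDNs.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }

# Roles still on the DC we are about to demote must be TRANSFERRED (graceful,
# both DCs online). Seizing is only for a DC that is already gone for good.
$toMove = @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$Leaving.*" } |
    ForEach-Object { $_.Key })
if ($toMove.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Staying `
        -OperationMasterRole $toMove -Confirm:$false
}

# 2. The remaining DC must also be a Global Catalog, otherwise logons stall
#    once the old GC is gone. The "Global Catalog" checkbox on NTDS Settings
#    in Sites and Services is bit 1 of that object's 'options' attribute.
$stayingDc = Get-ADDomainController -Identity $Staying
if (-not $stayingDc.IsGlobalCatalog) {
    Set-ADObject -Identity $stayingDc.NTDSSettingsObjectDN -Replace @{ options = 1 }
}

# 3. Every DC that stays should run the DNS Server service, so clients whose
#    preferred/alternate DNS entries point at them can still locate a DC.
Get-ADDomainController -Filter * | ForEach-Object {
    $dns = Get-Service -ComputerName $_.HostName -Name DNS -ErrorAction SilentlyContinue
    '{0,-30} GC={1,-5} DNS={2} Roles={3}' -f $_.HostName, $_.IsGlobalCatalog,
        ($dns.Status), ($_.OperationMasterRoles -join ',')
}

# 4. Replicate the role change everywhere before demoting (dcpromo on
#    Windows 2000/2003, Uninstall-ADDSDomainController on 2012 and later).
repadmin /syncall $Staying /AdeP
```

Run it on the staying DC as a domain admin before demotion; if step 1 lists any role still on OLDDC after the transfer, stop and check replication before running dcpromo.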
