Active Directory/DNS/Exchange question (extra 500 points for this question)

Posted on 2003-11-14
Medium Priority
Last Modified: 2010-04-14
Hi there,

I have an Exchange server installed on the same server as Active Directory (and DNS as well).

The problem is that I want to make each one of them stand-alone on 3 different servers,

and even add another domain controller to replicate Active Directory.

* Can someone tell me how to do it?
* If there will be two Active Directories, will I need two DNSs?
* If there will be two Active Directories and one of them is down, how will the clients know to go to the other?



Question by:victorbx

Expert Comment

by:Rob Stone
ID: 9746793
AD replicates to other AD servers so don't worry about that.

Check this link again for MS Documentation:

Expert Comment

ID: 9746955
What you should do is install another DNS and another AD server (although you can have both of them on the same computer with no problem).
When both of the new computers have finished replicating and are working properly, remove the AD and DNS services from the original computer. Leave the Exchange as it is; moving it to a different server is a bit more complicated and not necessary.
Some background:
There is no such thing as "two ADs" unless you have two different domains, which I assume you don't. Computers in a domain with AD installed are referred to as Domain Controllers (DCs). DNS and DC servers replicate data automatically.
The DNS stores information about the IP addresses of the Domain Controllers. A client computer requests the DC IP address from the DNS (notice you have no place to write the DC IP in the network configuration panel; you can only specify WINS and DNS servers). When a DC goes down the DNS gives the client the address of the alternative DC, but this can slow down access.

Author Comment

ID: 9747081
All the computers are pointing to one DNS.

If the DC crashes, so will the DNS.

Will they know how to go to the other DNS on the other DC?


Expert Comment

ID: 9747538
True, if you have DNS/DC on one machine and it goes down, you will have a problem.
Clients will only be able to access the other DC if they have its IP already cached.
But if you have 2 DNS machines you can just specify their IP addresses in the connection configuration panel (there are boxes for the preferred and alternate DNS server's IP). If you want to use more than 2 DNS servers, just click on the Advanced button.

Expert Comment

ID: 9748378
What you will probably want to do is:
set up 2 domain controllers and have DNS running on them. DNS in Windows 2000 can be AD-integrated, which makes replication completely transparent and easy.

Exchange also uses AD, but there is no significant advantage to having Exchange running on a domain controller.

What you really need to do is set up your clients to use the 2 DNS servers (primary and secondary).
If your client tries to contact a DNS server and it doesn't respond, it will connect to the other.

DNS also stores information about DCs and AD.

The boot-up process would be the following:
Your machine starts.
It contacts DNS to find a DC (initially the primary, alternatively the secondary).
If it cannot contact any DNS server, it will throw a NetBIOS request <DOMAIN NAME>[1C] (that means: god help me, I need a domain controller for domain <DOMAIN NAME>). It can do it via WINS and/or broadcast.

Once it has contacted a domain controller, the machine will authenticate to the server (we are talking about NT/2k/XP).

Then you log on; same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed).
The Global Catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services console.

I know it's a bit too dense but I hope it helps.

Author Comment

ID: 9748858
I didn't understand the last part...

"same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed). The global catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services Console."

What do you mean by "same process from DNS - DC"?




Expert Comment

ID: 9749062
Yes, there are 2 different authentications.
The machine logs on to the domain when it starts up.

The user logs on to the domain later on.
When you press Ctrl+Alt+Del your machine finds a domain controller for the domain to which your machine belongs using the following failover sequence:
primary DNS, secondary DNS, NetBIOS resolution (usually NetBIOS cache, WINS, broadcast and LMHOSTS).

This query will return one (or more) DCs.
Then you query the DC and retrieve a list of domains where you can log on (depends on the number of trust relationships established by your domain).
Then you type username, password and select the domain you want to log on to.
There is another query to DNS to retrieve the domain controllers for the domain where you want to log on.
Your authentication is submitted to the domain controller. The domain controller contacts a Global Catalog server and builds a session token that has the SIDs for your user account, plus all global and universal groups you belong to.

Universal groups exist in pure Windows 2000 domains (no NT4 BDCs). A universal group should include global groups from different domains in the forest that are supposed to do the same function:
imagine you have 2 domains and a "Sales" global group in each domain.
Then you would create a Sales universal group containing both global groups, and you could assign permissions on resources to the universal group instead of adding the group of every domain.

In 99.9% of situations universal groups are useless, but your domain controller will still try to contact the Global Catalog server.
A failure to contact a Global Catalog server may result in delays logging in and eventually not even being able to log on.
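
As an added example (not from the thread), a PowerShell check of the client-side pieces of the failover sequence described above: how many DNS servers the client has, whether DNS returns more than one DC and more than one GC in the _msdcs SRV records, and which DC the locator picks right now. It assumes a domain-joined Windows 8 / Server 2012 or later machine (DnsClient module and nltest), not the Windows 2000 tooling the thread discusses; Test-DcLocatorHealth is a name chosen here.

```powershell
function Test-DcLocatorHealth {
    param([string]$Domain = $env:USERDNSDOMAIN)  # assumes a domain-joined machine

    # 1. The fix the thread converges on: every client lists at least two DNS servers.
    $dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)

    # 2. The DC locator's first step: SRV lookups in _msdcs for DCs and for GCs.
    $dcSrv = @(Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV')
    $gcSrv = @(Resolve-DnsName "_ldap._tcp.gc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV')

    # 3. Ask the locator itself which DC and which GC it would hand out right now.
    $dcLine = @(nltest "/dsgetdc:$Domain" 2>$null)     -match '^\s*DC:'
    $gcLine = @(nltest "/dsgetdc:$Domain" /GC 2>$null) -match '^\s*DC:'

    [pscustomobject]@{
        DnsServers      = $dnsServers
        # A single DNS server is exactly the single point of failure the asker describes.
        HasSecondaryDns = ($dnsServers.Count -ge 2)
        DcSrvTargets    = @($dcSrv.NameTarget | Sort-Object -Unique)
        GcSrvTargets    = @($gcSrv.NameTarget | Sort-Object -Unique)
        HasRedundantDc  = ($dcSrv.Count -ge 2)
        # Both DCs should also be GCs, as the thread ends up recommending.
        HasRedundantGc  = ($gcSrv.Count -ge 2)
        LocatorDc       = ($dcLine -replace '^\s*DC:\s*\\\\', '')
        LocatorGc       = ($gcLine -replace '^\s*DC:\s*\\\\', '')
    }
}

Test-DcLocatorHealth | Format-List
```

If HasSecondaryDns, HasRedundantDc or HasRedundantGc comes back False, the client is in the situation the asker describes: one DC outage takes DNS, the domain controller and the Global Catalog with it.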

Author Comment

ID: 9749309
So, if a failure to contact a Global Catalog server may result in delays and stuff,

is there a way to disable the Global Catalog server?


Expert Comment

ID: 9749547
The network needs a catalog server,
so make your second DC also a GC.

From Active Directory Sites and Services:
expand your site (probably called Default-First-Site-Name),
expand Servers and your server until you see NTDS Settings,
right-click on it and select Properties.
In the first tab you will find a checkbox called Global Catalog.
To turn a DC into a GC you just need to tick this box.

(By the way, all GCs still behave as normal DCs.)

Once you have the two servers as DNS, DC and GC and you configure clients to use both DNS servers, your network authentication will be fault tolerant.

Author Comment

ID: 9781394
Thank you Ralonso for the great answers.

One more question and you will get the points.

I have a domain controller that Exchange is installed on.
I raised another domain controller.

How do I remove the domain controller from the Exchange server so that Exchange will be without it?


Accepted Solution

ralonso earned 2000 total points
ID: 9782739
Run dcpromo on the domain controller you want to demote.

If this domain controller was the first you installed, it would be a wise move to transfer the FSMO (Flexible Single Master Operations) roles to another DC before demoting it.

Use NTDSUTIL.EXE to transfer them:

You can either transfer or seize the roles: use TRANSFER.
Then synchronize the DCs, run dcpromo, restart and you are done.
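
As an added example (not the answer's own steps), the same pre-demotion checklist in PowerShell with the ActiveDirectory module (Windows Server 2008 R2 and later) in place of the NTDSUTIL and Sites and Services steps given in this answer and in the earlier GC answer: confirm the surviving DC is a Global Catalog, transfer any FSMO roles still held by the DC that hosts Exchange, and replicate before dcpromo is run. The DC names are placeholders, Get-FsmoRolesHeldBy and Prepare-DcDemotion are names chosen here, and it must run as an Enterprise Admin.

```powershell
Import-Module ActiveDirectory

# Which of the five FSMO roles does the named DC still hold? (holders are FQDNs)
function Get-FsmoRolesHeldBy([string]$DcName) {
    $f = Get-ADForest; $d = Get-ADDomain
    $holders = @{
        SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
        PDCEmulator  = $d.PDCEmulator;  RIDMaster          = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
    @($holders.GetEnumerator() | Where-Object { $_.Value -like "$DcName*" } |
        ForEach-Object { $_.Key })
}

# Report what stands between the old DC and a clean dcpromo; -Apply makes the changes.
function Prepare-DcDemotion {
    param([string]$Demoting, [string]$Target, [switch]$Apply)

    $targetDc = Get-ADDomainController -Identity $Target
    $toMove   = Get-FsmoRolesHeldBy $Demoting

    if ($Apply) {
        if (-not $targetDc.IsGlobalCatalog) {
            # Same as ticking "Global Catalog" on NTDS Settings: bit 0x1 of 'options'.
            $ntds = Get-ADObject -Identity $targetDc.NTDSSettingsObjectDN -Properties options
            Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
        }
        if ($toMove.Count -gt 0) {
            # Graceful TRANSFER, as the answer advises; adding -Force would seize instead.
            Move-ADDirectoryServerOperationMasterRole -Identity $Target `
                -OperationMasterRole $toMove -Confirm:$false
        }
        # Replicate all partitions so every DC learns the new holders before dcpromo.
        repadmin /syncall $Target /AdeP | Out-Null
    }

    $remaining = Get-FsmoRolesHeldBy $Demoting
    $gcNow     = (Get-ADDomainController -Identity $Target).IsGlobalCatalog
    [pscustomobject]@{
        TargetIsGlobalCatalog = $gcNow
        RolesStillOnDemoting  = $remaining
        ReadyToDemote         = ($gcNow -and $remaining.Count -eq 0)  # only then run dcpromo
    }
}

# Placeholder names; report only. Add -Apply to make the changes.
Prepare-DcDemotion -Demoting 'OLD-DC-WITH-EXCHANGE' -Target 'NEW-DC'
```

Run it without -Apply first: ReadyToDemote is True only when the surviving DC is a GC and the Exchange DC holds no FSMO role, which is the state the answer asks for before dcpromo.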
