victorbx
Active Directory/DNS/Exchange question (extra 500 points for this question)

Hi there,

I have an Exchange server installed on the same server as Active Directory (and DNS as well).

The problem is that I want to make each one of them stand-alone on 3 different servers,

and even add another domain controller to replicate the Active Directory.

* Can someone tell me how to do it?
* If there will be two Active Directories, will I need two DNSs?
* If there will be two Active Directories and one of them is down, how will the clients know to go to the other?


thanks

victor

Rob Stone

AD replicates to other AD servers so don't worry about that.

Check this link again for MS Documentation:

http://www.microsoft.com/windows2000/en/server/help/
NahumK

What you should do is install another DNS and another AD server (although you can have both of them on the same computer with no problem).
When both of the new computers have finished replicating and are working properly, remove the AD and DNS services from the original computer. Leave the Exchange as it is; moving it to a different server is a bit more complicated and not necessary.
Some background:
There is no such thing as "two ADs" unless you have two different domains, which I assume you don't. Computers in a domain with AD installed are referred to as Domain Controllers (DCs). DNS and DC servers replicate data automatically.
The DNS stores information about the IP addresses of the Domain Controllers. A client computer requests the DC IP address from the DNS (notice you have no place to write the DC IP in the network configuration panel; you can only specify WINS and DNS servers). When a DC goes down the DNS gives the client the address of the alternative DC, but this can slow down access.
victorbx (ASKER)

All the computers are pointing to one DNS.

If the DC crashes, so will the DNS.

Will they know how to go to the other DNS on the other DC?

victor
True, if you have DNS/DC on one machine and it goes down, you will have a problem.
Clients will only be able to access the other DC if they have its IP already cached.
But if you have 2 DNS machines you can just specify their IP addresses in the connection configuration panel (there are boxes for the preferred and alternate DNS server's IP). If you want to use more than 2 DNS servers, just click on the Advanced button.
Victor,
what you will probably want to do is:
set up 2 domain controllers and have DNS running on them. DNS in Windows 2000 can be AD integrated, which makes replication completely transparent and easy.

Exchange also uses AD, but there is no significant advantage in having Exchange running on a domain controller.

What you really need to do is set up your clients to use the 2 DNS servers (primary and secondary).
If your client tries to contact a DNS server and it doesn't respond, it will connect to the other.

DNS also stores information about DC's and AD.

The boot-up process would be the following:
Your machine starts.
It contacts DNS to find a DC (initially the primary, alternatively the secondary).
If it cannot contact any DNS server, it will throw a NetBIOS request <DOMAIN NAME>[1C] (that means: god help me, I need a domain controller for domain <DOMAIN NAME>). It can do it via WINS and/or broadcast.

Once it has contacted a domain controller, the machine will authenticate to the server (we are talking about nt/2k/xp).

Then you log on; same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed).
The Global Catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services console.

I know it's a bit too dense but I hope it helps
R/
I didn't understand the last part ...

"same process: DNS - DC, but now with an extra step: Global Catalog server (the first DC you installed). The Global Catalog server will provide information about universal groups in AD.
You can upgrade any DC to GC from the Active Directory Sites and Services console."

What do you mean by "same process from DNS - DC"?


thanks

victor

Yes, there are 2 different authentications.
The machine logs on to the domain when it starts up.

The user logs on to the domain later on.
When you press ctrl+alt+del your machine finds a domain controller for the domain to which your machine belongs using the following failover sequence:
primary DNS, secondary DNS, NetBIOS resolution (usually netbios cache, WINS, broadcast and lmhosts)

This query will return one (or more) DCs.
Then you query the DC and retrieve a list of domains where you can log on (depends on the number of trust relationships established by your domain).
Then you type username, password and select the domain you want to log on to.
There is another query to DNS to retrieve the domain controllers for the domain where you want to log on.
Your authentication is submitted to the domain controller. The domain controller contacts a Global Catalog server and builds a session token that has the SIDs for your user account, plus all global and universal groups you belong to.

Universal groups exist in pure Windows 2000 domains (no NT4 BDCs). A universal group should include global groups from different domains in the forest that are supposed to do the same function:
imagine you have 2 domains and a "Sales" global group in each domain.
Then you would create a Sales universal group containing both global groups, and you could assign permissions on resources to the universal group instead of adding the group of every domain.

In 99.9% of the situations universal groups are useless, but your domain controller will still try to contact the Global Catalog server.
A failure to contact a Global Catalog server may result in delays logging in and eventually not even being able to log on.
So, if a failure to contact a Global Catalog server may result in delays and stuff,

is there a way to disable the Global Catalog server?


victor
The network needs a catalog server,
so make your second DC also a GC.

From Active Directory Sites and Services:
expand your site (probably called Default-First-Site-Name).
Expand Servers and your server until you see: NTDS Settings.
Right-click on it and select Properties.
In the first tab you will find a checkbox called: Global Catalog.
To turn a DC into a GC you just need to tick this box.

(By the way, all GCs still behave as normal DCs.)

Once you have the two servers as DNS, DC and GC and you configure clients to use both DNS servers, your network authentication will be fault tolerant.
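An added check for the fault-tolerant layout described in the boot-up and GC posts above (this script is not from the thread or any of its posters). It assumes a domain-joined Windows machine with PowerShell 5+ and the `DnsClient`/`NetTCPIP` cmdlets (Windows 8.1 / Server 2012 R2 or later), and reads the domain name from `$env:USERDNSDOMAIN`; it confirms that DNS advertises at least two DCs and two GCs, that the local adapter lists a preferred and an alternate DNS server, and that each advertised DC actually answers on the LDAP port.

```powershell
# Added example (not from the thread): verify the fault-tolerant AD/DNS/GC layout.
# Assumptions: domain-joined machine, DnsClient and NetTCPIP cmdlets available,
# domain name taken from $env:USERDNSDOMAIN (override with -Domain).
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Same lookup the DC locator performs first: SRV records of LDAP-capable DCs.
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
         Where-Object { $_.Type -eq 'SRV' }
# 2. SRV records that only Global Catalog servers register.
$gcSrv = Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' }

Write-Host "DCs advertised in DNS : $($dcSrv.NameTarget -join ', ')"
Write-Host "GCs advertised in DNS : $($gcSrv.NameTarget -join ', ')"

if ($dcSrv.Count -lt 2) { Write-Warning "Only one DC registered in DNS: losing it stops domain logons." }
if ($gcSrv.Count -lt 2) { Write-Warning "Only one GC: tick 'Global Catalog' in the second DC's NTDS Settings." }

# 3. Client side: DNS failover only works if the adapter has a preferred AND an alternate server.
$dnsCfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($a in $dnsCfg) {
    if ($a.ServerAddresses.Count -lt 2) {
        Write-Warning "Adapter '$($a.InterfaceAlias)' has a single DNS server ($($a.ServerAddresses)); add an alternate."
    } else {
        Write-Host "Adapter '$($a.InterfaceAlias)': preferred $($a.ServerAddresses[0]), alternate $($a.ServerAddresses[1])"
    }
}

# 4. Each DC that DNS hands out should really answer LDAP (TCP 389); a DC that is
#    registered but dead is what forces clients down to the NetBIOS fallback.
foreach ($dc in $dcSrv) {
    $ok = Test-NetConnection -ComputerName $dc.NameTarget -Port 389 `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("{0,-40} LDAP/389 reachable: {1}" -f $dc.NameTarget, $ok)
}
```

Run it from a workstation rather than from a DC, so the adapter check reflects what real clients use.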
Thank you Ralonso for the great answers.

One more question and you will get the points.

I have a domain controller that Exchange is installed on.
I raised another domain controller.

How do I remove the domain controller from the Exchange server so the Exchange will be without it?


victor
ASKER CERTIFIED SOLUTION
ralonso