2003 network and want to use 2000 as a backup domain controller

Thanks for looking at my issue.
I have a primary domain controller using 2k3 server; this server hosts DHCP, DNS, AD and everything else needed to run a domain environment. I have an extra license of 2000 server that I want to build a backup domain controller out of. I know in the new terms there is no BDC and PDC, but I will just call them that since that is how I think of them. What I'm looking to do is to be able to shut off my 2k3 PDC and have the 2000 server BDC take up the slack, without having to do anything when the PDC goes down.

I know that after I build the 2k server box I have to dcpromo the box to connect it to AD, but that's about as far as I know how to do. Again, my end result here is to be able to turn off the PDC and have the network still run without a hitch.

One other note: I have another 2k3 server that hosts Exchange 2k3, so this absolutely has to be working without a hitch if the PDC goes down.

Thanks in advance.
Asked by jimmy6154

1 Solution

Chris Dent (PowerShell Developer) commented:

Exchange is going to be the real problem here. The only way to create near-instantaneous failover for Exchange is with a Cluster (MS Cluster Services).

For a cluster you would need:

2 Advanced / Enterprise Server Licenses
2 Exchange Licenses
2 similar servers, each with 2 network adapters
1 Shared Storage Device (SCSI Attached Storage / Storage Area Network)

Equally, having Exchange on a Domain Controller will affect any disaster recovery situation (by making the restore process more complex and therefore longer).

Now, everything else isn't so difficult: you need to set up DNS on your 2000 server and add it as the secondary DNS for your users. That provides access to the Domain when the main server is down.

You will also need to make it a Global Catalog (AD Sites and Services, properties for the server's NTDS Settings). That's needed to log on to the Domain.

The 5 FSMO (Flexible Single Master Operations) roles will only exist on your 2003 Server at present. These cannot be duplicated onto the second server, but they can be split between the two servers. Out of all of those the most noticeable to the users is the PDC Emulator, which is (in part) responsible for synchronising time on the network.

mikeleebrla commented:

Your domain controller will have to be in the functional level 2000 native mode, which basically means that it is acting as a Windows 2000 domain since you still have a 2000 DC in it. This article will explain it a little further:

http://www.computerperformance.co.uk/w2k3/w2k3_mixedvnative.htm

Granted that you have DNS properly set up (i.e. more than one DNS server that has current DNS records, and clients that "know" about both DNS servers), if one DC goes down your clients should start authenticating to the other DC. In my experience the worst case scenario is that the client will have to reboot to find the new DC.

Chris Dent (PowerShell Developer) commented:

Ack, sorry, forget the bit about the Exchange cluster; I missed that it was running on a separate server anyway.

In which case all you have to do (after checking the functional level as Mike mentions) is make it a Global Catalog and set up secondary DNS.

The rest of the FSMO roles are less important in terms of users on the domain, but you really don't want to have them offline for a long time (more than a day really).
WerewolfTA commented:
jimmy6154,

I think Chris has given a good answer. However, depending on what your budget's like, it can be pretty expensive. Given the fact that you're running everything currently off of 1, I'd say your budget's probably even worse than mine.

We were looking into a failover cluster for our SQL server. However, by the time we stepped up to Enterprise SQL, Advanced Windows server, the shared drive array with adequate storage space, and the SCSI cards, we were hovering around the $50k mark. For us that was too high. So, we started looking into alternatives and found some software failover solutions. The one that seemed to be rated best overall from the reviews I read was Computer Associates' Brightstor High Availability. Now, I'm not endorsing that product as we have not yet had the opportunity to test the product. However, it will do failover from one server to another (or from multiple servers to one) without requiring high-end versions of software (i.e. you can run server instead of enterprise/advanced). It was tested as failing over pretty quickly. The price was reasonable, around $1200 as I recall, for 2 servers. It has wizards for, among other things, Exchange. Seemed pretty compelling and less expensive than the hardware cluster. Perhaps something for you to look into.

As for being able to have everything work without a hitch if your primary DC goes down... Well, you can have that PDC emulator, or any of your other FSMO roles, go down for the short term, such as for a reboot to update Windows, and your users shouldn't notice. However, if you're going to be pulling a server that has FSMO roles offline for an extended period of time, you should transfer those roles onto the other DC (or seize them, if it wasn't a planned outage) to avoid problems.

Setting up that DC may cause you some problems. There doesn't seem to be a lot of documentation out there on the proper setup and configuration of a 2nd domain controller; plenty on the first. Or at least that was the case when we were setting up AD. After much trial and error and searching, I compiled some KB articles that I found particularly useful. Check out my entry at the link below for those articles and my notes. Hopefully, that'll save you some headaches when you go to set up that 2nd DC.
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21056758.html

Good Luck!
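A readiness check for the second DC along the lines Chris and WerewolfTA describe above (secondary DNS, Global Catalog, client DNS list, FSMO role transfer), as an added example that is not from any poster in this thread. It uses the modern RSAT PowerShell modules (ActiveDirectory, DnsClient), so it runs from a current admin workstation against the domain rather than on the 2000/2003 boxes themselves; the domain name contoso.local and the DC names BOX1/BOX2 are placeholders.

```powershell
# Added example (not from any poster in this thread): failover readiness check for a backup DC.
# Assumptions: RSAT modules ActiveDirectory and DnsClient are installed; domain and DC names are placeholders.
Import-Module ActiveDirectory
$Domain    = 'contoso.local'   # placeholder
$PrimaryDc = 'BOX1'            # placeholder: holds the FSMO roles today
$BackupDc  = 'BOX2'            # placeholder: the DC that must take over

$dom    = Get-ADDomain -Identity $Domain
$forest = Get-ADForest -Identity $dom.Forest
$backup = Get-ADDomainController -Identity $BackupDc

# 1. Functional level: a Windows 2000 DC cannot be added once the domain is raised to Windows2003 mode.
"Domain functional level : $($dom.DomainMode)"

# 2. Global Catalog: logons need a reachable GC when the primary DC is off.
"$BackupDc is a Global Catalog : $($backup.IsGlobalCatalog)"

# 3. DNS on the backup DC: it must answer the SRV records clients use to locate a DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $BackupDc -ErrorAction SilentlyContinue
$advertised = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
"DCs advertised by $BackupDc DNS : $($advertised -join ', ')"
if ($advertised -notcontains $backup.HostName) { Write-Warning "$BackupDc is not registered as a DC in its own DNS" }

# 4. Client side: every DC must be in this workstation's DNS server list, or there is no DNS/AD failover.
$dcIps     = (Get-ADDomainController -Filter *).IPv4Address
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
$missing   = $dcIps | Where-Object { $clientDns -notcontains $_ }
if ($missing) { Write-Warning "This client does not list DC DNS server(s): $($missing -join ', ')" }

# 5. FSMO roles: show where the five roles live; they stay on the primary DC until transferred.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
} | Format-List

# Planned outage of the primary DC: transfer the roles first (drop -WhatIf to really do it).
# For an unplanned loss of the primary, the same cmdlet with -Force seizes the roles instead.
Move-ADDirectoryServerOperationMasterRole -Identity $BackupDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -WhatIf
```

Run it as a domain admin before the planned shutdown; any Write-Warning output marks a gap that would leave clients without a DC or without DNS when BOX1 goes down.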
WerewolfTA commented:
jimmy6154,

Yeah, Mike brings up a good point. You can't be in 2003 native mode to add that 2000 DC into the mix. If you've already raised the functional level, there's no going back that I know of. Unless somebody knows of a good script, you'll also need to add that 2nd DC into the DNS network properties for your clients after you have it set up, or you won't have any failover for DNS/AD.

Also, if you're running your file server on your DC as well, you'll probably want to set up a DFS root between the 2 servers and start pointing your users to that for their file server needs instead of to a particular server, so you have failover there, too. We're all 2003 here; I don't remember if that feature was present in 2000. If you have the money, you may want to do yourself a favor and bring that 2nd DC in as a 2003 box. Then you can use your 2000 license to pull some of those duties off your domain controllers, or at least your PDC.

That's my $0.02 anyway.
jimmy6154 (Author) commented:

Just to add to this, as a lot of time has passed and I finally have received funding for some test networks and such: I have since successfully got a failover in place.

This is what I've done.
I set up box1 as the DC with AD, DHCP, DNS. It also holds all FSMO roles and the GC. It's running 2003 server in the 2003 raised level mode in the domain.
I set up box2 as a DC with AD, DHCP, DNS. It also holds the GC and is a 2003 server OS as well.

Now, if I unplugged the LAN cable of box1, I could log into the network but could not find the domain; logon scripts and GP would not run, even after a reboot. The client would find box2 and authenticate to it, but that was it.

This does not solve my issue of having people be able to browse the internet, get e-mail, and log on with scripts and GP running.

But I think I found the light at the end of the tunnel. In the DHCP config options I found something called World Wide Web (WWW). I set that option to both my DCs.

I unplugged the LAN cable from box1 and my client was able to still browse the internet (SWEET!). So then I rebooted the client and, lo and behold, logon scripts ran and GP went through. Perfect, just what I needed.

Now I have to get e-mail working. I think it's an issue with not seeing the other DC, but will look into it and post when I get it running.

WerewolfTA commented:

Congrats on what you've gotten so far. What's not working with the email?

jimmy6154 (Author) commented:

When I unplug 1 DC, I want people to still be able to send and receive e-mail from the other DC, without having to reboot their PCs. On the other hand, I also want people that reboot, or log into the other DC while one is down, to be able to send and receive e-mails like normal.

WerewolfTA commented:

The mail server's not on the DC, is it? It's on its own box?

jimmy6154 (Author) commented:

Correct. It's on its own box.

WerewolfTA commented:

I'm doing a little educated guessing here, because our parent IT group actually handles the email servers, but from what I understand, you should just have to have your MX records in DNS on both DCs. Is it possible there's a replication issue, where the MX record isn't being replicated from the PDC to the other DC? Or, depending on how your client connects, maybe the pointer record isn't there or up-to-date. Or is it web-based mail with an alias that maybe didn't transfer?

Try an nslookup with both servers up against your mail server's records, and then with the PDC down, and see if the other PDC can resolve those records. That'd be what I'd try first.

mikeleebrla commented:

MX records only need to be on your PUBLIC DNS servers, since they are only used for other mail servers to find your mail server. MX records aren't used at all on private LAN DNS.

WerewolfTA commented:

Oops.

jimmy6154 (Author) commented:

So just to update all on this last part that I got working. I actually found a white paper on Exchange and how it uses the DC/GC. So once I understood that DSAccess is the key to finding the live DC at any time, I understood that all I needed to do was to ensure that both DCs were in the list where Exchange looks to find DCs. When the config DC goes down, Exchange then looks down the list for the next one. It will then send a few LDAP queries to it, and when it's happy Exchange will then start using that DC. This happens until the config DC comes back online. A note should be said that it takes a few minutes for the process to happen. It's not an instant thing. But that's ok for me, and to be able to reroute to another DC within 5 min is good enough leeway for this company.

Thanks again.