Solved

In case the primary domain controller is down, I would like to have DNS resolve to a secondary domain controller and/or to diversify load.

Posted on 2006-07-19
458 Views
Last Modified: 2012-05-05
Does anyone have a link on this concept or explain it as well as instructions on how to do this? w2k3 server and AD.
Question by: Sp0cky
14 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 375 total points

It's quite easy to setup if I understand what you're looking to do correctly.

Install the DNS Service on another Domain Controller, and add the IP Address for the second Domain Controller to your clients' configuration.

The Forward Lookup zone you need for it all to work should appear automatically when you install the DNS Service onto the DC.

If the first (Preferred) DNS Server is unavailable the client will use the second (Alternate).

Chris
 

Author Comment

by:Sp0cky
Maybe that has something to do with why my exchange did not seem to run properly when the primary was down?  Because I don't have a second DNS server entry in there...?
 
LVL 2

Assisted Solution

by:panman3
panman3 earned 125 total points
You should configure another server as a DNS, and make all clients able to work with the new DNS (2 possibilities here).

1) create a new DNS

The installation is quite straight-forward, just choose "Manage your server" from the start menu (or it might start up automatically when you log in) and add the DNS role

on a server:
- Start menu - Programs - Administrative tools - Manage your server
- Click on button "Add or remove a role"
- Choose DNS and click through the wizard.

2) Make clients able to work with the new DNS

Next there are 2 possibilities:
- give the new DNS the IP address of the old one. The clients in your network will automatically see the new DNS and think it is the old one.
- you need to make your clients aware that there is an alternative for your primary DNS server.

on the clients:
- open the properties for the LAN-connection
- open TCP/IP properties
- select "use the following DNS addresses"
- your primary DNS is most likely already there; add the IP address of the new DNS as secondary

3) IMPORTANT NOTE!

If your primary domain controller is not just down for maintenance, but there is a large problem with Windows, DO NOT FORMAT it and reinstall. There is no possible way to upgrade a secondary DC to primary without the explicit authorisation of the current primary DC.
- Take all possible actions to get it running again without a complete reinstall
- Create a secondary DC (just add the DC role to a server, it will automatically replicate the AD from the primary controller -> this might take some time)
- Make the secondary DC your primary (only then will you regain complete control over your domain again)
- (your primary DC is now downgraded to secondary as a new primary DC has been approved by the previous one)
- Reinstall the server and make it a domain controller
- If needed make it primary again (or leave the other server as primary).
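The two answers above, turned into commands (an added example, not from either poster). It assumes an existing DC/DNS server DC1 at 192.168.1.10, a second DC named DC2 at 192.168.1.11 that has just had the DNS service added, the AD domain corp.local, and a client NIC named "Local Area Connection"; every one of those names and addresses is an assumption. It first checks that DC2 really serves the domain zone, then sets DC1 as preferred and DC2 as alternate on the client with netsh (the command-line equivalent of the TCP/IP properties dialog on Windows XP/2003), and finally asks each server for the _ldap._tcp.dc._msdcs SRV record that clients use to locate a domain controller, which is the query that has to succeed against DC2 when DC1 is down.

```powershell
# Added example; names and addresses below are assumptions, not from the thread.
$Domain  = "corp.local"
$Dc1     = "192.168.1.10"              # existing DC + DNS (preferred)
$Dc2     = "192.168.1.11"              # second DC with DNS just installed (alternate)
$NicName = "Local Area Connection"     # client NIC as shown in Network Connections

# 1. Confirm DC2 hosts the AD-integrated zone before sending clients to it.
#    dnscmd <server> /enumzones lists every zone the server loads.
$zones = & dnscmd $Dc2 /enumzones
if (-not ($zones | Select-String -SimpleMatch $Domain -Quiet)) {
    throw "DC2 does not host a zone for $Domain; install DNS on it or wait for AD replication."
}

# 2. Preferred = DC1, Alternate = DC2. The resolver only tries the alternate when the
#    preferred server does not answer, so the order matters.
& netsh interface ip set dns name="$NicName" source=static addr=$Dc1 register=primary
& netsh interface ip add dns name="$NicName" addr=$Dc2 index=2

# 3. Prove each server can answer the DC-locator SRV query. If DC2 cannot answer this,
#    having it as alternate will not keep logons or Exchange working when DC1 is down.
foreach ($srv in $Dc1, $Dc2) {
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $srv 2>&1
    if ($out | Select-String -Pattern "svr hostname" -Quiet) {
        "$srv answers DC locator queries for $Domain"
    } else {
        Write-Warning "$srv did not return the SRV record:`n$($out -join "`n")"
    }
}

# 4. Show the resulting client configuration.
& ipconfig /all | Select-String "DNS Servers" -Context 0,1
```

Both servers should return the same SRV answers; a mismatch usually means the zone has not finished replicating to DC2 yet. Once every client and server lists both addresses, giving the new server the old server's IP address (panman3's first option) is unnecessary.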
 
LVL 70

Expert Comment

by:Chris Dent

> Maybe that has something to do with why my exchange did not seem to run properly
> when the primary was down?  Because I don't have a second DNS server entry in there...?

Well you will certainly need the secondary DNS for it to be able to resolve requests. Especially for sending mail.

In addition to that you will need to make sure that there is another Global Catalog available on the network for Exchange to use.

Chris
 

Author Comment

by:Sp0cky
What then is the purpose of a secondary dc if the roles of the first are not distributed to the 2nd?  If the first goes down and you have a backup then you are still screwed..right?

"Make the secondary DC your primary (only then will you regain complete control over your domain again)"

Thank you.  How is this accomplished?  Thanks.
 

Author Comment

by:Sp0cky
"In addition to that you will need to make sure that there is another Global Catalog availble on the network for Exchange to use."

Wow, I didn't know you could distribute this role..and you would think it would be distributed by default.  Again, otherwise, what good is the secondary?
 

Author Comment

by:Sp0cky
Lastly, Chris, is there any particular reason, after adding the DNS server service on the 2nd DC, that when clicking on the DNS server in the DNS snap-in it says "configure a DNS server" as though it has not been configured?  I see the forward and reverse zones in there automatically, but is that something I should worry about?  Thx.
 
LVL 70

Expert Comment

by:Chris Dent

In reverse order...

> Lastly, Chris is there any particular reason after adding the dns server service on the 2nd DC
> that when clicking on the dns server in dns snap in that it says "configure a DNS server" as
> though it has not been configured?  I see the forward and reverse zones in there automatically
> but is that something I should worry about?  Thx.

Not really... I shouldn't worry about it unless you experience problems. You can check the event logs for errors associated with it but it's unlikely there will be any as you have the zones.

> Wow, I didn't know you could distribute this role..and you would think it would be distributed
> by default.  Again, otherwise, what good is the secondary?

Yep this role can be distributed, and it's recommended that you do. Generally it works out best to just make all your Domain Controllers Global Catalogs.

Even without that role the Domain Controller holds a full copy of your local domain and can authenticate users or answer LDAP requests depending what your clients are doing. Unlike Windows NT the second DC can accept updates directly - there are only a few roles that must still be handled by individual servers, there's no reason you must have all those roles on a single machine though.

Which sort of leads onto this bit:

> If the first goes down and you have a backup then you are still screwed..right?

No, not at all.

Except for the 5 FSMO Roles (Flexible Single Master Operations: Schema Master, RID Master, PDC Emulator, Infrastructure Master and Domain Naming Master) everything is exactly the same as your first DC. Each of those 5 roles can be moved around, and there are best-practices for placing them, although in a small network I wouldn't worry about them too much. In the event of the server holding those roles failing entirely you can seize those on an active DC and have a completely operational domain very quickly.

It's better not to think in terms of a Primary Domain Controller and Backup Domain Controllers anymore. Each of your DCs is effectively Primary, each can accept updates from any client and perform pretty much every operation without the other DCs being around.

The exceptions to this are the FSMO roles mentioned above, the Global Catalog and the DNS Service - these must be configured on each DC as applicable.

In this respect adding another DNS server helps a great deal. As with your current DNS server your clients can add their address entries to it and it contains exactly the same thing as your other DNS with only a very minor pause while replication takes place between the two servers.

Chris
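To see the state Chris describes on a real domain (an added example, not from the thread): list which DC holds each of the five FSMO roles, list which DCs are Global Catalogs, make DC2 a GC, and then check that DC2 actually advertises as one. It assumes the domain corp.local, a second DC named DC2, and the Windows Server 2003 Support Tools (dcdiag, repadmin, and nltest if not already present) on the machine you run it from; dsquery and dsmod are built in. The domain and server names are assumptions.

```powershell
# Added example; domain and DC names are assumptions, not from the thread.
$Domain = "corp.local"
$Dc2    = "DC2"

# 1. Which server holds each FSMO role. The first two are forest-wide, the rest per-domain.
"FSMO role holders:"
foreach ($role in "schema", "name", "infr", "pdc", "rid") {
    "  {0,-7} {1}" -f $role, ((& dsquery server -hasfsmo $role) -replace '"', '')
}

# 2. Which DCs are currently Global Catalogs.
"Global Catalog servers:"
& dsquery server -isgc

# 3. Make DC2 a GC. dsmod server works on the server object under CN=Sites, which is
#    what dsquery server -name returns (quotes stripped so it is passed as one DN).
$dc2Dn = (& dsquery server -name $Dc2) -replace '"', ''
if (@($dc2Dn).Count -ne 1) { throw "Expected exactly one server object named $Dc2" }
& dsmod server $dc2Dn -isgc yes

# 4. A DC advertises as GC only after the partial attribute set has replicated in.
#    dcdiag's Advertising test says whether it does; nltest asks the locator for a GC;
#    repadmin shows whether inbound replication to DC2 is healthy.
& dcdiag /s:$Dc2 /test:Advertising
& nltest /dsgetdc:$Domain /gc
& repadmin /showrepl $Dc2
```

In a single-domain forest the GC adds no replication cost beyond the domain partition DC2 already holds, which is why making every DC a GC is the usual choice; the Advertising test may fail for a while right after step 3 until replication has completed.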
 

Author Comment

by:Sp0cky
Lastly, I would like to add (not change) the FSMO roles to the second dc just in case the first goes down or dies.  Can I do this?
 

Author Comment

by:Sp0cky
...and

"Except for the 5 FSMO Roles (Flexible Single Master Operations: Schema Master, RID Master, PDC Emulator, Infrastructure Master and Domain Naming Master) everything is exactly the same as your first DC."

Yes but if the 1st dc goes down and you don't have a RID master role on the second, then you can't add anymore sids when you run out.  If the "schema master" role was on the 1st then you can't make any changes to AD without it...  If the PDC Emulator role was on the 1st DC only and you didn't add the role to the 2nd then you could have a time synch problem.  Is this correct?  If so then the 5 FSMO roles are extremely important to have on the 2nd dc right?

Ok, just so I have this correct, the 2nd dc only processes logins pretty much when the 1st is down and it also may interrupt exchange if it does not have the GCS role on it and the 1st goes down for any reason?

 
LVL 70

Expert Comment

by:Chris Dent

There will probably be a little repetition in this, you'll have to forgive me for that, I'm just going to blame the heat :)

> Lastly, I would like to add (not change) the FSMO roles to the second dc just in case
> the first goes down or dies.  Can I do this?

While there is a degree of flexibility in the role placement, each, as the name for the group of them suggests, can only exist on one server on your network.

> Yes but if the 1st dc goes down and you don't have a RID master role on the second,
> then you can't add anymore sids when you run out.

This is correct, but then you're not supposed to leave a complete server crash unchecked for days on end. You really won't notice the lack of this role for a few minutes or hours.

> If the "schema master" role was on the 1st then you can't make any changes to AD without it...

No, you can't make any changes to the Schema without it; the two are separate. The Schema defines how the objects in Active Directory look, what properties and attributes they have; it doesn't stop you adding new objects (whether users or computers), those are part of the main AD database, not the Schema.

> If the PDC Emulator role was on the 1st DC only and you didn't add the role to
> the 2nd then you could have a time synch problem.

Yes, but again you're not supposed to be without these things for days on end, a few hours doesn't matter either way. Anyway, since Time should be synced prior to the DC crash you'd have to have a lot of odd behaviour in the clocks for it to fall far out.

So yes, the roles are very important, and they can only be on one server each. However, you can put them where you please, so you could have the PDC Emulator and RID Master on DC2, leaving the rest on DC1.

The only time you should Seize the Roles is if DC1 died and you didn't have a backup (or didn't want to do a restore - which is frequently easier if the DC is nothing more than a DC), in that case you would seize the roles which just makes DC2 the boss for those and everything is great again. In that scenario you could never bring DC1 back online without a rebuild and re-dcpromo as the two DCs wouldn't agree on who held the FSMO roles.

> Ok, just so I have this correct, the 2nd dc only processes logins pretty much when
> the 1st is down and it also may interrupt exchange if it does not have the GCS role
> on it and the 1st goes down for any reason?

The Global Catalog is a different function from those above; you can have as many of them on the network as you want, and in a small environment (as mentioned above), and even in many very large environments, it would make sense to just tick the box for all of your DCs, which leaves everything nice and resilient.

The GC in general has much more of an important role in a Forest rather than single Domain, but Exchange really needs it, and users do too since it's responsible for enumerating Universal Group Membership.

In essence all you should really need to do is:

1. Add the Global Catalog role to DC2
2. Add the DNS Service to DC2
3. Add the IP Address for DC2 as the Alternate DNS in all client and server configuration

And whatever happens you'll have another server that's fully operational and can become everything needed for the domain in a few short steps.

Chris
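The transfer-versus-seize distinction above as a script (an added example, not Chris's): a function that drives ntdsutil to move any of the five roles to a target DC. By default it performs a transfer, which needs the current holder online and agreeing. With -Seize it first checks that the current holder is unreachable and refuses otherwise, because seizing while the old holder is still alive produces exactly the two-DCs-disagree situation Chris warns about. The role strings are ntdsutil's own; DC2 as the target and the split of PDC and RID master onto it are assumptions taken from Chris's suggestion.

```powershell
# Added example; DC names in the usage lines are assumptions, not from the thread.
function Move-FsmoRole {
    param(
        [string]$TargetDc,      # DC that should hold the role(s) afterwards
        [string[]]$Role,        # ntdsutil role names, see $roleKey below
        [switch]$Seize          # only when the current holder is dead and will be rebuilt
    )
    # ntdsutil role name -> dsquery -hasfsmo keyword, used to find the current holder
    $roleKey = @{
        "PDC"                  = "pdc"
        "RID master"           = "rid"
        "infrastructure master"= "infr"
        "schema master"        = "schema"
        "domain naming master" = "name"
    }
    foreach ($r in $Role) {
        if (-not $roleKey.ContainsKey($r)) { throw "Unknown role '$r'" }
        $holderDn = (& dsquery server -hasfsmo $roleKey[$r]) -replace '"', ''
        $holder   = ($holderDn -split ",")[0] -replace "^CN="
        if ($Seize -and (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            # Seizing while the holder answers would leave two DCs claiming the role.
            throw "Current $r holder $holder is still reachable; transfer instead of seizing."
        }
        "$r currently held by $holder"
    }

    $verb = if ($Seize) { "seize" } else { "transfer" }
    # ntdsutil accepts its interactive commands as separate arguments; each string is one command.
    $cmds  = @("roles", "connections", "connect to server $TargetDc", "quit")
    $cmds += $Role | ForEach-Object { "$verb $_" }
    $cmds += "quit", "quit"
    & ntdsutil @cmds

    # Verify the new holders.
    foreach ($r in $Role) {
        "{0,-22} now held by {1}" -f $r, ((& dsquery server -hasfsmo $roleKey[$r]) -replace '"', '')
    }
}

# Both DCs up: spread the day-to-day roles so losing DC1 hurts less.
Move-FsmoRole -TargetDc "DC2" -Role "PDC", "RID master"

# DC1 dead for good (no restore planned): take everything it held. DC1 must be rebuilt
# and re-promoted before it ever touches the network again.
# Move-FsmoRole -TargetDc "DC2" -Seize -Role "PDC", "RID master", "infrastructure master", "schema master", "domain naming master"
```

ntdsutil still shows a confirmation dialog on a seize and attempts a graceful transfer first, so the dead holder really has to be unreachable for the seizure to go through. After seizing from a DC that will never return, its leftover NTDS Settings object also has to be removed (ntdsutil metadata cleanup) so the remaining DCs stop trying to replicate with it.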
 

Author Comment

by:Sp0cky
Thanks Chris!  I will award points momentarily!  If I remember correctly, a "system state" backup backs up all of these roles.  right?  I think I would just seize the roles anyway.  Does the 2nd DC need to be a GCS to do this in the case of the first domain failing?  Thanks!!
 

Author Comment

by:Sp0cky
Ok, got my answers.  Thx!!
 
LVL 70

Expert Comment

by:Chris Dent

> I will award points momentarily!  If I remember correctly, a "system state" backup backs up
> all of these roles.  right?

It backs up absolutely everything you need to be able to restore the domain - including the location of those roles.

> I think I would just seize the roles anyway.  Does the 2nd DC need to be a GCS to do this in
> the case of the first domain failing?

Nope, it just needs to be a Domain Controller. You would need the GC role somewhere to maintain your network, but it doesn't have to be on the same server as the roles are.

Chris
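The System State backup Chris refers to, as a command (an added example, not from the thread). It uses the ntbackup that ships with Windows Server 2003 to back up the local DC's System State, which includes the AD database, SYSVOL and the registry, verifies the job, and then tightens the ACL on the backup folder. The backup path, job name and the assumption that the folder inherits a default "Users" read entry are all assumptions.

```powershell
# Added example; the path, job name and folder ACL state are assumptions.
$Folder = "D:\Backups"
$Target = Join-Path $Folder ("SystemState-{0}.bkf" -f (Get-Date -Format "yyyyMMdd-HHmm"))
New-Item -ItemType Directory -Force -Path $Folder | Out-Null

# Back up the System State to a file, verify it after writing, summary log only.
& ntbackup backup systemstate /j "DC System State" /f $Target /v:yes /l:s
if (-not (Test-Path $Target)) { throw "ntbackup did not write $Target; check the ntbackup log." }

# The .bkf holds the whole AD database, password hashes included. Anyone who can read it
# can attack every account offline, so only administrators should be able to open it.
& cacls $Folder /T /E /R "Users"

"Backup written: {0} ({1:N0} bytes)" -f $Target, (Get-Item $Target).Length
```

Keep the backup younger than the tombstone lifetime, because Windows refuses to restore a System State older than that; and test a restore on a lab DC at least once, since this backup is what makes "restore DC1 instead of seizing" an option at all.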