Solved

Active Directory 2003. What roles does the main domain controller serve? What happens if it goes down? Does a second domain controller take over the roles?

Posted on 2006-07-19
17
1,420 Views
Last Modified: 2012-06-27
Reason I ask is that I have noticed that I had some trouble logging onto our Exchange server when power cycling the main (1st installed or GCS) domain controller. I thought that installing a second domain controller was supposed to handle requests for services when the main one went down for any reason. Does it have anything to do with whether the second BDC is listed under DNS on the member servers' network card?

Secondly, let's say I want to upgrade from a w2k domain to a w2k3 domain. What is the procedure for this? Can I just add w2k3 member servers first and then upgrade them to DCs... and then what?

Last, what are the roles that a 2nd domain controller plays when added to the domain? What roles does the main server or 1st domain controller play? I know it is a global catalog server. Is this a role that you somehow "transfer" to a member server when changing roles from an old DC to a new one?
Question by:Sp0cky
17 Comments
 
LVL 2

Accepted Solution

by:
JeremyPage earned 300 total points
You will have this unless you make one of your other DCs a Global Catalog server. There are several roles; the main one that you need to be concerned about is your Infrastructure Master. You should not have it on the same server that's a GC unless ALL your domain controllers are GCs.

That said, if you only have one domain, go ahead and make all your DCs Global Catalogs (assuming you have 4 or fewer DCs) and you should be fine.

http://9z.com/weblog/2004/08/fsmo-roles-in-active-directory.asp has more on FSMOs (roles).

Most of the time in a simple 1-domain network you don't really have to worry about this, except to make certain a Global Catalog is available for Exchange users.
 
LVL 2

Assisted Solution

by:panman3
panman3 earned 100 total points
Your secondary controller will indeed be able to serve requests when the primary is down or the workload gets too high. Getting a secondary DC is also useful for when your primary DC might crash. Until the primary DC is restored from backups it will otherwise be impossible to log onto the network for all users.

The DC serves all log-on requests by giving users and computers Kerberos tickets. With these tickets they are authorised to talk to other PCs, users, servers (to open documents, access shares, open programs).

If you want to upgrade your DC to a new OS then you need to be sure that the role as primary DC NEVER gets interrupted. E.g. if you format your DC and reinstall it, then nothing will work anymore, because all servers will not recognise the new DC (internally in Windows it has gotten a new ID number so it will basically no longer be the same server anymore. The other servers therefore won't acknowledge its leadership). As a secondary DC can only become a primary with the consent of the current primary, you'll never be able to promote it...

There are several possible ways to proceed, here's one:

- server1 = primary DC, server2 = other server
- Install a secondary DC (in your case that has already happened) on server2 ("manage your server" - "add or remove a role" - "domain controller" - ...)
- Promote your secondary DC to primary DC (DCPROMO command) (*)
- (server1 authorises server2 to become the new primary; server1 becomes a secondary DC)
- install Win2k3 on server1
- make server1 a DC
- keep server2 as primary DC or promote server1

(*) it might be possible to do an upgrade of server1 from win2k to win2k3 while it is the primary DC, but realise that if something goes wrong and your server is a total loss, you will never be able to insert a new primary DC in your domain unless you can restore a full backup from tape.
 
LVL 2

Expert Comment

by:JeremyPage
"As a secondary DC can only become a primary with the consent of the current primary, you'll never be able to promote it..."

That's not correct, you can "seize" roles if you lose a domain controller. It's not the best thing to do in most cases (it's better to run DCPROMO on a DC you want to get rid of, make it a member server and then remove it).

Also, for the most part you don't need to mess with any of this. Just make the 2nd DC a GC and you should be fine, assuming you have a smallish network with only 2 DC's.
 

Author Comment

by:Sp0cky
Thanks guys.

"remember not to move your Infrastructure to a global catalog server. Bad things will happen!"

Ok, this makes no sense to me because your 1st DC has all these roles...can you explain?

Also, how do you make a server a GCS?  I will have to recheck that article...
 

Author Comment

by:Sp0cky
Ok, found the answer to both. No GCS on IM if you have more than one domain or subdomains, I guess... And if you have subdomains or more than one domain in the forest, I guess the suggestion is to move the GCS role off the infrastructure master to another DC?
 
LVL 2

Expert Comment

by:JeremyPage
If you only have one domain it does not really matter where it is, just make both boxes GC's
 
LVL 2

Expert Comment

by:JeremyPage
Where it is being the Infrastructure master, that really only comes into play in a multi domain environment.
 

Author Comment

by:Sp0cky
One more Jeremy, that article is great but how do you ADD the FSMO roles to another DC instead of moving them?
 
LVL 13

Expert Comment

by:haim96
You can't add another DC with operations master functions, but you can move them from server to server.
In the AD console, stand on the domain name root, right-click -> All Tasks -> Operations Masters.
Note that it says only one DC is allowed to operate as master, and you have the option to change its location.
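The two placement rules discussed in this thread (JeremyPage's warning about the Infrastructure Master sitting on a GC, and haim96's point that operations masters are moved, never added) as an added PowerShell check. This is not code from the thread; it assumes the ActiveDirectory module and a DC that answers through AD Web Services.

```powershell
# Added example: report FSMO holders and GC status, then flag the placement problems
# the thread describes. Assumes the ActiveDirectory module (Get-ADDomain, Get-ADForest,
# Get-ADDomainController) against a DC running AD Web Services.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dcs    = @(Get-ADDomainController -Filter *)

    # Each operations master role exists exactly once; it is moved, never duplicated.
    Write-Host "Forest roles : Schema=$($forest.SchemaMaster)  DomainNaming=$($forest.DomainNamingMaster)"
    Write-Host "Domain roles : PDC=$($domain.PDCEmulator)  RID=$($domain.RIDMaster)  Infra=$($domain.InfrastructureMaster)"
    foreach ($dc in $dcs) {
        $gcTag = if ($dc.IsGlobalCatalog) { 'GC' } else { 'no GC' }
        Write-Host "  $($dc.HostName) [$gcTag] roles: $($dc.OperationMasterRoles -join ', ')"
    }

    $gcs      = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $imDc     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $findings = @()

    # Exchange and normal logons depend on a reachable GC; one GC is a single point of failure.
    if ($gcs.Count -eq 0) {
        $findings += "no Global Catalog in $($domain.DNSRoot); Exchange logons will fail"
    } elseif ($gcs.Count -eq 1) {
        $findings += "only one Global Catalog ($($gcs[0].HostName)); logons break while it is down"
    }

    # The Infrastructure Master fixes stale cross-domain references by comparing its copy
    # with a GC. If it is itself a GC it never sees stale entries, so in a multi-domain
    # forest it must not be a GC unless every DC is one. Single domain: irrelevant.
    if ($forest.Domains.Count -gt 1 -and $imDc.IsGlobalCatalog -and $gcs.Count -lt $dcs.Count) {
        $findings += "Infrastructure Master $($imDc.HostName) is a GC while $($dcs.Count - $gcs.Count) DC(s) are not; move the role or make every DC a GC"
    }

    foreach ($f in $findings) { Write-Warning $f }
    return $findings      # empty array means no placement problem found
}

Test-FsmoPlacement
```

Roles are transferred with Move-ADDirectoryServerOperationMasterRole, the cmdlet equivalent of the console's Operations Masters dialog; its -Force switch performs the "seize" JeremyPage mentions and belongs only to the case where the old holder is permanently gone.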
 

Author Comment

by:Sp0cky
"There are several possible ways to proceed, here's one:

- server1 = primary DC, server2 = other server
- Install a secondary DC (in your case that has already happened) on server2 ("manage your server" - "add or remove a role" - "domain controller" - ...)
- Promote your secondary DC to primary DC (DCPROMO command) (*)
- (server1 authorises server2 to become the new primary; server1 becomes a secondary DC)
- install Win2k3 on server1
- make server1 a DC
- keep server2 as primary DC or promote server1" - panman3

panman3, does this mean that the domain will be upgraded to a w2k3 domain automatically in the process of promoting the secondary DC because the secondary DC is already installed with w2k3?
 
LVL 44

Assisted Solution

by:scrathcyboy
scrathcyboy earned 100 total points
"Secondly, let's say I want to upgrade from a w2k domain to a w2k3 domain. What is the procedure for this? Can I just add w2k3 member servers first and then upgrade them to DCs... and then what?"

NO, you HAVE to follow the MS approved procedure or it won't work; you will lose all DC functionality --

support.microsoft.com/kb/555040/en-us
support.microsoft.com/?kbid=325379
www.petri.co.il/windows_2003_adprep.htm
www.tek-tips.com/viewthread.cfm?qid=1238743&page=1
www.tutorialsall.com/DIRECTORY/Upgrading/
www.windowsitpro.com/Article/ArticleID/45477/45477.html
www.commodore.ca/windows/windows_2003_upgrade.htm
 
LVL 2

Expert Comment

by:panman3
*does this mean that the domain will be upgraded to a w2k3 domain automatically in the process of promoting the secondary DC because the secondary DC is already installed with w2k3?

NO.
You can install win2k3 on new servers, but they will automatically run in "mixed mode" (see next paragraph). If you want to upgrade the domain itself, you first need to make sure all servers can work with the win2k3-native mode and then change the mode on the DCs.

When you install a domain, you can choose between a win2k3-native domain or a mixed-mode. Windows 2000 clients and servers need a mixed mode domain; if you only have Windows XP clients and Windows 2003 servers then you can choose win2k3 native.

In short: when upgrading you need to change from mixed mode to win2k3 native.

First you need to make sure that all servers are Windows 2003 or are able to work with win2k3-native mode. So you need to upgrade the OSes. Be sure not to take any risks with your primary DC (as described before). Only when you don't have any Win2000 servers anymore can you upgrade the domain itself to win2k3 native. I think it is also possible when you have SP4 on all Win2000 servers, but I'm not completely sure (SP4 should make them capable of running win2k3-native mode).

The links from scrathcyboy seem very helpful. I also browsed these:

MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003 -> http://support.microsoft.com/?id=555040
MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003 -> http://support.microsoft.com/?id=325379
 
LVL 2

Expert Comment

by:panman3
EDIT:
You can install win2k3 on new servers, but they will automatically run in "mixed mode" WHEN THEY ARE CONNECTED TO AN ALREADY EXISTING MIXED-MODE DOMAIN.

If you install a new domain on a fresh win2k3 it will be win2k3 native.
 
LVL 2

Expert Comment

by:JeremyPage
You can't have two machines with the same FSMO in the same domain. You can have multiple Global Catalogs, you set this under the server's properties in AD Sites and Services.
 

Author Comment

by:Sp0cky
Ok, so "basically" after transferring the roles and then upgrading or taking the old servers offline, and thus having all DCs on the w2k3 O/S, I can change to native w2k3 mode... right? (Assuming I also follow the guidelines in the above articles, thanks to scrathcyboy.)
 
LVL 2

Expert Comment

by:JeremyPage
Yes, but don't take the old servers offline until you run DCPROMO on them to make them member servers.

And yeah, you need to do a forest prep and domain prep first. The rest should pretty much already be done since you are in 2000 mode now. It's not too terribly difficult. Back up your system state before you do the upgrade just to be certain.
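An added pre-flight check for the mode change discussed in this thread (not code from the thread or from Microsoft). It assumes the ActiveDirectory module, a DC that answers through AD Web Services, and takes 5.2, the kernel version of Windows Server 2003, as the minimum every remaining DC must run; a server that was simply switched off instead of being demoted with DCPROMO still has a DC account and therefore still shows up.

```powershell
# Added example: refuse to raise the domain functional level while any DC account in
# the domain still belongs to an OS older than the target. Assumes the ActiveDirectory
# module; the raise itself is one-way, so this only reports and never changes anything.
Import-Module ActiveDirectory

function Test-DomainModeRaiseReady {
    param([version]$MinimumOsVersion = '5.2')   # 5.2 = Windows Server 2003

    $domain = Get-ADDomain
    $forest = Get-ADForest
    Write-Host "Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"

    $blocking = @()
    foreach ($dc in @(Get-ADDomainController -Filter *)) {
        # operatingSystemVersion is stored as text such as "5.2 (3790)"; keep major.minor
        $ver = if ($dc.OperatingSystemVersion -match '^(\d+\.\d+)') { [version]$Matches[1] } else { $null }
        Write-Host "  $($dc.HostName): $($dc.OperatingSystem) [$ver]"
        # Unknown version is treated as blocking: an orphaned or offline DC account
        # must be demoted (DCPROMO) or cleaned up before the level can be raised.
        if (-not $ver -or $ver -lt $MinimumOsVersion) { $blocking += $dc.HostName }
    }

    if ($blocking.Count -gt 0) {
        Write-Warning ("Not ready. Demote or upgrade first: " + ($blocking -join ', '))
        return $false
    }
    # adprep /forestprep and adprep /domainprep from the 2003 media must already have
    # run, and a system state backup belongs before the one-way Set-ADDomainMode call.
    Write-Host "All DCs are at $MinimumOsVersion or newer. Raise with:"
    Write-Host "  Set-ADDomainMode -Identity $($domain.DNSRoot) -DomainMode Windows2003Domain"
    return $true
}

Test-DomainModeRaiseReady
```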
 

Author Comment

by:Sp0cky
Thanks!