Backup Domain Controller (BDC) - How do I set up?

I've never installed a BDC (Backup Domain Controller) - only a PDC (Primary Domain Controller).

I'm doing both for an organization next week. Can I get some tips/advice on a few matters:

1) Should I complete the PDC and then migrate the data to the BDC?
2) How do I put it in Service?
3) What are some best practices?
4) Is there a good URL for a "High-Level" overview of the installation?

Thanks!
Asked by Ryman1

Hedley Phillips commented:
Just run through the dcpromo setup of the backup Domain Controller and tick the box that says there is an existing DC in the domain and it will replicate everything over for you.
Zenith63 commented:
Active Directory has removed the concept of primary and backup domain controllers, you just have Domain Controllers now, all equal.  Well this is simplified ever so slightly, there are FSMO roles and Global Catalogues, but it's pretty much true.  Users can log on to any domain controller they can contact, they don't have to be logging on to the "primary" domain controller.  So the concept of failing over to a BDC is gone, if one domain controller (DC) is down the users can and will log on to any other available DC.

So as Mr-Madcowz said you add extra domain controllers by first setting up an IP address on the new server, pointing it to the existing DC for DNS, then running the command "dcpromo".  Select the option to join an existing domain and fill in the details.  This will set up replication and do an initial replication also.

Other things to consider -
- You should make the second domain controller a Global Catalogue Server when you have made it a DC. To do this open "Active Directory Sites and Services", go down through the tree to your second DC, right click "NTDS Settings" under this server and select Properties, tick Global Catalogue and hit OK.  You'll see an Event in the logs of this server after a few minutes saying it is now a Global Catalogue.
- Assuming your DNS is Active Directory Integrated (default) then DNS is being replicated between the Domain Controllers.  So install DNS Server on the second DC and restart it.  This server will now be a DNS server as well, so you can put its address in as the secondary DNS Server address on client PCs, so if the primary DNS server (your first DC) goes down the PCs can still resolve addresses (very important if they want to log on to a different DC and find it!).
- I usually set up WINS replication also but it's not a big deal for now.
KCTS commented:
Let's put the record straight - there is no such thing as a BDC or a PDC either for that matter, and has not been since Windows NT4. Windows 2000/2003 uses a multi-master database, which means that any Domain Controller can be used to query and update Active Directory. That said, there are some Single Master Roles (FSMO Roles) that only one Domain Controller can hold at any one time, and one of these is the PDC emulator. OK, now that's over, down to your question.

If you want to add a second DC for backup and redundancy - which is highly recommended - the procedure is as follows:

Install Windows Server on the new machine

Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the R2 version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing Domain Controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select Additional Domain Controller in an existing Domain and follow the prompts.

Active Directory will be replicated automatically from the existing DC to the new DC and assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

Once Active Directory is installed, then to make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right click on the new server and select Properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

If you are using DHCP you should spread this across the domain controllers. In a simple single domain this is easiest done by setting up DHCP on the second Domain Controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller. Don't forget to set the default gateway (router) and DNS Servers.

Talking of client DNS settings, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller, and the Alternate DNS to the other; that way if one of the DNS Servers fails, the clients will automatically use the other. (Domain Controllers should use themselves as the Preferred DNS server and the other DC as the Alternate DNS Server.)

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function for a while at least should any one of them fail. However for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO Roles. There are five of these roles that are held on a single server and are essential for the functioning of the network. If the second Domain Controller fails, then no problem as the FSMO roles are on the first Domain Controller. However if you intend to function with the second Domain Controller only, then the roles need to be moved to the second Domain Controller. Ideally if this is a planned event you should cleanly transfer the FSMO roles; if it is an unplanned emergency the FSMO roles can be seized (see http://www.petri.co.il/transferring_fsmo_roles.htm and http://support.microsoft.com/kb/255504).
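The checks below cover the steps in this answer (Global Catalog, where the FSMO roles sit, DNS client settings on the DC, SRV registration of each DC, and replication health). This is an added example, not code from the thread; it assumes a current PowerShell with the ActiveDirectory and DnsClient modules, which Server 2003 does not have (there the same checks are done with dcdiag, repadmin, netdom query fsmo and nslookup).

```powershell
# Added example (not from the thread): post-promotion checks for a second DC.
# Run from an elevated PowerShell prompt on the newly promoted DC.
# Assumes the ActiveDirectory and DnsClient modules (RSAT / Server 2008 R2 or later).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# 1. Global Catalog: universal group membership is resolved against a GC at logon,
#    so every DC that should serve logons needs the GC box ticked.
Write-Host "Global Catalog status:"
foreach ($dc in $dcs) {
    "  {0,-30} GC={1,-5} Site={2}" -f $dc.HostName, $dc.IsGlobalCatalog, $dc.Site
}

# 2. FSMO roles: after dcpromo they still live on the first DC. Record the holders
#    so you know which server must be transferred (planned) or seized (emergency).
Write-Host "FSMO role holders:"
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. DNS client settings on this DC: preferred should be itself, alternate the other DC.
Write-Host "DNS servers configured on this DC's adapters:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

# 4. Every DC must advertise itself in the _msdcs SRV records, otherwise clients
#    that fail over from the first DC cannot locate the second one to log on.
$srvName = "_ldap._tcp.dc._msdcs." + $domain.DNSRoot
$targets = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.NameTarget } |
    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
foreach ($dc in $dcs) {
    $found = $targets -contains $dc.HostName.ToLower()
    "  {0,-30} SRV record present: {1}" -f $dc.HostName, $found
}

# 5. Replication: the initial replication dcpromo performed must keep succeeding.
repadmin /replsummary
dcdiag /test:Replications /test:Advertising
```

Any DC showing GC=False, a missing SRV record, or replication failures in the last two commands is not yet a usable fallback for logons and should be fixed before the first DC is taken down.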
Hedley Phillips commented:
Yes, Windows 2000/2003 is a multi-master Active Directory replication environment where all DCs are peers.

But, a lot of us still call the DC that holds the FSMO roles the primary Domain Controller.

Old habits die hard.

Ryman1 (Author) commented:
Wow, that's amazing help!

Another question: Have either of you heard of using a Virtual Machine for the second Domain Controller? A friend of mine says their company does it this way since their uses are not incredibly resource intensive.
Lee W, MVP (Technology and Business Process Advisor) commented:
That's what I do for my own private network.  AD is not a resource intensive service for most businesses.  If you don't have the physical hardware and/or want to save on your electric costs, a VM is a fine solution.  Of course, I would run one server with VMs and the other as a DC (running a VM DC on a DC is not very good - if the DC goes down, so does the VM DC, somewhat negating the benefits).
KCTS commented:
Yes, having a virtual machine as a second DC is a good idea if you don't have the hardware to run another 'real' DC. As leew says - don't put the virtual machine on the DC; not only will it slow down the DC, but if you have a hardware failure you will lose both. You could run a virtualized second 2003 DC on Microsoft Virtual PC running on a Windows XP system.

Virtual PC can be got free from http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx though you will still have to obtain another copy of Server 2003 to install on the Virtual PC of course.
Ryman1 (Author) commented:
Sorry to take a tangent on this thread, but they have come back with an unexpected question:

They are considering using Small Business Server with 25 CALs. Can you do a second DC in that environment?

I'm going to urge against it - based on what you guys say.
Lee W, MVP (Technology and Business Process Advisor) commented:
You should read up on SBS - You can have a second DC... a third, a fourth, a fifth..., a thousandth if you want... BUT your SBS server MUST be your FSMO Master.
Zenith63 commented:
Why urge against it?  SBS is a great solution and very well priced for businesses of the right size, I'd also recommend you read up on it.
Lee W, MVP (Technology and Business Process Advisor) commented:
I agree - I suggest you do some reading up on SBS - outside of trusts, there's very little it can't do or accommodate.  And when you outgrow it, you get the Transition pack and remove any limitations.
KCTS commented:
Yes, you can have a second domain controller on SBS - so long as you set up SBS first and then add the other DC. The SBS server MUST hold all of the FSMO roles - you cannot move these to the second DC, but the second DC can still be a DNS, DHCP and Global Catalog server.

SBS Server is actually quite a nice cost-effective solution for small businesses, if a bit quirky until you get used to it, so do not discount it out of hand.
Ryman1 (Author) commented:
It looks like we will be using Server 2003 Standard since the business plans to have solid growth (out of the range of SBS) and wants to make sure things like Exchange, IIS, etc. are on separate boxes.

The install will be happening this week if the licenses arrive.

One thing: How do I migrate the Profiles of the 10 Windows XP Users that already exist?
Ryman1 (Author) commented:
Mr. KCTS,

Here are the detailed instructions from Microsoft for installing the second DC, but I'm wondering if your instructions are more current than Microsoft's?
KCTS commented:
There should not be any conflict between what I have suggested and the Microsoft 'official' solution. My method is based on having added additional DCs many times.
Ryman1 (Author) commented:
Thanks KCTS, I'll likely go with your method.

One thing: How do I migrate the Profiles of the 10 Windows XP Users that already exist?
Ryman1 (Author) commented:
How should I configure the DNS Server for the second DC?

During the wizard I have: options for forward, reverse, or root hints only.