Setting up Backup Domain Controller

Posted on 2007-11-28
Last Modified: 2012-06-21
We have only one DC in a small org.

We need to provide redundancy and load balancing and would like to implement a second server to act as the backup DC. However, the question would be about the FSMO roles. Rather than a manual transfer if the primary DC goes down, can the FSMO roles be made redundant?

If so, what are the ways?
If not, would server clustering be an option for domain controllers?

Question by:rdvarghese
LVL 70

Accepted Solution

KCTS earned 500 total points
ID: 20364083
You cannot have redundant FSMO roles - by definition they are Single Operation Masters. That said, the domain can operate quite effectively for a considerable time if these roles are not available. Clustering I suppose is an option, but would be very expensive and I doubt it is really necessary in your case.

The procedure for adding a second domain controller (note a second domain controller, NOT a BDC - BDCs ceased to exist with the demise of Windows NT) is as follows:

Install Windows 2003 on the new machine.
Assign the new computer an IP address and subnet mask on the existing network.
Make sure that the preferred DNS server on the new machine points to the existing DNS server on the domain (normally the existing domain controller).

Join the new machine to the existing domain as a member server.

If the new Windows 2003 server is the ‘R2’ version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.

From the command line, promote the new machine to a domain controller with the DCPROMO command and select ‘Additional Domain Controller in an existing Domain’.

Install DNS on the new DC. Assuming that you were using Active Directory Integrated DNS on the first domain controller, DNS will have replicated to the new domain controller along with Active Directory.

Once Active Directory is installed, to make the new machine a global catalog server go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right-click on the new server, select Properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon, as it needs to be queried to establish universal group membership.)

If you are using DHCP you should spread this across the domain controllers. In a simple single domain this is most easily done by setting up DHCP on the second domain controller and using a scope on the same network that does not overlap with the existing scope on the other domain controller. Don’t forget to set the default gateway (router) and DNS servers. Talking of which, all the clients (and the domain controllers themselves) need to have their preferred DNS server set to one domain controller and the alternate DNS to the other; that way, if one of the DNS servers fails, the clients will automatically use the other.

Both domain controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function for quite a while should any one of them fail.

However, for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO roles. There are five of these roles; they are held on a single server and are essential for the functioning of the network. If the second domain controller fails, then no problem, as the FSMO roles are on the first domain controller. However, if you intend to function with the second domain controller only, then the roles need to be moved to the second domain controller. Ideally, if this is a planned event you should cleanly transfer the FSMO roles; if it is an unplanned ‘emergency’ the FSMO roles can be seized (see
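The same procedure, as an added example that is not part of KCTS's answer, done with the PowerShell cmdlets that replaced DCPROMO and the MMC consoles from Windows Server 2012 onward (the ADDSDeployment, ActiveDirectory, DhcpServer, NetTCPIP and DnsClient modules). Everything environment-specific below is an assumption for illustration: domain corp.example.com, existing DC1 at 192.168.1.10 already running AD-integrated DNS and a DHCP scope of 192.168.1.20-150, the new server DC2 at 192.168.1.11, site Default-First-Site-Name, NIC alias Ethernet, gateway 192.168.1.1.

```powershell
# Added example, not from the original answer. Names and addresses are placeholders;
# run on the new server (DC2) as a domain admin, one phase at a time.
$Domain  = 'corp.example.com'
$Dc1Ip   = '192.168.1.10'   # existing DC: AD-integrated DNS, DHCP scope .20-.150
$Dc2Ip   = '192.168.1.11'   # this machine
$Gateway = '192.168.1.1'
$Site    = 'Default-First-Site-Name'
$Nic     = 'Ethernet'

# --- Phase 1: static IP, preferred DNS = existing DC, join as a member server ---
# Promotion locates the domain through DNS SRV records, so DC1 must be the resolver.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Dc2Ip -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc1Ip
Add-Computer -DomainName $Domain -Credential "$Domain\Administrator" -Restart

# --- Phase 2 (after reboot): promote as an additional DC in the existing domain ---
# -InstallDns gives DC2 its own copy of the AD-integrated zones; global catalog is
# enabled unless -NoGlobalCatalog is passed. The schema/forest prep that the answer
# does with adprep is run automatically by this cmdlet. The DSRM password unlocks
# the offline NTDS.dit, so treat it as a domain-admin-equivalent secret.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -SiteName $Site -InstallDns `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# --- Phase 3 (after reboot): cross-point DNS so either DC can fail ---
# Each DC prefers itself and falls back to the other; clients get the same pair via DHCP.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc2Ip, $Dc1Ip
Invoke-Command -ComputerName 'DC1' -ScriptBlock {
    Set-DnsClientServerAddress -InterfaceAlias $using:Nic -ServerAddresses $using:Dc1Ip, $using:Dc2Ip
}

# --- Phase 4: DHCP on DC2 with a non-overlapping scope on the same subnet ---
# DC1 leases .20-.150, so DC2 takes .151-.250. Options hand out the router and BOTH
# DNS servers. Authorising the server in AD is what lets the DHCP service start.
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerv4Scope -Name 'LAN (DC2 half)' -StartRange '192.168.1.151' -EndRange '192.168.1.250' -SubnetMask '255.255.255.0'
Set-DhcpServerv4OptionValue -ScopeId '192.168.1.0' -Router $Gateway -DnsServer $Dc2Ip, $Dc1Ip
Add-DhcpServerInDC -DnsName "dc2.$Domain" -IPAddress $Dc2Ip

# --- Phase 5: confirm both DCs are GCs and see where the five FSMO roles sit ---
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles

# --- Phase 6a: planned move while DC1 is still up -> clean TRANSFER of all five ---
$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole $AllRoles

# --- Phase 6b: DC1 is dead -> SEIZE with -Force. Only when DC1 is not coming back:
# once Schema, Domain Naming or RID master has been seized, the old holder must never
# be reconnected to the domain (two masters would issue duplicate RID pools or
# conflicting schema changes). Clean its metadata and rebuild it from scratch.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole $AllRoles -Force
```

On the Windows 2003 systems the answer assumes, the equivalents are DCPROMO for promotion, `netdom query fsmo` (Support Tools) to list the role holders, and `ntdsutil` with its `roles` menu for transfer and seizure; the caveat about never reconnecting a DC whose Schema, Domain Naming or RID role was seized applies equally there.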
LVL 29

Expert Comment

ID: 20364086

In Active Directory Windows 200x there is no real difference between DCs and therefore the idea of PDC and BDC is gone in theory. You are right that there are some roles (FSMO) that can only be hosted on one DC at a time. The neat thing is that if the DC holding these roles goes offline, you can seize the FSMO roles so they are available on another DC that is functioning.

The main thing to remember is that you should enable the second DC as a global catalog and DNS server and specify your clients' and servers' DNS settings to use one DC as the primary DNS and the other as secondary.

Author Comment

ID: 20364127

I did read your same exact words on another post, but thank you for the information on FSMO. Is it possible to have more than one global catalog?
LVL 70

Expert Comment

ID: 20364132
Yes - indeed it's best to have at least two, and one per site as a minimum.

Author Comment

ID: 20364165
Still trying to clarify the FSMO deal.
For example,
if you have two separate domains in an org, and 10 clients in domain_A and 90 clients in domain_B, if I move the 10 clients to domain_B (assuming both global catalog) and have all users authenticate to one domain - for shutting down the second domain, does the FSMO matter? Does FSMO need to be transferred to a domain that is completely different?
LVL 70

Expert Comment

ID: 20364250
If you have two separate domains then it's a bit different.
Some FSMO roles are only held in the forest root - one per forest - these are:
Schema Master
Domain Naming Master

Each domain has its own:
RID Master
Infrastructure Master
PDC Emulator

You cannot transfer the forest FSMO roles out of the forest root.
You cannot transfer domain roles across forests.
LVL 70

Expert Comment

ID: 20364274
... that last one should say:
You cannot transfer domain FSMO roles across DOMAINS.

Basically, FSMO roles can only be transferred to another DC in the same domain.
LVL 70

Expert Comment

ID: 20364342
If you are getting rid of a child domain, then once the users have all been moved you do not need to do anything with the FSMO roles. Just run DCPROMO on the DC in the child domain and select the "This is the last DC in the domain" option.
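An added example, not from the thread, that makes the forest-versus-domain split from the comments above concrete with the ActiveDirectory and ADDSDeployment modules (Windows Server 2008 R2 / 2012 or later): it lists every role holder in the forest grouped by scope, refuses a transfer whose target DC is in a different domain from the role (the "cannot cross domains" rule), and ends with the demotion of the last DC in a retired child domain. The forest layout (root corp.example.com with child sub.corp.example.com), the DC name SUBDC2 and the two function names are assumptions for illustration.

```powershell
# Added example, not from the original thread. Domain and DC names are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # The two forest-wide roles exist exactly once, always inside the forest root domain.
    $forest = Get-ADForest
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    # The three domain-wide roles exist once PER domain, so a two-domain forest has six.
    foreach ($dns in $forest.Domains) {
        $domain = Get-ADDomain -Identity $dns
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = 'Domain'; Domain = $dns; Role = $role; Holder = $domain.$role }
        }
    }
}

function Move-FsmoSafely {
    # Moves roles only to a DC in the domain that currently owns them. Forest roles are
    # recorded under the root domain, so they can only ever land on a root-domain DC.
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)][string]$TargetDomain,   # DNS name of the DC's domain
        [Parameter(Mandatory)][string[]]$Role,
        [switch]$Seize                                 # unplanned: old holder is gone
    )
    $target  = Get-ADDomainController -Identity $TargetDc -Server $TargetDomain
    $holders = Get-FsmoHolder
    foreach ($r in $Role) {
        $current = $holders | Where-Object { $_.Role -eq $r -and $_.Domain -eq $target.Domain }
        if (-not $current) {
            throw "Role $r is not owned by domain $($target.Domain); FSMO roles cannot cross domains."
        }
        Write-Host "$r ($($current.Scope)): $($current.Holder) -> $($target.HostName)"
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force:$Seize
}

# Full inventory for the forest: 2 forest rows plus 3 rows per domain.
Get-FsmoHolder | Sort-Object Scope, Domain | Format-Table -AutoSize

# Allowed: move the child domain's PDC emulator to another DC of the same child domain.
Move-FsmoSafely -TargetDc 'SUBDC2' -TargetDomain 'sub.corp.example.com' -Role PDCEmulator

# Refused: SchemaMaster belongs to the forest root, SUBDC2 is in the child domain.
try {
    Move-FsmoSafely -TargetDc 'SUBDC2' -TargetDomain 'sub.corp.example.com' -Role SchemaMaster
} catch { Write-Warning $_ }

# Retiring the child domain once its users and computers have been migrated needs no
# FSMO work: its three domain roles cease to exist together with the domain. Run this
# on the child's LAST domain controller (the DCPROMO "last DC in the domain" option).
Uninstall-ADDSDomainController -LastDomainControllerInDomain -RemoveApplicationPartitions `
    -IgnoreLastDnsServerForZone `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local administrator password') -Force
```

The inventory is worth keeping as a scheduled check: a role holder that silently changes, or a DC that is no longer reachable for a role it holds, is exactly the condition the thread warns will eventually stop RID allocation and password changes, and it is visible here long before users notice.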
