Setting up Backup Domain Controller

Posted on 2007-11-28
Last Modified: 2012-06-21
We have only one DC in a small org.

We need to provide redundancy and load balancing and would like to implement a second server to act as the backup DC. However, the question would be for the FSMO roles. Rather than a manual transfer if the primary DC goes down, can the FSMO roles be made redundant?

If so, what are the ways?
If not, would server clustering be an option for domain controllers?

Question by: rdvarghese
LVL 70

Accepted Solution

KCTS earned 500 total points
ID: 20364083
You cannot have redundant FSMO roles - by definition they are Single Operation Masters. That said, the domain can operate quite effectively for a considerable time if these roles are not available. Clustering I suppose is an option but would be very expensive, and I doubt it is really necessary in your case.

The procedure for adding a second domain controller (note: a second domain controller, NOT a BDC - BDCs ceased to exist with the demise of Windows NT) is as follows:

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network
Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the 'R2' version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.

From the command line, promote the new machine to a domain controller with the DCPROMO command and select 'Additional Domain Controller in an existing Domain'.

Install DNS on the new DC. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

Once Active Directory is installed, to make the new machine a global catalog server go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right-click on the new server, select Properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon, as it needs to be queried to establish universal group membership.)

If you are using DHCP you should spread this across the domain controllers. In a simple single domain this is easiest done by setting up DHCP on the second domain controller and using a scope on the same network that does not overlap with the existing scope on the other domain controller. Don't forget to set the default gateway (router) and DNS servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller and the Alternate DNS to the other; that way, if one of the DNS servers fails, the clients will automatically use the other.

Both domain controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function for quite a while at least should any one of them fail.

However, for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO roles. There are five of these roles that are held on a single server and are essential for the functioning of the network. If the second domain controller fails, then no problem, as the FSMO roles are on the first domain controller. However, if you intend to function with the second domain controller only, then the roles need to be moved to the second domain controller. Ideally, if this is a planned event you should cleanly transfer the FSMO roles; if it is an unplanned 'emergency' the FSMO roles can be seized (see
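The post-promotion checks and the transfer-versus-seize distinction from the answer above, as an added example that is not part of the original answer. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); on Windows 2003 the same work is done with dcpromo, ntdsutil and the Sites and Services console as the answer describes. DC1, DC2 and corp.example are placeholder names.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module and placeholder names DC1 (original DC) and DC2 (new DC).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Every DC in the domain should be a global catalog: logon needs a GC to
#    resolve universal group membership, so a lone GC is a single point of failure.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IPv4Address | Format-Table -AutoSize

foreach ($dc in ($dcs | Where-Object { -not $_.IsGlobalCatalog })) {
    # Same effect as ticking "Global Catalog" in Sites and Services:
    # bit 0x1 of the NTDS Settings object's "options" attribute. OR it in so
    # other option bits on the object are preserved.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
    Write-Host "Enabled GC on $($dc.HostName); wait for replication before relying on it."
}

# 2. Where the five roles live today (by default all on the first DC, DC1).
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster          # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
    RIDMaster            = $domain.RIDMaster             # per domain
    InfrastructureMaster = $domain.InfrastructureMaster  # per domain
    PDCEmulator          = $domain.PDCEmulator           # per domain
}

# 3. DNS client settings on this DC: preferred = one DC, alternate = the other.
#    (Get-DnsClientServerAddress is Windows Server 2012+; on older systems use
#    "netsh interface ip show dns".)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 4. Replication and DNS health of the new DC (built-in tools).
repadmin /replsummary
dcdiag /s:DC2 /test:advertising /test:dns

# 5a. Planned move: TRANSFER. DC1 is still up and hands the roles off cleanly.
Move-ADDirectoryServerOperationMasterRole -Identity DC2 `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster, InfrastructureMaster, PDCEmulator `
    -Confirm:$false

# 5b. Emergency: DC1 is dead and will not come back. SEIZE with -Force, then
#     never put the old DC1 back on the network without reinstalling it, or
#     two DCs will both believe they own the roles.
# Move-ADDirectoryServerOperationMasterRole -Identity DC2 `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster, InfrastructureMaster, PDCEmulator `
#     -Force -Confirm:$false

# Windows 2003 equivalent (interactive): ntdsutil -> roles -> connections ->
# "connect to server DC2" -> q -> "transfer pdc" (planned) or "seize pdc" (emergency),
# and likewise for the other four roles.
```

Run steps 1 to 4 before touching the roles: a transfer only succeeds if DC2 is advertising, replicating and resolving DNS, and a seizure onto a DC that is not a healthy GC just moves the outage.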
LVL 29

Expert Comment

ID: 20364086

In Active Directory (Windows 200x) there is no real difference between DCs, and therefore the idea of PDC and BDC is gone in theory. You are right that there are some FSMO roles that can only be hosted on one DC at a time. The neat thing is that if the DC holding these roles goes offline you can seize the FSMO roles so they are available on another DC that is functioning.

The main thing to remember is that you should enable the second DC as a global catalog and DNS server and specify your clients' and servers' DNS settings to use one DC as the primary DNS and the other as secondary.

Author Comment

ID: 20364127

I did read your same exact words on another post, but thank you for the information on FSMO. Is it possible to have more than one global catalog?

LVL 70

Expert Comment

ID: 20364132
Yes - indeed it's best to have at least two - and one per site as a minimum.

Author Comment

ID: 20364165
Still trying to clarify the FSMO deal.
For example,
If you have two separate domains in an org, and 10 clients in domain_A and 90 clients in domain_B, and I move the 10 clients to domain_B (assuming both are global catalogs) and have all users authenticate to one domain - for shutting down the second domain, does the FSMO matter? Does FSMO need to be transferred to a domain that is completely different?
LVL 70

Expert Comment

ID: 20364250
If you have two separate domains then it's a bit different.
Some FSMO roles are only held in the forest root - one per forest - these are:
Schema master
Domain Naming Master

Each domain has its own:
RID master
Infrastructure Master
PDC Emulator

You cannot transfer the Forest FSMO roles out of the forest root
You cannot transfer domain roles across forests
LVL 70

Expert Comment

ID: 20364274
... that last one should say:
You cannot transfer domain FSMO roles across DOMAINS.

Basically, FSMO roles can only be transferred to another DC in the same domain.
LVL 70

Expert Comment

ID: 20364342
If you are getting rid of a child domain, then once the users have all been moved you do not need to do anything with the FSMO roles. Just run DCPROMO on the DC in the child domain and select the "This is the last DC in the domain" option.
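The forest-versus-domain split of the roles described in the comments above, and the retirement of a child domain from the last comment, as an added example that is not part of the thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and, for the demotion, the ADDSDeployment module of Windows Server 2012 or later; corp.example, child.corp.example and DC2.child.corp.example are placeholder names.

```powershell
# Added example, not from the original thread. Placeholder forest:
# root domain corp.example with child domain child.corp.example.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Two roles exist once per forest ...
Write-Host "Forest-wide roles (one holder in the forest, root domain $($forest.RootDomain)):"
Write-Host "  Schema master        : $($forest.SchemaMaster)"
Write-Host "  Domain naming master : $($forest.DomainNamingMaster)"

# ... and three exist once per domain, so a two-domain forest has 2 + 3 + 3 holders.
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    Write-Host "Domain $name roles (one holder per domain):"
    Write-Host "  RID master            : $($d.RIDMaster)"
    Write-Host "  Infrastructure master : $($d.InfrastructureMaster)"
    Write-Host "  PDC emulator          : $($d.PDCEmulator)"
}

# Domain roles cannot be moved to a DC of another domain. Guard the transfer so
# that naming a DC from the wrong domain fails before anything is touched.
function Assert-SameDomainTarget {
    param(
        [Parameter(Mandatory)] [string] $Role,        # RIDMaster, InfrastructureMaster or PDCEmulator
        [Parameter(Mandatory)] [string] $TargetDC,    # FQDN of the intended new holder
        [Parameter(Mandatory)] [string] $RoleDomain   # DNS name of the domain that owns the role
    )
    $target = Get-ADDomainController -Identity $TargetDC
    if ($target.Domain -ne $RoleDomain) {
        throw "$Role belongs to $RoleDomain but $TargetDC is in $($target.Domain); choose a DC in $RoleDomain."
    }
    return $target
}

# Example: move the child domain's PDC emulator within the child domain.
$childDomain = 'child.corp.example'
$target = Assert-SameDomainTarget -Role PDCEmulator -TargetDC 'DC2.child.corp.example' -RoleDomain $childDomain
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Confirm:$false

# Retiring the child domain once its users are gone: the roles need no transfer,
# because the domain (and its three roles) disappears with its last DC. This is
# the "last domain controller in the domain" choice of dcpromo; run it ON that DC.
# Uninstall-ADDSDomainController -LastDomainControllerInDomain -RemoveApplicationPartitions `
#     -LocalAdministratorPassword (Read-Host 'Local admin password' -AsSecureString)
```

The guard matters because Move-ADDirectoryServerOperationMasterRole will happily accept any DC name; catching a cross-domain target in the script, rather than in the error the directory returns, keeps a scripted change from half-applying when several roles are moved in one run.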
