Solved

Setting up Backup Domain Controller

Posted on 2007-11-28
Last Modified: 2012-06-21
We have only one DC in a small org.

We need to provide redundancy and load balancing and would like to implement a second server to act as the backup DC. However, the question would be about the FSMO roles. Rather than a manual transfer if the primary DC goes down, can the FSMO roles be made redundant?

If so, what are the ways?
If not, would server clustering be an option for domain controllers?
Question by:rdvarghese

Accepted Solution

by:
KCTS earned 500 total points
You cannot have redundant FSMO roles; by definition they are Single Operation Masters. That said, the domain can operate quite effectively for a considerable time if these roles are not available. Clustering I suppose is an option, but it would be very expensive and I doubt it is really necessary in your case.

The procedure for adding a second Domain Controller (note: a second domain controller, NOT a BDC; BDCs ceased to exist with the demise of Windows NT) is as follows:

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network
Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the ‘R2’ version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing Domain Controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.

From the command line, promote the new machine to a domain controller with the DCPROMO command and select ‘Additional Domain Controller in an existing Domain’.

Install DNS on the new DC. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

Once Active Directory is installed, to make the new machine a global catalog server go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right click on the new server, select Properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

If you are using DHCP you should spread this across the domain controllers. In a simple single domain this is easiest done by setting up DHCP on the second Domain Controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller. Don’t forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller and the Alternate DNS to the other; that way, if one of the DNS Servers fails, the clients will automatically use the other.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function for quite a while at least should any one of them fail.

However, for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO Roles. There are five of these roles that are held on a single server and are essential for the functioning of the network. If the second Domain Controller fails, then no problem, as the FSMO roles are on the first Domain Controller. However, if you intend to function with the second Domain Controller only, then the roles need to be moved to the second Domain Controller. Ideally, if this is a planned event, you should cleanly transfer the FSMO roles; if it is an unplanned ‘emergency’ the FSMO roles can be seized (see http://support.microsoft.com/kb/255504).

Expert Comment

by:mass2612
Hi,

In Active Directory (Windows 200x) there is no real difference between DCs, and therefore the idea of PDC and BDC is gone in theory. You are right that there are some FSMO roles that can only be hosted on one DC at a time. The neat thing is that if the DC holding these roles goes offline you can seize the FSMO roles so they are available on another DC that is functioning.

The main thing to remember is that you should enable the second DC as a global catalog and DNS server and specify your clients and servers DNS settings to use one DC as the primary DNS and the other as secondary.

http://www.petri.co.il/seizing_fsmo_roles.htm
Author Comment

by:rdvarghese
KCTS:

I did read your same exact words on another post, but thank you for the information on FSMO. Is it possible to have more than one global catalog?

Expert Comment

by:KCTS
Yes, indeed it's best to have at least two, and one per site as a minimum.
Author Comment

by:rdvarghese
Still trying to clarify the FSMO deal.
For example,
If you have two separate domains in an org, and 10 clients in domain_A and 90 clients in domain_B, and I move the 10 clients to domain_B (assuming both are global catalogs) and have all users authenticate to one domain: for shutting down the second domain, does the FSMO matter? Does FSMO need to be transferred to a domain that is completely different?

Expert Comment

by:KCTS
If you have two separate domains then it's a bit different.
Some FSMO roles are only held in the forest root (one per forest); these are:
Schema Master
Domain Naming Master

Each domain has its own:
RID Master
Infrastructure Master
PDC Emulator

You cannot transfer the forest FSMO roles out of the forest root.
You cannot transfer domain roles across forests.

Expert Comment

by:KCTS
... that last one should say:
You cannot transfer domain FSMO roles across DOMAINS

basically FSMO roles can only be transferred to another DC in the same domain
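The redundancy checks the accepted answer asks for (two DCs, two global catalogs, each DC listing both DCs as DNS servers) and the forest-versus-domain role split KCTS describes can be audited in one pass. The script below is an added example, not code from the thread or any poster; it assumes the RSAT ActiveDirectory module on a domain-joined host (Server 2008 R2 or later, newer than the Windows 2003 setup discussed), read access to AD, and WinRM access to each DC (Windows 2012 or later for Get-DnsClientServerAddress).

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module,
# read access to AD and WinRM access to every DC for the DNS client check.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    # Forest-wide roles have exactly one holder per forest, always in the forest root;
    # the three domain roles repeat once per domain and cannot leave that domain.
    $forest = Get-ADForest
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = $role; Holder = $forest.$role }
    }
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        foreach ($role in 'RIDMaster', 'InfrastructureMaster', 'PDCEmulator') {
            [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = $role; Holder = $d.$role }
        }
    }
}

function Test-DcRedundancy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs      = @(Get-ADDomainController -Filter * -Server $Domain)
    $dcIps    = @($dcs.IPv4Address)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($dcs.Count -lt 2) { $findings.Add("$Domain has a single DC; nothing can take over if it fails.") }
    if (@($dcs | Where-Object IsGlobalCatalog).Count -lt 2) {
        $findings.Add("Fewer than two global catalogs in $Domain; logons depend on one server.")
    }
    # Each DC should list one DC as preferred DNS and the other as alternate.
    foreach ($dc in $dcs) {
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
        })
        $dcServers = @($servers | Where-Object { $_ -in $dcIps })
        if ($dcServers.Count -lt 2) {
            $findings.Add("$($dc.HostName) does not list two DCs as DNS servers (has: $($servers -join ', ')).")
        }
    }
    # Report where the domain roles sit, so the operator knows which DC must survive or
    # whose roles need a planned transfer (Move-ADDirectoryServerOperationMasterRole).
    $roles = Get-FsmoInventory | Where-Object { $_.Domain -eq $Domain }
    [pscustomobject]@{ Domain = $Domain; DomainControllers = $dcs.HostName; FsmoRoles = $roles; Findings = $findings }
}

Test-DcRedundancy | Format-List
```

An empty Findings list means the layout matches what the answers above recommend; the FsmoRoles listing shows which single DC currently holds the domain's RID, Infrastructure and PDC Emulator roles.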

Expert Comment

by:KCTS
If you are getting rid of a child domain, then once the users have all been moved you do not need to do anything with the FSMO roles. Just run DCPROMO on the DC in the child domain and select the "This is the last DC in the domain" option.