

Setting up Backup Domain Controller

Posted on 2007-11-28
Medium Priority
Last Modified: 2012-06-21
We have only one DC in a small org.

we need to provide redundancy & load balancing and would like to implement a second server to act as the backup DC. However, the question would be for the FSMO roles. Rather than a manual transfer if primary DC goes down - Can the FSMO roles be made redundant?

If so, what are the ways?
If not, would server clustering be an option for domain controllers?

Question by:rdvarghese
LVL 70

Accepted Solution

KCTS earned 2000 total points
ID: 20364083
You cannot have redundant FSMO roles - by definition they are Single Operation Masters. That said, the domain can operate quite effectively for a considerable time if these roles are not available. Clustering I suppose is an option but would be very expensive and I doubt it is really necessary in your case.

The procedure for adding a second Domain Controller (note: a second domain controller, NOT a BDC - BDCs ceased to exist with the demise of Windows NT) is as follows:

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network
Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the ‘R2’ version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing Domain Controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.

From the command line, promote the new machine to a domain controller with the DCPROMO command and select ‘Additional Domain Controller in an existing Domain’.

Install DNS on the new DC. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

Once Active Directory is installed, to make the new machine a global catalog server go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default-First-Site and Servers. Right click on the new server, select Properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

If you are using DHCP you should spread this across the domain controllers. In a simple single domain this is most easily done by setting up DHCP on the second Domain Controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller. Don’t forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller and the Alternate DNS to the other; that way, if one of the DNS Servers fails, the clients will automatically use the other.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function for quite a while at least should any one of them fail.

However, for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO Roles. There are five of these roles that are held on a single server and are essential for the functioning of the network. If the second Domain Controller fails, then no problem as the FSMO roles are on the first Domain Controller. However, if you intend to function with the second Domain Controller only, then the roles need to be moved to the second Domain Controller. Ideally, if this is a planned event you should cleanly transfer the FSMO roles; if it is an unplanned ‘emergency’ the FSMO roles can be seized (see http://support.microsoft.com/kb/255504).
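A post-build check for the two-DC layout described above, written as an added example and not taken from the thread: it lists which DC holds each of the five FSMO roles, confirms every DC is a global catalog answering DNS, and verifies the local DNS client lists two different DCs as preferred and alternate. It assumes a current Windows Server with the ActiveDirectory and DnsClient PowerShell modules (not the Windows 2003 tooling of the original post) and is run as a domain admin on one of the DCs.

```powershell
# Added example: audit a domain for the redundancy points raised in the accepted answer.
# Assumes the ActiveDirectory and DnsClient modules (Windows Server 2012+ or RSAT).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two roles are forest-wide (held in the forest root), three are per domain.
$fsmo = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
"FSMO role holders for $($domain.DNSRoot):"
$fsmo.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

# Every DC should be a global catalog (needed for logon) and should serve DNS.
$dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
"Domain controllers:"
foreach ($dc in $dcs) {
    $dnsUp = Test-NetConnection -ComputerName $dc.HostName -Port 53 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    "  {0,-30} GC={1,-5} DNS:53={2}" -f $dc.HostName, $dc.IsGlobalCatalog, $dnsUp
    if (-not $dc.IsGlobalCatalog) { Write-Warning "$($dc.HostName) is not a global catalog" }
    if (-not $dnsUp)              { Write-Warning "$($dc.HostName) is not answering DNS on TCP/53" }
}
if ($dcs.Count -lt 2) { Write-Warning "Only one DC found: no redundancy for AD, GC or DNS" }

# Local DNS client: preferred and alternate should point at two different DCs,
# so name resolution (and therefore logon) survives the loss of either one.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object -First 1).ServerAddresses
"Local DNS client servers: $($dnsServers -join ', ')"
$dcIps     = $dcs | ForEach-Object { $_.IPv4Address }
$dcServers = @($dnsServers | Where-Object { $dcIps -contains $_ })
if ($dcServers.Count -lt 2) {
    Write-Warning "Fewer than two DCs configured as DNS servers; set preferred and alternate to different DCs"
}
```

Run it on each DC (and on a sample client) after DCPROMO and the DNS client changes; any warning marks a point where loss of one DC would still take the domain down.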
LVL 29

Expert Comment

ID: 20364086

In Active Directory (Windows 200x) there is no real difference between DCs, and therefore the idea of PDC and BDC is gone in theory. You are right that there are some roles (FSMO) that can only be hosted on one DC at a time. The neat thing is that if the DC holding these roles goes offline you can seize the FSMO roles so they are available on another DC that is functioning.

The main thing to remember is that you should enable the second DC as a global catalog and DNS server, and specify your clients' and servers' DNS settings to use one DC as the primary DNS and the other as secondary.


Author Comment

ID: 20364127

I did read your same exact words on another post, but thank you for the information on FSMO. Is it possible to have more than one global catalog?

LVL 70

Expert Comment

ID: 20364132
Yes - indeed it's best to have at least two, and one per site as a minimum.

Author Comment

ID: 20364165
Still trying to clarify the FSMO deal.
For example,
If you have two separate domains in an org, and 10 clients in domain_A and 90 clients in domain_B: if I move the 10 clients to domain_B (assuming both are global catalogs) and have all users authenticate to one domain, then for shutting down the second domain, does the FSMO matter? Does FSMO need to be transferred to a domain that is completely different?
LVL 70

Expert Comment

ID: 20364250
If you have two separate domains then it's a bit different.
Some FSMO roles are only held in the forest root - one per forest - these are:
Schema master
Domain Naming Master

Each domain has its own:
RID master
Infrastructure Master
PDC Emulator

You cannot transfer the Forest FSMO roles out of the forest root
You cannot transfer domain roles across forests
LVL 70

Expert Comment

ID: 20364274
... that last one should say:
You cannot transfer domain FSMO roles across DOMAINS

Basically, FSMO roles can only be transferred to another DC in the same domain.
LVL 70

Expert Comment

ID: 20364342
If you are getting rid of a child domain then, once the users have all been moved, you do not need to do anything with the FSMO roles. Just run DCPROMO on the DC in the child domain and select the "This is the last DC in the domain" option.
