
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 876

Setting up Backup Domain Controller

we have only one DC in a small org.

we need to provide redundancy & load balancing and would like to implement a second server to act as the backup DC. However, the question would be for the FSMO roles. Rather than a manual transfer if primary DC goes down - Can the FSMO roles be made redundant?

if so what are the ways?
if not - would server clustering be an option for domain controllers.?

1 Solution
You cannot have redundant FSMO roles - by definition they are Single Operation Masters. That said, the domain can operate quite effectively for a considerable time if these roles are not available. Clustering I suppose is an option but would be very expensive and I doubt it is really necessary in your case.

The procedure for adding a second Domain Controller (note a second domain controller, NOT a BDC - BDCs ceased to exist with the demise of Windows NT) is as follows:

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network
Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the ‘R2’ version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing Domain Controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.

From the command line, promote the new machine to a domain controller with the DCPROMO command and select ‘Additional Domain Controller in an existing Domain’.

Install DNS on the new DC. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will have replicated to the new domain controller along with Active Directory.

Once Active Directory is installed, to make the new machine a global catalog server go to Administrative Tools, Active Directory Sites and Services, and expand Sites, Default first site and Servers. Right-click the new server, select Properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

If you are using DHCP you should spread this across the domain controllers. In a simple single domain this is easiest done by setting up DHCP on the second Domain Controller and using a scope on the same network that does not overlap with the existing scope on the other Domain Controller. Don’t forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to one domain controller and the Alternate DNS to the other; that way, if one of the DNS Servers fails, the clients will automatically use the other.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and DHCP, and the domain could function for quite a while at least should any one of them fail.

However, for a fully robust system you need to be aware that the first domain controller that existed will by default hold what are called FSMO Roles. There are five of these roles; they are held on a single server and are essential for the functioning of the network. If the second Domain Controller fails, then no problem, as the FSMO roles are on the first Domain Controller. However, if you intend to function with the second Domain Controller only, then the roles need to be moved to the second Domain Controller. Ideally, if this is a planned event you should cleanly transfer the FSMO roles; if it is an unplanned ‘emergency’ the FSMO roles can be seized (see http://support.microsoft.com/kb/255504).
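The checks the answer above asks for (both DCs are global catalogs, where the five FSMO roles sit, and each DC's preferred/alternate DNS pointing at the two DCs), as an added verification script that is not part of the original answer. It assumes the RSAT ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 or later); the thread itself is about Windows Server 2003, where the same information comes from dcdiag, netdom query fsmo and ipconfig /all.

```powershell
# Added example: post-promotion health check for a two-DC domain.
# Assumes the ActiveDirectory and DnsClient modules are available (RSAT / Server 2012+).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# 1. Every DC should be a global catalog: logon needs a GC to resolve
#    universal group membership, so the second DC must not be left without it.
foreach ($dc in $dcs) {
    $gc = if ($dc.IsGlobalCatalog) { 'GC' } else { 'NOT a GC - enable it in Sites and Services' }
    Write-Host ("{0,-24} {1}" -f $dc.HostName, $gc)
}

# 2. Show which DC holds each of the five FSMO roles. By default all five stay on the
#    first DC; a planned transfer is needed before that DC is taken out of service.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
} | Format-List

# 3. Each DC's own DNS client list should contain both DCs (one preferred, one alternate),
#    so name resolution, and therefore logon, survives the loss of either server.
$dcIps = $dcs | ForEach-Object { $_.IPv4Address }
foreach ($dc in $dcs) {
    $servers = (Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses }).ServerAddresses
    $missing = $dcIps | Where-Object { $servers -notcontains $_ }
    if ($missing) {
        Write-Warning ("{0}: DNS client list [{1}] does not include DC address(es) {2}" -f
            $dc.HostName, ($servers -join ', '), ($missing -join ', '))
    } else {
        Write-Host ("{0}: DNS client list OK [{1}]" -f $dc.HostName, ($servers -join ', '))
    }
}
```

Run it from either DC with a domain admin account; the warning in step 3 is the usual finding when a DC still points only at itself (or only at the other DC) for DNS.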

In Active Directory Windows 200x there is no real difference between DCs and therefore the idea of PDC and BDC is gone in theory. You are right that there are some FSMO roles that can only be hosted on one DC at a time. The neat thing is that if the DC holding these roles goes offline you can seize the FSMO roles so they are available on another DC that is functioning.

The main thing to remember is that you should enable the second DC as a global catalog and DNS server and specify your clients' and servers' DNS settings to use one DC as the primary DNS and the other as secondary.

rdvarghese (Author) commented:

I did read your same exact words on another post, but thank you for the information on FSMO. Is it possible to have more than one global catalog?

Yes - indeed it's best to have at least two - and one per site as a minimum.
rdvarghese (Author) commented:
Still trying to clarify the FSMO deal.
For example,
if you have two separate domains in an org. and 10 clients in domain_A and 90 clients in domain_B. If I move the 10 clients to domain_B (assuming both global catalog), and have all users authenticate to one domain - for shutting down the second domain, does the FSMO matter? Does FSMO need to be transferred to a domain that is completely different?
If you have two separate domains then it's a bit different.
Some FSMO roles are only held in the forest root - one per forest - these are
Schema master
Domain Naming Master

Each domain has its own
RID master
Infrastructure Master
PDC Emulator

You cannot transfer the Forest FSMO roles out of the forest root
You cannot transfer domain roles across forests
... that last one should say
You cannot transfer domain FSMO roles across DOMAINS

Basically, FSMO roles can only be transferred to another DC in the same domain.
If you are getting rid of a child domain then once the users have all been moved you do not need to do anything with the FSMO roles. Just run DCPROMO on the DC in the child domain and select the "This is the last DC in the domain" option.
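The transfer rules the answer above spells out (domain roles move only within their domain; the two forest roles live only on a forest-root DC), as an added script that is not part of the original answer. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, newer than the Windows 2003 tooling in the thread), and $TargetDc is a placeholder hostname for the DC that should end up holding the roles.

```powershell
# Added example: planned (clean) transfer of FSMO roles to another DC, refusing any
# request the answer above says cannot work. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$TargetDc = 'DC02'   # hypothetical hostname of the DC that should take over the roles

$target = Get-ADDomainController -Identity $TargetDc
$forest = Get-ADForest

$forestRoles = 'SchemaMaster', 'DomainNamingMaster'                 # one per forest
$domainRoles = 'RIDMaster', 'InfrastructureMaster', 'PDCEmulator'   # one per domain

# Domain roles can only move to a DC in the same domain, never across domains or forests;
# the cmdlet is always scoped to the target's own domain, so that rule is honoured here.
$roles = @($domainRoles)
if ($target.Domain -eq $forest.RootDomain) {
    $roles += $forestRoles   # forest roles may only live in the forest root domain
} else {
    Write-Warning "$TargetDc is in $($target.Domain), not the forest root; forest roles stay where they are."
}

# A transfer asks the current holder to hand over the role (needs it online). Seizing (-Force)
# is the unplanned-emergency path from KB 255504 and should only follow a permanent loss
# of the old holder, which must then never be brought back onto the network.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

# Verify from the directory itself rather than trusting the cmdlet's silence.
$d = Get-ADDomain -Identity $target.Domain
$f = Get-ADForest
[pscustomobject]@{
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    PDCEmulator          = $d.PDCEmulator
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
} | Format-List
```

For the "last DC in a child domain" case in the answer above no transfer is needed at all: demoting that DC removes the domain, and its three domain roles go with it.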
