Solved

Does Group Policy Settings replicate to a new Secondary Domain controller?

Posted on 2008-06-26
Last Modified: 2011-04-14
Hi,
I have a few questions about a secondary DC and Group Policy.
NB: Server A
            Exchange Server 2003, AD, DNS, DHCP
            File Server
      Server B (new)
            Server 2003. Will set up as secondary DC and GC

Presently Server A is operational and clients can log in OK. I however want to take some load off the one server.
I am proposing to set up a secondary DC and have clients log in to this instead of Server A. I do want to keep Group Policy settings and Folder Redirection. Is this possible, and how will it affect the Exchange client and existing user profiles?

Thanks in advance
Question by: TechGSC
15 Comments
 
Accepted Solution by: tigermatt (earned 500 total points)

Group Policy will be automatically replicated to the new server when it is promoted as a Domain Controller.

You cannot easily take load off either server because as long as both servers are in the same site, they will both be contacted to process user logons. Doing simple Active Directory actions like logons isn't too difficult a job for any server though. Even if you moved one DC to another site, you would then find the DC on the workstation's local subnet will always receive the logon requests first.

What I do suggest you do is ensure the DNS service is installed on the new DC, and perhaps configure the new DC in your DHCP scope settings to be the preferred (highest preference) DNS server for the network. That may reduce some workload from DC A.

For roaming profiles, they will still work from Server A unless you move them to Server B. Adding a new DC won't actually affect the operation of roaming profiles though.

Furthermore, Exchange will remain on Server A until it is moved to another server. Since Exchange is installed on a Domain Controller, it is ONLY going to use Server A to process Active Directory lookup requests, and Server B will not be seen by Exchange at all. This is the reason why you must keep Server A as a DC and GC at all times.

I should remind you that running the dcpromo wizard on any server with Exchange installed WILL break Exchange - do not do this to demote or promote any server whilst Exchange is still installed.

-tigermatt
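
As an added example (not code from the thread or its participants), here is a PowerShell check for what tigermatt describes: that Group Policy has reached the new DC via SYSVOL and that the new DC advertises the services it should. All names are placeholders: ServerA is the existing DC, ServerB the newly promoted one, corp.example the domain's DNS name; nltest and repadmin come from the Windows Support Tools.

```powershell
# Added example, not code from the thread. Placeholders: ServerA = existing DC, ServerB = newly
# promoted DC, corp.example = the domain's DNS name. Run as a domain admin on a domain member;
# nltest and repadmin come from the Windows Support Tools (later: AD DS tools).
$existingDc = 'ServerA'
$newDc      = 'ServerB'
$domainName = 'corp.example'

# What the new DC advertises. The Flags line from the DC locator shows DS (domain controller),
# GC (global catalog) and DNS_DC (hosts DNS) once promotion and replication have completed.
function Get-DcAdvertisedFlags {
    param([string]$Dc, [string]$Domain)
    $output = nltest /server:$Dc /dsgetdc:$Domain
    return ($output | Where-Object { $_ -match 'Flags:' }) -replace '^\s+', ''
}

# Each GPO is a Policies\{GUID} folder in SYSVOL whose gpt.ini carries the GPO version counter.
# After replication both DCs must have the same folders with the same version numbers.
function Get-SysvolPolicyVersions {
    param([string]$Dc, [string]$Domain)
    $versions   = @{}
    $policyRoot = "\\$Dc\SYSVOL\$Domain\Policies"
    Get-ChildItem $policyRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $gptIni  = Join-Path $_.FullName 'gpt.ini'
        $version = 'missing gpt.ini'
        if (Test-Path $gptIni) {
            $line = Get-Content $gptIni | Where-Object { $_ -match '^Version=' }
            if ($line) { $version = ($line -split '=')[1].Trim() }
        }
        $versions[$_.Name] = $version
    }
    return $versions
}

# Lists only the GPOs that differ; an empty result means SYSVOL is in sync for Group Policy.
function Compare-SysvolPolicies {
    param([string]$DcA, [string]$DcB, [string]$Domain)
    $a = Get-SysvolPolicyVersions -Dc $DcA -Domain $Domain
    $b = Get-SysvolPolicyVersions -Dc $DcB -Domain $Domain
    $allGuids = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
    foreach ($guid in $allGuids) {
        if ($a[$guid] -ne $b[$guid]) {
            New-Object PSObject -Property @{
                Policy = $guid
                OnA    = $(if ($a.ContainsKey($guid)) { $a[$guid] } else { 'absent' })
                OnB    = $(if ($b.ContainsKey($guid)) { $b[$guid] } else { 'absent' })
            }
        }
    }
}

Write-Host "Flags advertised by ${newDc}:"
Get-DcAdvertisedFlags -Dc $newDc -Domain $domainName

Write-Host "`nGPOs that differ between $existingDc and ${newDc} (nothing listed = in sync):"
Compare-SysvolPolicies -DcA $existingDc -DcB $newDc -Domain $domainName | Format-Table -AutoSize

# Directory (not SYSVOL) replication partners and last-sync status for the new DC.
# If something is stale, 'repadmin /syncall ServerB /APed' forces a full sync.
repadmin /showrepl $newDc
```

A folder listed as "absent" on ServerB shortly after promotion usually just means SYSVOL replication has not finished yet; re-run after a few minutes before troubleshooting. A version mismatch that persists after a forced sync is the thing to investigate, because clients will then apply different policy depending on which DC they happened to use.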
 
Expert Comment by: TheCapedPlodder
Cracking answer tigermatt.
 
Expert Comment by: tigermatt
Thanks ;-)
 

Author Comment by: TechGSC
tigermatt:

Thanks for the response.
I would also like to transfer FSMO to the secondary DC as well. If this can be done or is recommended, please let me know how.
Also I will transfer 'Shared Data' and 'My Documents' (folder redirected) to the secondary server. I am assuming I have to change the UNC path in Group Policy for folder redirection to work.
\\SecondaryDC\newshare\%username%    ?


Please let me know if there are other considerations.
 
Expert Comment by: Jay_Jay70
Sure, you can move them over. Are you looking at replacing that original DC? If so, follow my guide here; it covers everything:
http://www.block.net.au/help/replace-dc/
 
Expert Comment by: tigermatt
You can move FSMO roles as per what James has mentioned above. There's also a guide at http://www.petri.co.il/transferring_fsmo_roles.htm which you can read too. Whatever you do go and read, ensure you are reading about *transferring* the roles - anything which mentions seizing them should be disregarded in this situation.

For your other data folders, you just need to create the share and then change the shortcuts at workstations and the path in the Group Policy. At their next logon, users' data will be moved to their new redirected location.

-tigermatt
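
An added example of the transfer (as opposed to seizure) that the posts above insist on, using the .NET System.DirectoryServices.ActiveDirectory classes that PowerShell can load on a Server 2003-era domain. This is not code from the thread or from either guide it links. ServerB is a placeholder for the DC that should receive the roles; it must be run as a Domain Admin, and the two forest-wide roles additionally need Schema Admins / Enterprise Admins membership.

```powershell
# Added example, not code from the thread. Placeholder: ServerB is the DC that should receive the
# roles. Uses the System.DirectoryServices.ActiveDirectory classes that PowerShell can load on a
# Server 2003-era domain. Run as a Domain Admin; the schema and domain-naming roles additionally
# need Schema Admins / Enterprise Admins membership.
$targetDc = 'ServerB'

# Current holders of the five roles, read from the domain and forest objects.
function Get-FsmoRoleHolders {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object PSObject -Property @{
        SchemaRole         = $forest.SchemaRoleOwner.Name
        NamingRole         = $forest.NamingRoleOwner.Name
        PdcRole            = $domain.PdcRoleOwner.Name
        RidRole            = $domain.RidRoleOwner.Name
        InfrastructureRole = $domain.InfrastructureRoleOwner.Name
    }
}

# Transfer = the current holder hands the role over and the change replicates cleanly.
# The same class also has SeizeRoleOwnership(); that is the disaster-recovery path the posts
# say to disregard while the original DC is still online, so it is deliberately not called.
function Move-FsmoRolesByTransfer {
    param([string]$Dc, [string[]]$RoleNames)
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ctx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxType, $Dc
    $target  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    foreach ($name in $RoleNames) {
        $role = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$name
        if ($target.Roles -contains $role) {
            Write-Host "$Dc already holds $name"
        } else {
            $target.TransferRoleOwnership($role)
            Write-Host "Transferred $name to $Dc"
        }
    }
}

Write-Host 'Before:'
Get-FsmoRoleHolders | Format-List

# Order is arbitrary; each transfer is independent and the function can be re-run safely.
Move-FsmoRolesByTransfer -Dc $targetDc -RoleNames 'PdcRole', 'RidRole', 'InfrastructureRole', 'SchemaRole', 'NamingRole'

Write-Host 'After:'
Get-FsmoRoleHolders | Format-List
```

TransferRoleOwnership needs the current holder reachable; if it throws, restore connectivity or replication and retry rather than falling back to a seizure while Server A is still in service. The infrastructure master placement question only arises when some DCs are not global catalogs; with both servers as GCs, as planned here, either can hold it. Moving the roles does not change the point made in the accepted answer: Server A still has to stay a DC and GC while Exchange is installed on it.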
 

Author Comment by: TechGSC
Hi Guys:
I set up the secondary DC. AD is set up and GC is enabled.
However DNS seems to have not replicated. Please advise on the best way to set up DNS on the secondary DC, keeping in mind that I want users to log in to the secondary DC instead of the first.

tigermatt:
how do I "configure the new DC in your DHCP scope settings to be the preferred (highest preference) DNS server" ?

Your prompt response is appreciated as I have to implement tomorrow.
Thanks

 
Expert Comment by: Jay_Jay70
Restart the Netlogon and DNS Server services - or you can force replication in Sites and Services....

under your scope options in DHCP - you need to specify the new server as the first DNS server
 
Expert Comment by: TheCapedPlodder
Have you installed DNS and are your zones AD integrated?
 
Expert Comment by: tigermatt
TechGSC,

You need to open the DHCP console on your DHCP server and find the scope settings. Within there, you can see all your configured DNS servers. Add the IP of the new server, but then use the Up and Down buttons to move it to the top of the list, making it the DNS server with highest preference.

For DNS, you will need to ensure your zones are Active Directory-integrated zones so they replicate automatically. See http://support.microsoft.com/kb/198437
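
An added example, not the thread's own commands, of the two steps Jay_Jay70 and tigermatt describe: putting the new DC first in DHCP option 006, and making sure the zone is AD-integrated so it replicates to the new DC once DNS is installed there. It uses netsh and dnscmd, the tools of the Server 2003 era. Every name and address is a placeholder: ServerA 192.168.1.10 is the existing DC running DHCP and DNS, ServerB 192.168.1.20 the new DC, 192.168.1.0 the scope, corp.example the zone.

```powershell
# Added example, not the thread's own commands. Placeholders: ServerA 192.168.1.10 = existing
# DC that runs DHCP and DNS, ServerB 192.168.1.20 = new DC (with the DNS service installed),
# scope 192.168.1.0, zone corp.example. netsh and dnscmd are the Server 2003-era tools;
# run as a domain admin.
$dhcpServer = 'ServerA'
$scopeId    = '192.168.1.0'
$oldDcIp    = '192.168.1.10'
$newDcIp    = '192.168.1.20'
$newDc      = 'ServerB'
$zoneName   = 'corp.example'

# DHCP option 006 (DNS Servers). Clients query the addresses in the order listed, so putting
# the new DC first is what "highest preference" means; the old DC stays as the fallback.
netsh dhcp server \\$dhcpServer scope $scopeId set optionvalue 006 IPADDRESS $newDcIp $oldDcIp
netsh dhcp server \\$dhcpServer scope $scopeId show optionvalue

# A zone only reaches the new DC through AD replication if it is stored in the directory
# (AD-integrated) rather than in a zone file. dnscmd /ZoneInfo reports "DS integrated = 1".
function Test-ZoneIsAdIntegrated {
    param([string]$DnsServer, [string]$Zone)
    $info = dnscmd $DnsServer /ZoneInfo $Zone
    return [bool]($info | Where-Object { $_ -match 'DS integrated\s*=\s*1' })
}

if (-not (Test-ZoneIsAdIntegrated -DnsServer $dhcpServer -Zone $zoneName)) {
    # Convert the file-backed primary zone on the original DC into an AD-integrated one.
    dnscmd $dhcpServer /ZoneResetType $zoneName /DsPrimary
}

# Once it has replicated, the new DC lists the zone. Then have the new DC (re)register its
# own DC SRV records and confirm a client can locate a DC by asking the new server.
dnscmd $newDc /EnumZones
nltest /server:$newDc /dsregdns
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$zoneName" $newDc
```

If the final nslookup against ServerB returns no SRV records, the zone has not replicated yet or the new DC's Netlogon service has not registered; restarting Netlogon on ServerB, as Jay_Jay70 suggests, triggers the registration. Until that query succeeds, leaving the old DC second in option 006 keeps name resolution working for clients.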
 

Author Comment by: TechGSC
tigermatt:
I was able to do everything as planned with your help. One last question which might be quite simple but I don't know. How can you know/verify that users are logging into the secondary domain and not the PDC?
 
Expert Comment by: tigermatt
You cannot control which server the users are logging into, except perhaps to a certain extent through Active Directory Sites and Services. However, you can find out which server a client used for processing their login by opening a command prompt and typing the SET command. Look for the LOGONSERVER variable.

-tigermatt
 

Author Comment by: TechGSC
ok
How would I control (to an extent) which server the user logs into using 'Active Directory Sites and Services'?

thanks
 
Expert Comment by: tigermatt
You'd have to open Active Directory Sites and Services, create a new Site, then move the existing server into that site. The complicated part is that the server in the other site must be on a different IP subnet to the server in the local site and all the workstations, which means you are going to need a lot of additional network hardware to achieve this.

There shouldn't be any requirement to control which server is used for logons - Active Directory manages this itself, automatically.

-tigermatt
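
An added example covering tigermatt's last two answers: how to see which DC handled a logon (the LOGONSERVER variable that `set` shows) and how the subnet-to-site mapping in Sites and Services decides which DCs a client prefers. It is not code from the thread; it assumes a domain-joined workstation with nltest from the Support Tools, and corp.example is a placeholder domain name.

```powershell
# Added example, not code from the thread. Run on a domain-joined workstation as an ordinary
# user; nltest comes from the Windows Support Tools. Placeholder: corp.example is the domain.
$domainName = 'corp.example'

# LOGONSERVER is set at logon to the DC that authenticated the session (what 'set' shows).
# nltest /dsgetdc asks the DC locator which DC it would pick right now, and /dsgetsite
# reports the site this client has been placed in based on its IP address.
function Get-LogonServerReport {
    param([string]$Domain)
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''
    $dcLine = (nltest /dsgetdc:$Domain | Where-Object { $_ -match '^\s*DC:' }) -replace '^\s*DC:\s*\\\\', ''
    $site   = @(nltest /dsgetsite | Where-Object { $_ -and $_ -notmatch 'completed' })
    New-Object PSObject -Property @{
        LogonServer = $logonServer
        LocatorDC   = "$dcLine".Trim()
        ClientSite  = "$site".Trim()
    }
}

# The mechanism tigermatt refers to: every subnet object in Sites and Services belongs to one
# site, a client's IP maps it to a site, and DCs in that site are preferred for logons. With
# one subnet and one site, both DCs are equally eligible and the choice is not controllable.
function Get-SiteSubnetMap {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        $dcs     = ($site.Servers | ForEach-Object { $_.Name }) -join ', '
        $subnets = @($site.Subnets | ForEach-Object { $_.Name })
        if ($subnets.Count -eq 0) { $subnets = @('(no subnet linked)') }
        foreach ($subnet in $subnets) {
            New-Object PSObject -Property @{ Site = $site.Name; Subnet = $subnet; DCs = $dcs }
        }
    }
}

Get-LogonServerReport -Domain $domainName | Format-List
Get-SiteSubnetMap | Format-Table Site, Subnet, DCs -AutoSize
```

LogonServer and LocatorDC can legitimately differ: the first is fixed for the life of the session, the second is re-evaluated each time the locator runs. To answer the original question across the whole fleet rather than one machine, the first function can be run from a logon script that appends its output to a central share; a roughly even split between the two DCs is what you would expect with a single site.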
 

Author Closing Comment by: TechGSC
Thanks for the assistance. It was really helpful.
Cheers
