Does Group Policy Settings replicate to a new Secondary Domain controller?

Posted on 2008-06-26
Last Modified: 2011-04-14
Hi,
I have a few questions about a secondary DC and Group Policy.
NB: Server A
            Exchange Server 2003, AD, DNS, DHCP
            File Server
      Server B (new)
            Server 2003. Will set up as secondary DC and GC

Presently Server A is operational and clients can log in OK. I however want to take some load off the one server.
I am proposing to set up a secondary DC and have clients log in to this instead of Server A. I do want to keep Group Policy settings and Folder Redirection. Is this possible and how will it affect Exchange clients and existing user profiles?

Thanks in advance
Question by:TechGSC
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 21878439
Group Policy will be automatically replicated to the new server when it is promoted as a Domain Controller.

You cannot easily take load off either server because as long as both servers are in the same site, they will both be contacted to process user logons. Doing simple Active Directory actions like logons isn't a too difficult job for any server though. Even if you moved one DC to another site, you would then find the DC on the workstation's local subnet will always receive the logon requests first.

What I do suggest you do is ensure the DNS service is installed to the new DC, and perhaps configure the new DC in your DHCP scope settings to be the preferred (highest preference) DNS server for the network. That may reduce some workload from DC A.

For roaming profiles, they will still work from Server A unless you move them to Server B. Adding a new DC won't actually affect the operation of roaming profiles though.

Furthermore, Exchange will remain on Server A until it is moved to another server. Since Exchange is installed on a Domain Controller, it is ONLY going to use Server A to process Active Directory lookup requests, and Server B will not be seen by Exchange at all. This is the reason why you must keep Server A as a DC and GC at all times.

I should remind you that running the dcpromo wizard on any server with Exchange installed WILL break Exchange - do not do this to demote or promote any server whilst Exchange is still installed.

-tigermatt
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21878471
Cracking answer tigermatt.
LVL 58

Expert Comment

by:tigermatt
ID: 21878479
Thanks ;-)

Author Comment

by:TechGSC
ID: 21879940
tigermatt:

Thanks for the response.
I would also like to transfer FSMO to the secondary DC as well. If this can be done or is recommended, please let me know how.
Also I will transfer 'Shared Data' and 'My Documents' (folder redirected) to the secondary server. I am assuming I have to change the UNC path in Group Policy for folder redirection to work.
\\SecondaryDC\newshare\%username%    ?


Please let me know if there are other considerations.
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21879992
Sure you can move them over - are you looking at replacing that original DC? If so, follow my guide here; it covers everything:
http://www.block.net.au/help/replace-dc/
LVL 58

Expert Comment

by:tigermatt
ID: 21881384
You can move FSMO roles as per what James has mentioned above. There's also a guide at http://www.petri.co.il/transferring_fsmo_roles.htm which you can read too. Whatever you do go and read, ensure you are reading about *transferring* the roles - anything which mentions seizing them should be disregarded in this situation.

For your other data folders, you just need to create the share and then change the shortcuts at workstations and the path in the Group Policy. At their next logon, users' data will be moved to their new redirected location.

-tigermatt
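Added example, not part of the thread or of either guide linked above: the same role transfer done with the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, where the thread's Server 2003 would use ntdsutil or the MMC snap-ins), with a before/after check. The server name is a constructed placeholder, and the comments explain why `-Force` (a seizure) is deliberately left out.

```powershell
# Added example: list the current FSMO role holders, transfer all five to the
# new secondary DC, and verify the result. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$NewDc = 'SERVERB'   # constructed placeholder for the new secondary DC

function Get-FsmoHolders {
    # Forest-wide roles hang off the forest object, domain roles off the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'; Get-FsmoHolders | Format-List

# Transfer = a graceful handover negotiated with the current holder, which is what
# the thread recommends. Do NOT add -Force: that turns the call into a seizure, which
# is only appropriate when the old holder is permanently gone. Note that holding the
# Infrastructure Master on a GC is only safe when every DC is a GC, which per the
# thread is the case here (Server A is a GC and Server B is being made one).
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

'After:'; $after = Get-FsmoHolders; $after | Format-List

# Verification: every role should now name the new DC by its FQDN.
$fqdn = (Get-ADDomainController -Identity $NewDc).HostName
$notMoved = $after.PSObject.Properties | Where-Object { $_.Value -ne $fqdn }
if ($notMoved) {
    Write-Warning ('Roles still held elsewhere: ' + ($notMoved.Name -join ', '))
} else {
    Write-Host "All five FSMO roles are now held by $fqdn"
}
```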

Author Comment

by:TechGSC
ID: 21888231
Hi Guys:
I set up the secondary DC. AD is set up and GC is enabled.
However DNS seems to have not replicated. Please advise on the best way to set up DNS on the secondary DC, keeping in mind that I want users to log in to the secondary DC instead of the first.

tigermatt:
how do I "configure the new DC in your DHCP scope settings to be the preferred (highest preference) DNS server" ?

Your prompt response is appreciated as I have to implement tomorrow.
Thanks
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21889719
Restart the Netlogon and DNS Server services - or you can force replication in Sites and Services....

under your scope options in DHCP - you need to specify the new server as the first DNS server
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21889893
Have you installed DNS and are your zones AD integrated?
LVL 58

Expert Comment

by:tigermatt
ID: 21890114
TechGSC,

You need to open the DHCP console on your DHCP server and find the scope settings. Within there, you can see all your configured DNS servers; add the IP of the new server, but then use the Up and Down buttons to move it to the top of the list, making it the DNS server with highest preference.

For DNS, you will need to ensure your zones are Active Directory-integrated zones so they replicate automatically. See http://support.microsoft.com/kb/198437
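Added example, not from the thread: the two checks tigermatt describes (are the zones AD-integrated, and is the new DC first in the scope's DNS server list) done with the DnsServer and DhcpServer modules of Windows Server 2012 or later instead of the Server 2003 consoles. Server names, the scope and the addresses are constructed placeholders.

```powershell
# Added example: confirm DNS zones replicate through AD and put the new DC first in
# DHCP option 006 for the workstation scope. Assumes the DnsServer/DhcpServer modules.
Import-Module DnsServer, DhcpServer

$OldDc   = 'SERVERA'       # existing DC, also the DNS and DHCP server per the thread
$OldDcIp = '192.0.2.10'    # constructed TEST-NET-1 addresses
$NewDcIp = '192.0.2.20'    # new secondary DC
$ScopeId = '192.0.2.0'     # DHCP scope serving the workstations

# 1. A file-backed primary zone does not replicate through AD at all; only
#    AD-integrated zones appear on the new DC by themselves once DNS is installed there.
$zones = Get-DnsServerZone -ComputerName $OldDc |
         Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
foreach ($z in $zones) {
    if ($z.IsDsIntegrated) {
        '{0,-30} AD-integrated, replication scope: {1}' -f $z.ZoneName, $z.ReplicationScope
    } else {
        Write-Warning ('{0} is a file-backed primary zone and will not replicate via AD' -f $z.ZoneName)
    }
}

# 2. Read the scope's current DNS server list (option 006), then rewrite it with the
#    new DC first. Clients use the servers in the order given, so position matters.
$current = (Get-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $ScopeId -OptionId 6).Value
"Current option 006 order: $($current -join ', ')"

# Set-DhcpServerv4OptionValue validates that each address answers as a DNS server,
# so DNS must already be installed and running on the new DC before this step.
Set-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $ScopeId -DnsServer $NewDcIp, $OldDcIp

$updated = (Get-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $ScopeId -OptionId 6).Value
"Updated option 006 order: $($updated -join ', ')"
if ($updated[0] -ne $NewDcIp) { throw "New DC is not first in the scope's DNS server list" }
```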

Author Comment

by:TechGSC
ID: 21902839
tigermatt:
   I was able to do everything as planned with your help. One last question which might be quite simple but I don't know. How can you know/verify that users are logging into the secondary domain and not the PDC?
LVL 58

Expert Comment

by:tigermatt
ID: 21902862
You cannot control which server the users are logging into, except perhaps to a certain extent through Active Directory Sites and Services. However, you can find out which server a client used for processing their login by opening a command prompt and typing the SET command. Look for the LOGONSERVER variable.

-tigermatt
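Added example, not from the thread: collecting the LOGONSERVER value tigermatt points to from several workstations at once, next to the DC the locator would hand out right now, to see how logons are spread across the two DCs. Workstation names and the domain name are constructed placeholders, and PowerShell Remoting to the workstations is assumed.

```powershell
# Added example: report, per workstation, the DC that validated the logon (LOGONSERVER)
# and the DC the locator currently prefers (nltest /dsgetdc). Assumes PowerShell
# Remoting is enabled; nltest ships with Windows.
$Workstations = 'WS01', 'WS02', 'WS03'   # constructed placeholders
$Domain       = 'corp.example'           # constructed placeholder

$results = Invoke-Command -ComputerName $Workstations -ErrorAction SilentlyContinue -ScriptBlock {
    # LOGONSERVER is set per logon session. Inside a remoting session it names the
    # DC that authenticated the remote connection; to capture the user's own console
    # logon instead, run these same lines from a logon script under the user's session.
    $logon = $env:LOGONSERVER -replace '^\\\\', ''

    # nltest prints a line of the form "   DC: \\SERVERB.corp.example" naming the DC
    # the locator would pick at this moment.
    $dcLine  = (nltest /dsgetdc:$using:Domain 2>$null | Select-String '^\s*DC:').Line
    $located = if ($dcLine) { ($dcLine -split '\\\\')[-1].Trim() } else { 'unknown' }

    [pscustomobject]@{
        Workstation = $env:COMPUTERNAME
        LogonServer = $logon
        LocatedDC   = $located
    }
}

$results | Select-Object Workstation, LogonServer, LocatedDC | Format-Table -AutoSize

# Summary per DC. Everything landing on one DC is normal inside a single AD site:
# the locator picks from the DNS SRV records, not from an administrator's preference.
$results | Group-Object LogonServer | ForEach-Object {
    '{0,-25} {1} workstation(s)' -f $_.Name, $_.Count
}
```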

Author Comment

by:TechGSC
ID: 21903493
ok
How would I control (to an extent) which server the user logs into using 'Active Directory Sites and Services'?

thanks
LVL 58

Expert Comment

by:tigermatt
ID: 21905346
You'd have to open Active Directory Sites and Services, create a new Site, then move the existing server into that site. The complicated part is that the server in the other site must be on a different IP subnet to the server in the local site and all the workstations, which means you are going to need a lot of additional network hardware to achieve this.

There shouldn't be any requirement to control which server is used for logons - Active Directory manages this itself, automatically.

-tigermatt

Author Closing Comment

by:TechGSC
ID: 31471158
Thanks for the assistance. It was really helpful.
Cheers