Adding secondary Domain Controller

Posted on 2008-10-29
Last Modified: 2010-04-18
I understand there is no PDC / BDC since NT4.
I want to add a secondary DC for backup and redundancy. The current DC is a live webserver; AD users are used for all MS FTP accounts and it is integrated with our CMS system. Within the subnet of the server we have 2 other Win03 SP2 servers, one web server and another database server. I would like to use one of these as the secondary DC. I understand the DCPROMO process for adding a secondary DC when setting up a new server. Both the servers I have mentioned are already in use with local user accounts. Will these be removed if I run DCPROMO?
Can you advise the best process for promoting an already in-use server to a secondary DC?
Question by:eonic
LVL 70

Expert Comment

by:KCTS
ID: 22830094


Join the new machine to the existing domain as a member server (you may have already done this)

If the new Windows 2003 server is the R2 version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.
You need to run

adprep /forestprep
and
adprep /domainprep

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select "Additional Domain Controller in an existing Domain".

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

LVL 58

Expert Comment

by:tigermatt
ID: 22830098

If you promote a server with local user accounts as an Additional Domain Controller, those user accounts will be lost - there is no concept of local user accounts on Domain Controllers.

Your only option in this case would be to (somehow) export and re-import the accounts into the domain. That is the best place for them anyway, for SSO purposes, security and to prevent inconvenience during times like this.

-tigermatt
LVL 1

Author Comment

by:eonic
ID: 22830255
If the local user accounts would be removed in place of the AD accounts this will not work for me. We also use Helm and other apps which use these local user accounts. Removing these accounts would be catastrophic.
We also have a Win03 SP1 server in a totally different datacentre.
Can I use a server not within the same LAN as a secondary DC?
Can I use an SP1 server as a secondary DC and what is the promotion process? DCPROMO will not work!
LVL 58

Accepted Solution

by:
tigermatt earned 125 total points
ID: 22830285

Yes, you can use a server on another LAN as an additional domain controller; the only point to remember is the two DCs must be able to communicate with each other.

KCTS has posted the procedure for promoting it, and I've posted one below too. Dcpromo should work; it should be a case of simply going to Start, Run, typing dcpromo and pressing OK. If it does not open up, I would check to see the version of the server you are running isn't Windows Server 2003 Web Edition (that server OS cannot be promoted as a Domain Controller).

-Matt

--

Install Windows Server 2003 onto the new server which is intended to be promoted as a Domain Controller. Ensure the new server is assigned a routable static IP address on your IP subnet. Ensure the IP address is not included in any of your existing DHCP scopes. The only DNS server entry at this stage should be the IP address of the existing domain controller on your network.

After installation, join the new machine to the existing domain as a member server. This procedure is exactly the same as joining a workstation to the domain.

Promote the new server as a Domain Controller for the domain. Enter dcpromo at a command prompt and follow the wizard. When prompted, select the option for an additional domain controller in an existing domain. After the wizard completes, the new server will be acting as a Domain Controller for your domain. It is necessary at this point to restart the server for these changes to be applied.

In a single-domain Active Directory forest, all servers should also be Global Catalog servers. The Global Catalog is a required component of Active Directory which is used during logins to establish universal group membership for a user account. To promote the new server as a Global Catalog, open Active Directory Sites and Services from the Administrative Tools container within Control Panel or on the Start Menu. Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox. Restart the new Domain Controller for changes to take effect.

DNS is a critical component of your Active Directory network. The easiest way to install the DNS role onto the new server is to follow the instructions outlined at http://support.microsoft.com/kb/814591. You should already be using Active Directory-integrated DNS zones, which is the easiest method of allowing DNS replication to occur - DNS information is stored in Active Directory and replicates with Domain Controller replication traffic. To check if your DNS zones are AD-integrated (and convert them if not), please follow http://support.microsoft.com/kb/227844.

You probably want to enable DNS forwarding in the DNS console on the server, too. This forwards lookups for external domains to a DNS server at your ISP, which allows the server to effectively resolve DNS for external domains. More information on forwarders can be found at http://technet2.microsoft.com/WindowsServer/en/Library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx.

-tigermatt
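The promotion procedure above (both KCTS's and tigermatt's versions) has two points worth checking from the command line: what local accounts a member server will lose when it becomes a DC, and whether the new DC is actually advertising, holding the Global Catalog, replicating and serving DNS once the restart is done. This batch script is an added example, not code from either expert; it assumes the Windows Server 2003 Support Tools (dcdiag, repadmin, dsquery, nltest, dnscmd) are installed from \SUPPORT\TOOLS on the 2003 CD, and the domain name is a placeholder.

```batch
@echo off
rem Added example (not from the thread). Run "dcheck.cmd pre" on the member
rem server BEFORE dcpromo to record the local accounts that will disappear,
rem and "dcheck.cmd" with no argument on the new DC AFTER the post-dcpromo restart.
setlocal
set DOMAIN=corp.example.com
set NEWDC=%COMPUTERNAME%

if /I "%1"=="pre" goto PRE

echo === Edition check: Web Edition cannot be promoted to a DC
systeminfo | findstr /B /C:"OS Name"

echo === Is this server advertising itself as a DC and as a Global Catalog?
dcdiag /s:%NEWDC% /test:advertising
nltest /dsgetdc:%DOMAIN% /gc

echo === Which DCs in the domain hold the Global Catalog?
dsquery server -domain %DOMAIN% -isgc

echo === Replication with the existing DC (/replsummary needs SP1 or later)
repadmin /replsummary
dcdiag /s:%NEWDC% /test:replications

echo === DNS: SRV records clients use to locate a DC, and the DNS servers this box uses
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
ipconfig /all | findstr /C:"DNS Servers"

echo === DNS zones on this server (AD-integrated zones replicate with AD)
dnscmd %NEWDC% /enumzones
goto :EOF

:PRE
echo === Local user accounts on this member server; these are lost on promotion
net user
echo === Local groups; their membership is lost on promotion as well
net localgroup
endlocal
```

Save the output of the `pre` run somewhere off the server, since it is the only record of the local accounts once the promotion has happened.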