Solved

highly available domain controllers

Posted on 2009-05-16
362 Views
Last Modified: 2012-05-07
I have 1 server that is the main domain controller. I have a 2nd server that I ran dcpromo on to replicate the existing domain controller. I also made this server a global catalog. Now I am reading about FSMO roles and am a little unsure how I can make my domain function if my main server were to go down. I see I can seize them or transfer them. How would one seize if the main server was completely down? Can both servers have the FSMO roles? If so, how is this done?
Question by:jcs1977

Expert Comment

by:Mike Kline
ID: 24404694
If your first DC went down and you could not recover it and it was totally dead, you can seize the roles:
http://support.microsoft.com/kb/255504
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
There are two forest-wide FSMO roles (Schema Master and Domain Naming Master) and three domain-wide FSMO roles (PDC Emulator, RID Master, and Infrastructure Master).
You can split the roles between DCs, but you can't have the same FSMO role on two servers simultaneously.
So what happens if your main server went down due to a hardware issue and you are waiting a day or so for a part? In that case you probably don't need to seize the roles right away. Brian Puhl (on the Microsoft AD team) has a really good blog entry on that here:
http://blogs.technet.com/bpuhl/archive/2005/12/07/415761.aspx
What to do with FSMO roles
One thing you didn't mention: how is DNS set up on your network?
Thanks
Mike

Author Comment

by:jcs1977
ID: 24404720
Thanks for the reply.

As for DNS, I have a WatchGuard firewall, and in there I have the IP for the domain controller server and a DNS IP given to me by my IP provider. I haven't done anything with the DNS on DC 2.

I think what I need to configure is Universal Group Membership Caching, but I'm still trying to find the setting. It is not a big deal if my DC goes down, but it is if my users cannot log in to their PCs to access the internet. Am I correct?

Accepted Solution

by: Mike Kline (earned 500 total points)
ID: 24405186
OK, so your DNS is not Windows DNS. The reason I ask is that if it were and your DC1 went down, something would have to carry the DNS duties; but your firewall is doing that.
As for Universal Group Membership Caching... you don't need it, since both your DCs are global catalogs. Making them both GCs is the best practice. Actually, it's good to always make your DCs GCs (see bullet 1 in the blog below).
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
For reference, the setting is located in Sites and Services:
  • Expand the Sites container, expand the name of the site
  • Right-click on NTDS Site Settings, select Properties
  • Select the checkbox Enable Universal Group Membership Caching
  • See screenshot
Thanks
Mike

UniversalGroupCaching.jpg
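As an added example (not part of the original thread or of Mike's answer), the following PowerShell script reports which DC currently holds each of the five FSMO roles discussed in the first answer, whether that holder answers on the network, and whether every DC is a global catalog as the accepted answer recommends. It assumes the ActiveDirectory RSAT module is installed and that it runs under a domain account that can read AD; it only reads and never transfers or seizes a role.

```powershell
# Added example: FSMO role-holder and global-catalog health report.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# Read-only: nothing here moves or seizes a role.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Two forest-wide roles come from Get-ADForest, three domain-wide roles
# from Get-ADDomain. A role has exactly one holder at any time.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # One ICMP probe is a coarse liveness check: a DC that answers ping may
    # still be unable to service the role, and a DC that is merely off for a
    # day (the "waiting for a part" case) is not a reason to seize anything.
    $online = Test-Connection -ComputerName $holder -Count 1 -Quiet `
                              -ErrorAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Holder = $holder; Online = $online }
}

Write-Host "FSMO role holders:"
$report | Format-Table -AutoSize

$down = $report | Where-Object { -not $_.Online }
if ($down) {
    Write-Warning ("Unreachable role holder(s): " +
        (($down | ForEach-Object { "$($_.Role) on $($_.Holder)" }) -join '; ') +
        ". Investigate before considering a seizure; seize only if the holder is permanently gone.")
}

# Every DC should be a GC (accepted answer, bullet 1 of the linked blog);
# flag any that is not so the second DC can still serve logons on its own.
Write-Host "Domain controllers and global-catalog status:"
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
    Format-Table -AutoSize

$nonGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false }
if ($nonGc) {
    Write-Warning ("DCs that are not global catalogs: " +
        (($nonGc | ForEach-Object { $_.HostName }) -join ', '))
}
```

Run it from an elevated PowerShell session on a domain member; the same role-holder list can be cross-checked with `netdom query fsmo`.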
Author Comment

by:jcs1977
ID: 24406016
Thank you for your help!! Off to work to go to test logging in when the main global catalog is powered off.