Solved

highly available domain controllers

Posted on 2009-05-16
4
366 Views
Last Modified: 2012-05-07
I have 1 server that is the main domain controller.  I have a 2nd server that I ran dcpromo on to replicate the existing domain controller.  I also made this server a global catalog.   Now I am reading about FSMO roles and a little unsure on how I can make my domain function if my main server were to go down.  I see I can seize them or transfer.  How would one seize if the main server was completely down?  Can both server have the FSMO roles?  If so how is this done?
0
Comment
Question by:jcs1977
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24404694
If your first DC went down and you could not recover it and it was totally dead you can seize the roles
http://support.microsoft.com/kb/255504
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
There are two forest wide FSMO roles (schema and domain naming master) and three domain wide fsmo roles (PDC emulator, RID Master, and Infrastructure Master)
You can split the roles between DCs but you can't have the same FSMO role on two servers simultaneously.
So what happens if your main server went down due to a hardware issue and you are watiing a day or so for a part.  In that case you probably don't need to seize the roles right away.   Brian Puhl (on the Microsoft AD team) has a really good blog entry on that here
http://blogs.technet.com/bpuhl/archive/2005/12/07/415761.aspx
What to do with FSMO roles
One thing you didn't mention, how is DNS setup on your network?
Thanks
Mike
0
 

Author Comment

by:jcs1977
ID: 24404720
Thanks for the reply.

As for DNS I have a watchguard firewall and in there I have the IP for the domain controller server and a DNS IP gave to me by my IP provider.  I havent done anything wiith the DNS on DC 2

I think what I need to configure is Universal Group Membership Caching but still trying to find setting.  It is not a big deal if my DC goes down but it is if my users cannot login to their PC's to access the internet.  Am I correct?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24405186
Ok so your DNS is not Windows DNS, the reason I ask is because if it was and your DC1 went down then something would have to carry the DNS duties but your firewall is doing that.
As for Universal group caching...you don't need it since both your DCs are global catalogs.  Making them both GCs is the best practice.  Actually its good to always make your DCs GCs (see bullet 1 in the blog below)
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
 
For reference the setting is located in sites and services
  • Expand the Sites container, expand the name of the site
  • Right-click on NTDS Site Settings, select Properties
  • Select the checkbox Enable Universal Group Membership Caching
  • See screenshot
Thanks
Mike

UniversalGroupCaching.jpg
0
 

Author Comment

by:jcs1977
ID: 24406016
Thank you for your help!!  Off to work to go to test logging in when the main global catalog is powered off.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question