Solved

highly available domain controllers

Posted on 2009-05-16
356 Views
Last Modified: 2012-05-07
I have 1 server that is the main domain controller.  I have a 2nd server that I ran dcpromo on to replicate the existing domain controller.  I also made this server a global catalog.   Now I am reading about FSMO roles and am a little unsure how I can make my domain function if my main server were to go down.  I see I can seize them or transfer them.  How would one seize if the main server were completely down?  Can both servers have the FSMO roles?  If so, how is this done?
Question by:jcs1977
4 Comments

Expert Comment

by:Mike Kline
ID: 24404694
If your first DC went down, you could not recover it, and it was totally dead, you can seize the roles:
http://support.microsoft.com/kb/255504
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
There are two forest-wide FSMO roles (schema master and domain naming master) and three domain-wide FSMO roles (PDC emulator, RID master, and infrastructure master).
You can split the roles between DCs, but you can't have the same FSMO role on two servers simultaneously.
So what happens if your main server went down due to a hardware issue and you are waiting a day or so for a part?  In that case you probably don't need to seize the roles right away.   Brian Puhl (on the Microsoft AD team) has a really good blog entry on that here:
http://blogs.technet.com/bpuhl/archive/2005/12/07/415761.aspx
What to do with FSMO roles
One thing you didn't mention: how is DNS set up on your network?
Thanks
Mike
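Editor's added example (not part of Mike's comment or the KB article): a PowerShell script that shows the practical side of the answer above, listing which DC holds each of the five FSMO roles and whether each DC is a GC, then transferring the roles while the old holder is still up, or seizing them when it is permanently dead. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and later, so a 2008 RTM DC from the 2009 thread would use the ntdsutil sequence in the comments instead), an elevated prompt with Domain Admin rights (Enterprise and Schema Admin rights for the two forest-wide roles), and placeholder DC names DC1 and DC2. The seizure helper refuses to seize from a holder that still answers a ping, because a reachable holder should be transferred, and a seized holder must never be brought back online without being rebuilt, since two DCs would then claim the same role.

```powershell
# Added example, not from the original thread or from Microsoft's KB 255504.
# Assumes: ActiveDirectory module (Server 2008 R2+), elevated prompt, Domain Admin
# (plus Enterprise/Schema Admin for the forest roles). DC1/DC2 are placeholders.
Import-Module ActiveDirectory

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoInventory {
    # Two forest-wide roles live on the forest object, three domain-wide roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
        GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
    }
}

# Who holds what, and is every DC a GC?
Get-FsmoInventory | Format-List
Get-ADDomainController -Filter * |
    Select-Object HostName, IsGlobalCatalog,
        @{ Name = 'Roles'; Expression = { $_.OperationMasterRoles -join ',' } }

# Planned move while DC1 is still reachable: a transfer. The old holder is told it lost
# the role, so the roles can be moved back later without any cleanup.
# Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole $AllRoles -Confirm:$false

function Invoke-FsmoSeizure {
    # DC1 is permanently dead: seize. -Force makes the cmdlet fall back to a seizure when
    # the current holder cannot be contacted. Never bring the old holder back online
    # afterwards without demoting or rebuilding it: the same role on two DCs is not allowed.
    param(
        [Parameter(Mandatory)] [string]   $TargetDC,
        [string[]]                        $Roles = $AllRoles
    )
    $inv = Get-FsmoInventory
    foreach ($r in $Roles) {
        $holder = $inv.$r
        if ($holder -and (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            throw "$holder still responds; transfer $r instead of seizing it."
        }
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Force -Confirm:$false
}

# Invoke-FsmoSeizure -TargetDC DC2

# Equivalent interactive ntdsutil sequence from KB 255504, for a DC without the module:
#   ntdsutil
#   roles
#   connections
#   connect to server DC2
#   quit
#   seize PDC        (likewise: seize RID master, seize infrastructure master,
#                     seize schema master, seize naming master)
#   quit
#   quit
```

Run the inventory part first and keep the output; after a seizure, run it again and confirm that no role still lists the dead DC before you rebuild or remove that machine (metadata cleanup of the dead DC is a separate step not shown here).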
 

Author Comment

by:jcs1977
ID: 24404720
Thanks for the reply.

As for DNS, I have a WatchGuard firewall, and in there I have the IP for the domain controller server and a DNS IP given to me by my IP provider.  I haven't done anything with the DNS on DC 2.

I think what I need to configure is Universal Group Membership Caching, but I'm still trying to find the setting.  It is not a big deal if my DC goes down, but it is if my users cannot log in to their PCs to access the internet.  Am I correct?

Accepted Solution

by: Mike Kline (earned 500 total points)
ID: 24405186
OK, so your DNS is not Windows DNS.  The reason I ask is because if it was and your DC1 went down, then something would have to carry the DNS duties, but your firewall is doing that.
As for universal group caching... you don't need it since both your DCs are global catalogs.  Making them both GCs is the best practice.  Actually, it's good to always make your DCs GCs (see bullet 1 in the blog below):
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html

For reference, the setting is located in Sites and Services:
  • Expand the Sites container, then expand the name of the site
  • Right-click NTDS Site Settings and select Properties
  • Select the checkbox Enable Universal Group Membership Caching
  • See screenshot
Thanks
Mike

UniversalGroupCaching.jpg
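Editor's added example (not part of the accepted solution): the check behind Mike's answer, scripted. It confirms that every DC in the domain is a global catalog, turns the GC flag on for one that is not, and, for the case Mike says you do not need here (a site with no GC of its own), sets Universal Group Membership Caching the same way the Sites and Services checkbox does, by setting bit 0x20 of the options attribute on the site's NTDS Site Settings object while preserving the other bits. It assumes the ActiveDirectory module (Server 2008 R2 and later), Domain Admin rights, and placeholder site and DC names. One caveat on the DNS part of the exchange, as an editor's note: clients can only locate a DC, GC or not, through the _ldap and _gc SRV records in the AD DNS zone, so the DNS server clients are handed must host or forward that zone; a public ISP resolver cannot answer those lookups.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# (Server 2008 R2+) and Domain Admin rights. Site and DC names are placeholders.
Import-Module ActiveDirectory

$GcFlag   = 0x1    # options bit on a DC's NTDS Settings object: this DC is a global catalog
$UgmcFlag = 0x20   # options bit on a site's NTDS Site Settings object: UGMC enabled

function Test-AllDcsAreGc {
    # Returns $true when every DC in the domain advertises itself as a GC.
    $notGc = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    foreach ($dc in $notGc) { Write-Warning "$($dc.HostName) is not a global catalog" }
    return ($notGc.Count -eq 0)
}

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)] [string] $DcName)
    $dc       = Get-ADDomainController -Identity $DcName
    $settings = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $new      = [int]$settings.options -bor $GcFlag          # keep any other bits that are set
    Set-ADObject -Identity $settings -Replace @{ options = $new }
    # GC promotion is not instant: the DC registers its _gc._tcp SRV records only after it
    # has replicated the read-only partial copies of the other domains in the forest.
}

function Set-SiteUgmc {
    # Enables or disables UGMC for one site; returns the resulting state.
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [bool]                          $Enabled = $true
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"
    $obj = Get-ADObject -Identity $dn -Properties options
    $cur = [int]$obj.options
    $new = if ($Enabled) { $cur -bor $UgmcFlag } else { $cur -band (-bnot $UgmcFlag) }
    if ($new -ne $cur) { Set-ADObject -Identity $dn -Replace @{ options = $new } }
    return (($new -band $UgmcFlag) -ne 0)
}

if (-not (Test-AllDcsAreGc)) {
    # The thread's setup: make the second DC a GC rather than relying on caching.
    # Enable-GlobalCatalog -DcName DC2
}

# Only for a site that has no GC of its own. Cached memberships are refreshed from a GC
# in another site on a timer, so a user's new universal group membership is not seen
# at logon until the next refresh; with a GC in every site this is not needed.
# Set-SiteUgmc -SiteName 'Default-First-Site-Name' -Enabled $true
```

The test the asker planned (logging on with the main GC powered off) is the right one; run `nltest /dsgetdc:<domain> /GC` from a client at the same time to see which GC the client actually located, and make sure the client's DNS server still answers for the AD zone when DC1 is down.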
 

Author Comment

by:jcs1977
ID: 24406016
Thank you for your help!!  Off to work to go and test logging in when the main global catalog is powered off.