Solved

Network Redundancy / Add cheap additional DC

Posted on 2009-07-05
484 Views
Last Modified: 2012-08-14
I am trying to add some redundancy to a small Windows network (15-20 PCs).  Currently there is only one Windows 2003 domain controller (with DHCP, DNS, WINS etc.).  If the only DC halts, then, since it is the gateway and DNS server, access to the Internet (which is critical) is not possible.  Trying to find another cheap solution so the business always has access to the Internet (hopefully without adding another server).  Any other ways to achieve this?  Thanks!
Question by:nstefanov
LVL 23

Expert Comment

by:debuggerau
Your DC should not be dependent on the internet access for local clients to get access to the Server..

If the internet goes down, it should still allow clients to login..

Are you saying that this is not the case?


Author Comment

by:nstefanov
Thanks debuggerau, internet connectivity is fine, but if the server halts/fails, since it is the DNS server, the clients have no access to the Internet.  Thanks!
LVL 24

Expert Comment

by:Ken Boone
Well, in your DHCP scope provide the clients with a primary DNS of your DC and a secondary DNS of one of the public DNS servers from your ISP.  That way, if the DC crashes, the clients will still be able to resolve external DNS for Internet access.
LVL 23

Expert Comment

by:debuggerau
Why not configure the secondary DNS address in the clients to use the ISP's DNS server then?

Or maybe your router could serve this function?

Then again, would people really miss the internet if they couldn't log in, print, save etc..

Author Comment

by:nstefanov
Thanks kenboonejr, that fixes the DNS issue, but what if DHCP is down when the server is down?  Looking for a cheap redundant solution.
LVL 95

Accepted Solution

by:Lee W, MVP (earned 500 total points)
> Why not configure the secondary DNS address in
> the clients to use the ISP's DNS server then?

and

> Well in your DHCP scope provide the clients with a
> primary DNS of your DC, and a secondary DNS of
> one of the public DNS servers from your ISP


DO NOT DO THE ABOVE RECOMMENDATIONS.

Why?  Because Active Directory RELIES on DNS for finding network resources.  And even though we'd like to BELIEVE that the secondary DNS server is, in fact, a "secondary" DNS server that only responds to requests when the primary is down, THAT IS NOT THE CASE.  I've heard some people say it's because the clients will do lookups in a round-robin fashion, while I've read articles that say there is no rhyme or reason to it, but the secondary servers ARE used, seemingly randomly.

IF YOU DO THE ABOVE RECOMMENDATIONS, your users COULD experience RANDOM slow logons and sporadic delays in accessing resources on your domain.

You said the server is also your gateway - if that's the case, then if the server is down, what's the point of having another* DNS server since no client can get through a failed gateway!

*For a network that size, I DO recommend having a second server.  You can consider using a BUSINESS CLASS gateway device like a Fortinet Fortigate device.  But the second server is really more of a backup to ensure you can at least work and logon locally and that your Active Directory is not lost in the event of a major primary server failure.

You don't need a PHYSICAL computer, but you will need another Server license in order to do this.  You can use an old physical computer or find a powerful workstation and install virtual machine software like VMware Server or Virtual PC and run the second server there.  TECHNICALLY, you could also run it on the primary system, though this will limit the effect of its redundancy to essentially only being a "certain" backup of Active Directory.
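As an added example (not code from the thread or from any of the posters), here is the check a practitioner would run before and after touching the DHCP scope's DNS option: every DNS server handed out by option 006 must be able to answer the `_ldap._tcp.dc._msdcs.<domain>` SRV query that domain members use to locate a domain controller. An ISP resolver cannot answer it, which is exactly why a client that happens to send its DC-locator lookup to the "secondary" server stalls at logon. The script assumes it runs on a Windows Server 2012 or later DHCP server with the DhcpServer and DnsClient PowerShell modules available; `corp.example.com` and `192.168.1.10` are placeholders for your own domain and DC address.

```powershell
# Added example, not from the original thread.
# Verify that every DNS server handed out by DHCP (option 006) can resolve the
# Active Directory SRV records that domain logons depend on.
# Assumptions: Windows Server 2012+ DHCP server, DhcpServer + DnsClient modules,
# and $Domain is a placeholder for your AD DNS domain name.
param(
    [string]$Domain = 'corp.example.com'   # placeholder; replace with your domain
)

# Collect the DNS servers (option 006) from every IPv4 scope on this DHCP server.
$dnsServers = foreach ($scope in Get-DhcpServerv4Scope) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt) { $opt.Value }
}
$dnsServers = $dnsServers | Sort-Object -Unique

# The DC-locator record every domain member queries at logon.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"

foreach ($srv in $dnsServers) {
    try {
        $rec = Resolve-DnsName -Name $srvName -Type SRV -Server $srv -ErrorAction Stop
        $dcs = ($rec | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
        Write-Output ("OK   {0,-15} returns domain controllers: {1}" -f $srv, $dcs)
    } catch {
        # An ISP or other non-AD resolver lands here: clients that pick it for
        # the locator lookup will time out before retrying, hence the slow logons.
        Write-Warning ("BAD  {0,-15} cannot resolve $srvName; remove it from option 006" -f $srv)
    }
}

# Remediation for a flagged scope: hand out only AD-integrated DNS servers.
# Uncomment and substitute your own scope and DC address (placeholder below).
# Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -DnsServer '192.168.1.10'
```

Run it from an elevated PowerShell prompt on the DHCP server. Any server reported as BAD is one that will, as Lee W describes above, be asked sporadically by clients and fail the AD lookups; the fix is to list only DNS servers that host the AD zone, and to get a second such server rather than a public resolver.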

Author Comment

by:nstefanov
Thanks leew, that's pretty much the solution I am looking for, but trying to do it as cheaply as possible.  Any free Linux/Unix solutions/appliances that could serve as the main server backup?
LVL 32

Expert Comment

by:nappy_d
Install two servers using VMware ESXi (free).

Author Comment

by:nstefanov
Currently only one physical server (looking for physical redundancy also)...
LVL 23

Expert Comment

by:debuggerau
"You don't need a PHYSICAL computer, but you will need another Server license in order to do this.  You can use an old physical computer or find a powerful workstation and install virtual machine software like VMware Server or Virtual PC and run the second server there.  TECHNICALLY, you could also run it on the primary system, though this will limit the effect of its redundancy to essentially only being a "certain" backup of Active Directory."

- yes, well, having another server is the best alternative, and I would not be suggesting whacking another virtual machine on your existing DC, as that would make your existing DC unreliable, and if that was out, so would be the secondary DC, so seriously, please don't consider this..

If your DC experiences outages and you want the clients to still surf, there is not too much you can do apart from the recommendations earlier..
If AD is unavailable, what does it matter if the DNS to it is unavailable? You can't get access anyway!

I'd also try moving the default gateway off your DC box; try the router instead..
Routers usually support DHCP, so you could move that off too, or preferably change everyone to static IPs..


LVL 95

Expert Comment

by:Lee W, MVP
@debuggerau -
As I stated - if you ran a second DC on the first physical server all you get is an extra backup of AD (if the server failed, you could LIKELY - if the drive wasn't corrupt - simply copy the VHD off the dead drives and run it off another system).  You can technically do it - but I wouldn't as it limits the effectiveness of the redundancy.

SBS 2003 was designed to run as the router - and you could break wizards and generate alerts if you disable DHCP on the server.  I've not heard any good reason to move DHCP to a router OR to switch to static addressing - that won't resolve the issues of a second DNS server and could simply complicate things.

@nstefanov
No, no version of Linux will be able to create a secondary DC.  You MAY be able to use a couple of linux servers as your DNS servers, provided they allow dynamic updates.  But really, that's not a very good idea - from a support perspective, it's better to run core AD services off Windows systems.  

IF you have an older PC or buy a CHEAP PC you can run server on that - but again, you need another copy of server (NOT SBS - if you are using it now - there can only be ONE SBS server on a domain - other servers are fine, but only one running SBS).  You're going to have to buy another copy of Server.

Consider the costs involved - you can spend HOURS trying to get a linux system as a backup... but the time you spend trying to get it working and the amount of redundancy provided will be incomplete at best.  This solution may be checkbook cheaper, but the amount of time you spend on it costs money too.  And that may well negate any benefit.  Plus, it would be a NON-STANDARD way of doing it so supporting it and getting help could be more difficult.  Simply getting another server license is likely the simplest, most cost-effective (when you consider all factors) solution.  
LVL 23

Expert Comment

by:debuggerau
Yea, not my recommendation either..

Statics are recommended by Microsoft, security issues of course..
You could disable DHCP, but not if you're using RAS services, but it does work with zero leases.

I do recommend another server, best practice is at least one additional server for redundancy, but I suspect regular backups would be as helpful without the cost and added maintenance of another server, unless it would take too long to rebuild..

I like to get two servers the same, at least you have some spares if required..

LVL 95

Expert Comment

by:Lee W, MVP
Can you show me a link to a document that states you should be using "Statics are recommended by Microsoft" - I've been doing this a long time and never have I seen or heard anything like that, that includes attending 3 MVP summits at MS Campus and seeing probably a dozen server/workstation network presentations as part of the Technet presentations given around the country.

I've recently come to the conclusion that the BEST option for installing all new servers (unless there's a VERY GOOD reason not to in a given instance) is to install ESXi or Hyper-V and then run the actual desired OS in a VM.  Why?  Because servers run the business.  They should always be under a 24x7x365 warranty with 4 hour on-site response support.  BUT.... that can be costly - especially after the third year.  And in this economy, maintaining that support/replacing that server is not an "easy" thing financially to do.  So, by using VMs, you make the OS hardware independent.  If the hardware fails, you COULD run the server off a laptop or a desktop while you wait for parts.  All you need to do is pull the VHD from the hard drives of the failed server, or restore it from tape or other backup medium to a different system.

LVL 23

Expert Comment

by:debuggerau
flexibility does not equate to security though..

Nor, does it equate to reliability.

Although virtualization is the latest cash cow for IT, I'm still not convinced it is everyone's prayers answered..

VMware does allow snapshots done quickly, but whenever adding another layer of functionality, there is the labor cost, licensing, maintenance, patches etc etc..

The static IP is just best practice security wise, I prefer 802.11X but that goes quite a bit deeper. It just prevents people from getting network access unless you configure MAC addresses for all machines which is a heavy admin task, and can still be compromised.

Obviously, if you're in a closed network, DHCP is easier to administer, and static addressing requires administrators to maintain a table of addresses, so it is more maintenance, granted..


LVL 95

Expert Comment

by:Lee W, MVP
You cannot have absolute security - you need to BALANCE the risks of your decisions with the ease of use.

Suggesting that going static here is a good idea is, in my opinion, failing to acknowledge the general realities of small business.

Going static CAN be more secure, but is it the kind of security one needs in a small business?  I can understand not wanting to provide easy access (via DHCP) to a network at a government tax department or bank, but for most small businesses it simply does not make sense.  Yes, a consultant can do it, but it can create an unnecessary problem for the client and/or cause additional costs.

While I know there are some VERY LARGE IT organizations on EE, many of those on this site are consultants and/or small business owners (they FAR outnumber larger orgs).  In an IDEAL network, you would have one server per service so that you could restart that service/bring it down for maintenance without interrupting other services AND you would have at least two servers handling each service for redundancy.  But, in a small business, this is simply not possible.  And even in larger businesses, it's not generally practical.  It makes sense to put some services on their own machines and to have those systems be redundant when the business costs of NOT having those services available would be significant.

Let me rephrase - I am not saying that, in a perfect world, your comments are not accurate - I think they would be - but they seem to be inappropriate for a question about a small windows network of 20 or so PCs where costs for hardware and administration are clearly a concern.
LVL 32

Expert Comment

by:nappy_d
As mentioned, the only redundancy I see is a second server, which is physical redundancy.  Now, that being said, it does not mean very, very powerful machines.  To do this, I would suggest:
  1. Virtualizing the current server you have
  2. Install (in your case) XenServer http://citrix.com/English/ps2/products/feature.asp?contentID=1686939 It comes with additional features for free and it sounds like you don't want to spend a lot of money
  3. If you can afford two machines with 8GB of RAM, that is all you would need.
Basically, the OS is virtualized and run on one of the machines.  If machine A fails, then machine B can start up the guest OS within minutes of the outage.

I am not sure how else you want to accomplish redundancy without additional hardware.
LVL 3

Expert Comment

by:raj27962
I agree with nappy, just virtualise, you can do this for free. Though I'd use ESXi and only bother with 4 GB servers.
LVL 1

Expert Comment

by:incera
An alternative solution is to use Windows' built-in dynamic IP address configuration with an alternate configuration. If the DHCP server is unavailable, the client can use the alternate static configuration. This will keep your workstations going even if the DHCP server is unavailable.

[ See: http://technet.microsoft.com/en-us/library/cc779231(WS.10).aspx ]

As for DNS, since you are using Active Directory you'll have various timeouts on your workstations as the local cache expires, but as mentioned above, the Internet will be functional. Additionally, if you have NetBIOS enabled on your network adapters, a workstation will assume the Browse Master role and allow for name based computer-to-computer communications. It's a crippled, but functional state.
LVL 1

Expert Comment

by:incera
To clarify: As for DNS, since you are using Active Directory you'll have various timeouts on your workstations as the local cache expires, but as mentioned above, the Internet will be functional. Additionally, if you have NetBIOS enabled on your network adapters, a workstation will assume the Browse Master role and allow for name based computer-to-computer communications. It's a crippled, but functional state.

If you have an alternative secondary DNS specified, then, despite claims otherwise, my experience is that this will be functional for external name resolution.
LVL 23

Expert Comment

by:debuggerau
I suspect this has been thrashed around to exhaustion; how about an even points split with contributors?