
Geo cluster and domain controllers

thedude0901 asked:

I'm in the process of building a geographical cluster for DR purposes using NeverFail as the cluster solution.  We will be connected to the DR site with a dedicated WAN link and the network and VLANs will be extended across this link to the DR site.  All servers are running 2003 RTM and the AD is 2003.

I currently have two domain controllers on my network named AD1 and AD2.  Both are configured identically to each other with DNS, DHCP (50/50 split on the available pool), NTP and Global Catalog. Everything is AD integrated where possible.  My primary controller, AD1, has the FSMO roles and is the authoritative time server.  All of the servers and workstations have their DNS settings pointing to these two boxes.

I had originally planned on adding a third and maybe a fourth domain controller at the DR site and simply allowing Active Directory to naturally replicate itself to these additional domain controllers.  They would be named AD3 and AD4.   That, however, leaves me with several problems:

1.  Assuming the worst and the primary site blows up, the servers will fail over to the DR site but will now be pointing to DNS servers that no longer exist.  

2. Again, if the primary blows up the FSMO roles will be gone.  

3. This must be a fully automated solution. I can't make any changes to the DR site to fix any fail over related issues.  

So, my questions are as follows:
1.  Do I move one of my existing domain controllers to the DR site so that there will be a configured DNS there as well?  That way the primary DNS will be at the main site and the secondary DNS will be at the DR site.  

2. I've configured the DNS servers in my DHCP scopes.  Can I simply add one or more DNS servers at the DR site and add them into my DHCP scopes?  Can XP, Win7, Win 2008 use more than 2 DNS settings?  

3. Assuming the primary site blows up and I have to rebuild the domain controllers on that side.  How would I remove and then re-add the blown-up servers in AD?  I assume there's a manual process to remove a dead domain controller from the domain?

Any and all suggestions will be greatly appreciated
Top Expert 2013
Yes, you can have more than two DNS servers, so you can add AD3 and then use that as the third DNS server.

Or just have all the servers at the DR site point to AD3 and AD4 as primary DNS.  If the primary site has a catastrophic failure (act of nature etc.), then nothing in that site will be around anyway (obviously hope that never happens).

You remove failed DCs using a procedure known as metadata cleanup.  There are many good guides on that process.  One good one is on Daniel's site.
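As an added example (not code from the thread) of the expert's point that a third and fourth DNS server can simply be added to the list: the script below pushes a four-entry DNS search order, AD1, AD2, AD3, AD4, onto every statically addressed adapter of a list of member servers using WMI, so a server that loses both primary-site DCs falls through to the DR-site DCs without anyone touching it. The addresses, server names and the assumption that the admin box running it has PowerShell and WMI rights on the targets are all illustrative; the targets themselves can be Windows Server 2003.

```powershell
# Added example, not from the thread. Puts the DR DCs (AD3, AD4) third and
# fourth in the DNS server list of every statically configured server so a
# client that loses AD1 and AD2 keeps resolving names. Addresses and server
# names are assumptions for illustration.
$DnsSearchOrder = @(
    "10.0.0.11",   # AD1 (primary site)
    "10.0.0.12",   # AD2 (primary site)
    "10.0.1.11",   # AD3 (DR site)
    "10.0.1.12"    # AD4 (DR site)
)
$Servers = @("FILE1", "SQL1", "APP1")   # statically addressed member servers (assumed)

foreach ($server in $Servers) {
    # Only adapters with a static IP; DHCP clients get their list from the scope.
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                          -ComputerName $server `
                          -Filter "IPEnabled = TRUE AND DHCPEnabled = FALSE"
    foreach ($nic in $nics) {
        $result = $nic.SetDNSServerSearchOrder($DnsSearchOrder)
        # ReturnValue 0 = applied, 1 = applied but reboot required,
        # anything higher is a WMI error code.
        if ($result.ReturnValue -gt 1) {
            Write-Warning ("{0} [{1}]: SetDNSServerSearchOrder failed with code {2}" -f `
                           $server, $nic.Description, $result.ReturnValue)
        }
    }
}

# Verify by re-reading the adapters rather than trusting the cached objects.
foreach ($server in $Servers) {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $server `
                  -Filter "IPEnabled = TRUE AND DHCPEnabled = FALSE" |
        Select-Object @{ n = "Server"; e = { $server } },
                      Description,
                      @{ n = "DNSOrder"; e = { $_.DNSServerSearchOrder -join ", " } }
}
```

The same list can be set locally from cmd.exe on a 2003 box with netsh: `netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.11` for the first entry, then `netsh interface ip add dns name="Local Area Connection" addr=10.0.0.12 index=2` (and index=3, index=4) for the rest; `ipconfig /all` lists every entry, not just the first two the GUI shows prominently.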

OK, I see how the workstations running DHCP will pick up more than 2 DNS servers because they'll be passed in the DHCP configuration.  Since the IP configuration on my servers is manually set, how would I add in more than 2 DNS servers in the IP configuration?  The reason I can't point the DR servers to the DR-located AD/DNS servers is the way the NeverFail software works.

NeverFail actually clones a server - SID, IP and host name - to a backup box.  It then blocks the backup server from the network via a packet filter to prevent any name/SID/IP conflicts on the network.  As changes are made to the primary, the data is transferred via a dedicated heartbeat and applied to the backup node.  If the primary fails, then the backup is allowed on the network as a perfect clone of the primary.  Because it has the same SID, IP and host name, the client machines don't even know the primary died and a seamless failover occurs.

That is my problem.  The backup nodes at the DR site won't technically be on the network until the primary site fails.  When that happens they will come on the network as a perfect clone of the primary computers with their preconfigured IP settings.  Since I'm planning on the worst case - I'm dead - the backup servers must be able to function without any additional changes.  

Soooooo.....  If I can add more than 2 DNS servers to a manually configured 2003 network configuration, my problem would be solved.  Simply add two more AD controllers at the DR site with DNS installed and have them in the DNS search order.  

Would I have to configure my servers to use DHCP and then create reservations for them so they always get the same IP address?  That way I could use DHCP to pass 3 or more DNS servers to them.
Top Expert 2013

You can add more than two DNS servers on static clients too.   Yeah, the plan to just have two more DCs at the DR site is what we do too.  You don't have to use reservations, but you can.  Just configure all 3 DNS servers.

One other thing: if the DC that holds the FSMO roles dies, then you would have to seize the roles to the DR site (also using ntdsutil, like you would do for the metadata cleanup).
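The two ntdsutil procedures the expert refers to, seizing the FSMO roles and metadata cleanup, as an added worked runbook that is not part of the thread. It assumes AD1 (the FSMO holder) and AD2 are permanently gone, that AD3 at the DR site is the surviving DC the roles are seized onto, and a domain named example.com; the server names, the domain DN and the list index numbers are placeholders for illustration. The ntdsutil lines are the native Windows Server 2003 tool's own commands passed as arguments; PowerShell only sequences them, and the same quoted strings work from cmd.exe.

```powershell
# Added example, not from the thread. Runbook for the case where the primary
# site (AD1, the FSMO holder, and AD2) is gone for good and AD3 at the DR site
# must take over. Server names, domain DN and index numbers are assumptions.
# Run on AD3 as an Enterprise Admin (Schema Admins is needed for the schema master).
$Survivor = "AD3"
$Dead     = "AD1"
$DomainDN = "DC=example,DC=com"          # assumed domain

# 1. Seize all five FSMO roles onto AD3. ntdsutil tries a graceful transfer first
#    and only seizes when the current holder cannot be reached. Each seize pops a
#    Yes/No confirmation. A DC whose roles were seized must never come back on the
#    network without being rebuilt, or you end up with two holders.
$seize = @(
    "roles",
    "connections", "connect to server $Survivor", "quit",
    "seize schema master",
    "seize domain naming master",
    "seize RID master",
    "seize PDC",
    "seize infrastructure master",
    "quit", "quit"
)
& ntdsutil @seize

# 2. Metadata cleanup: remove AD1's NTDS Settings object so the surviving DCs stop
#    queuing replication to a partner that will never answer. Windows Server 2003
#    RTM has no "remove selected server <DN>" shortcut, so the target is chosen by
#    index from the "list ..." output. Each ntdsutil call is stateless, so the
#    selection chain is repeated in every call.
$prefix = @(
    "metadata cleanup",
    "connections", "connect to server $Survivor", "quit",
    "select operation target"
)
$cmd = $prefix + @("list domains", "quit", "quit", "quit");                                            & ntdsutil @cmd
$cmd = $prefix + @("select domain 0", "list sites", "quit", "quit", "quit");                          & ntdsutil @cmd
$cmd = $prefix + @("select domain 0", "select site 0", "list servers in site", "quit", "quit", "quit"); & ntdsutil @cmd

# Read the numbers printed above for the domain, the site and the CN=AD1 entry,
# then run the removal (it also asks for confirmation).
$domainIdx = 0; $siteIdx = 0; $serverIdx = 1      # placeholders, take them from the lists
$cmd = $prefix + @(
    "select domain $domainIdx", "select site $siteIdx", "select server $serverIdx",
    "quit", "remove selected server", "quit", "quit"
)
& ntdsutil @cmd

# 3. Leftovers ntdsutil does not remove on 2003: the DC's computer account, its
#    server object in Sites and Services (only once it has no NTDS Settings child),
#    and its A/NS/SRV records in DNS, which must be deleted in the DNS console so
#    clients stop being referred to a dead DC. Also make sure a GC survives.
& dsrm "CN=$Dead,OU=Domain Controllers,$DomainDN" -noprompt
& dsrm "CN=$Dead,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$DomainDN" -subtree -noprompt
& repadmin /options $Survivor +IS_GC
```

Order matters: seize first, then clean up, and do both from the DC that will keep running. If AD3 is already a global catalog (as the thread plans), the last repadmin line is a no-op; the infrastructure master should not sit on a GC in a multi-domain forest, which does not apply to the single domain described here.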

Jeez... Now I see where to add the additional servers. Now I feel stupid.  :-)

A few last questions for you:

1. Is there any harm in not seizing the FSMO roles to the working AD servers at the DR site?  Is there any adverse effect on the network?  The reason I ask is, if I'm dead and gone there won't be anyone capable of doing the work.

2. If I list the DNS search order as AD1, AD2, AD3 and AD4 but the first two are blown up in a disaster, will there be any performance impact on name resolution, since it won't get a working server until it tries the third address on the list?
bigh1tSr Sys admin

1. You can limp along without the FSMO roles for a day, or for as long as either AD3 or AD4 is a global catalog server, but you will have to have the PDC up for any password changes and the RID master up for RID pool requests fairly quickly.
2. As long as there is no response, Windows DNS will continue to the next server in the list.

Are you running your own certificate server? That would also require some special steps to recover.
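The two points above, that the domain keeps working without the FSMO holders only for a while and that clients walk the DNS list until one answers, as an added post-failover check script that is not from the thread. It walks the configured DNS order in the same sequence a client would and reports which entries still return the DC locator SRV record, then asks the surviving DCs where the roles are and whether a GC and a PDC are being advertised. The domain name and addresses are assumptions; the tools it drives (nslookup, netdom, dcdiag, nltest) are the Windows Server 2003 Support Tools, and PowerShell only wraps them.

```powershell
# Added example, not from the thread. Checks that what survived a primary-site
# loss can actually serve the domain: which DNS servers in the search order still
# answer the DC locator query, who holds the FSMO roles, and whether a GC and the
# PDC are being advertised. Domain name and addresses are assumptions.
$Domain   = "example.com"
$DnsOrder = @("10.0.0.11", "10.0.0.12", "10.0.1.11", "10.0.1.12")   # AD1..AD4 (assumed)
$SrvName  = "_ldap._tcp.dc._msdcs.$Domain"

# 1. Walk the DNS list in client order. Every dead entry before a live one costs a
#    client one query timeout per lookup until it caches the working server, which
#    is the "performance impact" of leaving AD1/AD2 ahead of AD3/AD4 in the list.
foreach ($dns in $DnsOrder) {
    $out = & nslookup -type=SRV -timeout=2 -retry=1 $SrvName $dns 2>&1 | Out-String
    if ($out -match "svr hostname\s*=\s*(\S+)") {
        "{0,-12} OK    advertises DC {1}" -f $dns, $Matches[1]
    } else {
        "{0,-12} FAIL  no SRV answer for {1}" -f $dns, $SrvName
    }
}

# 2. Where the five roles are, and whether the listed holders are reachable. If the
#    holders are the dead AD1, the roles have to be seized before password changes
#    and new RID pools work again.
& netdom query fsmo
& dcdiag /test:FsmoCheck /test:KnowsOfRoleHolders

# 3. Logons need a reachable GC; password changes need the PDC emulator.
& nltest "/dsgetdc:$Domain" /gc
& nltest "/dsgetdc:$Domain" /pdc
```

Run it from a DR-site server after the NeverFail nodes have been unblocked: the first section should show the DR DCs answering even while the primary-site entries time out, and the nltest calls should return AD3 or AD4 rather than an error, which is the evidence that the "no manual changes" requirement is actually met.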
Awarded 2009
Top Expert 2010

This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.