Solved

AD checks before adding new DC

Posted on 2010-09-03
Last Modified: 2012-08-13
I am planning on adding a second DNS/DC to my network.  What utilities/checks should I run on my existing server to make sure things are healthy before adding another machine?
Question by:smantz
14 Comments
 
LVL 5

Assisted Solution

by:Greg Jacknow
Greg Jacknow earned 150 total points
ID: 33598748
Run DCdiag on your current DC.
 

Author Comment

by:smantz
ID: 33598778
I ran straight DCdiag, without any switches, and all tests passed. Anything else?
LVL 10

Assisted Solution

by:dhruvarajp
dhruvarajp earned 150 total points
ID: 33598852
OK, it is great that the DCDIAG came clean.
You might want to run netdiag /q. You should not get any output for this command, as /q displays only errors.

Once you are done, configure the new DC with proper network settings and promote the server to become the new DC.

The DNS part can be done either before or after dcpromo.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 33598911
I also like repadmin (not needed in your case with only one DC).
Check your event logs too.
A decent health checklist is here: http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
Make the new DC a GC, and try to get it up as soon as you can; it gives you redundancy.
Thanks
Mike
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33598926
Additionally, you can also check your DNS condition before setting up the new DNS server.

Use also dcdiag with the parameter /test:dns:

dcdiag /test:dns
LVL 5

Expert Comment

by:Greg Jacknow
ID: 33598930
If those are clean, there is not much else to it. You can check your event logs to make sure there is nothing alarming.
As for DNS, I prefer to have the new DNS server without DNS and pointing to the existing one for the install, and then add DNS.
Greg J

Author Comment

by:smantz
ID: 33599712
Hey,
I ran the netdiag /q and received a failure for the default gateway test: FATAL  no gateways are reachable.  My NIC is configured properly, I can reach the internet, and I'm using remote desktop with the server. I'm sure this is related to my event system error DCOM 10009. Any ideas?
LVL 38

Accepted Solution

by:ChiefIT
ChiefIT earned 200 total points
ID: 33599953
The most important check prior to promoting a server into the domain is a DNS check.

1) You can do this one of two ways. On this new server, you can edit the NIC configuration to have the preferred DNS server as the existing DNS server. If you do it this way, I would install DNS on this new machine, and then make it an alternate UNTIL it replicates between the two. Also, prior to replication, I would recommend making this new server a Global Catalog server.

2) The second method is to install the DNS services prior to promoting the server. If you do so, you will need to make sure it has a fixed IP and then registers itself within DNS. Then, you should set the preferred DNS server to be this new machine, with the alternate DNS server as the existing DNS server. After doing so, when promoting, it will ask you if it is the only server on the network. If you say no, it will go out and find the existing server and add the SRV records and the HOST A records within DNS.

The whole idea is to make sure both DCs see each other in DNS prior to DCPROMO. Otherwise, you will have replication problems with the AD objects.

One last thing to consider is native mode versus mixed mode. Can you verify the two operating systems on both DCs with us? In some cases, you have to prep the domain for new servers, especially if one is an SBS or a 2008 server while the other is a 2003 standard.
LVL 38

Expert Comment

by:ChiefIT
ID: 33599960
Also, Windows Firewall will block AD authentication and Netlogon services. Watch out for that, if configured on the new DC.
LVL 38

Expert Comment

by:ChiefIT
ID: 33599974
I see that you have a multihomed DC. "One nic for the network, and the other as a private link to your firewall." I never recommend multihoming a DC and would suggest you only use one network adapter to communicate with on a DC.
0
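A PowerShell script, added here as an example and not part of the thread, that automates the checks the answers above suggest: dcdiag (including /test:dns), a look at the event logs for errors, confirming that the domain's DC locator SRV records resolve from the box (both DCs must see each other in DNS before dcpromo), and ChiefIT's advice to use a single NIC with a static address. It assumes Windows Server 2012 or later with PowerShell 3+, dcdiag.exe and Resolve-DnsName available; the -Domain parameter and Add-Check helper are my own names. netdiag is left out because it was dropped after Windows Server 2003.

```powershell
# Added example (not from the thread): pre-promotion checks. Run on the existing DC;
# the DNS and NIC parts also apply to the server you are about to promote.
# Assumes Windows Server 2012+ / PowerShell 3+, with dcdiag.exe and Resolve-DnsName.
param([string]$Domain = $env:USERDNSDOMAIN)   # AD DNS domain name, e.g. corp.example.com

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. dcdiag /q prints only failures, so empty output means every test passed.
if (Get-Command dcdiag.exe -ErrorAction SilentlyContinue) {
    $out = (& dcdiag.exe /q 2>&1 | Out-String).Trim()
    Add-Check 'dcdiag /q' ([string]::IsNullOrWhiteSpace($out)) $out
    $dns = (& dcdiag.exe /test:dns /q 2>&1 | Out-String).Trim()
    Add-Check 'dcdiag /test:dns' ([string]::IsNullOrWhiteSpace($dns)) $dns
} else {
    Add-Check 'dcdiag' $false 'dcdiag.exe not found (install the AD DS tools)'
}

# 2. Event logs: Critical (1) and Error (2) events from the last 24 hours.
#    Logs that do not exist yet on a member server are skipped silently.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Directory Service', 'DNS Server';
    Level = 1, 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue)
Add-Check 'Event logs (24h)' ($events.Count -eq 0) "$($events.Count) critical/error events"

# 3. Both DCs must see each other in DNS before dcpromo: the domain's DC locator
#    SRV records have to resolve via whatever DNS server this NIC points at.
if ($Domain) {
    $srv = @(Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' })
    Add-Check 'DC SRV records' ($srv.Count -gt 0) (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
} else {
    Add-Check 'DC SRV records' $false 'no domain name given (-Domain)'
}

# 4. One IP-enabled adapter only (no multihoming), static address, DNS servers set.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')
Add-Check 'Single NIC' ($nics.Count -eq 1) "$($nics.Count) IP-enabled adapters"
foreach ($n in $nics) {
    Add-Check "Static IP ($($n.Description))" (-not $n.DHCPEnabled) ($n.IPAddress -join ', ')
    Add-Check "DNS set ($($n.Description))" ([bool]$n.DNSServerSearchOrder) ($n.DNSServerSearchOrder -join ', ')
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { Write-Warning 'Fix the failed checks before promoting.' }
```

Run it from an elevated PowerShell session; dcdiag /test:dns and the Directory Service log need administrator rights.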
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33600026
Good point about the multihomed DC, Chief.

Please look at this great blog entry from Ace:
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Thanks

Mike

Author Comment

by:smantz
ID: 33600406
Negative on the multihome. One NIC, configured with a static IP address, DNS pointing to itself, and plugged into a switch that goes to the backbone and private interface of the firewall. As for my error, I noticed that I have DNS forwarding set to the default gateway. I'm sure this has to do with my OpenDNS and firewall rules to allow some sites to some and some not to others. Comments?
LVL 38

Expert Comment

by:ChiefIT
ID: 33600564
There is no issue with having your forwarders set to the gateway IP, IF and only IF your ISP is providing you with a dynamic IP and their DNS servers on the WAN interface of the router. This configuration setup will make your ISP's forwarders dynamic. In other words, if your ISP makes changes to their servers, you automatically get those changes, because they are dynamically passing the ISP's DNS servers down to you.

It's actually a pretty cool trick.

Author Comment

by:smantz
ID: 33601055
The DNS on the gateway goes to OpenDNS. That works as it should. I've since rebooted and I will watch for any other issues like the DCOM 10009 event. Thanks for all the help.
--Steve