awalkinthepark
asked on
Active Directory - Domain controllers
On our network the PDC is an older machine that I don't entirely trust anymore.
(The lights on one drive in the RAID are out, but it is seemingly running anyway, and one power supply is showing a red light as well. And I don't think it's worth putting more $ into it.)
There is another machine that has Active Directory installed, and it is apparently also a domain controller. However, as a test, I powered down the primary to see if the other one would function as the domain controller and authenticate users logging in. It did not. In fact, I could not log onto it via Terminal Services as it reported that the domain controller could not be found.
I want to know how to configure these machines so that if (when) the primary one fails, the other one will step up and function as the PDC without any interruption for our users.
Thanks
Hi,
First verify that the two DCs are able to replicate to each other.
In case you want to retain the current PDC in the setup, then using AD-integrated DNS, configure secondary DNS on client machines with the IP of the second server.
Transfer FSMO roles to the second server.
In this case, even if the PDC is down, users will be authenticated.
-SS
ASKER
It seems to be simpler: I added DNS to the second server, and it has replicated the directory without any nudges. I took the PDC off the network, added the IP of the 2nd to a workstation for DNS, and it logged in with no trouble. Seems that DNS was all that was needed for that, which was the original question.
I did read this suggested by SylvainDrapeau:
Use this article to transfer the roles your new DC doesn't have : http://support.microsoft.com/kb/324801/en-us
But I'm unclear on if this can be done if PDC fails. Can the second DC which currently allows authentication be promoted to assume these roles if the PDC is gone?
My guess is yes, but I'd prefer to stay one step ahead of the obstacles and know in advance.
Thanks
If the PDC fails, yes, the second DC will allow authentication to continue. The fact that it is a DC means it has already been promoted.
What you would have to do if it failed hard would be to seize the FSMO roles http://www.petri.co.il/seizing_fsmo_roles.htm
...only do that if the original FSMO roles don't come back up.
One of my personal favorite FSMO role blogs is from Brian Puhl of Microsoft IT (one of the engineers that runs their internal AD) http://blogs.technet.com/b/bpuhl/archive/2005/12/07/415761.aspx
Thanks
Mike
ASKER
Thanks to all who commented.
Besides DNS and GC, you have to transfer FSMO roles over to the "new" DC.
Use this article to transfer the roles your new DC doesn't have : http://support.microsoft.com/kb/324801/en-us
and this to create or move the GC : http://support.microsoft.com/kb/313994/en-us
Syldra
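The checks raised in this thread (replication health, DNS on the second DC, global catalog, FSMO role placement) can be collected in one pass before the old server is retired. This is an added example, not code from any poster in the thread; it assumes a management host with the ActiveDirectory PowerShell module on Windows Server 2012 or later, and `DC2` is a hypothetical name for the DC that should survive.

```powershell
# Added example: failover readiness check for a two-DC domain.
# Assumption: ActiveDirectory module (RSAT) is installed; 'DC2' is a hypothetical name.
Import-Module ActiveDirectory

$Standby = 'DC2'          # hypothetical: the DC that must keep working alone
$domain  = Get-ADDomain
$forest  = Get-ADForest

# 1. Where do the five FSMO roles live today?
[ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}.GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. Per DC: global catalog flag, whether its own DNS service answers the
#    DC locator SRV query, and how many replication failures it reports.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" `
        -Type SRV -Server $dc.IPv4Address -ErrorAction SilentlyContinue
    $fail = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $dc.HostName
        GlobalCatalog = $dc.IsGlobalCatalog
        AnswersDnsSrv = [bool]$srv
        ReplFailures  = [int]($fail | Measure-Object -Property FailureCount -Sum).Sum
        Roles         = $dc.OperationMasterRoles -join ','
    }
}
$report | Format-Table -AutoSize

# 3. Planned move while the old DC is still online (graceful transfer).
#    -WhatIf only previews the change; remove it to actually transfer.
$ready = $report | Where-Object { $_.DC -like "$Standby*" }
if ($ready.GlobalCatalog -and $ready.AnswersDnsSrv -and $ready.ReplFailures -eq 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Standby -WhatIf `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
} else {
    Write-Warning "$Standby is not ready to stand alone; fix GC, DNS or replication first."
}

# If the old DC is permanently gone, the same cmdlet with -Force seizes the
# roles instead. As noted in the thread, only seize when the original role
# holder is not coming back.
```

Clients also need the surviving DC's IP listed as a DNS server, as the asker found; the script checks the server side only.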