promoting a 2008 R2 to a domain controller

Posted on 2011-02-25
Last Modified: 2012-05-11
We are running a Windows 2008 SBS Server and recently purchased a second server for a specific application.  After speaking with a friend, he recommended upgrading the 2008 R2 server to a domain controller as a backup - it's currently a member of the domain.  I have a few questions that you might be able to help with:

1. We only have 5 licenses with the 2008 R2 and we have 40 SBS Licenses.  If the SBS server went down (for whatever reason) and users validated their user accounts to the domain, how would this affect the licenses?

2. Other than users being able to log on to the domain, what would the advantage be?

3. I've never run DCPromo to upgrade a domain controller.  I've read a few books/videos and it looks straightforward; are there any potential issues I need to look into?

The SBS server has direct storage and holds all the exchange and shares.  

Any help/suggestions is appreciated, thanks.  
Question by:resolver1
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 142 total points
ID: 34979990
The benefit would be if your SBS server does go down you would be able to login. Plus say your SBS server went down for good you would still have a secondary DC that holds all of your domain info so you wouldn't be starting from scratch.

You can run with Windows 2008 Server R2 without the extra licenses on the SBS domain.

To add a Windows 2008 Server R2 to the domain you need to run through this link which explains schema update that needs to be done on SBS server

After schema update you can just add the server as a DC by running dcpromo
LVL 25

Assisted Solution

-MAS earned 71 total points
ID: 34980016
LVL 25

Expert Comment

ID: 34980033
Important note:

Best practice is not to install Infrastructure Master (IM) role on the same domain controller as the Global Catalog server (i.e. Primary DC). If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

Expert Comment

ID: 34980040
Unfortunately you can't add a windows 2008 Server as additional domain controller, this is a SBS limitation, you need a SBS Premium to do that.
Your new server can only be a member server.

LVL 59

Expert Comment

by:Darius Ghassem
ID: 34980046
We are talking about SBS which is required to keep infrastructure master role on the same server as a GC.

Important note this is not important on a domain that only has one domain or all DCs are GCs
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 142 total points
ID: 34980064

You can add the Windows 2008 Server R2 as an additional domain controller this is not a problem.

Premium just gives you a license to install an extra Windows 2008 Server with the purchase of the Premium software license
LVL 23

Assisted Solution

ormerodrutter earned 71 total points
ID: 34980070
I believe your SBS2008 CALs cover the usage of any Windows 2008 server(s) in your network, so I don't think you need to buy extra license. Problem is that the Microsoft has updated their website to SBS2011, so if you want to be 100% it is best you speak to one of the licensing resellers.

To have a "backup" DC is mainly for failover purchase. It is not only the AD you require, it is also DNS and Global Catalog that you will need if the SBS box is not present. So it is a good practise to have 2 DCs in your network. However you need to consider what are you doing with the Windows 2008 server at the moment. If you use that as a Terminal Server then you can't promote it, or you will lose your Terminal Service completely.

Dcpromo is fairly straight-forward. All you need to make sure is to promote the server as a DC in an existing domain (instead of new domain). And the process will take care itself until finish. Need to install DNS after though.
LVL 95

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 72 total points
ID: 34980796
Clarifying in my own words what other people have tried to clarify in theirs...

> Unfortunately you can't add a windows 2008 Server as additional domain controller,
> this is a SBS limitation, you need a SBS Premium to do that.
> Your new server can only be a member server.

This is incorrect.  Yes, SBS Premium Comes with a second server license.  HOWEVER, there is NO RESTRICTION on having additional domain controllers with any version of SBS.  

> Best practice is not to install Infrastructure Master (IM) role on the same domain
> controller as the Global Catalog server (i.e. Primary DC).

There is no choice here.  SBS is REQUIRED to hold all FSMO roles and be a GC.  If it doesn't it will begin shutting down in a few days to weeks.
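
A post-promotion check for the requirement discussed above, as an added example that is not part of the original posts: it parses `netdom query fsmo` output and reports any FSMO role that is not held by the SBS server. The host names and the sample output are constructed, and the script does not check the Global Catalog flag.

```powershell
# Added example: confirm the SBS server still holds all five FSMO roles.
# $SbsName and $sample are constructed; on a live domain controller use:
#   $lines = netdom query fsmo
$SbsName = 'sbs01.example.local'   # hypothetical SBS host name

$sample = @'
Schema master               sbs01.example.local
Domain naming master        sbs01.example.local
PDC                         sbs01.example.local
RID pool manager            dc02.example.local
Infrastructure master       sbs01.example.local
The command completed successfully.
'@

function Get-FsmoHolders {
    param([string[]]$Lines)
    $roles = 'Schema master', 'Domain naming master', 'PDC',
             'RID pool manager', 'Infrastructure master'
    foreach ($line in $Lines) {
        foreach ($role in $roles) {
            # Role name at start of line, then whitespace, then the holder's FQDN
            if ($line -match ('^\s*' + [regex]::Escape($role) + '\s+(\S+)\s*$')) {
                New-Object PSObject -Property @{ Role = $role; Holder = $Matches[1] }
            }
        }
    }
}

function Test-SbsFsmo {
    param([string[]]$Lines, [string]$Expected)
    $holders = @(Get-FsmoHolders -Lines $Lines)
    # Fail loudly if the output could not be parsed, rather than report "OK"
    if ($holders.Count -ne 5) { throw "Expected 5 FSMO roles, parsed $($holders.Count)" }
    # -ne is case-insensitive, which suits host names
    $holders | Where-Object { $_.Holder -ne $Expected }
}

$moved = @(Test-SbsFsmo -Lines ($sample -split "`r?`n") -Expected $SbsName)
if ($moved.Count -eq 0) { 'OK: SBS holds all FSMO roles' }
else { $moved | ForEach-Object { "WARNING: $($_.Role) is on $($_.Holder)" } }
```

With the constructed sample, the script flags the RID pool manager role as sitting on the second DC.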
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 144 total points
ID: 34983492
Fortunately you've gotten some good advice here, and unfortunately you've also gotten some bad advice. To recap (and to add something nobody else has added)

1) SBS *can* have multiple domain controllers.
2) Recovering a server in a multi-DC environment is *significantly* more complex. Don't add a DC unless you KNOW how to do this. Taking advice from a friend isn't recommended.
3) SBS 2008 CALs cover any Windows 2008 servers and any Exchange 2007 servers in your environment. Additionally SBS 2008 Premium CALs cover any SQL Server 2008 servers in your environment.....

What is notable about #3 is the versions.

SBS CALs ***DO NOT*** cover Windows Server 2008 R2. Separate CALs must be purchased. Similarly, you could not introduce Exchange 2010 into an SBS 2008 environment and expect the CALs to cover it. SBS CALs have always been written in a way where they cover version N and downlevel, but NEVER uplevel. So your 4 CALs for 2008 R2 would not allow users to authenticate against your server as a DC even if your SBS server *did* fall over.

In short, my recommendation is to have a good backup/disaster recovery scenario, and let your LOB app server be a LOB app server. Pass on by the DC implementation.


Author Comment

ID: 34999218
Thanks for all your comments, they are all appreciated.  And a special thanks for cgaliher and leew for summarizing and advising on the previous post.  

Why does Microsoft recommend 2 or more DCs if it's complex to restore a backup? I'm asking this question to further my understanding of multi DC sites.  How much more complex would it be to restore to a multi DC environment?

Please correct me if you think I'm on the wrong track here:

Taking into consideration that multi DC restore is more difficult then probably a good backup and restore will be the best method.  This is because all the data is held on the SBS server using direct storage, users still won't be able to access their data (Files, Exchange, Sharepoint) until the primary SBS has been restored.  

LVL 58

Accepted Solution

Cliff Galiher earned 144 total points
ID: 34999460
Restoring becomes a careful balance of keeping AD stable both during the restore and after the restore completes and the DCs resync. It is a significant investment and commitment to education, TESTING, and then follow-through in an actual DR scenario.

As far as the multi-DC message from MS, it is a problem systemic in MS in general, and one that I just had a lengthy conversation with some of the win-server management team. MS has a bad habit of writing advice ONLY for the enterprise...and the large enterprise at that. They forget to "scale down" and provide advice for small organizations.

For example, Lync is a great product. But reading the docs, you'd think a deployment is too complex for the SMB. It actually isn't, but all the docs talk of redundancy, edge, mediation, and such and present a portrait of a 3 or 4 server minimum deployment. In actuality, you can easily go smaller, but the message isn't there.

Similarly, MS's message of multiple DCs is geared towards multiple exchange, multiple storage (DFS/SAN) and similar where a down DC JUST does domain services. So multiple DCs provide redundancy where one being down will go unnoticed by the end user. So the cost of the extra complexity of restoring is offset by the productivity of a server going down and seamless failover of services to another server. End users keep working as you restore.

In most SBS environments, if SBS is down, you are losing other services as well. Restoring to regain email, files, SQL, sharepoint, etc becomes a priority anyways, even if you HAVE a second DC. So if there is service interruption regardless, a majority of the benefits of a second DC goes away, but the cost of complexity is still there.

Again, this is a matter of MS's messaging targeting large enterprises and offering true high availability. And that message, thus that advice doesn't scale down.

