promoting a 2008 R2 to a domain controller

Posted on 2011-02-25
Medium Priority
Last Modified: 2012-05-11
We are running a Windows 2008 SBS Server and recently purchased a second server for a specific application.  After speaking with a friend, he recommended upgrading the 2008 R2 server to a domain controller as a backup - it's currently a member of the domain.  I have a few questions that you might be able to help with:

1. We only have 5 licenses with the 2008 R2 and we have 40 SBS licenses.  If the SBS server went down (for whatever reason) and users validated their user accounts to the domain, how would this affect the licenses?

2. Other than users being able to log on to the domain, what would the advantage be?

3. I've never run DCPromo to upgrade a domain controller.  I've read a few books/videos and it looks straightforward; are there any potential issues I need to look into?

The SBS server has direct storage and holds all the Exchange data and shares.

Any help/suggestions is appreciated, thanks.  
Question by:resolver1
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 568 total points
ID: 34979990
The benefit would be that if your SBS server does go down, you would still be able to log in. Plus, say your SBS server went down for good, you would still have a secondary DC that holds all of your domain info, so you wouldn't be starting from scratch.

You can run with Windows 2008 Server R2 without the extra licenses on the SBS domain.

To add a Windows 2008 Server R2 to the domain you need to run through this link, which explains the schema update that needs to be done on the SBS server


After the schema update you can just add the server as a DC by running dcpromo

LVL 28

Assisted Solution

MAS earned 284 total points
ID: 34980016
LVL 28

Expert Comment

ID: 34980033
Important note:

Best practice is not to install the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server (i.e. Primary DC). If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.


Expert Comment

ID: 34980040
Unfortunately you can't add a Windows 2008 Server as an additional domain controller; this is an SBS limitation, you need SBS Premium to do that.
Your new server can only be a member server.

LVL 59

Expert Comment

by:Darius Ghassem
ID: 34980046
We are talking about SBS, which is required to keep the infrastructure master role on the same server as a GC.

Important note: this is not important on a domain that only has one domain or all DCs are GCs
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 568 total points
ID: 34980064

You can add the Windows 2008 Server R2 as an additional domain controller; this is not a problem.

Premium just gives you a license to install an extra Windows 2008 Server with the purchase of the Premium software license
LVL 23

Assisted Solution

ormerodrutter earned 284 total points
ID: 34980070
I believe your SBS2008 CALs cover the usage of any Windows 2008 server(s) in your network, so I don't think you need to buy extra licenses. The problem is that Microsoft has updated their website to SBS2011, so if you want to be 100% sure it is best you speak to one of the licensing resellers.

Having a "backup" DC is mainly for failover purposes. It is not only the AD you require, it is also DNS and Global Catalog that you will need if the SBS box is not present. So it is a good practise to have 2 DCs in your network. However, you need to consider what you are doing with the Windows 2008 server at the moment. If you use that as a Terminal Server then you can't promote it, or you will lose your Terminal Service completely.

Dcpromo is fairly straightforward. All you need to make sure of is to promote the server as a DC in an existing domain (instead of a new domain). The process will then take care of itself until it finishes. You need to install DNS afterwards though.
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 288 total points
ID: 34980796
Clarifying in my own words what other people have tried to clarify in theirs...

> Unfortunately you can't add a windows 2008 Server as additional domain controller,
> this is a SBS limitation, you need a SBS Premium to do that.
> Your new server can only be a member server.

This is incorrect.  Yes, SBS Premium comes with a second server license.  HOWEVER, there is NO RESTRICTION on having additional domain controllers with any version of SBS.

> Best practice is not to install Infrastructure Master (IM) role on the same domain
> controller as the Global Catalog server (i.e. Primary DC).

There is no choice here.  SBS is REQUIRED to hold all FSMO roles and be a GC.  If it doesn't it will begin shutting down in a few days to weeks.
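
One way to check the FSMO placement requirement described in the answer above once a second DC exists, as an added example that is not part of any post in this thread. It parses the text printed by `netdom query fsmo`; the sample output is constructed, and the names `SBS01`, `APP01` and `example.local` are hypothetical.

```powershell
# Added example: confirm the SBS server still holds all five FSMO roles.
# Written for PowerShell 2.0 syntax. Sample data below is constructed.

function Get-FsmoHolders {
    param([string[]]$NetdomOutput)
    # Role labels as printed by `netdom query fsmo`.
    $labels = 'Schema master', 'Domain naming master', 'PDC',
              'RID pool manager', 'Infrastructure master'
    foreach ($line in $NetdomOutput) {
        foreach ($label in $labels) {
            # Label, padding, then exactly one token: the holder's FQDN.
            if ($line -match ('^\s*' + [regex]::Escape($label) + '\s+(\S+)\s*$')) {
                New-Object PSObject -Property @{ Role = $label; Holder = $Matches[1] }
            }
        }
    }
}

function Test-SbsFsmoPlacement {
    param([string[]]$NetdomOutput, [string]$SbsServer)
    $holders = @(Get-FsmoHolders -NetdomOutput $NetdomOutput)
    # Refuse to report success on truncated or unexpected output.
    if ($holders.Count -ne 5) {
        throw "Expected 5 FSMO roles in the output, parsed $($holders.Count)."
    }
    # Compare short host names; -ne is case-insensitive for strings.
    $misplaced = @($holders | Where-Object { ($_.Holder -split '\.')[0] -ne $SbsServer })
    foreach ($m in $misplaced) {
        Write-Warning "$($m.Role) is held by $($m.Holder), not $SbsServer"
    }
    return ($misplaced.Count -eq 0)
}

# Constructed sample: one role has ended up on the second (hypothetical) DC.
$sample = @(
    'Schema master               SBS01.example.local',
    'Domain naming master        SBS01.example.local',
    'PDC                         SBS01.example.local',
    'RID pool manager            SBS01.example.local',
    'Infrastructure master       APP01.example.local',
    'The command completed successfully.'
)
Test-SbsFsmoPlacement -NetdomOutput $sample -SbsServer 'SBS01'

# Against a live domain, run on the SBS server:
# Test-SbsFsmoPlacement -NetdomOutput (netdom query fsmo) -SbsServer $env:COMPUTERNAME
```

The check covers FSMO role placement only; Global Catalog status has to be confirmed separately.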
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 576 total points
ID: 34983492
Fortunately you've gotten some good advice here, and unfortunately you've also gotten some bad advice. To recap (and to add something nobody else has added)

1) SBS *can* have multiple domain controllers.
2) Recovering a server in a multi-DC environment is *significantly* more complex. Don't add a DC unless you KNOW how to do this. Taking advice from a friend isn't recommended.
3) SBS 2008 CALs cover any Windows 2008 servers and any Exchange 2007 servers in your environment. Additionally SBS 2008 Premium CALs cover any SQL Server 2008 servers in your environment.....

What is notable about #3 is the versions.

SBS CALs ***DO NOT*** cover Windows Server 2008 R2. Separate CALs must be purchased. Similarly, you could not introduce Exchange 2010 into an SBS 2008 environment and expect the CALs to cover it. SBS CALs have always been written in a way where they cover version N and downlevel, but NEVER uplevel. So your 4 CALs for 2008 R2 would not allow users to authenticate against your server as a DC even if your SBS server *did* fall over.

In short, my recommendation is to have a good backup/disaster recovery scenario, and let your LOB app server be a LOB app server. Pass on by the DC implementation.


Author Comment

ID: 34999218
Thanks for all your comments, they are all appreciated.  And a special thanks for cgaliher and leew for summarizing and advising on the previous post.  

Why does Microsoft recommend 2 or more DCs if it's complex to restore a backup? I'm asking this question to further my understanding of multi DC sites.  How much more complex would it be to restore to a multi DC environment?

Please correct me if you think I'm on the wrong track here:

Taking into consideration that multi DC restore is more difficult, then probably a good backup and restore will be the best method.  This is because all the data is held on the SBS server using direct storage, so users still won't be able to access their data (Files, Exchange, Sharepoint) until the primary SBS has been restored.

LVL 60

Accepted Solution

Cliff Galiher earned 576 total points
ID: 34999460
Restoring becomes a careful balance of keeping AD stable both during the restore and after the restore completes and the DCs resync. It is a significant investment and commitment to education, TESTING, and then follow-through in an actual DR scenario.

As far as the multi-DC message from MS, it is a problem systemic in MS in general, and one that I just had a lengthy conversation about with some of the win-server management team. MS has a bad habit of writing advice ONLY for the enterprise...and the large enterprise at that. They forget to "scale down" and provide advice for small organizations.

For example, Lync is a great product. But reading the docs, you'd think a deployment is too complex for the SMB. It actually isn't, but all the docs talk of redundancy, edge, mediation, and such and present a portrait of a 3 or 4 server minimum deployment. In actuality, you can easily go smaller, but the message isn't there.

Similarly, MS's message of multiple DCs is geared towards multiple Exchange, multiple storage (DFS/SAN) and similar where a down DC JUST does domain services. So multiple DCs provide redundancy where one being down will go unnoticed by the end user. So the cost of the extra complexity of restoring is offset by the productivity of a server going down and seamless failover of services to another server. End users keep working as you restore.

In most SBS environments, if SBS is down, you are losing other services as well. Restoring to regain email, files, SQL, sharepoint, etc becomes a priority anyways, even if you HAVE a second DC. So if there is service interruption regardless, a majority of the benefits of a second DC goes away, but the cost of complexity is still there.

Again, this is a matter of MS's messaging targeting large enterprises and offering true high availability. And that message, thus that advice, doesn't scale down.

