Solved

Second AD Domain Controller

Posted on 2011-02-25
585 Views
Last Modified: 2012-08-13
I have a server which runs 4 virtual machines on Hyper-V, and is also a DC, DNS, DHCP. I obviously want to have a backup of this. I have two older machines which I primarily use as SQL batch operation machines.

Should I install/promote a virtual machine, or one of the old physical machines? What happens when the old physical machine dies? Does that leave rogue crap in AD forever that is always causing errors? I have had this problem before on another network where one of the DCs died, and I could never get rid of some phantom issues where it was looking for the other machine first.

The only reason I could think of to use a virtual machine as the secondary DC would be because I can redeploy that from a backup image, and bam, I have my AD back. The physical old machine I think would be the best route, but if it dies, I likely don't want to replace it right away. So what happens when a secondary DC just drops off the face of the earth, I guess, is the real question?
Question by:markterry
 
LVL 2

Accepted Solution

by:
Mattrw earned 500 total points
ID: 34984429
Virtual DCs can be a bit of a problem. If the virtual DC has a problem with its network connectivity it will opt to receive its time from the clock on the hardware it's hosted on. This in turn can cause problems because it may fall out of sync with other DCs while it thinks it has the correct time. MS recommend you stick with physical DCs wherever possible. If your physical DC is lost forever, then seize the roles this broken DC held, rebuild a new server, promote it and name it accordingly; it will start to replicate all of the information from the other domain controllers.
0
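The "seize the roles, then clean up the dead DC" procedure above, written out as an added PowerShell example (not from the thread or any of its posters). It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later), a surviving DC named DC-ALIVE, a permanently lost DC named DC-DEAD, and the domain corp.example; all three are placeholders. The metadata cleanup step is what removes the "phantom" references the question describes.

```powershell
# Run elevated, as a member of Enterprise Admins, on a surviving DC or a
# management box with RSAT. All names below are placeholders.
Import-Module ActiveDirectory

$survivor = 'DC-ALIVE'   # placeholder: the DC that is still up
$dead     = 'DC-DEAD'    # placeholder: the DC that will never come back
# Placeholder DN of the dead DC's server object under the Sites container.
$deadServerDn = 'CN=DC-DEAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example'

# 1. Find out which FSMO roles the dead DC held, so only those get seized.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Seize the roles onto the survivor. -Force turns a transfer into a seize;
#    use it only when the old holder is gone for good, because a seized role
#    holder that later comes back online conflicts with the new one.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Metadata cleanup: remove the dead DC's NTDS settings and server object so
#    the remaining DCs stop trying to replicate with (and prefer) it.
ntdsutil "metadata cleanup" "remove selected server $deadServerDn" quit quit

# 4. Verify: the dead DC should no longer be listed, and the survivor should
#    hold all five roles.
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperationMasterRoles
netdom query fsmo
repadmin /replsummary
```

After step 3, also check DNS for leftover A, SRV and NS records pointing at the dead DC and for a stale entry under Sites and Services; those records are what makes clients keep "looking for the other machine first". Once the new server is promoted with the same name, the roles can be transferred back normally (without -Force).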
 
LVL 2

Assisted Solution

by:Mattrw
Mattrw earned 500 total points
ID: 34984469
Further clarification: your DCs should have an NTP time source set, such as an atomic clock which can be updated over the internet. If your virtual DC loses this NTP time source it will opt for the hardware time source in the BIOS.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 34984485
In an only-two-DC environment (which is minimally what you should have), opt for one physical.

VM based DCs have been far too prevalent and they are supported by MS.

Regarding the time sync issue mentioned above, see my blog post http://www.shariqsheikh.com/blog/index.php/200912/time-synchronization-for-virtualized-dcs/
0
 
LVL 6

Author Closing Comment

by:markterry
ID: 34984487
Thank you! That is very informative and exactly what I was hoping/expecting to hear.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 34984510
Only the PDCe (the FSMO role) should be set up as NTP (with an external source); the other DC(s) should be set up with NT5DS, i.e. set up to sync their time with the PDCe (by default).

http://support.microsoft.com/kb/816042
0
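The time hierarchy described in the last two comments (external NTP on the PDC emulator only, NT5DS/domain hierarchy on every other DC), as an added PowerShell example that is not from the thread or the linked blog post. It assumes the ActiveDirectory module and uses the public pool.ntp.org servers as a placeholder external source; it is run elevated on each DC and decides by itself whether the local machine is the PDCe.

```powershell
# Run elevated on every DC. The script picks the right w32tm configuration
# for this machine; the external peers are placeholders.
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator                              # FQDN of the PDC emulator
$me   = "$env:COMPUTERNAME.$env:USERDNSDOMAIN".ToLower()

if ($pdce.ToLower() -eq $me) {
    # PDCe: manual peer list of external NTP servers. The ",0x8" flag asks
    # for client-mode (unicast) requests; /reliable:yes advertises this DC as
    # a reliable time source so the other DCs will pick it via the hierarchy.
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
        /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC, physical or virtual: follow the domain hierarchy (NT5DS),
    # i.e. sync from the PDCe, not from the BIOS clock or the Hyper-V host.
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service w32time
w32tm /resync /nowait

# Verification. On the PDCe /query /source should name an external NTP server;
# on the others it should name the PDCe. "Local CMOS Clock" means the DC is
# free-running on its hardware clock, and "VM IC Time Synchronization Provider"
# means a virtual DC is taking time from the hypervisor instead of the domain.
w32tm /query /source
w32tm /query /status
```

For a DC running as a Hyper-V guest, the source to watch for in the output is the VM IC provider: if it shows up, the guest's integration services are overriding the domain hierarchy, which is exactly the drift scenario described above. Note that `w32tm /query /source` and `/query /status` exist on Server 2008 and later; on Server 2003 use `w32tm /monitor` against the DC list instead.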
 
LVL 6

Author Comment

by:markterry
ID: 34984567
I guess I accepted the answer to the question a bit too early. Now I am a bit torn. So should I go virtual then?

I still think I will go for physical over virtual, as if the host goes down, so do the virtuals, and I have to wait to be able to restore for AD to be online.

I will take heed of the time issues; that is very informative. Thank you!
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 34984600
0
 
LVL 6

Author Comment

by:markterry
ID: 34985096
Is restoring from a backup image (Windows backup image) just as bad as well?
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 34985445
True, as it is an image; take a look at the links regarding the USN issue with doing so.
0
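The USN issue the last two comments refer to is USN rollback: a DC restored from a raw image resumes with update sequence numbers its replication partners have already seen, so changes silently stop replicating. An added PowerShell example (not from the thread) that checks a restored DC for the condition; it assumes the domain DN DC=corp,DC=example as a placeholder and relies on the documented indicators, the "Dsa Not Writable" registry value and Directory Service event 2095.

```powershell
# Run elevated on the DC that was restored from an image. Domain DN is a placeholder.
$domainDn = 'DC=corp,DC=example'
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-UsnRollback {
    # NTDS writes "Dsa Not Writable" = 4 when it detects that its own USNs have
    # gone backwards relative to what partners recorded, and then quarantines
    # itself: inbound/outbound replication is disabled and Netlogon is paused.
    $value = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' `
                -ErrorAction SilentlyContinue).'Dsa Not Writable'
    return ($value -eq 4)
}

if (Test-UsnRollback) {
    Write-Warning 'USN rollback detected: this DC has quarantined itself and must be demoted/rebuilt or restored supportably.'
} else {
    Write-Output 'No USN rollback flag set on this DC.'
}

# Event 2095 in the Directory Service log is the matching alert; 2103 follows
# when NTDS pauses Netlogon. Recent occurrences, if any:
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# The up-to-dateness vector shows the highest USN each partner has seen from
# this DC's invocation ID; a local highest-committed USN below that number is
# the rollback itself.
repadmin /showutdvec localhost $domainDn
repadmin /showrepl localhost
```

The supported alternative to an image restore is a system-state restore through Directory Services Restore Mode (Windows Server Backup, or ntdsutil/wbadmin): that path resets the DC's invocation ID so partners treat it as a fresh replica instead of a rewound one, which is why it does not trigger the flag this script checks.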
