JeReLo asked:
What's minimum setup and general purpose of secondary domain controller

Hi, if you have sbs2011 and it runs as a domain controller, then I gather that I should have a secondary domain controller within the domain, right?

My question is, since I know very little about network setup, is this just like setting up a domain service that works like active directory, and provides the domain authentication to users if the primary domain controller (ie the server) goes down?

And if that's right, why couldn't I just run it on a windows 7 domain client? I mean it's a service, like IIS, and why shouldn't it run on a lowly pc. It would just have to tide the naming over for a little while, not run the network or anything. Ok, that's a beginner's view, so expert, what's the real case?

Then, I'd like to simplify the question into real hardware. What's the minimum I need from a financial perspective on the basic level of box and license. But, really, it's more about identifying intermediate range options, as well as the minimum, for introducing a secondary domain name controller. For example, currently with sbs2011 standard, if I had an upgrade (or is it new purchase?) to a premium version, that'd be an option. While for the minimum option, maybe just an old SBS 2003 license, running on some old neglected box would do fine. This is a question ideally suited to someone who has setup and designed their own networks. In my context I'm the administrator of my own small business, so I'm free to look at whatever routes appeal, and I'd like to learn about the general purpose and function for the secondary. And, if you like, how the sql server would normally (optimally) sit in the network (probably on the secondary?).

I'm hoping for a general guidance answer here. Ideally: Brief purpose of secondary, and simple discussion of hardware & license combinations that meet my goal of understanding minimum and intermediate range options for the secondary name controller.
BWaring:

SBS 2011 (SBS in general) has special licensing requirements, so you don't really have as many choices as you may think....

In simple terms, the 'purpose' of the BDC is disaster recovery. If the PDC dies, and there is no backup BDC (or backup at all), you lose all Active Directory information, which essentially means you are reinstalling your complete network from scratch. If you have adequate backups (tape, disc, etc...) that stored all AD info, it's possible, but time consuming, to get back to a working state. With the BDC, if the PDC fails, you promote the BDC to the PDC role, then just restore any data you need from the old PDC machine, then reinstall Windows on the old machine.... SBS is different in that the licensing is locked to specific numbers of domain controllers, there's other stuff to do to get it back up in the original configuration, and there's so much on Server A anyway, that you're going to need to reinstall/restore a bunch of stuff... but at least you don't have to recreate the whole AD network...

Now for licensing, you only have one option. SBS is locked in "Standard" to one domain controller. If you upgrade with the "Premium Add-on", you get a second Win2K8 license and that server has the ability to be a BDC... that's it... no other choice... you can then also use that server as the SQL2K8 server with the SQL license it comes with....

So as for hardware, if you're adding the Premium Add-on to get the second BDC and that is ALL it's going to do, then you just need a basic entry level SERVER class machine that is certified to run Win2K8 (you asked, so no you cannot run a BDC on Win7 or any desktop version, even a 'regular' BDC that is not SBS). I'm not sure that anyone would buy a second server AND the Add-on just to run a BDC, so if you don't need SQL then figure out something else it can do with it....

But again, as most of the stuff is on Server A (Exchange 2010 SP1, SharePoint Foundation 2010, Windows Software Update Services, etc...), I'd put my money in to redundancy on that server and good backups....

You can look here: http://www.microsoft.com/sbs/en/us/compare-features.aspx for more info on the SBS versions and what you get.
Lee W, MVP:
> Hi, if you have sbs2011 and it runs as a domain controller, then I gather
> that I should have a secondary domain controller within the domain, right?
SHOULD you, strictly speaking for redundancy and backup, yes.  BUT in general, if you backup regularly, AND you are a small business of, I would say 10 or fewer users, then you can get away without one without too much risk.

> My question is... is this just like setting up a domain service that works like
> active directory, and provides the domain authentication to users if the
> primary domain controller (ie the server) goes down?
Active Directory is not JUST authentication - AD is a system of managing logically grouped systems.  You only get Group Policy through AD.

> And if that's right, why couldn't I just run it on a windows 7 domain client?
Active Directory requires a Windows Server, excluding Storage server lines, Home Server lines, and Web server lines.  If you just want authentication, you would need some kind of LDAP server and a method of joining workstations to it.  You could use Linux as well, but again, you ONLY get authentication, no group policy.  And you CANNOT add a non-AD domain controller to an SBS domain.

> I mean it's a service, like IIS, and why shouldn't it run on a lowly pc. It
> would just have to tide the naming over for a little while, not run the
> network or anything.
I don't follow...

> I'd like to simplify the question into real hardware. What's the minimum I need
> from a financial perspective on the basic level of box and license.
Depends on how big your company is.  If it's under 15 users (I'd say really, under 10) then you can get Windows Server 2008 R2 Foundation edition which would be about $300 for the license when purchased with a low-end OEM server that would probably cost as little as $800 - so about $1100.

> But, really, it's more about identifying intermediate range options, as well as
> the minimum, for introducing a secondary domain name controller. For example,
> currently with sbs2011 standard, if I had an upgrade (or is it new purchase?)
> to a premium version, that'd be an option.
You don't have to get the premium add-on - in fact, if you aren't going to use SQL, I wouldn't - it's too expensive.  The premium add-on is $1600.  Server 2008 R2 Standard is $1100 (or less).
If you ARE going to use SQL, then this is the best option - assuming you cannot use SQL Express.

> While for the minimum option, maybe just an old SBS 2003 license, running on
> some old neglected box would do fine.
Not possible.  There can only be one SBS box (of any version) in a domain.  Adding another will start shutting down the one that is not the FSMO master DC after a grace period.
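Lee W's answer above says that any other Windows Server edition (Foundation, Standard, etc.) can be added to an SBS domain as a domain controller as long as it holds no FSMO roles. As an added example that is not part of this thread, here is the 2008 R2-era way to do that from PowerShell: write a dcpromo unattended answer file for a replica DC and run it. The domain name contoso.local, the site name, the admin account and the NTDS/SYSVOL paths are assumptions; adjust them. It adds the server as a replica DC and Global Catalog with DNS installed, and deliberately moves no operations master roles, since on SBS all five must stay on the SBS server.

```powershell
# Added example (not from this thread): promote a Windows Server 2008 R2 box to
# an additional (replica) domain controller in an existing SBS 2011 domain using
# dcpromo's unattended answer file. Written for PowerShell 2.0 (the version
# shipped with 2008 R2 / SBS 2011).
#
# Assumptions (hypothetical values; change them for your environment):
#   - the domain's DNS name is contoso.local
#   - the new server's DNS client points at the SBS server
#   - CONTOSO\Administrator is a member of Domain Admins
#   - the default site name is still Default-First-Site-Name
#   - run from an elevated PowerShell prompt on the NEW server

$DomainDnsName = 'contoso.local'          # assumption
$AdminUser     = 'CONTOSO\Administrator'  # assumption
$AnswerFile    = Join-Path $env:TEMP 'dcpromo-replica.txt'

# Check 1: a DC needs a Server SKU (Win32_OperatingSystem.ProductType 1 = workstation).
# This is the concrete reason the "run it on Windows 7" idea cannot work.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.ProductType -eq 1) { throw 'Workstation SKU detected; a domain controller requires Windows Server.' }

# Check 2: the DC locator must find the SBS server through DNS before dcpromo can replicate.
$null = nltest /dsgetdc:$DomainDnsName 2>&1
if ($LASTEXITCODE -ne 0) { throw "nltest cannot locate a DC for $DomainDnsName; point DNS at the SBS server first." }

# The Directory Services Restore Mode password has to be in the answer file.
# Prompt for it, keep the file only for the duration of the run, then shred it.
$dsrm  = Read-Host -AsSecureString 'Directory Services Restore Mode (DSRM) password for the new DC'
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

# ReplicaOrNewDomain=Replica joins the existing domain; no FSMO role is touched.
# ConfirmGc=Yes makes it a Global Catalog (fine alongside SBS, which must be one too).
# Password=* makes dcpromo prompt interactively for the domain admin password.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainDnsName
UserName=$AdminUser
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=Yes
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

try {
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$AnswerFile
} finally {
    # The file briefly held the DSRM password in clear text: overwrite, then delete.
    Set-Content -Path $AnswerFile -Value ('0' * 4096)
    Remove-Item -Path $AnswerFile -Force
}
```

After the reboot, confirm replication with `repadmin /showrepl` on either DC and make sure the new server's DNS client lists itself and the SBS server; the SBS server's Best Practices Analyzer will complain if the new DC is not a Global Catalog. Do not run the Foundation edition as this DC if the domain will ever exceed 15 user accounts, for the licensing reason Lee W gives below.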
SOLUTION (BWaring; answer text not shown on this page)

Lee W, MVP:
BWaring is incorrect about several things:

> SBS 2011 (SBS in general) has special licensing requirements, so you
> don't really have as many choices as you may think....
Misleading.  There are limiting features, but the only REQUIREMENT that affects the question as asked is that you can only have ONE SBS server in a domain.  You can have as many Standard, Enterprise, Web, Data Center servers as you like, any version, though any NEWER version than the version of Windows that runs the SBS server will require additional CALs.

> In simple terms, the 'purpose' of the BDC is disaster recovery.
First, there is no such thing in an Active Directory Domain.  
Second, they are used for redundancy, not disaster recovery.  A reboot is not a disaster but without a second DC, the workstations would be unable to access the internet (in a properly setup network) while the server rebooted.  

> If the PDC dies, and there is no backup BDC (or backup at all), you lose all
> Active Directory information, which essentially means you are reinstalling
> your complete network from scratch. If you have adequate backups (tape,
> disc, etc...) that stored all AD info, its possible, but time consuming, to get
> back to a working state. With the BDC, if the PDC fails, you promote the
> BDC to the PDC role, then just restore any data you need from the old PDC
> machine, then reinstall Windows on the old machine....
This is a greatly simplified and incorrect description that really would be more applicable to an NT4 domain.

> SBS is different in that the licensing is locked to specific numbers of domain
> controllers,
Untrue.  You can have as many DCs as you like.  Again, the restriction is only ONE SBS server - this is because SBS MUST hold the FSMO master roles.  Other DCs are possible and welcome, just cannot hold any FSMO masters.

> there's other stuff to do to get it back up in the original configuration, and
> there's so much on Server A anyway, that you're going to need to
> reinstall/restore a bunch of stuff... but at least you don't have to recreate
> the whole AD network...
Any time you have a true systems failure you can expect LOTS of work to get back to normal...

> Now for licensing, you only have one option. SBS is locked in "Standard" to
> one domain controller.
Again, incorrect.  See above.

> If you upgrade with the "Premium Add-on", you get a second Win2K8 license
> and that server has the abillity to be a BDC... that's it... no other choice...
Again, incorrect. See above.
To clarify the limiting features:
*Only ONE SBS server per domain (because it MUST be the FSMO master DC).
*NO TRUSTS with other domains
*The SBS Server CANNOT be a Terminal Server (though another server CAN be added to the domain)
*Maximum of 75 users
*MUST be a Global Catalog (Other Global Catalogs are fine).
*MUST have the SBS included Exchange server installed on it.
BWaring:

If you read the first thing I wrote, I said "In simple terms".... he doesn't have 50 servers, just one, and he seemed to want to know if he should spend the money for a second server to act as a BDC, so I made it a simple explanation. I'm sure he doesn't need or want to hear about FSMOs, LDAP servers, or Linux, if he doesn't know that AD cannot run on Win7. And I'm not sure where I said "Active Directory Domain"....

And yes, sorry, there is more than one option, other than the Prem Add-on for a BDC, but again simple.
JeReLo (asker):
Ok, good.
So BDC maintains the ability of domain members to log in while server restarts.
Promoting bdc to pdc seems like an interesting, at least possible, practice for some situations...

Options I can feed back:
If I want to run sql (currently using sql express 2008 r2, and probably should use sql when I start charging money) then premium on the second server is efficient.

Else, if going with express version, then Windows Server 2008 R2 Foundation edition is lower cost route.

thanks.
Lee W, MVP:

AD is not overly complicated unless you make it so.  There is no BDC or PDC - this is NT terminology and should not be used here.  If you are using Server 2000, 2003, 2008, or 2008 R2 (including SBS versions) you are using Active Directory.  Doesn't matter if you said it or not - it IS Active Directory.

And if you truly knew this, why did you try to "correct" me
> The Premium Add-on is what does give you the ability in SBS 2011 to have the second BDC....
This is completely WRONG.
> So BDC maintains the ability of domain members to log in while server restarts.
If you want to prevent complications in the future and possibly incorrect advice, I strongly recommend you try to understand the terminology.  "BDC" is not used.  I've seen people given wrong advice - such as the suggestion (which you are now using) that you would "promote" another server in Active Directory to be a PDC.

Since BWaring is fond of simplicity, it's simple - In Active Directory Domains (which is what every Windows domain created with any version of Windows Server since 2000 is) all DCs are just that - DCs.  Period.  There are 5 master roles, known as FSMO masters - in an SBS domain, the SBS server must hold all of them.  But in a non-SBS domain, the roles can be split amongst up to 5 servers.  At which point which one would you call a "PDC"?  Proper terminology is essential to GOOD help.

> Promoting bdc to pdc seems like an interesting, at least possible, practice for some situations...
There is no such action in Active Directory domains.  This was proper terminology in NT4, now it's just wrong.  In a disaster it MIGHT be necessary to seize FSMO roles.  But to be blunt, if installing Windows networks is not what you do on at least a semi regular basis, it's unwise to start randomly trying to recover a major systems failure (or even INSTALLING the network) without professional ON-SITE help.  I would suggest you read this: https://www.experts-exchange.com/blogs/leew/B_4284-Installing-Upgrading-SBS-in-My-Small-Business.html


> Options I can feed back:
> If I want to run sql (currently using sql express 2008 r2, and probably should use
> sql when I start charging money) then premium on the second server is efficient.
I have no idea what your business is.  To me, this is more a licensing question that should be discussed with Microsoft to ensure you remain legal.  I'm under the impression that you might need a SQL server with PER PROCESSOR licensing, which the SBS SQL wouldn't be (and per processor is VERY expensive) depending on what you are doing.  You might want to look into MS programs like BizSpark.

> Else, if going with express version, then Windows Server 2008 R2 Foundation edition is lower cost route.
If you don't want to use Exchange, then there's no reason to purchase SBS.  The CALs are more expensive and the product is more expensive.  Another option, if you want workstation backup and features like RWA (Remote Web App), then you should look into SBS essentials which was released to manufacturing today and should be available in a few weeks.
BWaring:

Once again, trying to give simple answers in an easy-to-understand manner.... obviously (to me at least) you're not really into that, so whatever....

JeReLo, you didn't mention how small your company is: SBS 2011 Essentials is limited to 25 users, there are no CALs, and you are not licensed to access other 2008 servers in the domain. SBS 2011 Standard is limited to 75 users, comes with 5 Standard CALs, and they are licensed for access to other 2008 servers in the domain. You can add Premium to either (which also comes with 5 Premium CALs - something to consider when comparing to other 2008 second server options) and to access the Premium features (SQL for example), you need the Premium CALs for either version. Server 2008 Foundation is limited to 15 users, so if you plan to have more than that, you would need 2008 Standard. And if you choose SBS Essentials, you would need CALs for that server. It can get complicated quickly, so the best thing to do is determine how many users you will have (SBS is only named users or devices, not concurrent) and what services on which servers they will need to access, then speak with a MS licensing specialist for specifics (as leew mentioned).
JeReLo (asker):
Interesting that there appears to be a conflict in terms of teaching approaches, with bwaring in the role of simple and leew in the role of refined. Well, carry on, because I definitely am learning from both sides, and the critiques of each side are useful too.

My business is as a small entrepreneur, and the work should be considered as similar to having a small school. I am learning to administer it and that's non-negotiable. There are currently two teachers and it is being set up to have about 3 students at a time. So, very small with 5 accounts, SBS2011 seemed just fine. Now I'm introducing media services and I was trying to install it on the server, but I was getting an error when I ran the web platform installer; it referenced a problem in running SQL (express) on the domain controller, with the system service account. (Specific error: Network Service or Local Service account is not permitted for the SQL Server service on a domain controller.) Anyway, that got me thinking about the problem, and hence the need to get familiar with the network.

A trip to wikipedia enhanced my understanding of what leew was describing. I found the flexible single master of operations has three roles in domains: 1) Relative ID master - relating to groups and principals in Active Directory, 2) Infrastructure master - relating to globally unique identifiers related to each account and file permissions and 3) Primary Domain Controller Emulator - related to password authentication. The remaining 2 FSMO roles only apply to forests of domains and are schema master - relating to types of objects in the forest, and domain naming master - tracking the names of domains in the forest. In SBS2011 I'm guessing that only the first 3 are active, as I don't remember seeing forest or setting it up.

This question came up today, because I was trying to install media services on the Domain Controller, and the web platform installer couldn't update SQL 2008 R2 Express. The error was "Network Service or Local Service account is not permitted for the SQL Server service on a domain controller." I have used the system account for the SBS instances (SBSMONITORING and SHAREPOINT) and another domain administrator account for a personal SQL instance.

So that got me thinking that I needed to run my personal SQL instance on another pc. Then I remembered recommendations from SBS that I have a secondary domain name controller.

So, is it correct to use the term secondary domain controller emulator? And this can be implemented on a second server running either through SBS premium or with the addition of Windows Server 2008 Foundation?

Finally, anyone know what account SQL express should run as, if it's running on a domain controller. I must admit that as this is a very small domain, which I can be rather experimental in running, I can live with situations that would never fly in a big business, but which are acceptable in my thrifty situation.

I understand why you'd both recommend I speak with a licensing specialist, and I will. But I can tell you that the better I know the situation, and what I really need, the more efficient I can be as I resource my project.
Lee W, MVP:

JeReLo,

Until BWaring's last comment, the information BWaring was providing was, in my opinion, misleading at best and I would call it frequently wrong, based on my experience both in understanding the technology and in seeing (and answering) MANY questions on SBS here.  I checked BWaring's profile and found no evidence of experience.  Much of the information BWaring posted is often posted here by people who simply don't understand the product.  A common misconception is that SBS can be the only server/only domain controller.  And I've seen people say the only way you get another is by using the Premium version - this is all false and frankly, I don't see why it's easier to claim you can only run another DC by spending excessively on the premium add-on rather than just buying another server.  BWaring's last comment is correct in what it states, but sounds to me like a summary of a blog entry describing the product.  I suspect he took offense to my stating he was incorrect and is trying to prove he knows what he's talking about by saying he's just trying to simplify things by effectively giving you old terminology and half-truths. (And I'm sure he'll find this offensive as well - anyone who knows SBS and AD knows what I've said to date is correct on a technical level and if I am wrong about BWaring's motivations, fine - that part is opinion based on his comments and my interpretation of them, both the actual statements and my interpretation of motivation.  If I'm incorrect, fine, I'm incorrect.  But about the statements in regards to the technology, I am extremely confident I am not (I've been doing this a long time and working with some extremely knowledgeable people).)

Actually there are 5 FSMO roles - http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm - Schema Master, Domain Naming Master, Infrastructure Master, PDC Emulator, and RID Master.

A PDC (Primary Domain Controller) was the ONLY writable copy of the user/computer database in an NT4 domain. BDCs were only replicating copies of the PDC.  BDCs were capable of authenticating you at logon, but if you created a new user or joined a computer to the domain, the PDC HAD to be on and that's where the account was created.  If the PDC failed, you could then Promote a BDC (Backup Domain Controller) to be the PDC - this changed its database from a read-only copy to the authoritative read/write copy that now replicated out to the other BDCs.

In Active Directory, everything is a DC because the FSMO Roles govern certain aspects of the domain (based on role) so that ALL DCs are WRITABLE copies of the database. (2008 introduced Read Only DCs - RoDCs - which have some similarities to BDCs but are different).  All the DCs replicate with one another so one or more of the FSMO masters can be down without affecting domain function.  EVENTUALLY, a down FSMO master will create problems, but being down for a day - even a week or a month in a small environment won't bother you (except with SBS since one way MS enforces that it is JUST used in a small domain is by ensuring the FSMO roles all run on the one SBS Server).  One example - In NT4 and Active Directory, everything gets a unique Security ID (SID).  In NT4, the PDC tracks these which is why it MUST be on when attempting to create an account.  In AD, the RID master hands out blocks of SIDs to each DC so each DC can create accounts until they run out of SIDs - when they go back to the RID master and ask for more.

You can add a Server 2008 Foundation system to an SBS domain - but not if you have more than 15 accounts in the domain (the reason I recommended 10 is that you essentially have to throw away the license once you go over 15, so you at least have some growth if you have 10 accounts (or less) to start).  Foundation will tell you you are violating licensing if it is installed in a domain with more than 15 user-created users.  A Foundation system can be a DC or a member server, so long as your domain doesn't exceed 15 users.

In general, it's recommended that SQL services run as a user account - a specifically created user account that JUST runs SQL services.  On a DC or otherwise.

As for terminology - it's either a DC, or a DC that holds one or more FSMO roles.  There are no official terms such as "SDC" as in secondary DC or "ADC" as in additional DC - I've seen both posted from time to time, but neither is correct.  Reasons you should be told CORRECT terminology from the start include that it can affect your attempts to obtain help in the future - someone starts calling these things PDCs and BDCs and now you're searching google for them and you get a lot of VERY OLD information that no longer applies.  I've seen someone post a question here and get advice on how to do something but the advice was completely wrong because it applied to NT4 - and if they were talking about NT, they would have been completely correct... but now, getting wrong terminology, you're getting frustrated because your searches tell you to "promote the BDC" but you can't find any way to promote a DC in 2000/2003/2008 - because you CAN'T.  So I don't see how this is "Simpler" or helping you, especially in the long term.
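As an added example (not code from any participant in this thread), here are two checks in PowerShell that follow from Lee W's explanation above: which DC holds each of the five FSMO roles (in an SBS domain all five must stay on the SBS server, so the second DC should show none of them), and which account each SQL Server service logs on as, with a function that moves an instance to a dedicated, unprivileged domain user as recommended, which also resolves the "Network Service or Local Service account is not permitted ... on a domain controller" error the asker quoted. It assumes it runs on the SBS 2011 server as a Domain Admin with the ActiveDirectory module and SQL Server SMO installed; the instance name MSSQL$PERSONAL and the account name svc-sql are hypothetical.

```powershell
# Added example (not from this thread). PowerShell 2.0 compatible (SBS 2011 / 2008 R2).
# Assumptions: run on the SBS server as a Domain Admin; RSAT ActiveDirectory module
# and the SQL Server SMO assemblies are installed; the instance and account names
# used in the usage lines are hypothetical.
Import-Module ActiveDirectory

function Get-FsmoReport {
    # All five operations masters. Get-ADForest holds the two forest-wide roles,
    # Get-ADDomain the three domain-wide ones; each value is the holder's FQDN.
    $d = Get-ADDomain
    $f = Get-ADForest
    $sbsFqdn = "$env:COMPUTERNAME.$($d.DNSRoot)"   # assumes this script runs on the SBS server
    $roles = @(
        @('SchemaMaster',         $f.SchemaMaster),
        @('DomainNamingMaster',   $f.DomainNamingMaster),
        @('PDCEmulator',          $d.PDCEmulator),
        @('RIDMaster',            $d.RIDMaster),
        @('InfrastructureMaster', $d.InfrastructureMaster)
    )
    foreach ($r in $roles) {
        New-Object PSObject -Property @{
            Role        = $r[0]
            Holder      = $r[1]
            OnSbsServer = ($r[1] -ieq $sbsFqdn)
        } | Select-Object Role, Holder, OnSbsServer
    }
}

function Test-FsmoOnSbs {
    # True only when every role sits on this (SBS) server. A 'False' here after
    # adding a second DC means a role was moved, which SBS will not tolerate.
    @(Get-FsmoReport | Where-Object { -not $_.OnSbsServer }).Count -eq 0
}

function Get-SqlServiceAccounts {
    # Engine and Agent services and their logon accounts. On a DC, LocalService and
    # NetworkService are refused by SQL setup (the asker's error), and LocalSystem
    # on a DC has full control of the directory, so none of the three is acceptable.
    Get-WmiObject Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name = 'SQLSERVERAGENT' OR Name LIKE 'SQLAgent%'" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Service     = $_.Name
                LogonAs     = $_.StartName
                NeedsChange = [bool]($_.StartName -match 'LocalService|NetworkService|LocalSystem')
            } | Select-Object Service, LogonAs, NeedsChange
        }
}

function Set-SqlServiceAccount {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,                     # e.g. 'MSSQL$PERSONAL' (hypothetical)
        [Parameter(Mandatory=$true)][string]$AccountSam,                      # e.g. 'svc-sql'        (hypothetical)
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    # 1. A dedicated domain user that runs SQL and nothing else: no admin group
    #    memberships, password that does not expire (a rotation is a planned change).
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountSam'")) {
        New-ADUser -Name $AccountSam -SamAccountName $AccountSam -AccountPassword $Password `
                   -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
                   -Description 'SQL Server service account; runs only the SQL service'
    }
    # 2. Change the logon account through SQL's own WMI provider (SMO ManagedComputer).
    #    Unlike sc.exe or Win32_Service.Change, this also grants the file ACLs and
    #    user rights the engine needs; it is what SQL Configuration Manager does.
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
    $mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
    $svc = $mc.Services[$ServiceName]
    if (-not $svc) { throw "Service $ServiceName not found on $env:COMPUTERNAME" }
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    $domainUser = "$((Get-ADDomain).NetBIOSName)\$AccountSam"
    $svc.SetServiceAccount($domainUser, $plain)
    Restart-Service -Name $ServiceName -Force      # the new account takes effect on restart
    $svc.Refresh()
    $svc.ServiceAccount                             # returns e.g. CONTOSO\svc-sql
}

# Usage (the Set-SqlServiceAccount line is the only one that changes anything)
Get-FsmoReport | Format-Table -AutoSize
"All five FSMO roles on the SBS server: $(Test-FsmoOnSbs)"
Get-SqlServiceAccounts | Format-Table -AutoSize
# Set-SqlServiceAccount -ServiceName 'MSSQL$PERSONAL' -AccountSam 'svc-sql' -Password (Read-Host -AsSecureString 'svc-sql password')
```

The two SBS-owned instances (SBSMONITORING and SHAREPOINT) are configured by the SBS installer; the function is meant for the separately created personal instance. Leave the FSMO roles where the report shows them: on SBS the only legitimate way roles end up elsewhere is a seizure during a real disaster, which is the scenario Lee W says not to attempt without on-site help.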
BWaring:

Sorry no "summary of a blog entry"... just getting the point across that MS licensing is complex. I haven't taken offense to anything you've said, nor do I have anything to prove, just trying to offer help in the most understandable manner. You obviously have this under control, so JeRelo, good luck with everything.
JeReLo (asker):
You'll get no argument from me in terms of the desirability of using current terms appropriate to specific technology. In this case, the context is SBS2011, and the question was about options for introducing a second Domain Controller. As for terms the current SBS server could be referred to as the DC and the next server would be a DC with one or more FSMO roles (specifically it would run a replicated primary domain controller emulator to handle log ons if the primary server was off or restarting).

Using Windows Server Foundation would seem to add a licensing benefit of 10 users (and here I move into unsure territory) from the current 5 (with SBS 2011) to a total of 15. Is that correct?
ASKER CERTIFIED SOLUTION (answer text not shown on this page)
JeReLo (asker):
Many thanks for the level of support on this question.

Given the fact that I'm already invested in SBS, using exchange, and interested in using sql under license, things are pointing to the 'overpriced' sbs premium option.

It's been helpful hearing from both parties, and I'll close the question.