Solved

Active Directory - Adding & Backing up Domain Controllers

Posted on 2012-03-21
Last Modified: 2012-06-27
I've inherited a domain environment and I need a little bit of help, pointers, best practices, suggestions, etc... you get the point. First here is my environment, then I will ask the questions:

Two Domain Controllers DC1 & DC2, two locations Site A & Site B both on two different subnets; however, they can communicate with each other. Both boxes are running Windows 2008 Server R2.

Site A DC1 Roles and services:

Schema Master
Domain Naming Master
RID
PDC
Infrastructure Master
Operations Masters

Active Directory Domain Services
DHCP
DNS
File Services
Print and Document Services
Multiple Group Policies

Site B DC2:
**Schema Roles/AD roles... How do I tell??

Active Directory Domain Services
DNS
File Services
Remote Desktop Services

So now on to my questions..

#1 - I know through ARCserve we are backing up the system state on both of these servers just once a month? Is this acceptable? Should I be backing something else up? Should it be more frequent? Should I be backing it up from the server itself with the backup utility?

#2 I want to add another DC to site A. What version of 2008 R2 do I need? When I do dcpromo, do I just follow the prompts? I know that it will ask to install DNS, do I need this for this domain controller? What is the best way? My goal for this DC is that in the event that DC1 goes down hard, users at site A can get DHCP, DNS, File services, and authenticate, and minimize down time. My understanding of the way we have it: if DC1 went down, DC2 could authenticate and use DNS; however, DHCP would be broken.

I'm very new to this company and don't want to break anything by implementing a new DC. Thanks in advance and I look forward to hearing all the answers.

Earlyriser
Question by:earlyriser99
4 Comments
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 250 total points
ID: 37750371
Alright, so you can add a second DC without any issues; you just go through the steps to add another DC. You need to have DNS installed as well.

http://technet.microsoft.com/en-us/library/cc733027(v=ws.10).aspx

On the DHCP issue, you can create one scope on one DC that gives out half of the addresses for your subnet and allow the other DC to give out the second half, so DC1 192.168.1.5-125 and DC2 125-250.

File services you can use DFS.

If you are running one domain then you only have one set of FSMO roles.

http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

Backing up System State daily is the recommended practice.
 
LVL 70

Expert Comment

by:KCTS
ID: 37750431
I wholeheartedly agree with the previous comments - you can add any version as an additional DC without issues, just follow the prompts and select additional DC for existing domain. Make the new machine a DC, then add DNS.

Reconfigure the DCs to use each other as their preferred DNS server and themselves as alternate DNS. Reconfigure DHCP to give the addresses of both machines as DNS servers.
 
LVL 95

Accepted Solution

by:Lee W, MVP
Lee W, MVP earned 250 total points
ID: 37750450
Site B DC2:
**Schema Roles/AD roles... How do I tell??

Active Directory Domain Services
DNS
File Services
***Remote Desktop Services***
<--THIS IS BAD ON A DC!!!!! (more below)

1 - I know through ARCserve we are backing up the system state on both of these servers just once a month?
I think you mean "." and not "?"

Is this acceptable?
Kind of.  I'll explain more below, but in short, since I wouldn't restore a DC in most circumstances unless it were my only DC, I wouldn't worry too much about it.

Should I be backing something else up?
DATA.  File server data, databases - anything that's important to you.

Should it be more frequent?
TYPICALLY people do daily backups.  Further, since System States should be pretty small, I usually do them nightly.  I rarely expect (and can't remember the last time) to do anything with a system state backup, but given how small, it doesn't generally hurt to do them nightly.

Should I be backing it up from the server itself with the backup utility?
If you want.  Generally third party tools are considered better... the important things are that you're backing up AND that you know how to restore - you have done/do plan on doing a test restore, right?

#2 I want to add another DC to site A. What version of 2008 R2 do I need?
Any version of Windows Server Standard, Enterprise, or Datacenter equal to or later than the domain functional level.  Since you want to add a 2008 R2 DC, you just need to be concerned with the version of server (Standard, Enterprise, Datacenter).  Editions like Storage Server, Web Server, Home Server, Multipoint Server CANNOT be domain controllers.

When I do dcpromo, do I just follow the prompts?
Generally, yes, but READ them.

I know that it will ask to install DNS, do I need this for this domain controller?
NEED to, no.  Should you?  Why not?  An additional DNS server can help ensure users can logon and access the internet if the first DC fails.

What is the best way?
I'll answer in the broader sense below.

My goal for this DC is that in the event that DC1 goes down hard, users at site A can get DHCP, DNS, File services, and authenticate, and minimize down time. My understanding of the way we have it: if DC1 went down, DC2 could authenticate and use DNS; however, DHCP would be broken.

Ok, so this is the broad comment:
First, you don't know what you're doing.  This is not intended as an insult or suggestion that you can't learn it, but I always want to point out (if I don't always do it) that if this is NOT your primary job function and you're not properly experienced and trained, it's unwise to proceed without getting more experience and training.  Would you go to a nurse to have heart surgery?

Adding a DC isn't a terribly complicated process, but I would still recommend hiring a pro to do it correctly and question his ear off.  Whenever I talk to other techs helping me with an issue, I pick their brains, especially those who specialize in one product, I try to ask them questions about the product to get more knowledge and experience with it.

1. Run DCDIAG /C /E /V on EACH DC and make sure the domain is healthy first. Correct any unexplained errors first.

2. Join the machine to the domain if necessary and promote the system to be a DC in the domain.

3. Let it replicate for a time (like a day - though in small networks, it should be done within minutes) and verify that the new DC is functioning properly (running DCDIAG again).  I've too frequently seen issues replicating the netlogon share.  It's a fairly easy fix, but it's not an uncommon problem.

With regards to DHCP, you want to setup a split scope.  This is where you authorize both DHCP servers and setup two scopes with different address ranges.  For example:

DHCP Server 1:
Scope: x.x.x.51-125

DHCP Server 2:
Scope: x.x.x.126-200

BOTH servers should hand out addresses, just keep in mind, they won't necessarily do so evenly - this is to be expected.  Whichever server answers first is the server that provides the IP.

For file services, you can setup DFS as dariusg suggests.  I don't think this is terribly hard, but I've got a client who's another consultant who keeps having me do it since he's not comfortable doing it himself.

Rather than adding a DC (unless you have a copy of Server Enterprise and are virtualizing), I would add a dedicated RDS server.  RDS (Terminal Services) SHOULD NEVER be installed on a DC - this is a security nightmare and the possibility for users doing stupid things that ultimately bring down the server is too great.

In the event of a failure, since you have two DCs already, I would just delete the failed DC from AD (metadata cleanup, seizing roles if necessary) and then rebuild.  Restoring a DC isn't terribly difficult, but I recall there are issues ESPECIALLY if you restore a FSMO master DC.
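As an added example that is not part of the thread, the following PowerShell script does steps 1 and 3 above and also answers the asker's "how do I tell which roles a DC holds" question by reading the FSMO holders from AD itself. It assumes the ActiveDirectory module (RSAT on 2008 R2 or later), a domain-admin session, and uses a placeholder report directory and the placeholder new-DC name 'DC3'.

```powershell
# Added example, not from any poster in this thread. Assumes the ActiveDirectory
# module is available and the session can query every DC. $ReportDir and the
# new DC name 'DC3' are placeholders, not values taken from the thread.
Import-Module ActiveDirectory
$ReportDir = 'C:\ADHealth'
$NewDc     = 'DC3'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# There is exactly one set of FSMO roles per forest/domain, so read them from
# AD rather than guessing from which services are installed on a given box.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @(
    @('Schema Master',         $forest.SchemaMaster),
    @('Domain Naming Master',  $forest.DomainNamingMaster),
    @('PDC Emulator',          $domain.PDCEmulator),
    @('RID Master',            $domain.RIDMaster),
    @('Infrastructure Master', $domain.InfrastructureMaster)
)
foreach ($r in $roles) { '{0,-22} {1}' -f $r[0], $r[1] }

# Step 1: dcdiag against EACH DC. /c is the comprehensive test set; the full
# /v output is saved per DC and only the "failed test" lines are echoed.
foreach ($dc in Get-ADDomainController -Filter *) {
    $log = Join-Path $ReportDir ('dcdiag-{0}.txt' -f $dc.Name)
    & dcdiag /s:$($dc.HostName) /c /v | Out-File $log -Encoding ascii
    $fails = @(Select-String -Path $log -Pattern 'failed test')
    if ($fails.Count -gt 0) {
        Write-Warning ('{0}: {1} failed test(s), see {2}' -f $dc.HostName, $fails.Count, $log)
        $fails | ForEach-Object { '  ' + $_.Line.Trim() }
    } else {
        '{0}: dcdiag passed' -f $dc.HostName
    }
}

# Step 3: after promotion, confirm replication converged and that SYSVOL and
# NETLOGON are shared on the new DC (the answer notes NETLOGON replication is
# a common snag in small networks).
& repadmin /replsummary
& repadmin /showrepl $NewDc
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $path = "\\$NewDc\$share"
    if (Test-Path $path) { "$path is shared" } else { Write-Warning "$path is NOT available yet" }
}
```

Run it once before promoting the new DC (steps 1 and the FSMO listing are meaningful then) and again after replication has had time to complete.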
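The DNS-client reconfiguration KCTS describes and the split scope from this answer, as an added example that is not from any poster. It is written around netsh because that is what exists on Windows Server 2008 R2 (the DhcpServer PowerShell module only arrived with Server 2012); the addresses, adapter name, DNS suffix and the new DC's name 'DC3' are assumed placeholders, the thread itself only gives the x.x.x.51-125 / 126-200 split.

```powershell
# Added example, not from the thread. Every address, the adapter name, the DNS
# suffix and the server name 'DC3' are placeholders to replace for your site.
$Subnet    = '192.168.1.0'
$Mask      = '255.255.255.0'
$Router    = '192.168.1.1'
$Adapter   = 'Local Area Connection'
$DnsSuffix = 'corp.example'
$Servers   = @(
    @{ Name = 'DC1'; IP = '192.168.1.5'; Range = @('192.168.1.51',  '192.168.1.125') },
    @{ Name = 'DC3'; IP = '192.168.1.6'; Range = @('192.168.1.126', '192.168.1.200') }
)
$Apply = $false   # $false previews every command; $true runs it on the matching host

function Invoke-Netsh([string]$Target, [string]$Command) {
    # Only execute on the host the command is meant for; elsewhere print it, so
    # the script can be run on any box to produce each server's command list.
    if ($Apply -and $env:COMPUTERNAME -ieq $Target) { Invoke-Expression "netsh $Command" }
    else { "[$Target] netsh $Command" }
}

# 1. KCTS: each DC uses the OTHER DC as preferred DNS and itself as alternate,
#    so a DC whose own DNS service is still starting does not stall on itself.
for ($i = 0; $i -lt 2; $i++) {
    $me = $Servers[$i]; $other = $Servers[1 - $i]
    Invoke-Netsh $me.Name "interface ipv4 set dnsservers `"$Adapter`" static $($other.IP) primary"
    Invoke-Netsh $me.Name "interface ipv4 add dnsservers `"$Adapter`" $($me.IP) index=2"
}

# 2. Split scope: authorize both servers, give each its own half of the pool,
#    and hand out option 006 (DNS) listing both DCs so clients still resolve
#    names when either DC is down. Whichever server answers first leases the
#    address, so the two halves are expected to drain unevenly.
$dns = ($Servers | ForEach-Object { $_.IP }) -join ' '
foreach ($s in $Servers) {
    Invoke-Netsh $s.Name "dhcp add server $($s.Name).$DnsSuffix $($s.IP)"
    Invoke-Netsh $s.Name "dhcp server add scope $Subnet $Mask `"Site A`" `"Split scope half on $($s.Name)`""
    Invoke-Netsh $s.Name "dhcp server scope $Subnet add iprange $($s.Range[0]) $($s.Range[1])"
    Invoke-Netsh $s.Name "dhcp server scope $Subnet set optionvalue 003 IPADDRESS $Router"
    Invoke-Netsh $s.Name "dhcp server scope $Subnet set optionvalue 006 IPADDRESS $dns"
    Invoke-Netsh $s.Name "dhcp server scope $Subnet set state 1"
}
```

With `$Apply = $false` the output is the two per-server command lists, which can be reviewed and pasted on DC1 and the new DC respectively.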
 

Author Closing Comment

by:earlyriser99
ID: 37755109
I may still have a few other questions about backups. Being new to E-E, should this be in the form of a new question or can I add to this? Which is preferred?

Thanks.
