d4nnyo
asked on
SBS 2011 Server -- add Windows 2008 R2 server to network
We just bought a Windows 2008 R2 server for specific purposes that would never require user interaction. But now we may need to fold it into our domain, if possible.
The issue is that the domain is being driven by an SBS 2011 server.
Can we migrate AD to this Windows 2008 R2 server, bringing all usernames and passwords, and keep it sync'ed with the SBS 2011 server? I.e., can we run SBS 2011 as a PDC and the Windows 2008 R2 box as a BDC?
The PDC is stored in one location, and the BDC is stored in another location. We have a Cisco S2S tunnel connecting the two.
The issue is that the domain is being driven by an SBS 2011 server.
Can we migrate AD to this Windows 2008 R2 server, bringing all usernames and passwords, and keep it sync'ed with the SBS 2011 server? I.e., can we run SBS 2011 as a PDC and the Windows 2008 R2 box as a BDC?
The PDC is stored in one location, and the BDC is stored in another location. We have a Cisco S2S tunnel connecting the two.
Cliff Galiher
The terms PDC and BDC date back to NT4 and don't apply to Active Directory domains. With that clarification in mind, yes there can be multiple domain controllers in a domain containing an SBS server. The licensing restrictions to SBS apply. No cross domain trusts. No child domains. All FSMO roles stay on SBS.
In Active Directory there are no PDCs or BDCs.
You don't need to have the new 2008 R2 server be a Domain Controller. It CAN be. But it doesn't have to.
A lot of people don't understand what the restriction with SBS is - put simply, you cannot have two SBS servers in the network - but you can definitely have two servers. SBS must be the FSMO Master DC and you cannot move the FSMO roles off it. This is why you can't have to SBS servers - both would require holding the roles and only one could. Other than that, you can have as many other servers and domain controllers as you want.
You don't need to have the new 2008 R2 server be a Domain Controller. It CAN be. But it doesn't have to.
A lot of people don't understand what the restriction with SBS is - put simply, you cannot have two SBS servers in the network - but you can definitely have two servers. SBS must be the FSMO Master DC and you cannot move the FSMO roles off it. This is why you can't have to SBS servers - both would require holding the roles and only one could. Other than that, you can have as many other servers and domain controllers as you want.
ASKER
OK, great, thanks. Last (related) question:
Can the 2008 R2 box run as an AD backup? If the SBS 2011 server goes away, can we recover AD and transfer roles to the 2008 R2 box?
Can the 2008 R2 box run as an AD backup? If the SBS 2011 server goes away, can we recover AD and transfer roles to the 2008 R2 box?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
As I said, It CAN be. But it doesn't have to. If you are not an AD expert you shouldn't. If you try to recover a failed server and you don't understand the issues surrounding AD and a recovered server you COULD destroy your domain.
ASKER
It sounds like you guys are advising against running the 2008 R2 server as a DC.
But what if I need to transfer -- and then synchronize -- the SBS 2011 logins and passwords to this 2008 R2 box? So whenever I add a user to SBS, it copies that login info to the 2008 R2. Seems like this should be feasible without too much risk.
And if the SBS 2011 box went away, it then seems reasonable to assume that those logins and passwords would remain on the 2008 R2 server.
It's unclear to me whether you guys think this is either not possible, or it is possible, but ill-advised.
But what if I need to transfer -- and then synchronize -- the SBS 2011 logins and passwords to this 2008 R2 box? So whenever I add a user to SBS, it copies that login info to the 2008 R2. Seems like this should be feasible without too much risk.
And if the SBS 2011 box went away, it then seems reasonable to assume that those logins and passwords would remain on the 2008 R2 server.
It's unclear to me whether you guys think this is either not possible, or it is possible, but ill-advised.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, this is clear. I'm not offended at all. It's a given that this is a rudimentary AD question, so your response is entirely appropriate.
The primary goal is to not have to create users, password resets, etc. twice, so we can work with maximum efficiency and organization.
Secondarily, it would be nice to have a backup DC to recover from if necessary.
We have multiple layers of backup. I'm not concerned about that.
The primary goal is to not have to create users, password resets, etc. twice, so we can work with maximum efficiency and organization.
Secondarily, it would be nice to have a backup DC to recover from if necessary.
We have multiple layers of backup. I'm not concerned about that.