Creating Backup Domain Controller

[Attached screenshots: DHCP Server in DC1/PDC; IPCONFIG from Workstation PC]

Hi,

  I have SBS2011 as DC in a single domain network and created a backup domain controller in Windows 2012 server.
 
  OS        Computer Name   IP Address     Role
  SBS2011   DC1             192.168.1.5    Primary Domain Controller
  Win2012   TS2             192.168.1.8    Backup Domain Controller

  After adding Active Directory Service & DNS Service and running DCPROMO in Win2012, I see the same contents in DNS and Active directory on both computers.
 
  (1) Now my question is if I should add 192.168.1.8 in the DHCP server in SBS2011/DC1 so that workstation PCs show two IP addresses (192.168.1.5 and 192.168.1.8) under DNS server when I run IPCONFIG /all?
  If I don't add the IP address of the backup domain controller in the DHCP server, then the workstation PCs can't log in to the network or surf the internet if my SBS2011/DC1 goes down, right?

  (2) Is it necessary to add the PDC IP address in the DNS server section of the Backup Domain Controller's TCP/IP Property and add the BDC IP address in the DNS server section of the Primary Domain Controller's TCP/IP Property?
sgleeAsked:
tigermattCommented:
I have SBS2011 as DC in a single domain network and created a backup domain controller in Windows 2012 server.
Remember: it is NOT a backup domain controller; that NT-era concept went away when Windows 2000 was introduced. It is an additional domain controller, which has (almost all) the same capabilities as the SBS server.

Should I add 192.168.1.8 in the DHCP server in SBS2011/DC1 so that workstation PCs show two IP addresses (192.168.1.5 and 192.168.1.8) under DNS server when I run IPCONFIG /all?
  If I don't add the IP address of the backup domain controller in the DHCP server, then the workstation PCs can't log in to the network or surf the internet if my SBS2011/DC1 goes down, right?
Yes; if both DCs are located at the same site, this would be a wise idea; DNS is required for Active Directory to be discovered.

However: if the SBS server goes down, you will lose DHCP services, so machines won't be able to obtain IP addresses anyway. You would need to consider either: moving DHCP to some other device, such as the network router, or running multiple DHCP servers with split IP ranges across them.

Is it necessary to add the PDC IP address in the DNS server section of the Backup Domain Controller's TCP/IP Property and add the BDC IP address in the DNS server section of the Primary Domain Controller's TCP/IP Property?
Ideally, you would have each DC use the OTHER DC as the "preferred" DNS server, and then use itself (using the 127.0.0.1 or ::1 loopback interface address) as the "alternate" DNS server, to avoid causing DNS islanding issues.

You should also -- if you have not already -- promote the additional DC to be a Global Catalog server.

Do remember that when playing with SBS, you have the wizards to contend with, which means you need to exercise additional caution to ensure the actions you take conform to the "SBS philosophy". Do not, for example, move the FSMO operations roles away from the SBS server; they MUST be on that box for licensing reasons.
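An added check (not from the thread) for the two points above: it reports, from a Windows 2012+ DC such as TS2, whether the local DNS client list puts the other DC first and itself or loopback second, and whether each DC's DNS server answers the AD locator (SRV) query that workstations depend on. The names and addresses are those in the question; the AD DNS domain name is an assumed placeholder, and the DnsClient cmdlets are not present on SBS 2011.

```powershell
# Added example, not from the thread. Run on a Windows 2012+ DC (e.g. TS2).
# Computer names and addresses come from the question; $Domain is an assumption.
$Domain = 'example.local'                                   # assumption: real AD DNS name
$Dcs    = @{ 'DC1' = '192.168.1.5'; 'TS2' = '192.168.1.8' } # from the question
$Self   = @('127.0.0.1', '::1', $Dcs[$env:COMPUTERNAME])    # acceptable "alternate" entries
$Other  = ($Dcs.GetEnumerator() | Where-Object { $_.Key -ne $env:COMPUTERNAME }).Value

# 1. Local DNS client order on adapters that have DNS servers configured
Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses.Count -gt 0 } |
  ForEach-Object {
    $list = $_.ServerAddresses
    $msg  = "$($_.InterfaceAlias): DNS servers = $($list -join ', ')"
    if ($list[0] -eq $Other -and $list.Count -gt 1 -and $Self -contains $list[1]) {
        Write-Output  "$msg  [OK: other DC preferred, self/loopback as alternate]"
    } else {
        Write-Warning "$msg  [review: expected $Other first, then self or loopback]"
    }
  }

# 2. Does EACH DC's DNS server answer the AD locator query workstations rely on?
#    If one DC is down, clients must still get this answer from the other one.
foreach ($dc in $Dcs.GetEnumerator()) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $dc.Value -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        Write-Output ("{0} ({1}) returns DCs: {2}" -f $dc.Key, $dc.Value,
                      (($srv | ForEach-Object { $_.NameTarget }) -join ', '))
    } catch {
        Write-Warning "$($dc.Key) ($($dc.Value)) failed the DC locator query: $($_.Exception.Message)"
    }
}
```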
sgleeAuthor Commented:
Thanks for the information. I will make the changes tonight, shutdown SBS2011 and see if user workstations can log on, access shared folders (on other servers) and surf the internet.
it_saigeDeveloperCommented:
I agree with tigermatt on all points except two.

First, while people do recommend using the loopback address as an alternate address, they warn against using the loopback as the primary DNS entry because Active Directory might not be able to resolve its replication partners.
"If the loopback IP address is the first entry in the list of DNS servers, Active Directory might be unable to find its replication partners."
Source

Trying to maintain a different set of rules really makes no sense when using the statically assigned IP address as the alternate, primary, tertiary or otherwise works in all situations.

Secondly, you cannot implement another DHCP server on an SBS domain while using DHCP on the SBS server. When the SBS server detects the other DHCP server, its own DHCP service will shut down automatically.

You can, however, modify this behaviour as addressed in this additional EE PAQ: http:/Q_27968986.html#a38694314

-saige-
sgleeAuthor Commented:
I actually used an MS engineer to configure a Win2008 server as a backup controller in another network environment. The MS engineer did not use 127.0.0.1 in the DNS server section, although he maintained both DNS server addresses on each domain controller (itself and the other, in that order).
As far as DHCP goes, I can live without an active DHCP server on the backup DC as it will be used during an emergency. Besides, the IP address is good for 8 days and I can always start the DHCP server on the BDC manually if needed.
Will SzymkowskiSenior Solution ArchitectCommented:
Based on the comments above when you configure DNS on the domain controllers it really is a preference when it comes to using itself as Primary or another DC in the same site as primary. Personally I always use the Primary DNS as itself, using the IP address and not the loopback address. I then add the other DC/DNS IP addresses in the secondary.

As stated this is a personal preference, but I have always done it this way and never had any issues with a DC becoming an island state.

However: if the SBS server goes down, you will lose DHCP services, so machines won't be able to obtain IP addresses anyway

Also, based on this comment above, it is true, but this only applies to nodes that currently need to renew their IP or devices trying to obtain an IP address. For all other machines that have got a DHCP lease, their machines will continue to function normally until their lease expires.

In any situation it is always a good idea to split DHCP scopes across multiple DCs (or servers) for redundancy, but as Saige has stated there are certain limitations when you are using SBS.

Will.
sgleeAuthor Commented:
Thanks for all the comments above and I appreciate it.
tigermattCommented:
Regarding the issue of DHCP, it is NOT a licensing violation to have DHCP on multiple servers.

Error 1053 will occur, SBS or not SBS, when DHCP responses are observed to originate from an unauthorized DHCP server according to the list in AD. This is standard behavior by the MS DHCP service.

SBS networks are perfectly at liberty to run the DHCP role on multiple machines and split the scopes across them (or preferably double them up so a single machine has sufficient IP addresses to service 100% of the clients which request IPs). Care must simply be taken to ensure additional machines are authorized in Active Directory to run; since Enterprise Admins must authorize DHCP servers (or delegate this privilege), the logic assumes an authorized server is properly configured and does not have overlapping scopes, and hence the DHCP server does not shut down in this instance.

DR procedure: while 8 days lease time provides some time, take care in the event of a DR situation in which you must start a DHCP server on another host, e.g. if the SBS box has gone away for an extended period -- if the second DHCP server is started with the same IP scope as the original, you could run into trouble.
While well-behaved DHCP client libraries SHOULD perform an ARP request on the network after the DHCP process completes -- to verify the address they have been assigned is not a duplicate of one held by another host (previously leased from the SBS) -- this is not guaranteed behavior by the standard and hence cannot be relied upon. This is particularly the case if any embedded systems or similar with "bespoke" (read: poorly implemented) DHCP stacks exist. RFC 2131, §3.1 point 5 refers:
The client SHOULD perform a final check on the parameters (e.g., ARP for allocated network address)...
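An added example (not from the thread) of the DR procedure described above, run on the additional DC (TS2) with the Windows 2012 DhcpServer module: it confirms the server is authorized in AD, turns on server-side conflict detection so addresses are pinged before being offered (covering clients whose stacks skip the RFC 2131 ARP check), and creates a scope that does not overlap the SBS scope. The scope range, lease time, FQDN and router address are constructed placeholders; the server IPs and /24 are from the question.

```powershell
# Added example, not from the thread. Run on TS2 (Windows 2012) as an Enterprise Admin.
# Server addresses come from the question; scope range, FQDN and router are placeholders.
Import-Module DhcpServer

# 1. Authorization: in an AD domain an unauthorized MS DHCP server stops itself.
$me = '192.168.1.8'
if (-not (Get-DhcpServerInDC | Where-Object { $_.IPAddress -eq $me })) {
    Add-DhcpServerInDC -DnsName 'TS2.example.local' -IPAddress $me   # FQDN assumed
}

# 2. Conflict detection: ping each candidate address before offering it, so hosts
#    still holding a lease from the SBS box are skipped even if they never ARP.
Set-DhcpServerSetting -ConflictDetectionAttempts 2

# 3. A scope whose pool does not overlap the SBS scope (placeholder: upper half of
#    the /24), with a short lease so addresses free up once the SBS box returns.
$ScopeId = '192.168.1.0'
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'DR scope (TS2)' -StartRange 192.168.1.129 `
        -EndRange 192.168.1.250 -SubnetMask 255.255.255.0 `
        -LeaseDuration (New-TimeSpan -Days 1) -State Active
    # Hand out both DCs as DNS servers, the surviving one first; router is assumed.
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId `
        -DnsServer 192.168.1.8, 192.168.1.5 -Router 192.168.1.1
}

# Review what is now active before clients start renewing.
Get-DhcpServerv4Scope | Format-Table ScopeId, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerSetting | Format-List ConflictDetectionAttempts, IsAuthorized
```

Remove the DR scope again (Remove-DhcpServerv4Scope) once the SBS server is back, so only one server answers for the subnet.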
tigermattCommented:
Sorry saige, misinterpreted your post and now see the point you were making; not the same as mine, apologies. Edited post above.
sgleeAuthor Commented:
While I was at TCP/IP Property, I unchecked IPv6 on both PDC and BDC.
Do we have an use for IPv6?
tigermattCommented:
Do we have an use for IPv6? [sic.]
In a word, yes. All PI IPv4 space has already been assigned, so IPv6 is going to have to become a reality for many people in the coming years.

It won't harm to leave the IPv6 settings enabled and in their default (unconfigured) state. The boxes will negotiate link-local IPv6 addresses (beginning fe80) but it shouldn't impact you in any way.

While I was at TCP/IP Property, I unchecked IPv6 on both PDC and BDC.
Note that you have not disabled IPv6 properly; you have unbound it from the network adapter, which is a different process.

I highly recommend reading this article for more information: http://blogs.technet.com/b/askpfeplat/archive/2013/06/17/ipv6-for-the-windows-administrator-why-you-need-to-care-about-ipv6.aspx