Solved

SBS 2011 with Server 2008 RODC

Posted on 2016-07-21
26
103 Views
Last Modified: 2016-07-25
Hello, I currently run an SBS 2011 server environment and I am wanting to deploy a Server 2008 RODC.  The forest and domain functional level is 2008 R2.  The issue I am having is that when I run DCPROMO on the new Server 2008 server I am getting an error that states, "You will not be able to install a read-only domain controller in this domain because "adprep /rodcprep" was not yet run."  

I'm guessing that this may be due to the fact that this is only a Windows Server 2008 OS and my functional levels are at 2008 R2, but maybe I am wrong?  Is it possible to accomplish adding this Server 2008 RODC into my existing SBS 2011 environment with the functional levels set the way they are, or would there be something else causing this issue?  

Thank you
0
Comment
Question by:ColumbiaMarketing
26 Comments
 
LVL 11

Expert Comment

by:Old User
ID: 41723862
Have you run adprep /rodcprep?
0
 

Author Comment

by:ColumbiaMarketing
ID: 41723866
No I haven't.  I didn't know if it would be a good idea since it's a Server 2008 operating system trying to be joined as a RODC in a Server 2008 R2 domain/forest functional level environment.  Do you think this is still fine and I should go ahead and run adprep /rodcprep on my SBS 2011 server anyway?
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723871
See here for steps needed to add a read only DC.

https://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
0
 
LVL 11

Assisted Solution

by:Old User
Old User earned 200 total points
ID: 41723873
Before you can install a read-only domain controller (RODC) in a Windows Server 2003 forest or in a forest in which you have upgraded the domain controller to Windows Server 2008 or Windows Server 2008 R2, you must prepare the forest by running the adprep /rodcprep command. You can run adprep /rodcprep from the installation DVD on any computer in the forest. In Windows Server 2008, Adprep.exe is located in the /Sources/adprep folder of the operating system installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /Support/adprep folder.
0
 

Author Comment

by:ColumbiaMarketing
ID: 41723875
Thank you for the information.  I will definitely pursue this more later tonight.  So basically you think adding a Server 2008 RODC to a 2008 R2 domain/forest functional level environment is fine without having to change the functional level back to just 2008?
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723880
It won't work with both Domain and Forest functional levels at 2008 R2.

You may be able to pick up an SBS 2011 Premium License relatively cheaply which will give you 2008 R2, but I think (don't hold me to it) you'd need to change your SBS CALs too...

You will need to do ADPrep /RODCPrep, but only after a DCDIAG to make sure your AD is healthy.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723881
No, you can't add a 2008 DC to a 2008 R2 forest; it must be 2008 R2 or 2012, etc.
0
 

Author Comment

by:ColumbiaMarketing
ID: 41723882
That's what I was afraid of.  I was thinking it may not be the best approach to add a 2008 server as a RODC if the current forest/domain functional levels are higher and set to 2008 R2.  

Thanks again.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723883
Hope it has been helpful
0
 

Author Comment

by:ColumbiaMarketing
ID: 41723884
Since I have an SBS 2011 domain controller I don't think my current user CALs will work with a Server 2012 RODC, right?  I believe I would need to purchase new 2012 CALs in order to be in compliance.  Am I right to assume that?
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723888
Yes, best stick with 2008 R2.
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723895
Why do you need an RODC? There may be more than one way to skin this particular cat...

Your SBS Standard CALs (if that's what you have!) won't be sufficient with another DC anyway, regardless of OS.  You will need to, at minimum, get SBS Premium CALs for those PCs that will be accessing resources via your RODC.
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 300 total points
ID: 41723922
There has been much said here that I disagree with and that is incorrect or at a minimum, misleading.

1.  *IF* you have raised your SBS domain and forest functional levels to 2008 R2, then you CANNOT add ANY DC running LESS than 2008 R2.  BUT SBS does not by default set the levels at 2008 R2, so unless you did it yourself, you may be able to - check your levels!
2. Unless you're using Microsoft SQL server, you DO NOT need SBS Premium licenses / CALs NOR do you want the SBS Premium Add-on.  They are all unnecessary - again, unless you need SQL Server.
3. You can ABSOLUTELY add a 2008 R2 DC to an SBS 2011 domain.  There is NO RESTRICTION on having other servers running Windows "Standard", "Enterprise", or "Data Center" editions *OR* other DCs using one of these versions.  PERIOD.  THERE *IS* a restriction on having other SBS servers (including "Essentials" class servers and "Foundation" class servers) in the domain - this is because the SBS server MUST hold the FSMO roles.  You can't have two servers hold FSMO roles so if you introduced a second SBS server, you'd have to pick one to be your role holder and the other would start shutting down after 21 days.
4. You CAN buy Windows Server 2012 R2 *NOW* but INSTALL Windows Server 2008 R2 instead using downgrade rights (VERY EASILY DONE if you purchase a volume license).  By doing this, you do not need any additional CALs.  The SBS 2011 CALs cover access to other servers in your network running Server 2008 R2 or older.  *IF* you wanted to run Server 2012 or 2012 R2, THEN you would need additional 2012 CALs.
5. *IF* you want an RoDC (WHY?) then you MUST run ADPREP /RODCPREP but you must run it using the ADPREP from SBS (the 2008 R2 version), NOT from a potentially older server edition (like 2008).  ADPREP "prepares" AD - adding fields and values necessary to support the functionality.  You don't run it, you don't have an AD capable of handling an RoDC.  But RoDCs are really for more security conscious environments where the server may not be possible to lock away physically.  They should be SITE based - adding one to an existing site with an existing standard DC wouldn't likely serve much of a purpose (that I can think of).
0
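
The checks the accepted answer calls for (confirm the functional levels, and confirm AD health and the RODC preparation state before any promotion), as an added example that is not part of any post in this thread. It is written for PowerShell 2.0 with the ActiveDirectory module; `Test-DcCandidate` and the version table are hypothetical helpers introduced here for illustration.

```powershell
# Added example (not from the thread). Run on an existing DC or an RSAT host.
Import-Module ActiveDirectory

# Functional level name -> oldest Windows Server kernel version allowed as a DC at that level.
$MinDcOs = @{
    'Windows2003'   = [version]'5.2'
    'Windows2008'   = [version]'6.0'
    'Windows2008R2' = [version]'6.1'
    'Windows2012'   = [version]'6.2'
    'Windows2012R2' = [version]'6.3'
    'Windows2016'   = [version]'10.0'
}

# Hypothetical helper: can a server with this OS version be promoted at these levels?
function Test-DcCandidate {
    param(
        [Parameter(Mandatory=$true)][version]$CandidateOs,
        [Parameter(Mandatory=$true)][string]$DomainMode,
        [Parameter(Mandatory=$true)][string]$ForestMode
    )
    $blockers = @()
    foreach ($mode in @($DomainMode, $ForestMode)) {
        # "Windows2008R2Domain" / "Windows2008R2Forest" -> "Windows2008R2"
        $level = $mode -replace '(Domain|Forest)$', ''
        if ($MinDcOs.ContainsKey($level) -and $CandidateOs -lt $MinDcOs[$level]) {
            $blockers += "$mode requires DC OS version $($MinDcOs[$level]) or later"
        }
    }
    New-Object PSObject -Property @{
        CandidateOs = $CandidateOs
        CanPromote  = ($blockers.Count -eq 0)
        Blockers    = $blockers
    }
}

# 1. Read the real levels instead of assuming them.
$domain = Get-ADDomain
$forest = Get-ADForest

# 2. The thread's case: Server 2008 (6.0) versus Server 2008 R2 (6.1) as the new DC.
foreach ($os in '6.0', '6.1') {
    Test-DcCandidate -CandidateOs $os -DomainMode $domain.DomainMode -ForestMode $forest.ForestMode
}

# 3. AD health before any adprep run: dcdiag /q prints only errors.
$dcdiagErrors = dcdiag /q
if ($dcdiagErrors) { Write-Warning "dcdiag reported problems; fix these first:"; $dcdiagErrors }

# 4. Has adprep /rodcprep completed? It records revision 2 on this forest-update object.
$configNc = (Get-ADRootDSE).configurationNamingContext
$rodcDn   = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc"
try {
    $rev = (Get-ADObject -Identity $rodcDn -Properties revision -ErrorAction Stop).revision
} catch {
    $rev = $null   # object absent: rodcprep has not been run in this forest
}
New-Object PSObject -Property @{
    RodcPrepRevision = $rev
    RodcPrepDone     = ($rev -ge 2)
}
```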

 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723931
The only misleading info you cleared up related to how the CALs work?

Thanks for clearing that up.  I got my wires crossed.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723932
Windows SBS 2011 license terms do not allow you to create another AD DS domain, whether in the same forest or in a different one. You can, however, configure it to function as a second domain controller in your existing Windows SBS 2011 domain.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41723935
Lee W

I don't feel any advice I have given is either misleading or incorrect. If I am incorrect please let me know where so I don't make the same mistake again.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41724086
I didn't say EVERYTHING was misleading or incorrect.  

Areas of concern:
"In Windows Server 2008, Adprep.exe is located in the /Sources/adprep folder of the operating system installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /Support/adprep folder."
Not wrong per se, but misleading in that this is SBS 2011 - which is based on 2008 R2 - you do NOT want to be suggesting they run ADPREP from the 2008 (non-R2) system, which as I read it, is misleading.
"You may be able to pick up an SBS 2011 Premium License relatively cheaply which will give you 2008 R2, but I think (don't hold me to it) you'd need to change your SBS CAL's too..."
Forget the CALs for a moment, the SBS Premium License itself is a waste of money in this case and should not be recommended unless they use SQL.  If you can even find it.

THEN there's the CALs which DO NOT need to be changed in this scenario.  Only users accessing SQL require the SBS Premium CALs whether you have the premium add-on or not.

"Your SBS Standard CALs (if that's what you have!) won't be sufficient with another DC anyway, regardless of OS."
This is incorrect.  SBS Standard CALs provide access to all other Servers of equal or lesser version on the SBS network.  Whether they are a DC or not.  Microsoft hasn't licensed per server in years.
"You will need to, at minimum, get SBS Premium CALs for those PCs that will be accessing resources via your RODC."
The SBS Premium CALs would be a waste of money and if SQL is not used, they would be nothing more than a waste of money.

There is and has been a lot of confusion over licensing and SBS over the years.  Some people understand it... some don't... plenty of really smart people I know don't understand licensing well at all. That's fine.  But I would encourage those who don't to be honest about their lack of licensing knowledge - I'm HORRIBLE at dealing with VDI licensing, but this aspect I know quite well.
0
 
LVL 11

Expert Comment

by:Old User
ID: 41724127
You are linking advice I didn't give to me. No advice I gave was incorrect. Any advice on 2008 or 2008 R2 was based on the original question quoting both versions.
0
 

Author Comment

by:ColumbiaMarketing
ID: 41724786
Lee W,

1.  Yes.  I have manually raised both levels to 2008 R2 years ago so going back isn't an option for me.

2.  SQL is installed on the SBS server but it would have been installed with the installation media.  I haven't configured anything related to SQL myself so whatever is installed would all be defaults from the original SBS installation.

3.  I plan on my original SBS to still hold all FSMO roles so this isn't a problem.

4.  I do have a spare Server 2012 R2 license so your idea of downgrading may be worth checking out in my case for sure.  Is it difficult to do that; or would a simple call to Microsoft take care of this during activation?  Not sure how the downgrade process works.

5.  My purpose for adding a second domain controller is to have redundancy for domain authentication and DNS resolution at a minimum in the instance that the primary SBS box went down.  I had this happen to me recently and had to restore SBS from a backup, and during that time users were unable to authenticate on the network, DFS shares weren't accessible, and DNS resolution was down as well.  So my idea was to have a replica domain controller that could at least handle authentication and DNS.  

I guess my question now is would this be the best approach to what I am trying to accomplish?  All I want to achieve is having redundancy on my domain for login/DFS authentication and DNS at a minimum if the SBS 2011 domain controller went down.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41724880
"You are linking advice I didn't give to me. No advice I gave was incorrect. Any advice on 2008 or 2008 R2 was based on the original question quoting both versions"
I didn't single you out in EITHER post.  Multiple people have responded.  My response was to illustrate exactly what I meant with the statement "There has been much said here that I disagree with and that is incorrect or at a minimum, misleading."
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41724924
"1.  Yes.  I have manually raised both levels to 2008 R2 years ago so going back isn't an option for me."
Ok - so you need Server 2008 R2 or later if you want to add a second DC. Period.

"2.  SQL is installed on the SBS server but it would have been installed with the installation media.  I haven't configured anything related to SQL myself so whatever is installed would all be defaults from the original SBS installation."
FULL SQL or SQL Express?  FULL SQL should not be running on the SBS Server - it's already got memory demanding Exchange on it.  It should be on another server.  SQL Express is memory limited and while you can have additional performance issues if it's a highly accessed database, it's relatively ok to do that.

CAL wise (and mostly for FYI of others), if you purchased the SBS 2011 Premium Add-on, then you need SBS Premium CALs for any user accessing the SQL database.  Users NOT accessing the SQL database don't need a Premium CAL.  I'm not sure the SBS Premium CALs would cover access to FULL SQL purchased separately or if you would have to purchase SQL CALs specifically (I'd advise contacting a reseller - if you were my client, I would in turn contact the licensing desk at my distributor to confirm what can and cannot be done).

SQL Express doesn't require CALs.

"3.  I plan on my original SBS to still hold all FSMO roles so this isn't a problem."
Good.  It must also be a Global Catalog (GC), but other servers CAN be GCs (you can (and should) have more than one).

"4.  I do have a spare Server 2012 R2 license so your idea of downgrading may be worth checking out in my case for sure.  Is it difficult to do that; or would a simple call to Microsoft take care of this during activation?  Not sure how the downgrade process works."
It really depends on how you obtained the license.  If you purchased a volume license, you would just sign in to the Volume License Service Center (VLSC), download Server 2008 R2 and note your key (all available at the VLSC).  If you have any other method of distribution, for example, if you purchased your copy in a retail box / full packaged product (FPP), you DO have the rights, but you don't get any help beyond activation - you have to have an existing copy of Server 2008 R2 with the appropriate key - if you have a problem downgrading, you call MS and tell them you are exercising downgrade rights and they SHOULD fix the activation for you.  If you have an OEM copy, same rule applies about activation, but you can't move it off the server.  Friends don't let friends buy OEM!  Always buy Volume! It MAY cost a *LITTLE* bit more to start, but the rights you get and the access to prior versions makes it easily worth the $50-200 "increased" price compared to other distribution methods.

"5.  My purpose for adding a second domain controller is to have redundancy for domain authentication and DNS resolution at a minimum for in the instance that the primary SBS box went down.  I had this happen to me recently and had to restore SBS from a backup, and during that time users were unable to authenticate on the network, DFS shares weren't accessible, and DNS resolution was down as well.  So my idea was to have a replica domain controller that could at least handle authentication and DNS."

If that's the case, you DO NOT want an RoDC!  RoDCs have selective databases of users and do not necessarily provide the level of full redundancy you're looking for.  You want a second DC.  Which means you can skip the RoDC prep.

"I guess my question now is would this be the best approach to what I am trying to accomplish?  All I want to achieve is having redundancy on my domain for login/DFS authentication and DNS at a minimum if the SBS 2011 domain controller went down."
That said, BE CERTAIN you study how to perform a restore in the case of DCs when you have more than one.  Doing restores incorrectly could corrupt everything.  In many cases, while the redundancy is good, it can be SAFER to have a system in place that restores the SBS server quickly rather than providing completely uninterrupted user access to the internet.  If you understand AD well, DEFINITELY have a second DC.  IF NOT, LEARN IT!

You COULD (I'd recommend) virtualize the SBS server with Hyper-V and replicate it to another server.  In the event of a hardware failure, you can get things going pretty quickly.  There are also BDR devices and image based backups that can allow you quick restoration in an emergency.
1
 

Author Comment

by:ColumbiaMarketing
ID: 41724962
The SQL instance states it's SQL Server 2008 R2.  I don't see anything regarding an "Express" version installed.  That being said, this is whatever the SBS 2011 installation media would have installed on its own and I have not configured anything on my own so I don't appear to have any users connecting to it at the moment.

I apologize for the confusion on the RODC.  I simply would like a second DC is all in the case the SBS server went down.

Currently I am running bare metal image/system state backups on the entire SBS server so I already have a way to restore it relatively quickly if it went down again.  Now I am questioning if adding a second DC is more trouble in my environment than what it's worth.  The biggest issue I noticed when my SBS server went down was no DFS file share access, or authentication in general.  Would there be another method to work around that besides adding a second DC at all?  Maybe virtualization would be better, as you said, to have the redundancy in that way instead of adding another node that could unnecessarily complicate things and provide greater risks of corruption.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41725068
SBS 2011 doesn't come with SQL (except for SQL Express to manage some services) but SQL Express also is available for download.  If you have the full version of SQL then you either purchased it separately OR you purchased the SBS Premium Add-on which includes it.  In which case, you need those SBS Premium CALs for users accessing it.  Again, this is more FYI and I acknowledge this is not part of the original question per se.

I USED to recommend two DCs for every environment but then I participated in/read a discussion with another that made a great deal of sense to me - two DCs complicates restores and so only when people understand AD should you have two or more DCs.  It's easier for those who don't understand AD to simply do a full restore and not worry about USN rollback and authoritative restores and the like.

Virtualization can help with redundancy and recovery but it too can be complicated if you don't know what you're doing.  When you start worrying about things like this it's worth evaluating what you have, what you need, what skill sets you have and what kind of budget you have.  There are solutions you can use yourself and there are things that may require (for the wise admin) support from outsiders to ensure you implement properly and maintain...  Your doctor can help you with basic foot pain, but for serious things, he knows to send you to a specialist.  The IT department (internal or otherwise) should be just as smart about managing the network.
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41725153
I second Lee W's comments, if you were going with a second DC, just make it a DC and global catalog server, an RoDC is pointless for that role (I was contemplating the same last year, but went with a normal DC instead of RoDC after realising it was pointless).

Virtualising the SBS could make restoring quicker or even help with avoiding a restore altogether.

I take a snapshot / checkpoint of any virtual servers before applying updates.  If there's an issue I can just roll back the Server to the last snapshot in less than 10 minutes.  

If you have the SBS Installation Media, Full SQL & the Server 2008 R2 disk would be labelled as SBS Premium, if they're the originals (I believe).
0
 

Author Comment

by:ColumbiaMarketing
ID: 41725185
Do you guys have any opinions about using either HyperV or VMWare for virtualization redundancy?  I know this is a little off topic.  Currently I do have one VMWare virtual server that is really nice to have for snapshots, but I am only using the free license so I don't have any option for fault tolerance.  I haven't used HyperV before so I don't have much comparison with it and VMWare either.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41725262
They are both type 1 Hypervisors and for small business the performance / ease of use is fairly comparable.  I prefer Hyper-V - it includes one major Disaster Recovery feature that ESXi requires you pay through the nose for - VM Replication with Hyper-V Replica.  If implemented using 1+2 licensing of Windows Server, it's also far easier to manage the VMs on the host.  

But be careful - you don't want to use Checkpoints or snapshots on production servers except in EXTREME circumstances and especially not with an Exchange Server or DC (when the DC is in a multiple DC environment)
0
