ColumbiaMarketing asked:

SBS 2011 with Server 2008 RODC

Hello, I currently run an SBS 2011 server environment and I am wanting to deploy a Server 2008 RODC.  The forest and domain functional level is 2008 R2.  The issue I am having is that when I run DCPROMO on the new Server 2008 server I am getting an error that states, "You will not be able to install a read-only domain controller in this domain because "adprep /rodcprep" was not yet run."  

I'm guessing that this may be due to the fact that this is only a Windows Server 2008 OS and my functional levels are at 2008 R2, but maybe I am wrong?  Is it possible to accomplish adding this Server 2008 RODC into my existing SBS 2011 environment with the functional levels set the way they are, or would there be something else causing this issue?  

Thank you
Old User

Have you run adprep /rodcprep?
ColumbiaMarketing (ASKER)

No I haven't.  I didn't know if it would be a good idea since it's a Server 2008 operating system trying to be joined as a RODC in a Server 2008 R2 domain/forest functional level environment.  Do you think this is still fine and I should go ahead and run adprep /rodcprep on my SBS 2011 server anyway?
See here for steps needed to add a read only DC.

https://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
SOLUTION
Old User

This solution is only available to members.
Thank you for the information.  I will definitely pursue this more later tonight.  So basically you think adding a Server 2008 RODC to a 2008 R2 domain/forest functional level environment is fine without having to change the functional level back to just 2008?
It won't work with both Domain and Forest functional levels at 2008 R2.

You may be able to pick up an SBS 2011 Premium License relatively cheaply which will give you 2008 R2, but I think (don't hold me to it) you'd need to change your SBS CALs too...

You will need to do ADPrep /RODCPrep, but only after a DCDIAG to make sure your AD is healthy.
No, you can't add a 2008 DC to a 2008 R2 forest; it must be 2008 R2 or 2012, etc.
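The pre-checks discussed above (functional level versus the new server's OS, then DCDIAG before any adprep or dcpromo run), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available on a domain-joined machine; `$CandidateOS` and the `$maxLevel` table are hypothetical names introduced for illustration.

```powershell
# Added example: pre-flight check before promoting an additional DC.
param(
    # Hypothetical parameter: OS of the server you intend to promote.
    [ValidateSet('2008', '2008R2', '2012', '2012R2')]
    [string]$CandidateOS = '2008'
)

Import-Module ActiveDirectory

# Highest functional level a DC on each OS can take part in, expressed as
# the numeric value of the ADDomainMode/ADForestMode enums
# (3 = Windows2008, 4 = Windows2008R2, 5 = Windows2012, 6 = Windows2012R2).
$maxLevel = @{ '2008' = 3; '2008R2' = 4; '2012' = 5; '2012R2' = 6 }

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level: $($domain.DomainMode)"
"Forest functional level: $($forest.ForestMode)"

# The new DC must support the higher of the two levels.
$required = [Math]::Max([int]$domain.DomainMode, [int]$forest.ForestMode)

if ($maxLevel[$CandidateOS] -lt $required) {
    Write-Warning "Server $CandidateOS is too old to be a DC at this functional level."
} else {
    "Server $CandidateOS is new enough for this functional level."
}

# Existing DCs: who is read-only, who is a global catalog.
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, IsReadOnly, IsGlobalCatalog

# AD health check before touching the schema or promoting anything.
# /q prints only errors, so any output at all means something needs fixing.
$problems = dcdiag /q
if ($problems) {
    Write-Warning 'dcdiag reported errors; resolve them before adprep or dcpromo:'
    $problems
} else {
    'dcdiag reported no errors.'
}
```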
That's what I was afraid of.  I was thinking it may not be the best approach to add a 2008 server as a RODC if the current forest/domain functional levels are higher and set to 2008 R2.  

Thanks again.
Hope it has been helpful
Since I have an SBS 2011 domain controller I don't think my current user CALs will work with a Server 2012 RODC right?  I believe I would need to purchase new 2012 CALs in order to be in compliance.  Am I right to assume that?
Yes, best stick with 2008 R2.
Why do you need an RODC? There may be more than one way to skin this particular cat...

Your SBS Standard CALs (if that's what you have!) won't be sufficient with another DC anyway, regardless of OS.  You will need to, at minimum, get SBS Premium CALs for those PCs that will be accessing resources via your RODC.
ASKER CERTIFIED SOLUTION
Lee W, MVP

This solution is only available to members.
The only misleading info you cleared up related to how the CALs work?

Thanks for clearing that up.  I got my wires crossed.
Windows SBS 2011 license terms do not allow you to create another AD DS domain, whether in the same forest or in a different one. You can, however, configure it to function as a second domain controller in your existing Windows SBS 2011 domain.
Lee W

I don't feel any advice I have given is either misleading or incorrect. If I am incorrect please let me know where so I don't make the same mistake again.
I didn't say EVERYTHING was misleading or incorrect.  

Areas of concern:
In Windows Server 2008, Adprep.exe is located in the /Sources/adprep folder of the operating system installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /Support/adprep folder.
Not wrong per se, but misleading in that this is SBS 2011 - which is based on 2008 R2 - you do NOT want to be suggesting they run ADPREP from the 2008 (non-R2) system, which as I read it, is misleading.
You may be able to pick up an SBS 2011 Premium License relatively cheaply which will give you 2008 R2, but I think (don't hold me to it) you'd need to change your SBS CALs too...
Forget the CALs for a moment, the SBS Premium License itself is a waste of money in this case and should not be recommended unless they use SQL.  If you can even find it.

THEN there's the CALs which DO NOT need to be changed in this scenario.  Only users accessing SQL require the SBS Premium CALs whether you have the premium add-on or not.

Your SBS Standard CALs (if that's what you have!) won't be sufficient with another DC anyway, regardless of OS.
This is incorrect.  SBS Standard CALs provide access to all other Servers of equal or lesser version on the SBS network.  Whether they are a DC or not.  Microsoft hasn't licensed per server in years.
You will need to, at minimum, get SBS Premium CALs for those PCs that will be accessing resources via your RODC.
The SBS Premium CALs would be a waste of money and if SQL is not used, they would be nothing more than a waste of money.

There is and has been a lot of confusion over licensing and SBS over the years.  Some people understand it... some don't... plenty of really smart people I know don't understand licensing well at all. That's fine.  But I would encourage those who don't to be honest about their lack of licensing knowledge - I'm HORRIBLE at dealing with VDI licensing, but this aspect I know quite well.
You are linking advice I didn't give to me. No advice I gave was incorrect. Any advice on 2008 or 2008 R2 was based on the original question quoting both versions
Lee W,

1.  Yes.  I have manually raised both levels to 2008 R2 years ago so going back isn't an option for me.

2.  SQL is installed on the SBS server but it would have been installed with the installation media.  I haven't configured anything related to SQL myself so whatever is installed would all be defaults from the original SBS installation.

3.  I plan on my original SBS to still hold all FSMO roles so this isn't a problem.

4.  I do have a spare Server 2012 R2 license so your idea of downgrading may be worth checking out in my case for sure.  Is it difficult to do that; or would a simple call to Microsoft take care of this during activation?  Not sure how the downgrade process works.

5.  My purpose for adding a second domain controller is to have redundancy for domain authentication and DNS resolution at a minimum for in the instance that the primary SBS box went down.  I had this happen to me recently and had to restore SBS from a backup, and during that time users were unable to authenticate on the network, DFS shares weren't accessible, and DNS resolution was down as well.  So my idea was to have a replica domain controller that could at least handle authentication and DNS.  

I guess my question now is would this be the best approach to what I am trying to accomplish?  All I want to achieve is having redundancy on my domain for login/DFS authentication and DNS at a minimum if the SBS 2011 domain controller went down.
You are linking advice I didn't give to me. No advice I gave was incorrect. Any advice on 2008 or 2008 R2 was based on the original question quoting both versions
I didn't single you out in EITHER post.  Multiple people have responded.  My response was to illustrate exactly what I meant with the statement "There has been much said here that I disagree with and that is incorrect or at a minimum, misleading."
1.  Yes.  I have manually raised both levels to 2008 R2 years ago so going back isn't an option for me.
Ok - so you need Server 2008 R2 or later if you want to add a second DC. Period.

2.  SQL is installed on the SBS server but it would have been installed with the installation media.  I haven't configured anything related to SQL myself so whatever is installed would all be defaults from the original SBS installation.
FULL SQL or SQL Express?  FULL SQL should not be running on the SBS Server - it's already got memory demanding Exchange on it.  It should be on another server.  SQL Express is memory limited and while you can have additional performance issues if it's a highly accessed database, it's relatively ok to do that.

CAL wise (and mostly for FYI of others), if you purchased the SBS 2011 Premium Add-on, then you need SBS Premium CALs for any user accessing the SQL database.  Users NOT accessing the SQL database don't need a Premium CAL.  I'm not sure the SBS Premium CALs would cover access to FULL SQL purchased separately or if you would have to purchase SQL CALs specifically (I'd advise contacting a reseller - if you were my client, I would in turn contact the licensing desk at my distributor to confirm what can and cannot be done).

SQL Express doesn't require CALs.

3.  I plan on my original SBS to still hold all FSMO roles so this isn't a problem.
Good.  It must also be a Global Catalog (GC), but other servers CAN be GCs (you can (and should) have more than one).

4.  I do have a spare Server 2012 R2 license so your idea of downgrading may be worth checking out in my case for sure.  Is it difficult to do that; or would a simple call to Microsoft take care of this during activation?  Not sure how the downgrade process works.
It really depends on how you obtained the license.  If you purchased a volume license, you would just sign in to the Volume License Service Center (VLSC), download Server 2008 R2 and note your key (all available at the VLSC).  If you have any other method of distribution, for example, if you purchased your copy in a retail box / full packaged product (FPP), you DO have the rights, but you don't get any help beyond activation - you have to have an existing copy of Server 2008 R2 with the appropriate key - if you have a problem downgrading, you call MS and tell them you are exercising downgrade rights and they SHOULD fix the activation for you.  If you have an OEM copy, same rule applies about activation, but you can't move it off the server.  Friends don't let friends buy OEM!  Always buy Volume! It MAY cost a *LITTLE* bit more to start, but the rights you get and the access to prior versions make it easily worth the $50-200 "increased" price compared to other distribution methods.

5.  My purpose for adding a second domain controller is to have redundancy for domain authentication and DNS resolution at a minimum for in the instance that the primary SBS box went down.  I had this happen to me recently and had to restore SBS from a backup, and during that time users were unable to authenticate on the network, DFS shares weren't accessible, and DNS resolution was down as well.  So my idea was to have a replica domain controller that could at least handle authentication and DNS.  

If that's the case, you DO NOT want an RoDC!  RoDCs have selective databases of users and do not necessarily provide the level of full redundancy you're looking for.  You want a second DC.  Which means you can skip the RoDC prep.

I guess my question now is would this be the best approach to what I am trying to accomplish?  All I want to achieve is having redundancy on my domain for login/DFS authentication and DNS at a minimum if the SBS 2011 domain controller went down.
That said, BE CERTAIN you study how to perform a restore in the case of DCs when you have more than one.  Doing restores incorrectly could corrupt everything.  In many cases, while the redundancy is good, it can be SAFER to have a system in place that restores the SBS server quickly rather than providing completely uninterrupted user access to the internet.  If you understand AD well, DEFINITELY have a second DC.  IF NOT, LEARN IT!

You COULD (I'd recommend) virtualize the SBS server with Hyper-V and replicate it to another server.  In the event of a hardware failure, you can get things going pretty quickly.  There are also BDR devices and image based backups that can allow you quick restoration in an emergency.
The SQL instance states it's SQL Server 2008 R2.  I don't see anything regarding an "Express" version installed.  That being said, this is whatever the SBS 2011 installation media would have installed on its own and I have not configured anything on my own so I don't appear to have any users connecting to it at the moment.

I apologize for the confusion on the RODC.  I simply would like a second DC is all in the case the SBS server went down.

Currently I am running bare metal image/system state backups on the entire SBS server so I already have a way to restore it relatively quickly if it went down again.  Now I am questioning if adding a second DC is more trouble in my environment than what it's worth.  The biggest issue I noticed when my SBS server went down was no DFS file share access, or authentication in general.  Would there be another method to work around that besides adding a second DC at all?  Maybe virtualization would be better, as you said, to have the redundancy in that way instead of adding another node that could unnecessarily complicate things and provide greater risks of corruption.
SBS 2011 doesn't come with SQL (except for SQL Express to manage some services) but SQL Express also is available for download.  If you have the full version of SQL then you either purchased it separately OR you purchased the SBS Premium Add-on which includes it.  In which case, you need those SBS Premium CALs for users accessing it.  Again, this is more FYI and I acknowledge this is not part of the original question per se.

I USED to recommend two DCs for every environment but then I participated in/read a discussion with another that made a great deal of sense to me - two DCs complicates restores and so only when people understand AD should you have two or more DCs.  It's easier for those who don't understand AD to simply do a full restore and not worry about USN rollback and authoritative restores and the like.

Virtualization can help with redundancy and recovery but it too can be complicated if you don't know what you're doing.  When you start worrying about things like this it's worth evaluating what you have, what you need, what skill sets you have and what kind of budget you have.  There are solutions you can use yourself and there are things that may require (for the wise admin) support from outsiders to ensure you implement properly and maintain...  Your doctor can help you with basic foot pain, but for serious things, he knows to send you to a specialist.  The IT department (internal or otherwise) should be just as smart about managing the network.
I second Lee W's comments, if you were going with a second DC, just make it a DC and global catalog server, an RoDC is pointless for that role (I was contemplating the same last year, but went with a normal DC instead of RoDC after realising it was pointless).

Virtualising the SBS could make restoring quicker or even help with avoiding a restore altogether.

I take a snapshot / checkpoint of any virtual servers before applying updates.  If there's an issue I can just roll back the Server to the last snapshot in less than 10 minutes.  

If you have the SBS Installation Media, Full SQL & the Server 2008 R2 disk would be labelled as SBS Premium, if they're the originals (I believe).
Do you guys have any opinions about using either HyperV or VMWare for virtualization redundancy?  I know this is a little off topic.  Currently I do have one VMWare virtual server that is really nice to have for snapshots, but I am only using the free license so I don't have any option for fault tolerance.  I haven't used HyperV before so I don't have much comparison with it and VMWare either.
They are both type 1 Hypervisors and for small business the performance / ease of use is fairly comparable.  I prefer Hyper-V - it includes one major Disaster Recovery feature that ESXi requires you pay through the nose for - VM Replication with Hyper-V Replica.  If implemented using 1+2 licensing of Windows Server, it's also far easier to manage the VMs on the host.  

But be careful - you don't want to use Checkpoints or snapshots on production servers except in EXTREME circumstances and especially not with an Exchange Server or DC (when the DC is in a multiple DC environment).