Hi,

I want to configure a second domain controller in our windows 2000
domain. The main reason for this is to have a "backup" of the
users/groups/policies. Replication just has to work from DC # 1 to DC #
2 and not the other way around. What I also want is that the first DC
stays the logonserver and that the second (new) dc does not have the
role for logon. How can I accomplish this?

Thanks in advance.

You can't really stop replication from flowing both ways. However, you can
configure it so that one will always be favoured over the other.

Firstly, you should add a new DC to the existing domain. You should also
make this DC a GC and a DNS server. Clients should point to both DCs for
DNS.

Once this is done, you must change the SRV record priorities, so that one is
always favoured over the other. To better control the frequency of
replication, you should also install this new DC in a separate VLAN, and
configure a subnet and site for that VLAN and ensure the DC's server object
resides in this site.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Thanks for the information. The only problem here is that the DNS
server is in another (remote) location and that I don't have the rights
to adminster it. Is there another way (like a preferred
logonserver/registry settings/hosts file or something like that?).

Paolo


Paul Williams [MVP] schreef:

> You can't really stop replication from flowing both ways. However, you can
> configure it so that one will always be favoured over the other.
>
> Firstly, you should add a new DC to the existing domain. You should also
> make this DC a GC and a DNS server. Clients should point to both DCs for
> DNS.
>
> Once this is done, you must change the SRV record priorities, so that one is
> always favoured over the other. To better control the frequency of
> replication, you should also install this new DC in a separate VLAN, and
> configure a subnet and site for that VLAN and ensure the DC's server object
> resides in this site.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net

As long as the DNS server supports dynamic updates, you are fine. You must
change this via a registry key - as NETLOGON triggers (well, tries to) an
update every 60 minutes.

See kb306602 for more info.
-- http://support.microsoft.com/?id=306602

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net