2003 Domain Controller Question


Lamar Thomas

We are just getting ready to upgrade from an NT 4.0 domain to a Windows 2003
domain with DNS and AD. I just want to know what "role" the second (aka
BDC) in an AD domain plays other than backup when there are only two (2) DCs?
Here is what I mean. In my NT 4.0 domain if the BDC was down no one would
be able to log onto the domain or access domain resources.

So..., in a Windows 2003 AD domain what services would I lose if my second DC
was down (let's say it was down for a week). I know that they say the DCs
in AD are "Active Active". But let's face it, only the first DC has the
FSMO roles.

So what would happen if my second (and only backup) DC was offline for a
week? Just for kicks lets just say that during that week I also needed to
add/delete users and other resources to my network. Inquiring minds just
want to know.

Thanks for any input.


Lamar
 

Chriss3

There are a set of Flexible Single Master Operations (FSMO) which can only
be done on a single controller. An administrator determines which operations
must be done on the master controller. These operations are all set up on
the master controller by default and can be transferred later. FSMO
operations types include:

a.. Schema Master - Makes changes to the database schema. Applications may
remotely connect to the schema master.
b.. Domain Naming Master - Adds or removes domains to or from the forest.
c.. PDC Emulator - When Active Directory is in mixed mode, the computer
Active Directory is on acts as a Windows NT PDC. The first server that
becomes a Windows 2000 domain controller takes the role of PDC emulator by
default. Functions performed by the PDC emulator:
    a.. User account changes and password changes.
    b.. SAM directory replication requests.
    c.. Domain master browser requests.
    d.. Authentication requests.
The NTLM protocol is used by the PDC emulator to contact non-Windows 2000
clients and servers for exchange of authentication information. When
contacting Windows 2000 servers, the Windows 2000 protocol is used.
d.. Relative ID Master (RID Master) - All objects have a Security
Identifier (SID) and a domain SID. The RID assigns relative IDs to each
domain controller.
e.. Infrastructure Master - Updates group membership information when
users from other domains are moved or renamed. If you transfer this
function, it should not be transferred to the domain controller that is the
global catalog server. If this is done, the Infrastructure Master will not
function.

When operating in mixed mode, the PDC emulator will allow non-Windows 2000
clients to use the NTLM authentication protocol rather than Kerberos. If a
Windows 2000 client cannot find a Windows 2000 domain controller for logon
purposes, it will attempt to contact a Windows NT PDC using the NTLM
protocol. If the Windows 2000 client successfully logs on using an NT
server, group policy objects cannot be loaded.

The Global Catalog Server (GCS) maintains an Active Directory global catalog
with information about all objects in the forest along with universal groups
and group members. It has a copy of all objects in its domain and some
objects in other domains. It has a copy of domain local and global groups,
but not members of those groups. It provides universal group membership
information and allows users to find resources. It is used to search for
objects in the forest.

Normally the first domain controller is a global catalog server. The "Active
Directory Sites and Services" tool in "Administrative Tools" is used to move
the global catalog server or create another one.

A global catalog server must be available or the user cannot logon to the
domain unless the user is in the group "Domain Admins".

A Universal group may contain users and groups from any domain in a forest.
This can however be cached with a new feature in Windows Server 2003.

Adding more global catalog servers will make searching the forest faster,
but more network bandwidth will be required for replication between global
catalog servers. Any Domain Controller can become a Global Catalog Server.
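The post above lists the five roles and the Global Catalog but gives no way to see where they currently sit. The script below is an added example, not code from the thread or from any Microsoft page: it prints the holder of each role, the GC servers and the functional levels, and flags the Infrastructure Master placement problem described above. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later); on a Windows Server 2003 DC the same information comes from "netdom query fsmo" and the Active Directory Sites and Services snap-in.

```powershell
# Added example, not from the thread: list where the five Operations Master
# (FSMO) roles and the Global Catalog currently sit, and flag the
# Infrastructure Master / GC placement problem described in the post above.
# Needs the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or
# later); on a Windows Server 2003 DC use "netdom query fsmo" and the Active
# Directory Sites and Services snap-in instead.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain roles on the domain object.
$roles = @(
    @{ Role = 'Schema Master';         Holder = $forest.SchemaMaster },
    @{ Role = 'Domain Naming Master';  Holder = $forest.DomainNamingMaster },
    @{ Role = 'PDC Emulator';          Holder = $domain.PDCEmulator },
    @{ Role = 'RID Master';            Holder = $domain.RIDMaster },
    @{ Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster }
)
foreach ($r in $roles) { '{0,-22} {1}' -f $r.Role, $r.Holder }

$gcs = @($forest.GlobalCatalogs)
'Global Catalogs:        {0}' -f ($gcs -join ', ')
'Functional levels:      domain={0} forest={1}' -f $domain.DomainMode, $forest.ForestMode

# The Infrastructure Master fixes up references to objects in other domains by
# comparing its own copy against a GC. If it is itself a GC it never holds a
# stale reference, so it silently stops doing that job. That only matters when
# the forest has more than one domain and some DCs are not GCs; in a
# single-domain forest (as Mike Brannigan notes later) the placement is irrelevant.
$im       = $domain.InfrastructureMaster
$imIsGc   = $gcs -contains $im
$nonGcDcs = @($domain.ReplicaDirectoryServers | Where-Object { $gcs -notcontains $_ })
if ($forest.Domains.Count -gt 1 -and $imIsGc -and $nonGcDcs.Count -gt 0) {
    Write-Warning "Infrastructure Master $im is a Global Catalog in a multi-domain forest; move the role to one of: $($nonGcDcs -join ', ')"
} else {
    'Infrastructure Master placement is not a problem for this forest.'
}
```

Run it as any domain user; reading the role holders and the GC list needs no admin rights, so it is a safe first check before any transfer.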
 

Lamar Thomas

So what about my example? What if I took my backup DC offline for a week?
What if I did a "DCPROMO" and demoted the only backup DC. That would
transfer ALL of the FSMO roles to the "first" DC. Isn't that where the
Global Catalog is? What about the "Infrastructure Master" and the "Global
Catalog" being on the same server. You said that would cause
"Infrastructure Master" not to work. But what if I ONLY installed ONE DC
and only ONE DC. They would all be on the same server then wouldn't they?
Help me understand. Thanks for your input.


Lamar
 

Chriss3

Lamar, I'm myself in the middle of promoting new Domain Controllers right now
and have little time, so that was an answer from a page. However, what they
recommend is true for the enterprise. Running DCPROMO in order to demote a
Domain Controller will transfer any current FSMO roles off to another Domain
Controller, yes. These roles can also be transferred manually. In your case
you can also make both Domain Controllers Global Catalogs because it
doesn't make much traffic in your environment, I suppose. RID and PDC
Emulator are recommended to be on the same Domain Controller; also deploy
Exchange in the same site, since there is much traffic between them. Post another
post if there is something more you wonder about.

(Sorry for the quick answers I'm giving you, I have a lot of things to do here)
 

Enkidu

We are just getting ready to upgrade from an NT 4.0 domain to a Windows 2003
domain with DNS and AD. I just want to know what "role" the second (aka
BDC) in an AD domain plays other than backup when there are only two (2) DCs?
Here is what I mean. In my NT 4.0 domain if the BDC was down no one would
be able to log onto the domain or access domain resources.

In an NT Domain, if the BDC is down it should be possible to logon!

So..., in a Windows 2003 AD domain what services would I lose if my second DC
was down (let's say it was down for a week). I know that they say the DCs
in AD are "Active Active". But let's face it, only the first DC has the
FSMO roles.

It depends on whether or not the Domain is in native mode or mixed
mode. In mixed mode the Domain acts a bit like a WinNT Domain with the
PDC Emulator processing logons. In native mode, all Win2000 clients
are able to authenticate with any DC.

So what would happen if my second (and only backup) DC was offline for a
week? Just for kicks lets just say that during that week I also needed to
add/delete users and other resources to my network. Inquiring minds just
want to know.

When it comes back replication would update it. For a little while it
wouldn't know about the changes.

Cheers,

Cliff
 

Mike Brannigan [MSFT]

Lamar Thomas said:
We are just getting ready to upgrade from an NT 4.0 domain to a Windows 2003
domain with DNS and AD. I just want to know what "role" the second (aka
BDC) in an AD domain plays other than backup when there are only two (2) DCs?
Here is what I mean. In my NT 4.0 domain if the BDC was down no one would
be able to log onto the domain or access domain resources.

So..., in a Windows 2003 AD domain what services would I lose if my second DC
was down (let's say it was down for a week). I know that they say the DCs
in AD are "Active Active". But let's face it, only the first DC has the
FSMO roles.

So what would happen if my second (and only backup) DC was offline for a
week? Just for kicks lets just say that during that week I also needed to
add/delete users and other resources to my network. Inquiring minds just
want to know.

Thanks for any input.

If your second DC was offline for a week, the only impact would be that
clients would not be able to use it for authentication. So if that DC was
in one office and the other (first installed) DC was in another office then
all users would be forced to use the first DC instead of one 'close' to
them.
You would also lose any other services you were running on that server.
If you ignore the Operation Master roles (FSMOs) the other person has
talked about then all DCs are equal peers in the sense of read/write
capabilities to the directory.
Remember the Operation Master roles play very little use in an extremely
simple environment (such as a forest of one domain).

E.g. if you only have one domain the Infrastructure Master can be on any
server, a DC or a GC, it doesn't matter.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
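Both answers above say the second DC simply catches up by replication when it returns. The one thing neither spells out is the limit on that: deleted objects survive only as tombstones for the forest's tombstone lifetime, and a DC that missed replication for longer than that must not be reconnected, because it would re-introduce the deletions as lingering objects. The script below is an added example, not from the thread, that checks both points after the outage. It assumes the returning DC is named DC2 and that repadmin.exe is available (Windows Server 2003 Support Tools; built in from Windows Server 2008 on); it reads the directory through ADSI so it does not need the ActiveDirectory module.

```powershell
# Added example, not from the thread: after the second DC has been offline,
# confirm that it is replicating again and that the outage did not exceed the
# forest's tombstone lifetime. Assumed name of the returning DC: DC2.
# Requires repadmin.exe (2003 Support Tools; built in from 2008 on).
$returningDc = 'DC2'

# 1. Tombstone lifetime: deleted objects are kept as tombstones only this long.
#    A DC that missed replication for longer would bring deleted objects back
#    as lingering objects, so it has to be rebuilt rather than reconnected.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tsl = $dsObject.Properties['tombstoneLifetime'].Value
if (-not $tsl) { $tsl = 60 }   # attribute unset: 60-day default (forests created before 2003 SP1)
"Tombstone lifetime: $tsl days"

# 2. Inbound replication status as DC2 sees it, parsed from repadmin's CSV output.
$rows = & repadmin /showrepl $returningDc /csv | ConvertFrom-Csv
$oldestDays = 0
foreach ($row in $rows) {
    if ([int]$row.'Number of Failures' -gt 0) {
        Write-Warning ('{0} <- {1} [{2}]: {3} failures, last status {4}' -f `
            $row.'Destination DSA', $row.'Source DSA', $row.'Naming Context',
            $row.'Number of Failures', $row.'Last Failure Status')
    }
    $last = $row.'Last Success Time' -as [datetime]
    if ($last) {
        $age = ((Get-Date) - $last).TotalDays
        if ($age -gt $oldestDays) { $oldestDays = $age }
    }
}
'Oldest successful inbound replication to {0}: {1:N1} days ago' -f $returningDc, $oldestDays

if ($oldestDays -gt $tsl) {
    Write-Warning "$returningDc missed replication for longer than the tombstone lifetime; do not let it replicate. Demote it with dcpromo /forceremoval, clean up its metadata with ntdsutil and promote it again."
} elseif ($oldestDays -lt 1) {
    "$returningDc is current; the changes made while it was down (users added and deleted, etc.) have replicated to it."
}
```

A week, as in the question, is well inside the 60-day default, so the "replication would update it" answer holds; the check matters when the box sits on a shelf for months "for safe keeping" and someone later plugs it back in.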
 

Mike Brannigan [MSFT]

Lamar Thomas said:
So what about my example? What if I took my backup DC offline for a week?
What if I did a "DCPROMO" and demoted the only backup DC. That would
transfer ALL of the FSMO roles to the "first" DC. Isn't that where the
Global Catalog is? What about the "Infrastructure Master" and the "Global
Catalog" being on the same server. You said that would cause
"Infrastructure Master" not to work. But what if I ONLY installed ONE DC
and only ONE DC. They would all be on the same server then wouldn't they?
Help me understand. Thanks for your input.

If you only have one and only one DC:

Firstly you are running with an acute single point of failure and this
should never be used in a production environment.
If you only have one DC then you have a forest of one Domain - so the
placement of the Infrastructure Master on a GC (which this only server will
be) is not an issue.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 

Lamar Thomas

Hey Mike,

Thanks for the reply. I was just using the example as a worst case. My
boss wanted to know. We will be running two (2) DCs. My boss wanted me to
get the answer to what does "Active Active" REALLY mean? Right now in our
NT 4.0 domain if the BDC goes down then users can't log onto the domain. My
boss wanted to know if moving to Win 2003 and AD would remove THAT single
point of logon failure. That's why I asked - If the second DC was down for
a week what would be the impact? Any feedback?

Thanks,

Lamar
 

Mike Brannigan [MSFT]

OK.

Active Active - both DCs are fully capable of authenticating users but more
importantly - unlike NT 4.0 with the PDC/BDC - with Windows Server 2003 (or
2000) BOTH DCs are fully read and write. In that you can create objects,
users can change their passwords etc. etc. against either DC and they will
replicate until the directory converges to a common view across all DCs in
the Domain.

We still have the 5 Operation Master roles (FSMOs) that can only exist on a
single server at any one time because what they do cannot be allowed to work
in a multi-master environment. E.g. the Schema Master - you would never
want the ability to change the Schema on 2 DCs at the same time - you must
only have a single master for this.

So the 5 roles may exist on any DC at any one time and the roles may be
spread across multiple machines (all 5 do not need to be on one server).

For discussion of placement of the Operations Master roles and the impact of
the loss of each one see
http://www.microsoft.com/resources/...erver/reskit/en-us/distsys/part1/dsgch07.mspx

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 

Lamar Thomas

Cool, now we're getting down to the nuts and bolts! In a single domain
forest with two 2003 DCs the first one has the FSMO roles AND the GC right?
What we want to do is remove the first DC and install a NEW DC to replace
it. We will upgrade our NT 4.0 PDC to Win 2003 AD. Then we will install a
NEW second Win 2003 DC. I will then take my old NT 4.0 BDC offline for safe
keeping in case I have to recover. Then I will make the second Win 2003 DC
a GC server. Then last I will run "DCPROMO" on the first (upgraded) DC to
move the FSMO roles to the second DC. I will then install another NEW Win
2003 server with more horse power and also make it a GC server. I will then
change the "Functional level" to "Windows Server 2003 domain functional
level" and "Windows Server 2003 forest functional level". We do have some
workstations running Windows 98 and our Exchange 5.5 server is running on NT
4.0 (but it is on the list to move to Exchange 2003 on a Windows 2003 box).
What do you think about my plan? Thanks for any feedback.


Lamar
 

Mike Brannigan [MSFT]

Lamar Thomas said:
Cool, now we're getting down to the nuts and bolts! In a single domain
forest with two 2003 DCs the first one has the FSMO roles AND the GC right?

Yes - the first Windows Server 2003 DC installed in a forest holds all 5
Operations Masters and is a Global Catalog server.
What we want to do is remove the first DC and install a NEW DC to replace
it.

I do not understand this statement, are you taking about an NT 4.0 domain or
a 2003 domain??
We will upgrade our NT 4.0 PDC to Win 2003 AD. Then we will install a
NEW second Win 2003 DC. I will then take my old NT 4.0 BDC offline for safe
keeping in case I have to recover.

OK so far
Then I will make the second Win 2003 DC
a GC server. Then last I will run "DCPROMO" on the first (upgraded) DC to
move the FSMO roles to the second DC.

No, you do not use DCPROMO to move the Operations Master roles to another
server.
You use the appropriate admin tool, such as the Schema Manager MMC snap-in
etc.
I will then install another NEW Win.
2003 server with more horse power and also make it a GC server. I will then
change the "Functional level" to "Windows Server 2003 domain functional
level" and "Windows Server 2003 forest functional level".
OK

We do have some
workstations running Windows 98

Then you must look into working around the newer tighter security in Server
2003, by looking at the Help and Support for information on how to deal
with old clients.
and our Exchange 5.5 server is running on NT
4.0 (but it is on the list to move to Exchange 2003 on a Windows 2003 box).
What do you think about my plan? Thanks for any feedback.

Seems OK. But ideally you should thoroughly test it in a lab environment
prior to implementation.

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
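Mike's correction above is the important one in the plan: DCPROMO demotes a DC, it is not the tool for moving roles. The script below is an added example, not code from the thread or from KB 255690, showing the steps Lamar listed done with the supported tools: make the new DC a Global Catalog, transfer the five roles to it, verify, and only then raise the functional levels. Assumed names: DC1 (the upgraded NT 4.0 PDC, current role holder) and DC2 (the new Windows Server 2003 DC). It needs the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) run as a member of Schema Admins, Enterprise Admins and Domain Admins; the ntdsutil line at the end does the same transfers from a Windows Server 2003 command prompt, which is what the KB article Mike points to describes.

```powershell
# Added example, not from the thread or from KB 255690: move the Operations
# Master roles from the upgraded DC to the new one with the supported tools
# instead of DCPROMO. Assumed names: DC1 (upgraded NT 4.0 PDC, current role
# holder) and DC2 (new Windows Server 2003 DC). Needs the ActiveDirectory
# PowerShell module (RSAT, Windows Server 2008 R2 or later), run as a member
# of Schema Admins, Enterprise Admins and Domain Admins.
Import-Module ActiveDirectory
$target = 'DC2'

# 1. Make DC2 a Global Catalog: bit 1 of the "options" attribute on its NTDS
#    Settings object. OR the bit in rather than overwriting the attribute.
$ntds = (Get-ADDomainController -Identity $target).NTDSSettingsObjectDN
$opts = [int](Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }

# 2. Wait until DC2 actually advertises as a GC (RootDSE isGlobalCatalogReady)
#    before it takes the roles or DC1 is demoted; this needs a full replication
#    pass and can take a while.
do {
    Start-Sleep -Seconds 30
    $ready = ([ADSI]"LDAP://$target/RootDSE").isGlobalCatalogReady.Value
} until ($ready -eq 'TRUE')

# 3. Transfer (not seize) all five roles. DC1 is still online, so no -Force;
#    -Force seizes roles from a DC that is permanently gone and must never be
#    used while the old holder can come back.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -Confirm:$false

# 4. Verify every role now points at DC2 before touching DC1.
$f = Get-ADForest; $d = Get-ADDomain
$holders = @($f.SchemaMaster, $f.DomainNamingMaster, $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster)
$stray = @($holders | Where-Object { $_ -notlike "$target.*" })
if ($stray.Count -gt 0) { throw "Roles still held elsewhere: $($stray -join ', ')" }
"All five Operations Master roles are on $target."

# 5. Only after the last NT 4.0 BDC and any Windows 2000 DC are gone for good:
#    raise the functional levels. Both changes are one-way.
Set-ADDomainMode -Identity $d -DomainMode Windows2003Domain
Set-ADForestMode -Identity $f -ForestMode Windows2003Forest

# Windows Server 2003 equivalent (the ntdsutil procedure in KB 255690), one
# "transfer" command per role, runnable from a single command line:
# ntdsutil "roles" "connections" "connect to server DC2" "quit" "transfer PDC" "transfer RID master" "transfer infrastructure master" "transfer schema master" "transfer domain naming master" "quit" "quit"
```

Two things the plan in the thread does not mention: the upgraded PDC is almost certainly also the DNS server every client and the DHCP scope point at, so before DC1 is demoted, confirm DC2 hosts the zones (AD-integrated zones replicate on their own) and repoint clients; and the NT 4.0 BDC kept offline "for safe keeping" cannot be reintroduced once the domain functional level has been raised, so treat its backup tape, not the box, as the recovery path.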
 

Lamar Thomas

Mike Brannigan said:

Hey Mike,

Thanks for your reply. Are the "appropriate admin tools" on the 2003 CD or
in "Administrative Tools"? What are the names of them? I take it that the
"Schema Manager MMC" snap-in will only move the "Schema" right? Again
thanks for your help. I am just about ready to do this upgrade and you have
been a BIG help. I feel that I have a MUCH better understanding of this
whole process now.


Lamar
 

Mike Brannigan [MSFT]

Lamar Thomas said:
Hey Mike,

Thanks for your reply. Are the "appropriate admin tools" on the 2003 CD or
in "Administrative Tools"? What are the names of them? I take it that the
"Schema Manager MMC" snap-in will only move the "Schema" right? Again
thanks for your help. I am just about ready to do this upgrade and you have
been a BIG help. I feel that I have a MUCH better understanding of this
whole process now.

see
http://support.microsoft.com/?id=255690

--
Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

 

Lamar Thomas

Thanks Mike,

I will take a look at the link in a little bit and get back to you. Thanks
again for all your help.


Lamar
 
