Backup Active Directory Server


Guest

Hi,

We have Windows 2000 Std. server [SP2] with Active Directory installed. We
have around 150 users on network. We have only one AD server and it is too
old. We are planning to install one more Active Directory server or domain
controller so that in case one server crashes for any reason, another
server authenticates the users and provides information to Exchange 2000 Std.
edition. Now, I have heard about different roles of the AD server and wanted
to check with someone that, if I install new server as a backup domain
controller and if I do not transfer or seize any roles to the new AD server
which is backup domain controller, then in case of the failure of primary AD
server, will everything work as it is? I will make that second server or
controller a Global Catalog. Can anyone guide me how should I protect
my AD failure [excluding backup methods] which needs time to restore for 24X7
operations?

This will help me to plan for what to do next.

Thanks in advance.
 
Rajesh said:
> Hi,
>
> We have Windows 2000 Std. server [SP2] with Active Directory installed. We
> have around 150 users on network. We have only one AD server and it is too
> old. We are planning to install one more Active Directory server or domain
> controller so that in case one server crashes for any reason, another
> server authenticates the users and provides information to Exchange 2000 Std.
> edition. Now, I have heard about different roles of the AD server and wanted
> to check with someone that, if I install new server as a backup domain
> controller

It will not be a "backup" DC (unless it is running as an NT BDC) but
rather "just another DC" if running Win200x.

> and if I do not transfer or seize

NEVER seize a role if you have ANY other choice -- once a role is
seized the original role holder cannot be left on the network (or returned)
as a DC but must be DCPromo'd to non-DC (it may then be re-DCPromo'd
however.)

> any roles to the new AD server
> which is backup domain controller, then in case of the failure of primary AD
> server, will everything work as it is?

You should NOT seize roles and should ONLY need to transfer roles
prior to doing something "dangerous" (e.g., changing drivers, upgrading
service packs on the first DC etc.)

You should have backups of at least the main DC (and any other role
holders) and preferably of ALL DCs.

Backups must include "System State" to be effective.

> I will make that second server or
> controller a Global Catalog. Can anyone guide me how should I protect
> my AD failure [excluding backup methods] which needs time to restore for 24X7
> operations?

In a small forest or single domain forest you can safely make
every DC a GC (and it is generally a good idea for such small
setups.)

> This will help me to plan for what to do next.

Make backups. (And after that: Make backups.)

Include System State when you make backups. <grin>
 
Hi Herb,

Got what you are saying. Thanks. But, want to clarify that, if suppose I
have another domain controller and if my first domain controller which holds
all the five roles fails and if for any reason I am not able to restore it
from backup, then what are my choices? Can I run the show with second domain
controller without affecting anything? Does everything [mainly AD] depend on
First controller set in Forest?

Thanks.

 
Rajesh said:
> Hi Herb,
>
> Got what you are saying. Thanks. But, want to clarify that, if suppose I
> have another domain controller and if my first domain controller which holds
> all the five roles fails and if for any reason I am not able to restore it
> from backup, then what are my choices?

Then -- and pretty much only then -- you can seize the roles owned
by the LOST DC.

> Can I run the show with second domain
> controller without affecting anything? Does everything [mainly AD] depend on
> First controller set in Forest?

Yes. Make sure that both DCs are GCs and both have the DNS.

Best is to make the DNS AD-Integrated.

If the first one dies you can just seize roles and recreate the
DC, or another one.

Eventually you would have to clean the "dead" DC out of the
AD database (Ntdsutil "metadata cleanup") but it would work
fine if DNS works.

As a matter of fact, for small domains you are unlikely to even
notice the absence of the 5 roles (at least right away) but you
will notice the missing DNS (unless you have that) and likely
the missing GC but these are NOT SINGLE Master, but
multi-masterable.

The most 'noticeable' of the roles will be the PDC Emulator,
but unless you make schema changes, add/remove domains from
the forest, or bulk add LOTS of users you probably won't notice
the others to be missing.

The PDC Emulator does quite a bit more than be "the PDC".
(Time master, Domain Master Browser, etc.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
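
As an added illustration (not part of the thread, and not code from any of the posters), the failover reasoning in the reply above can be run as a what-if check over a DC inventory. The DC names and inventories are constructed; the Infrastructure Master entry is left undescribed because the thread says nothing specific about it.

```python
from dataclasses import dataclass

# When a missing single-master role is noticed, per the reply above.
ROLE_IMPACT = {
    "PDC Emulator": "most noticeable: time master, domain master browser",
    "Schema Master": "noticed when making schema changes",
    "Domain Naming Master": "noticed when adding/removing domains in the forest",
    "RID Master": "noticed when bulk-adding lots of users",
    "Infrastructure Master": "not described in the thread",
}

@dataclass(frozen=True)
class DomainController:
    name: str
    is_gc: bool = False
    has_dns: bool = False
    roles: frozenset = frozenset()

def failure_impact(dcs, failed_name):
    """Report what is still served if the DC named failed_name goes down."""
    failed = next(dc for dc in dcs if dc.name == failed_name)
    survivors = [dc for dc in dcs if dc.name != failed_name]
    return {
        "logon": bool(survivors),                     # any remaining DC authenticates
        "gc": any(dc.is_gc for dc in survivors),      # multi-master service
        "dns": any(dc.has_dns for dc in survivors),   # multi-master service
        "roles_offline": {r: ROLE_IMPACT[r] for r in sorted(failed.roles)},
    }

def recovery_steps(impact, restorable):
    """Order of operations from the thread: restore if possible, seize last."""
    if not impact["roles_offline"]:
        return ["no role action needed"]
    if restorable:
        return ["restore the failed DC from a backup that includes System State",
                "do not seize any roles"]
    return ["seize the offline roles on a surviving DC",
            "remove the dead DC with ntdsutil metadata cleanup",
            "never return the old DC as a DC; DCPromo it to non-DC first"]

# Constructed inventories: today's single DC, and the planned two-DC layout.
ALL_ROLES = frozenset(ROLE_IMPACT)
SINGLE_DC = [DomainController("DC1", True, True, ALL_ROLES)]
TWO_DCS = SINGLE_DC + [DomainController("DC2", is_gc=True, has_dns=True)]
BARE_DC2 = SINGLE_DC + [DomainController("DC2")]  # second DC without GC or DNS

if __name__ == "__main__":
    for label, dcs in (("single", SINGLE_DC), ("bare DC2", BARE_DC2),
                       ("planned", TWO_DCS)):
        impact = failure_impact(dcs, "DC1")
        print(label, {k: impact[k] for k in ("logon", "gc", "dns")})
    for step in recovery_steps(failure_impact(TWO_DCS, "DC1"), restorable=False):
        print("-", step)
```

The "bare DC2" case shows why adding a second DC alone is not enough: logons survive, but GC and DNS do not unless the second DC also carries them.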
 
OP mentioned having Exchange but didn't say where it is running. Hopefully a
member server.
If not, then it gets more complicated.

--
/kj
 
Yes. It is in the same domain but as a member server. I hope Exchange would
not be affected if second domain controller is configured as GC.

 
Rajesh,

It would be a 'problem' for a few moments. After that Exchange would find
the other DC/GC ( actually, it already knows about it....just takes a few
minutes...something like 15 minutes...to 'use' that information ). Outlook
might also have a small problem but usually closing Outlook and then
reopening Outlook solves that problem.

This is a very general answer.

It is a good thing that you are running Exchange 2000 on a Member Server.
Makes things a bit easier.

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)


