Configuring a 2nd domain controller capable to fully replace the first one...


SammyBar

Hi,

In our office we have only one W2K domain controller server attending logins
for Win98, Win2K and WinXP workstations and servers. We want to add a second
domain controller to the domain, but this should be an identical server; it
should be capable of replacing the first one 100%. We want to protect ourselves
against a complete failure of the first server.
Initially I thought it would be enough to set up an additional W2K server
and promote it to domain controller on the same domain as the first server
by using dcpromo, and install WINS for supporting Win98 PCs. I did that and
conducted the following test: disconnected the new domain controller from
the office's LAN and connected it to an independent switch. Then I connected a
Win98 PC to that, but I couldn't log in. The error was "wrong password or
access denied".
Interneting around, I was advised I should specially configure the second
domain controller in order to fully replace the first one: I should
"transfer roles" and activate global catalog on the second DC.
Can you point me to some article detailing how to properly configure the
replacement server? The goal is that both servers should be running as a pair.
If one of the servers fails catastrophically (is lost without any chance to
recover data), the second should be capable of assuming all the work of the
first server automatically and transparently, or at least with minimum user
intervention on the configuration of the server, and no intervention on the
configuration of the clients.
Thanks in advance
Sammy
 

Phillip Windell

The best way is to not create a "replacement",...you aren't "replacing"
anything. You simply have two running DCs at the same time,...think in terms
of "redundant" instead of "replacement". All machines (including the DCs)
will have the IP# of both of them in their DNS Settings. The DNS on both
DCs will have the same Forwarders Setup for the ISP's DNS.

The reason your test failed is because the client would not be aware of the
other DC when the original was down because the client probably did not have
the IP# of that DC in its TCP/IP settings. All of the DC/DNSs must be
listed in the clients' DNS Settings,..not just the original DC.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
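
One way to audit the client DNS settings described in the reply above, as an added example that is not part of the original post. The server addresses, client names and `ipconfig /all` excerpts are constructed for illustration; the parser collects every DNS server per client, including indented continuation lines, and reports which DC/DNS address each client is missing.

```python
import re

# Assumed addresses of the two DC/DNS servers (constructed for this example).
DC_DNS = {"192.168.1.10", "192.168.1.11"}

# Constructed excerpts in the style of Windows 2000/XP `ipconfig /all` output.
SAMPLES = {
    "PC-XP-01": """
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.11
        Primary WINS Server . . . . . . . : 192.168.1.10
""",
    "PC-2K-02": """
Ethernet adapter Local Area Connection:
        DNS Servers . . . . . . . . . . . : 192.168.1.10
        Primary WINS Server . . . . . . . : 192.168.1.10
""",
    "PC-XP-03": """
Ethernet adapter Local Area Connection:
        DNS Servers . . . . . . . . . . . : 192.168.1.11
""",
}

LABEL = re.compile(r"^\s*(.+?)[ .]*:\s*(.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def dns_servers(ipconfig_text):
    """Collect every DNS server listed, including indented continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = LABEL.match(line)
        if m:  # "Label . . . : value" starts a new field
            in_dns = m.group(1) == "DNS Servers"
            value = m.group(2).strip()
        else:  # no label: either a continuation value or unrelated text
            value = line.strip()
        if in_dns and IPV4.match(value):
            servers.append(value)
        elif not m:
            in_dns = False  # blank or unrelated line ends the DNS field
    return servers

def audit(samples, required=DC_DNS):
    """Map each client to the DC/DNS addresses missing from its DNS settings."""
    gaps = {c: sorted(required - set(dns_servers(t))) for c, t in samples.items()}
    return {c: m for c, m in gaps.items() if m}
```

Calling `audit(SAMPLES)` returns only the clients that would have no reachable DNS server if one of the two DCs went down.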
 

Frankster

Additionally, as far as the "replacement" aspect, in case of failure,
assuming you are using this for other things such as user account profile
directories and shares, just create all the same shares and directories on
this box as you have on the original. Make sure all the permissions are the
same. Keep them updated with the original data from the other DC via
replication or simple scheduled xcopy script. Then, if/when necessary due to
a failure, you can make a quick reconfiguration of the client's login
shares/profile directory and be up and running again in no time. That's
what I do. It's not a transparent switchover, but it is a very fast manual
switchover.

-Frank


Paul Bergson

Also, there is no need to transfer any of the fsmo roles as it appears you
were alluding to.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

