Help: One and only global catalog DC down. 5 FSMO on 1st site DC working.

alvin

Thanks in advance.

We have Active directory in a mixed mode environment (w2ks and NTs).
The active directory has only 2 DCs.
(1 having all FSMOs, DNS, WINS - the other Global Catalog)

2 days ago, the DC which hosts the only Global catalog crashed.
We had done a rebuild on the server and rejoined the domain as a member server.

Our first-site DC is still online; having all FSMO and DNS.
- (but not a Global Catalog server)

All our users are still able to login - via the remaining DC.
But, we cannot create new user accounts as there isn't a global catalog server.

Question:
Could we go to NTDS settings and enable the DC as Global Catalog?


All feedback appreciated, thank you for your time.
 
Ryan Hanisco

Alvin,

In an environment with only one Domain controller, it is perfectly fine to
have all of the FSMO roles and the GC on the same box. Enable the GC and
you'll be fine.
 
alvin

Thank you Ryan for the fast reply.

Once I get the Global catalog to reside on my First-site-name DC,
do I need to clean up the active directory entries of metadata?

This is because my old global catalog server is still being listed as a DC.

Thank you.
 
Ryan Hanisco

Alvin,

Being a GC is not nearly as touchy as the FSMO roles. You can go through
the SRV records on the DNS and pull the old references out but you'll not
see a huge difference.

There isn't anything you should do with NTDSUTIL when moving a GC.
 
alvinalf1

Hi Ryan and all,

I've just enabled Global catalog on the 1st Domain Controller with the
FSMOs.

Glad to feedback that once I checked the "enable as Global Catalog"
box, the server prompted a minimal 5 minutes of wait time was needed to
prepare it - After 5 mins, Event viewer reported the server is now a
GC.
All the GC not found errors have also stopped once it was assigned the
new GC role.
From AD Replication monitor on another member server, I verified that
the 1st DC has the new GC role.

Is this enough to confirm GC is working again?
Do I need to test by adding a new user account on one of the NT4 servers
and see if it gets replicated to the W2k DC?
Or, run dcdiag?

I will be doing a dcpromo on the failed DC with the original GC later -
having the same computername.
Will be giving it a GC role too so that, we have GC redundancy. (learnt
the hard way).
Is it as simple as enabling it at NTDS again?

Thanks
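
One way to answer "is the GC working again?" from a management host, as an added example that is not part of the original thread. It assumes a placeholder forest name (`corp.example`) and a domain-joined Windows 8 / Server 2012 or later machine for `Resolve-DnsName` and `Test-NetConnection`; the function name `Test-GlobalCatalog` is hypothetical. It also surfaces stale `_gc` SRV records that still point at a dead server.

```powershell
# Added example: confirm every DC that DNS advertises as a Global Catalog is serving one.
param(
    [string]$ForestDnsName = 'corp.example'   # placeholder: replace with your forest root
)

function Test-GlobalCatalog {
    param([Parameter(Mandatory)][string]$Server)

    # rootDSE reports isGlobalCatalogReady = TRUE once GC promotion has finished.
    $ready = $false
    try {
        $rootDse = [ADSI]"LDAP://$Server/RootDSE"
        $ready   = ("$($rootDse.Properties['isGlobalCatalogReady'].Value)" -eq 'TRUE')
    } catch {
        Write-Warning "rootDSE read failed on ${Server}: $($_.Exception.Message)"
    }

    # A Global Catalog answers LDAP queries on TCP 3268.
    $port = Test-NetConnection -ComputerName $Server -Port 3268 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server   = $Server
        GcReady  = $ready
        Port3268 = $port.TcpTestSucceeded
        Healthy  = $ready -and $port.TcpTestSucceeded
    }
}

# Clients find a GC through the _gc._tcp.<forest> SRV records, so test what DNS hands out.
# Records without a NameTarget (A records in the additional section) are skipped.
$targets = Resolve-DnsName -Name "_gc._tcp.$ForestDnsName" -Type SRV -ErrorAction Stop |
           Where-Object { $_.NameTarget } |
           Select-Object -ExpandProperty NameTarget -Unique

$results = $targets | ForEach-Object { Test-GlobalCatalog -Server $_ }
$results | Format-Table -AutoSize

# An unhealthy row usually means a stale SRV record or a GC that has not finished building.
$healthy = @($results | Where-Object { $_.Healthy }).Count
if ($healthy -eq 0) {
    Write-Warning 'No working Global Catalog is advertised in DNS.'
} elseif ($healthy -eq 1) {
    Write-Warning 'Only one working Global Catalog: single point of failure.'
}
```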
 
alvinalf1

After the 1st DC was enabled with GC role, I reinstalled the crashed
DC2.

Was able to do a dcpromo and subsequently, enabled GC to DC2.
I did not do a ntdsutil metadata cleanup, but after enabling GC on DC2,
active directory was smart enough to do cleanup automatically.

Finished off by running dcdiag /v - all tests passed.

So now I'm back with 2DCs with 2GCs - but only 1 DNS on DC1.

Anything I need to check/take note?

Ryan, thank you again!
 
ptwilliams

> So now I'm back with 2DCs with 2GCs - but only 1 DNS on DC1.

Make both DCs AD-Integrated DNS servers.
 
alvinalf1

Hi Williams,

Thank you for the reply.
I'll need to find out more if my current DC1's DNS is an AD-integrated
DNS.
(seriously, I don't think it is setup as such now)
It really does make sense to add redundancy after this wake-up call.

I'm running AD in mixed mode: 2DCs, 6 w2k member servers, 5 NT BDCs
all pointing to DC1 for DNS.

Any issues with setting up AD-integrated with the NT4 servers?

Thanks
 
Enkidu

> Hi Williams,
>
> Thank you for the reply.
> I'll need to find out more if my current DC1's DNS is an AD-integrated
> DNS.
> (seriously, I don't think it is setup as such now)
> It really does make sense to add redundancy after this wake-up call.
>
> I'm running AD in mixed mode: 2DCs, 6 w2k member servers, 5 NT BDCs
> all pointing to DC1 for DNS.
>
> Any issues with setting up AD-integrated with the NT4 servers?

As long as *they* don't run DNS, no, I'd say.

Cheers,

Cliff
 
alvinalf1

Hi all!

DC1's DNS is actually setup as AD-integrated DNS.
Now I need to get my hands on some HowTo's to check if I can just
install DNS onto DC2 and let AD replicate the zones...
 
ptwilliams

No need for a how-to --that's exactly what you do!

Once DNS is installed on a DC, when the DC starts it will load the zone
(unless it's configured _not_ to pull from AD -which isn't the case by
default).
 
alvinalf1

Hi!
once DNS was installed on DC2.. it replicated forward and reverse zones
at once.

on comparing zones with the primary DNS server on DC1, the new DNS
server does not have the "." zone...

is this normal?

Also, on the new DNS server DC2... do I need to change the DNS server
ip to point to itself?
It is now pointing to DNS on DC1...

Thanks!
 
ptwilliams

> is this normal?

Yes, and no. That . zone is there because the DNS Installation wizard
couldn't contact another DNS server during setup. It is not needed;
especially if you wish to resolve Internet names. Personally, I would
delete the root ('.') zone.

> Also, on the new DNS server DC2... do I need to change the DNS server ip
> to point to itself? It is now pointing to DNS on DC1...

That's up to you. It really doesn't matter. If this were a remote site,
I'd say yes -point to self. If there are other DCs/ DNS servers on the LAN
then you can do what you want - point to self; point to each other; point to
a central -it's up to you.

What is important is that there is more than one DNS server configured in the
list (if you are not pointing to self - it should be there even if you are
pointing to self, but let's be fair - what DNS server on a DC is going to be
up if the DC isn't ;-)
 
alvinalf1

Hi Paul,
Thanks for the input. This thread is fast becoming to :
"How to add failsafes after a crash ...." ;P

I found this article:

http://support.microsoft.com/kb/291382/

Question: How do I set up DNS for other domain controllers in the
domain that are running DNS?

Answer: For each additional domain controller that is running DNS, the
preferred DNS setting is the parent DNS server (first domain controller
in the domain), and the alternate DNS setting is the actual IP address
of network interface.

I guess I'll follow that and set the 2nd DNS server's preferred DNS
setting as DC1 and alternate as pointing to itself....

And for the other non-DNS DCs & member servers, I'll do the same:
preferred DNS: DC1 DNS
alternate DNS: DC2 DNS

Thanks
 
ptwilliams

Hi Alvin,
> For each additional domain controller that is running DNS, the preferred
> DNS setting is the parent DNS server (first domain controller in the
> domain), and the alternate DNS setting is the actual IP address of network
> interface.

This is just one way of doing it. There's no real hard and fast rule. I
recommend a similar setup:

[Remote Site]
1. A DC in the same site OR Self.
2. Another DC in the same site (this step can be skipped, but is worth
doing if you have expensive and slow WANs)
3. Another DC in the central site, or a well-connected site.

[Main Site]
1. A DC.
2. Self

Self obviously only applies to DNS servers (usually DCs). Try and localise
DNS though.

All the best to you!!!
 
