newbie questions

wilbur

Hi,
I recently took over a small shop. It has 3 windows 2000
single domain DCs running in mixed mode. The #1 server
was the PDC role, also global catalog and master. #2
server running an application, and #3 server running
exchange 2000. #1 and #2 servers are running DNS - active
directory integrated. I took #1 server down for
maintenance, and then users that were not logged into
exchange could not log into it. I thought that if one DC
was not available that another one would take its place
for authentication. Did this happen because the servers
were in mixed mode? I am not sure about the whole "role"
setup, how should this be?

Thanks
 
Wilbur,

Exchange 2000 really needs to have a Global Catalog Server available. When
you took #1 down - the only GC - your users started immediately complaining
about Outlook not working anymore, right? Typically simply closing Outlook
and then opening it up back again would resolve this issue - assuming that
there is a second GC. However, in your situation this is not the case.
There is no second GC. Also, a GC is typically needed for logon and for
accessing the Exchange Server ( Outlook uses dsaccess / dsproxy ).

I would suggest that you make #3 - since it is a Domain Controller as well -
a Global Catalog Server. This way Exchange will pretty much use the GC that
it is on. You will have to restart the Server once you have done this.
Now, how to do this? Take a look at the following MSKB Article:

http://support.microsoft.com/?id=313994

This will now give you three Domain Controllers and two Global Catalog
servers. Redundancy has been met!

This is the quick and dirty approach.

You might want to think about making #2 the Global Catalog Server and
dcpromo'ing #3 down from a Domain Controller to Member Server status. You
typically do not want to have Exchange installed on a Domain Controller.
Check out the Exchange2000.Admin NewsGroups! I am sure that there are
several very good explanations as to why.

HTH,

Cary
 
Wilbur,

Sorry. Answered only part of your questions.

The 'roles' would not necessarily have anything to do with Exchange not
functioning properly. That was a Global Catalog issue. Here is a brief
explanation of the five FSMO Roles that a Domain Controller can hold:

Schema Master and Domain Naming Master are forest-wide roles. There can be
only one Schema Master and one Domain Naming Master throughout the entire
forest.

PDC Emulator Master, RID Master and Infrastructure Master are domain-wide
roles. So, if you have four domains you would have four PDC Emulator
Masters, four RID Masters and four Infrastructure Masters - naturally, only
one of each in each domain.

Any DC in the domain can hold any of these roles. By default, the first DC
in the first domain / forest holds all five of these roles. Roles can be
transferred easily using either the GUI ( the various MMCs ) or via
NTDSUtil.

There is not necessarily any reason to have the roles held by different
DCs - other than a sense of not having all your eggs in one basket.

Now, to the 'Mode'.

There are two modes in WIN2000 Active Directory and two modes in Exchange
2000. In both cases there is Mixed Mode and Native Mode. This would not
have necessarily had anything to do with what you experienced. Again, this
was a Global Catalog issue.

HTH,

Cary
 
A recommendation can be to have PDC and RID FSMO Roles in the same site as
the Exchange Master Server, or am I wrong there?

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
 
Wilbur,

Sorry for the lack of a response.

I would not necessarily monkey around with any of the five fsmo roles. The
first DC in the domain / tree / forest is going to hold all five (
naturally, at that time there would not be any second DC! ). Upon adding
additional DCs to your environment you have that choice. Some people will
tell you that you do not want to have all your eggs in one basket while
others will tell you 'don't worry about that'. In a small environment it
should be fine if the first DC holds all five.

However, if you do 'monkey around' with them it is suggested that the DC
that holds the PDC Emulator role also holds the RID Master role. You may
read about 'the Infrastructure Master role should not be held by a DC that
is also a Global Catalog Server'. This is mostly true. What does that
mean? Well, in a single domain environment there is no other domain (
doh! ). So, there can be no phantoms. So this problem does not exist in a
single domain environment. Should you ever add a second domain ( a child
domain, for example ) then you would very much need to take this into
account. One possible solution is to make all DCs also Global Catalog
Servers....

HTH,

Cary
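
Added example, not part of any poster's message: a small audit of the placement rules discussed in this thread (Global Catalog redundancy, PDC Emulator and RID Master on the same DC, Infrastructure Master on a GC), run over a constructed inventory modelled on the original poster's three servers. The server names, the domain name and the role labels `PDC`, `RID` and `INFRA` are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DC:
    name: str
    domain: str
    is_gc: bool
    roles: set = field(default_factory=set)  # FSMO roles held by this DC

def audit(dcs):
    """Return findings for the placement rules discussed in the thread."""
    findings = []
    gcs = [d for d in dcs if d.is_gc]
    domains = {d.domain for d in dcs}
    # Rule 1: Exchange and logon need a GC; one GC is a single point of failure.
    if len(gcs) < 2:
        findings.append(f"only {len(gcs)} Global Catalog server(s): no redundancy")
    for dom in sorted(domains):
        members = [d for d in dcs if d.domain == dom]
        holder = {r: d for d in members for r in d.roles}
        # Rule 2: PDC Emulator and RID Master are suggested to share a DC.
        pdc, rid = holder.get("PDC"), holder.get("RID")
        if pdc and rid and pdc is not rid:
            findings.append(f"{dom}: PDC Emulator on {pdc.name}, RID Master on {rid.name}")
        # Rule 3: Infrastructure Master on a GC matters only with more than
        # one domain, and not when every DC in the domain is a GC.
        im = holder.get("INFRA")
        if im and im.is_gc and len(domains) > 1 and not all(d.is_gc for d in members):
            findings.append(f"{dom}: Infrastructure Master {im.name} is also a GC")
    return findings

# Constructed inventory: one domain, three DCs, server1 is the only GC
# and holds all five FSMO roles (the situation described in the first post).
SHOP = [
    DC("server1", "shop.example", True, {"SCHEMA", "NAMING", "PDC", "RID", "INFRA"}),
    DC("server2", "shop.example", False),
    DC("server3", "shop.example", False),
]

if __name__ == "__main__":
    for line in audit(SHOP):
        print(line)
```

On the constructed inventory the only finding is the single Global Catalog; marking a second DC as a GC clears it.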
 
Sure,

In fact it's recommended.

If you've only one domain, make all your DCs GCs.


Paul.
__________________________________
nelson said:
is it possible Cary to have two GC's running, one on the PDC and one on
the BDC, so this would be all avoidable?
 
Thanks Paul.. just wanted to make sure, since yesterday I rebooted my PDC and all hell broke loose with exchange.
 
No problem :-)


Paul.
____________________________
nelson said:
Thanks Paul.. just wanted to make sure, since yesterday I rebooted my PDC
and all hell broke loose with exchange.
 
Sorry for the no response. This post shows up a bit toward the bottom of OE
for me and I do not always scroll down that far.

Anyway, to answer your question: yes, it is very good practice to have at
least two Global Catalog Servers in your environment. I would like to
correct what is simply a 'WINNT' mode of thinking - there is no more concept
of Primary and Backup Domain Controller. This is a WINNT concept and is no
longer applicable. We need to get this thought process out of our heads!
;-)

HTH,

Cary
 
Cary Shultz said:
Sorry for the no response. This post shows up a bit toward the bottom
of OE for me and I do not always scroll down that far.

Anyway, to answer your question: yes, it is very good practice to have
at least two Global Catalog Servers in your environment. I would like
to correct what is simply a 'WINNT' mode of thinking - there is no more
concept of Primary and Backup Domain Controller.

Although that is true for the most part and DC's exist in a multi-master
environment, not all DC's are created equal and some are more critical than
others depending on which FSMO roles they perform.
 
Andrew,

Absolutely Correct.

However, to simplify things for people who might not yet understand this
area of Active Directory I am trying to impress upon them that the concept
of PDC / BDC does not exist like it used to in WINNT 4.0. I think that it
is better for people to start from this perspective than from the other
perspective.

I think that Dave Shaw puts it well when he states that "All Domain
Controllers are equal. But, some Domain Controllers are more equal than
others ( read: fsmo roles )."

Cary
 
Cary Shultz said:
Andrew,

Absolutely Correct.

However, to simplify things for people who might not yet understand this
area of Active Directory I am trying to impress upon them that the
concept of PDC / BDC does not exist like it used to in WINNT 4.0.

We need to be careful to explain that this only applies to which servers can
accept changes to AD objects though.

I think that it
is better for people to start from this perspective than from the other
perspective.

The only potential danger is that some admins will take that literally and
shut down a domain controller believing that their other DC's will just pick
up the slack, only to find that they have shut down the server that's
performing all of their FSMO roles and their network management ability (or
your entire network if you have NT clients and kill the PDC emulator) falls
in a heap.

I think that Dave Shaw puts it well when he states that "All Domain
Controllers are equal. But, some Domain Controllers are more equal than
others ( read: fsmo roles )."

Commie ;-)
 
Andrew,

Okay. Good points. I will expand my 'default' statement to include a
little bit more information, specifically mentioning the PDC Emulator role.
We will eventually fine tune it so that it works better for everyone!

Cary
 