
How long does it take for one server to update AD on another server?


Raziel014

Technical User
Nov 1, 2005
Hi all!

I have this weird problem. We have two 2003 Servers where one of them is the domain controller and contains AD.

When I create a new user, I can't log on with the second server and only get "incorrect password", as if it doesn't exist. Although I can log on after a while. It is connected to the domain controller go AD. Is this supposed to be updated immediately? Cause I can log on directly on the domain controller, but on the second server it takes a while to get it updated.

Is there a command or something that forces the update or something?
 
Sounds like your second server is a DC also, is that correct?

Replication between DCs usually happens within 15 minutes.

If the second server is not a DC then I would say you need to look into your DNS settings.

I hope you find this post helpful.

Regards,

Mark
 
Well, the two servers are used to connect thinclients to it by terminal services.

If they are both Domain Controllers I'm not sure of..
I guess so since they are both terminal servers.

A 2003 Server needs to be a domain controller to also be a terminal server right?

So if the DNS settings are incorrect, on which server is the DNS incorrect? The second server has only the first one's IP address set in the TCP/IP settings.

And on the first server, the DNS works fine and it shows the second one too. I do get errors and stuff though, but everything does work fine. Is it normal to get errors? Or should there be none at all?
 
No, preferably Terminal servers are not domain controllers due to security issues..though many TS are setup on DCs.

Run DcDiag.exe /v
Run NetDiag.exe /v

I would recommend Mark Minasi's Mastering Windows Server 2003 by Sybex, great section on DNS setup.


........................................
Chernobyl disaster..a must see pictorial
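As an added example (not posted by anyone in this thread, and not Microsoft's own script), here is how the diagnostic step above and the original question ("is there a command that forces the update?") can be wrapped into one PowerShell script. It assumes the Windows Server 2003 Support Tools are installed (repadmin.exe and dcdiag.exe), that it runs under a domain admin account, and that $SourceDc and $TargetDc are placeholder host names you replace with the two real DCs.

```powershell
# Added example, not from the thread: verify and force AD replication between
# two Windows Server 2003 domain controllers. Assumes the Support Tools
# (repadmin.exe, dcdiag.exe) are installed and the script runs as a domain
# admin. $SourceDc / $TargetDc are placeholder names; substitute the real DCs.
param(
    [string]$SourceDc = 'DC1',
    [string]$TargetDc = 'DC2'
)

function Test-DcHealth {
    param([string]$Dc)
    # Connectivity and Replications are the two dcdiag tests most relevant
    # to "the new account only works on one DC" symptoms.
    & dcdiag /s:$Dc /test:Connectivity /test:Replications 2>&1
}

function Get-FailedReplicationLinks {
    param([string]$Dc)
    # repadmin /showrepl prints one "Last attempt" line per inbound partner;
    # a line containing "failed, result <code>" marks a broken link.
    $lines = & repadmin /showrepl $Dc 2>&1
    $lines | Where-Object { $_ -match 'Last attempt .* failed, result \d+' }
}

function Invoke-ForcedSync {
    param([string]$Dc)
    # /A = all naming contexts, /e = include cross-site partners,
    # /P = push changes outward from this DC to its partners.
    & repadmin /syncall $Dc /A /e /P 2>&1
}

# 1. Health checks on both DCs (DNS or RPC errors show up here first)
foreach ($dc in $SourceDc, $TargetDc) {
    Write-Host "=== dcdiag on $dc ==="
    Test-DcHealth -Dc $dc
}

# 2. Look for failed inbound links on the DC that rejects the new logons
$failed = Get-FailedReplicationLinks -Dc $TargetDc
if ($failed) {
    Write-Warning "Replication failures reported on ${TargetDc}:"
    $failed | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No failed inbound replication links reported on $TargetDc."
}

# 3. Push the new account out now instead of waiting for the schedule
Invoke-ForcedSync -Dc $SourceDc

# 4. Re-check: a link that still reports "failed" after a forced sync
#    points to a connectivity/DNS problem, not normal replication latency.
$stillFailed = Get-FailedReplicationLinks -Dc $TargetDc
if ($stillFailed) {
    Write-Warning "Forced sync did not clear all failures; check DNS/RPC between the DCs."
} else {
    Write-Host "Replication to $TargetDc is healthy after the forced sync."
}
```

Run it on the DC where the account was created. If step 2 or step 4 reports a failed link, the problem is the DC-to-DC path (typically DNS, as Mark suggested above), and forcing a sync will not fix it until that path is repaired.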
 
technome is correct. Microsoft best practice states that Terminal Servers should be member servers, and not DCs.
 
And to add a comment regarding DC and TS, it is not recommended to have a DC setup with TS in Application Sharing Mode. Running a DC setup for Remote Admin Mode is a totally different issue. You would only have trusted administrators accessing the DC remotely.

I hope you find this post helpful.

Regards,

Mark
 
Well, this is a school where the students are from 16 to 19-20 and they all have users who connect remotely to both servers. We haven't had any security issues as of yet.

And I see now that yes, both servers are domain controllers, but are on the same domain?

So the second domain controller isn't really needed at all? It will still be connected to AD right? So in other words, the second domain controller isn't used at all? Like having both Winzip and Winrar when you only use one of them? (stupid comparison) :)
 
You would want to have two DCs for redundancy and load balancing.

I think your best course of action is to get yourself a book on Windows 2003 and AD or perhaps sign up for some training. You need to bring your skill set up a little higher before you start troubleshooting and making changes to domain controllers or you could do more harm than good.

Security should be paramount to everything you do. We've had several admins for school systems post here and unless my memory is playing tricks on me, every one of them has commented on how the kids figure out how to do things that constitute security problems be it downloading and installing spyware laden software or downloading pornography.

I hope you find this post helpful.

Regards,

Mark
 
Just a note...

Raziel014, if this involves an intra-site, the other DCs should have the password changes almost instantly. Sounds like you have communications problems between the DCs.

Discussion on how passwords are replicated to other DCs.

........................................
Chernobyl disaster..a must see pictorial
 
Well, we are thinking about buying another Dell PowerEdge to install 2003 Server on. The thing is that we need to have terminal services on them and can't have a main domain controller cause of money issues.

Besides, this setup does seem to work. We haven't had any problems with spyware or anything like that. The students aren't allowed to install anything either, because of the strict Group Policy, and the even trickier local policy on the terminal servers.

So say that we redesign the server environment on the school and perhaps try to separate the server roles onto more servers, how should it be done? Design-wise, I'm thinking.

You say we only need one domain controller, right? And the others only need to be members in the domain and have terminal services installed. So basically, the domain controller doesn't have to be a mean monster machine to run well? Cause an idea could be to install the domain controller on an older computer and upgrade what we can on it. And then just have the good servers (Dell PowerEdge) to run terminal services?

Keep in mind that we still use Novell here as file servers and main NDS for users and computers all around school. These 2003 Servers were only purchased to run terminal services.
 
If I were you on a limited budget, I would run on one DC, but I would have a very good backup strategy for that DC. Take a weekend and run a practice drill: how long does it really take to restore the DC to a blank, test hard drive? Other than managing user accounts, and a few services, you shouldn't be using it for much else. I would use the DC to host your DHCP, DNS (Active Directory integrated of course), WINS (if you have more than one subnet). Optional services you may wish to include are your intranet web, root certificate server, licensing services. Keep this DC physically locked up away from users and keep it on a secure section of your network (behind the firewall to the internet and not on the DMZ). Only administrators should be able to log on locally. Continue to serve your files from Novell.

Use the high powered PC as a member server running your terminal services. Allowing log on locally rights to users for the member server is ok. This server doesn't require the physical security needs that your domain controller does.

A+/MCP/MCSE/MCDBA
 
"So basically, the domain controller doesn't have to be mean monster machine to run well?"
Most of my smaller clients have two DCs, but the second will be fairly basic..mirrored drives vs a full scale raid, lower cpu speed than the FSMO, less memory, less robust server case etc. Yes, you could utilize an older computer.

"Use the high powered PC as a member server running your terminal services."... Agreed

........................................
Chernobyl disaster..a must see pictorial
 
To Seaspray0:

Just so you understand, we do use the domain controller as a terminal server. The users do connect to the main domain controller via thinclients.

I can understand how that is a risk, but how should we do it otherwise?

That would mean basically to back up the domain controller and install the backup on a fresh computer and put it in a secure physical section of the network.
And then use what is now the domain controller only as a member server running terminal services?
 