
Planning for Disaster Recovery


FrauW

MIS
Jul 24, 2003
126
US
I am setting up disaster recovery and am trying to figure out how to set up my system so that when the main domain controller is unavailable, i.e. the root of the domain/operations master, the end-users can still log in and access the network resources. Replication works just fine and I can work on group policy; however, when I shut down the main dc (i.e. the operations master) all other computers behave as if the domain does not even exist. End-users get the error "Cannot log you into domain <domain> because it is either not available or does not exist". On the other dcs for the domain, I can't open anything having to do with Active Directory e.g. Users&Computers, Sites&Services etc...etc... I get messages "Failed to open... you do not have enough rights to access this object". This also means that when users are logging on, they are only authenticating against the main d.c. This is not good as of course when users simultaneously want to log in, the login time will be slowed. What am I not doing?
Please let me know asap. We are supposed to go live this weekend!
 
If your replication is working (do a DCDIAG /s:<server name>) and no other errors occur, then the only thing I can think of is that your backup DC does not contain the global catalog (GC).

In your MMC, Active Directory Sites and Service, Sites, Default-First-Site-Name, Server, you will see the list of your current AD servers.

Open the one that is your backup server and right-click on NTDS settings, then go to Properties.

In the General tab, you will have a checkmark that says "Global Catalog", make sure it's on (ticked).

Give the servers time to replicate and then do your tests again.



"In space, nobody can hear you click..."
 
Thanks. However I did have another server (in another site however up to now I haven't implemented any schedule limitation) designated as a Global Catalog Server. I thought that there was need for only Global Catalog per domain (?). Even this server was not available for users to logon. Is there an additional role I should be assigning to the domain controllers? I saw a Replicator Built-In Group in AD however I am not sure what I should use it for when there is already Dfs and normal automatic replication. In the meantime I will try this.
 
Oh ReddLefty,
I did get these errors upon dcdiag:
1.

Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... <DOMAIN CONTROLLER NAME> passed test frssysvol

(But this is because I needed to share the SYS_VOL to a non-hidden network share name so that dfs could read it to replicate user profiles (which are under the SYS_VOL partition) )

2.
Running enterprise tests on : <domain.name>
Starting test: Intersite
......................... <domain.name> passed test Intersite
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 135

A Good Time Server could not be located.
......................... <domain.name> failed test FsmoCheck

(But I ignore error 2. because the time works fine. I never figured out why W32Time always gave me 'NTP Server not found' error.. but that is another thread :) )
 
Actually, the time server issues can prevent your users from logging on to the other server if they are not synchronized... It sounds like the source of your problem, I suggest you fix it. Look up article 216734 in the MS Knowledge base to fix your Time Server. It should correct your time problems and the FSMO problem.

The File Replication Server depends greatly on the synchro of the time. If your second DC is off by too much time, then the synchro will stop. This means that your old DC is outdated and will stop acting as a DC until it is synchronized once more... hence, not process logons when the Primary DC is down... it won't replicate the GC either.



"In space, nobody can hear you click..."
 
Thanks ReddLefty. I followed your directions and now all servers are using the same time. I ran dcdiag again and the time error is gone. However, now I receive this error (only on the root server, the other three dc's were OK).
________________________________
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... ROOT passed test frssysvol
Starting test: kccevent
......................... ROOT passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x800009CF
Time Generated: 07/24/2003 17:30:03
Event String: The server service was unable to recreate the
......................... ROOT failed test systemlog
________________________________
Just to give you background, the person who set up the SYSVOL partition had created a shared sysvol folder. All the policies and a script folder are under this folder. However, the system had also set up its own SYSVOL folder which isn't shared and has the exact copies of the other one. Unfortunately I cannot delete either one because it prohibits my ability to open Active Directory related snap-ins such as Domain Policy, even on the root server.

i.e.
D:\SYSVOL
  |_ SYSVOL
      |_ domain.xx
          |_ Policies
              |_ PolicyA
              |_ PolicyB

  |_ sysvol (shared)
      |_ domain.xx
          |_ Policies
              |_ PolicyA
              |_ PolicyB


:-(
 
Hehe.. that one always scared me too.. Congratulations, you fixed your problem.

That error just means that there is an event in your system event log that you haven't read yet.

Check your System Event log and you should see a warning or error of some sort that matches the time and date in the DCDIAG systemlog error.

See what it is .. could be something dumb like "C drive is running out of disk space".

You should be OK.



"In space, nobody can hear you click..."
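
Added example (not part of the thread or any poster's code): a small parser for the dcdiag output quoted above. It lists failed tests together with tests that passed but still printed diagnostic lines, as frssysvol does here, and pulls out the EventID and timestamp to look up in the System event log. The sample text is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: dcdiag lines as quoted in the thread (names are placeholders).
SAMPLE = """\
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... ROOT passed test frssysvol
Starting test: kccevent
......................... ROOT passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x800009CF
Time Generated: 07/24/2003 17:30:03
......................... ROOT failed test systemlog
Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
The server holding the PDC role is down.
......................... <domain.name> failed test FsmoCheck
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{3,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")
EVENT = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")
STAMP = re.compile(r"Time Generated:\s*(.+)")

def parse_dcdiag(text):
    """Return one dict per test: target, status, test name, detail lines, events."""
    results, name, detail = [], None, []
    for line in text.splitlines():
        if (m := START.match(line)):
            name, detail = m.group(1), []
        elif (m := RESULT.match(line)):
            body = "\n".join(detail)
            # Pair each EventID with the "Time Generated" line that follows it.
            results.append({"target": m.group(1), "status": m.group(2),
                            "test": m.group(3), "detail": detail,
                            "events": list(zip(EVENT.findall(body), STAMP.findall(body)))})
            name, detail = None, []
        elif name and line.strip():
            detail.append(line.strip())  # diagnostic text printed inside a test
    return results

def needs_review(results):
    """Failed tests, plus passed tests that still printed diagnostic lines."""
    return [r for r in results if r["status"] == "failed" or r["detail"]]

if __name__ == "__main__":
    for r in needs_review(parse_dcdiag(SAMPLE)):
        print(r["status"].upper(), r["target"], r["test"], r["detail"])
```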
 
Thanks. The system is working better now.
 