
Setting up Secondary Domain Controller 1


DrB0b

IS-IT--Management
May 19, 2011
1,432
US
Hi all,
I'm currently in the process of setting up a SDC in case my Primary has to be taken offline. I've read the directions on how to set it up via a couple of Microsoft TechNet articles. So what I believe needs to be installed are the AD and DNS services. My main question is this: can the file/AD replication be done during normal business hours, or will this significantly bog down the network? Also, we have numerous folders that are shared out that reside on the C: directory; how do you allow each to be replicated, or can you with that setup?


"Silence is golden, duct tape is silver...
 
On the PDC I have these roles installed:
AD DS
DHCP Server
DNS Server
File Services
Network Policy and Access Services
Print and Document Services

Do I want to install the exact same on the SDC?

"Silence is golden, duct tape is silver...
 
It all depends on what is being replicated.

For AD, replication happens at regular intervals. There will be an increase in traffic when the initial AD replication occurs, but since your operation is so small that it has so far gotten by with a single DC, I doubt that your directory replication will be noticeable.

For the rest of it, it seems that you have made the all-too-common mistake of putting all of your key infrastructure roles on the same server. If you want redundancy for those non-DC servers (anything other than AD and DNS) then you will have to look into setting up a failover cluster to provide that functionality. And that will require at least two more servers, since you can't make a DC a cluster node.

If that bothers you, then you can try setting up redundant services for DHCP and ADFS on both DCs, but it's really not best practice to use DCs in this way.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
 
All I'm looking to do is have my secondary DC pick up the slack if the primary dies. From the forums I've been reading it seems like this should be able to be accomplished. Basically all it has to do is handle the AD and DNS side. AD replicates over just fine with a couple of warning events, as does DNS. I feel if I can get these warnings fixed I would be ready for that situation.
The other situation was to replicate my 2 or 3 shared folders to this server as well, which I think the File Services role will take care of.
P.S. I don't want this server to run DNS or DHCP unless the Primary is down.

"Silence is golden, duct tape is silver...
 
Also in case you've come across these warning events:
AD event warnings:
Event ID: 2886 Source: ActiveDirectory_DomainServices
Task Category: LDAP Interface
OpCode: Info

Event ID: 1463 Source: ActiveDirectory_DomainServices

Event ID: 614 Source: NTDS ISAM
Task Category: Table/Column/Index Definition

DNS event warnings:
Event ID: 4013 Source: DNS-Service

"Silence is golden, duct tape is silver...
 
So do you have 2 DCs now?

On which server do you get those events and when? By when I mean when the server is booting or do those events appear all the time even after the DC has booted up?
The 2886 is not much to worry about but the 4013 means that DNS cannot open AD (this can be caused by a timing issue when the DC boots, as AD needs DNS and DNS needs AD) which is why I asked when you get those errors.

The 1463 is potentially some corrupted indexes, which the DC should be able to rebuild but if this message appears a lot it will be time to get that sorted.


If you add a second DC and run DNS on it then it will be a DNS server and DNS has to run on it for AD replication to work. If you don't want your clients to use it as a DNS server then don't point your clients to it, but if you do that your clients won't have DNS resolution available to them and so won't be able to authenticate to the domain in the event of a failure of your original DC.

Just installing the file services role does not mean that your shared folders will be magically replicated; for that you can use the distributed file system (DFS).

Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
 
All errors were on the secondary domain controller; the primary is working fine and shows no errors. I haven't received any errors since 4 PM yesterday. I was told that the SDC would have the 2886 error being the secondary AD controller and to enable signing for LDAP and its clients, which made the error disappear.
I'm aware installing the file services role will not magically replicate my files, but a feature inside of it can assist with that, such as DFS.
So my question is, if my Primary DC was the AD, DNS, and DHCP server, can I install these roles on the Secondary and allow it to pick up slack if the PDC is offline? I already have AD/DNS installed, and after no errors in the event log overnight, I assume they are functioning.

"Silence is golden, duct tape is silver...
 
After a restart this morning it appears the 4013 is the only error left.

"Silence is golden, duct tape is silver...
 
Already have AD/DNS installed and after no errors in the event log overnight, I assume they are functioning.

Rather than assume, run a NETDIAG and DCDIAG to ensure that it's all working. Also be sure to run the Best Practices Analyzer for each role that is installed.

So my question is, if my Primary DC was the AD, DNS, and DHCP server, can I install these roles on the Secondary and allow it to pick up slack if the PDC is offline?

AD and DNS are related, and both have HA features built in. Your client PCs will query DNS to find out which servers are DCs, then they will try to connect to them. If you need one server to pick up the slack when the other goes down then BOTH servers need AD and DNS installed, and BOTH servers need to be listed as DNS servers on your clients. If those two requirements are met then your AD and DNS infrastructure can function without issue when one of the DCs is offline (for a limited time, as FSMO roles aren't highly available).

DHCP is not part of AD or DNS, and it is not highly available out of the box. If you do want highly available DHCP then you have basically three options:

1. Split your scopes between two active DHCP servers
2. Build a clustered DHCP server (requires two non-DC servers and shared storage)
3. Configure a second DHCP server as a backup but do not activate it unless the first server goes down (this requires manual intervention).

The details are outlined here:

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
 
First, no such thing as "PDC" or "SDC" as you refer to them. A domain controller is a domain controller. They will both function pretty much the same (FSMO roles aside).

Also, we have numerous folders that are shared out that reside on the C: directory, how do you allow each to be replicated or can you with that setup?
That's potential for server suicide. One bad workstation and your OS drive could fill up in seconds. That'll take down the server. The only thing that should be on an OS drive (RAID, of course) are the OS files and the paging file. Data should always go elsewhere.

Pat Richard MVP
 
Info I should have included first...
We are running maybe 20 users in the whole plant. The entire size of our shared folders is maybe 30GB total, and yes, I agree having separate logical drives for OS and data, but this is how it was set up when I got here a month and a half ago and they won't spend money to allow me to buy a couple drives and a new RAID controller to initialize this, hence why I wanted a backup AD/DNS and DHCP server. Yes, I know AD/DNS will be queried from both, but I read an article on setting up DHCP and disabling it on the 2nd DC to only use in emergencies. I do not need a split scope for load balancing since we only have 20 users, of which 4 are static. As far as the file replication goes, it only replicates once a week, so if the 1st server gets bombarded, the second will be unaffected unless it happens right before a replication and I don't catch it.
Basically I'm just wanting a CYA server in case I need to shut down the 1st DC or it gets napalmed by an angry employee....

"Silence is golden, duct tape is silver...
 
As far as the file replication goes, it only replicates once a week...
You should look at using DFS, which would keep folders on both servers in sync, and users would hit either one as part of a load balancing scenario. That way, each has a full copy of the files that are up to date, and if one server goes down, users won't notice.

Just an FYI that RAID 1 for the OS volume is considered entry level best practice for any server - especially a DC. You should have that at the very least. Not only does it provide fault tolerance, but it also provides increased performance.

Pat Richard MVP
 
It is on Raid 1 and am using DFS for the replication, sorry for not mentioning that.

"Silence is golden, duct tape is silver...
 
Thank you all for the valuable help. I do have AD/DNS functioning properly, DFS file replication to a few folders, and am getting ready to install DHCP on the 2nd server.
I had found out that the main server already in place only had a scope of x.x.x.100 - x.x.x.254, so on the second I'm going to set up a DHCP scope with the beginning addresses in the octet, since only 3 static IPs reside in that space. Now if I'm reading the posts and forums correctly, this is basically load balancing across the IP range and will supply fault tolerance if the other DHCP service stops.

If it appears I'm missing something please post back; otherwise I'll let you know if something goes haywire.

"Silence is golden, duct tape is silver...
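A check for the split-scope plan described in the posts above (option 1 in the DHCP answer, and the poster's final x.x.x.100-254 / low-end split). This is an added example, not code from the thread or from Windows DHCP; the 192.168.10.0/24 subnet, the scope boundaries and the three static hosts are constructed placeholders. It flags two things that silently break a split scope: the same address leasable from both servers, and a static host sitting inside a leasable range without an exclusion.

```python
import ipaddress

# Constructed sample plan modelled on the thread: the existing server leases
# .100-.254 and the second server takes the low end of the same /24, with the
# three static hosts in that space kept out of the pool (placeholder values).
SUBNET = ipaddress.ip_network("192.168.10.0/24")
SCOPES = {
    "DC1": ("192.168.10.100", "192.168.10.254"),
    "DC2": ("192.168.10.10", "192.168.10.99"),
}
STATIC_HOSTS = ["192.168.10.1", "192.168.10.5", "192.168.10.20"]
# .20 falls inside DC2's scope, so it needs an exclusion range on DC2.
EXCLUSIONS = {"DC2": [("192.168.10.20", "192.168.10.20")]}


def _addrs(rng):
    """Expand an inclusive (first, last) pair into a set of addresses."""
    lo, hi = (ipaddress.ip_address(a) for a in rng)
    return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}


def leasable(server, scopes=SCOPES, exclusions=EXCLUSIONS):
    """Addresses a server can actually hand out: its scope minus exclusions."""
    pool = _addrs(scopes[server])
    for rng in exclusions.get(server, []):
        pool -= _addrs(rng)
    return pool


def check_split_scope(subnet=SUBNET, scopes=SCOPES,
                      statics=STATIC_HOSTS, exclusions=EXCLUSIONS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    pools = {s: leasable(s, scopes, exclusions) for s in scopes}
    names = list(pools)
    for i, a in enumerate(names):
        if any(ip not in subnet for ip in pools[a]):
            problems.append(f"{a}: scope reaches outside {subnet}")
        for b in names[i + 1:]:          # pairwise overlap between servers
            both = pools[a] & pools[b]
            if both:
                problems.append(f"{a}/{b}: {len(both)} addresses leasable from both")
    for host in statics:                 # static hosts must not be leasable
        ip = ipaddress.ip_address(host)
        for s in names:
            if ip in pools[s]:
                problems.append(f"{s}: static host {host} inside leasable range")
    return problems


if __name__ == "__main__":
    print(check_split_scope() or "split scope plan is consistent")
```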
 