Bringing a second domain controller up

James

In a few days, we'll be receiving an additional server and we need to make it our second domain controller on the network in an attempt to have a backup in the event one goes down. We currently have a single domain & single domain controller. Our intent is to bring this second server up and use it as our primary domain controller and have the other one be our backup. This is a Windows 2000 Server environment. After checking around, these are the steps I believe we should follow. I'm just looking for comments and suggestions from the other news group folks. Thanks

James

Once the new server is booted up, before doing anything else to it, make sure all critical updates are done. After doing the updates, install the support tools, then reboot the server.

Go into the Network Properties (TCP/IP) of its local area connection and point it to the original domain controller for DNS.

Run dcpromo (Start, Run, dcpromo) and promote the server as an additional domain controller in an existing domain/forest.

When dcpromo finishes, reboot the server.

Once it's back up, let it settle in for about 1 ½ hours and then go into Active Directory Sites and Services, expand the site, expand Servers, expand this new server, right click on the NTDS Settings object and click on Properties. Check the box next to Global Catalog. Wait about 15 minutes and reboot the server.

Once this is done you can transfer the FSMO roles to the new server. To do this, go to a command prompt and type ntdsutil and press enter. Follow the instructions in the following article to seize ALL of the roles to the new server.

Use Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller.

Once all the roles have been seized, exit the ntdsutil. At the command prompt, type the command below to verify that the roles have been transferred.

netdom query fsmo (and press enter)

This will display all of the fsmo roles and the name of the server that holds them.
 
> Once the new server is booted up, before doing anything else to it, make sure all critical updates are done.
> After doing the updates, install the support tools, then reboot the server.

Support tools are nice but optional here.

> Go into the Network Properties (TCP/IP) of its local area connection and point it to the original domain controller for DNS.

Well sort of, but really point it ONLY to the INTERNAL DNS server (set) whether that is the
original DC or not.

> Run dcpromo (Start, Run, dcpromo) and promote the server as an additional domain controller in an existing domain/forest.
> When dcpromo finishes, reboot the server.

YES

> Once it's back up, let it settle in for about 1 ½ hours and then go into Active Directory Sites and Services, expand the site, expand Servers, expand this new server, right click on the NTDS Settings object and click on Properties. Check the box next to Global Catalog. Wait about 15 minutes and reboot the server.

The waits are probably not that critical and certainly not that long if
everything is working right.

Running DCDiag or one of the repl admin programs would be more accurate.

> Once this is done you can transfer the FSMO roles to the new server. To do this, go to a command prompt and type ntdsutil and press enter. Follow the instructions in the following article to seize ALL of the roles to the new server.

NEVER SEIZE a role with NTDSutil unless you are FORCED to do
so by a permanently lost role holder DC.

Always use TRANSFER under normal circumstances.

This transfer does not seem mandatory here unless you are
doing maintenance on the first DC and want to make sure
not to lose the roles if it (first DC) fails to reboot.

Only seize in the case of neglecting to do this and DISPOSING
of the damaged role holder -- the original role holder must NOT
be brought back online if you seize its roles (other than briefly
to DCPromo-non-DC it.)

> Use Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller.
> Once all the roles have been seized, exit the ntdsutil. At the command prompt, type the command below to verify that the roles have been transferred.
> netdom query fsmo (and press enter)
> This will display all of the fsmo roles and the name of the server that holds them.

Ok but you don't need to be messing with roles for what you describe.
 
Good advice Herb, thanks. Another question about the roles. Should I have the Global Catalog on both DCs and the Infrastructure Role on only one DC, or simply place the Global Catalog on one DC and the Infrastructure Role on the other?

James
 
For an environment as small as yours, make them both GCs. You don't need the
GC/IM role consideration. Don't read too much into that.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - COMPLETE SPAM Protection
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


 
I am under the impression there is no reason to transfer FSMO roles to the
new DC, and if you do there was a KB article on how to and the implications when
it involves the forest root. There is another on how to distribute the FSMO
roles - sorry I don't have those on hand for you. Will both DCs also run
DNS?

Lee
 
Deji Akomolafe said:
For an environment as small as yours, make them both GCs. You don't
need the GC/IM role consideration. Don't read too much into that.


Hi Deji,
Just to add and point out to James, if this is only one domain, the IM/GC
role placements won't matter. If there are multiple domains in the organization, then
we need to separate the IM from the GC.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Yes. Our intention is to have, in essence, a primary DC and a backup DC.
DNS, as I understand it, will have to be on both machines as it controls
our access to the domain.

James
 
James said:
Yes. Our intention is to have, in essence, a primary DC and a backup
DC. DNS, as I understand it, will have to be on both machines as it
controls our access to the domain.

James


Honestly if you only have one domain, and just want to add another DC to the
domain, there really isn't any reason to transfer any of the roles, unless
one of the machines is considerably slower than the other or if you are
planning on removing the first server. You can however, enable the new
machine to be a GC also (keep in mind the GC is not a 'role', but rather a
service). As for DNS, just ensure that both servers have DNS installed and
the zone is AD Integrated, so it will be available on both machines.

Ace
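Pulling together Herb's advice above (internal-only DNS, DCDiag/repadmin instead of fixed waits, TRANSFER rather than SEIZE) and Ace's (both DCs as GCs, AD-integrated DNS on both), here is an added PowerShell check list that is not from the thread. It assumes a supported Windows Server DC with the RSAT ActiveDirectory, DnsClient and DnsServer modules rather than the Windows 2000 box discussed, run as a Domain Admin on the new DC; DC02 is a placeholder name.

```powershell
# Added example, not from the thread. Placeholder: DC02 is the newly promoted DC.
$NewDC = 'DC02'
Import-Module ActiveDirectory

# 1. DNS client settings must point ONLY at internal DNS servers (the DCs),
#    never at an ISP resolver; warn about any address that is not a DC.
$dcAddrs  = (Get-ADDomainController -Filter *).IPv4Address
$dnsAddrs = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses }).ServerAddresses | Sort-Object -Unique
$external = $dnsAddrs | Where-Object { $_ -notin $dcAddrs }
if ($external) { Write-Warning "DNS client points at non-DC servers: $($external -join ', ')" }

# 2. Replication and advertising health, instead of a fixed 90-minute wait.
dcdiag /s:$NewDC /test:Replications /test:Advertising /test:DNS
repadmin /replsummary

# 3. In a single-domain forest both DCs should be Global Catalogs (GC is a
#    service flag on the NTDS Settings object, not an FSMO role).
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
$notGC = $dcs | Where-Object { -not $_.IsGlobalCatalog }
if ($notGC) { Write-Warning "Not a GC: $($notGC.HostName -join ', ')" }

# 4. DNS zones should be AD-integrated so both DCs serve them after replication.
Get-DnsServerZone -ComputerName $NewDC |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope

# 5. Roles only need to move if the first DC is going down for maintenance.
#    Without -Force this is a graceful TRANSFER (the current holder is consulted).
#    -Force is a SEIZE: reserved for a permanently lost holder, which must never
#    be brought back online afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole `
#     SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 6. Verify which DC holds each role, as the thread suggests.
netdom query fsmo
```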
 