Workings of AD

  • Thread starter: C.S.Mager

C.S.Mager

I have a couple of questions regarding the workings of AD.

I have two servers. They are both running 2003 server. As far as I am
aware, AD doesn't allow for 'Primary' domain controllers, and all are equal.
Does this mean I can turn one of the servers off and the domain should
function as normal?

If I were to take this server to another location and use it with other
clients, it would function perfectly. But what would happen if I returned
it to its original place? Would it 'synchronise' the differences between
the two?

Thanks for any insight!

C.S.Mager
 
Different DCs have various roles in a domain - there are a bunch of
'operation masters' in AD. The domain & forest must have these masters for
it to work properly all the time. Turning off a DC will mean that the
operation master roles which were on that DC will then be removed from the
domain. For example, if you have 2 DCs, and you turn off the DC which is the
Global Catalogue operation master, the domain will lose the GC.

Basically, turning DCs on and off isn't advised, which is why we all strive
for 100% uptime, even on a system which provides a certain amount of
redundancy.

About moving DCs around, I think it'd be best to create a new site for the
second location, and upgrade a member server there to DC and give it a GC
operations master role (you can have more than 1 Global Catalogue operations
master). You can then set up inter-site replication to keep things synched.
This will obviously mean having some sort of network connection between the
two sites - anything will work, even a 56k modem connection, but the faster
the better (cost permitting). Inter-site replication is not best done all
the time, maybe just in the evenings, since it's slow and expensive.
 
-----Original Message-----
I have a couple of questions regarding the workings of AD.

I have two servers. They are both running 2003 server. As far as I am
aware, AD doesn't allow for 'Primary' domain controllers, and all are equal.
Does this mean I can turn one of the servers off and the domain should
function as normal?

If I were to take this server to another location and use it with other
clients, it would function perfectly. But what would happen if I returned
it to its original place? Would it 'synchronise' the differences between
the two?

Thanks for any insight!

C.S.Mager


CS!

Hey, you stole my initials! ;-)

Not super familiar with WIN2003 but in WIN2000 you are
correct. PDC and BDC are specifically WINNT terms that
no longer apply. In WIN2000 all DCs are on equal footing.

Now, please keep in mind that there are the five FSMO
roles ( two forest-wide and three domain-wide for each
domain in the forest ). So, if you shut off the DC that
holds any of these roles you might experience problems.
In a single domain forest if you shut off the DC that
holds ONLY the Domain Naming Master and Infrastructure
Master then your problems might be limited ( in that these
two roles really do not do anything in this specific
environment ). However, if you tried to add a child
domain, for example, you would have problems ( namely, it
would not be possible ).

Do not forget about the Global Catalog Server! This is
particularly important if you use Universal
Security/Distribution Groups ( only available if you are
operating in WIN2000 Native Mode - remember, I am talking
about WIN2000 here, not WIN2003 like you asked ), if you
use Exchange 2000 and/or if you use UPNs for logon! So,
if you shut down the DC that is also a GC ( however, only
if it is the only GC in your domain ) you could have
problems if any of the above three points apply to your
environment.

And, dare we forget about DNS?!?! If this DC is also
running DNS ( Active Directory Integrated? ) then your
clients might have problems with just about everything (
getting to the Internet, GPOs, finding services, etc.
etc. etc. ).

What is it that you are trying to do? Are you trying to
have as much redundancy as possible? If that is the case
then the *best* thing that you can do is to have two DCs
in each Site, make both DCs a Global Catalog Server and
run DDNS on both DCs. This way, if one goes down then
the only thing you need to worry about ( knock on wood! )
is transferring/seizing any of the FSMO Roles that
the "dead" DC held. This you can do with a nice utility
called NTDSUtil.

Since I am here, have you set up Active Directory Sites
and Services ( from the MMC )? Have you created all of
the existing Subnets and associated them with the
appropriate Site? Have you created an ADI Reverse Lookup
Zone in your DNS? I would also like to suggest to you
that you install the Support Tools on every WIN2000
Server ( do not know if there is a Support Tools for
WIN2003 - would guess that there is ). The Support Tools
are located on the WIN2000 Server CD in the Support |
Tools folder as well as on the WIN2000 Service Pack CD (
in the same folder ). The Service Pack CD would be the
better option, if available.

Please keep in mind that my suggestions are very
general. I do not intimately know your environment so
please use my suggestions as a guideline.

HTH,

Cary
 
Cary Shultz said:
What is it that you are trying to do? Are you trying to
have as much redundancy as possible? If that is the case
then the *best* thing that you can do is to have two DCs
in each Site, make both DCs a Global Catalog Server and
run DDNS on both DCs. This way, if one goes down then
the only thing you need to worry about ( knock on wood! )
is transferring/seizing any of the FSMO Roles that
the "dead" DC held. This you can do with a nice utility
called NTDSUtil.

Thanks for your reply! How do I make both servers Global Catalog servers?
Is it simple? And (sorry, I should do a quick search on the internet for
this one!) what is NTDSUtil, and where can I get it?

C.S.Mager
 
Samir Patel said:
About moving DCs around, I think it'd be best to create a new site for the
second location, and upgrade a member server there to DC and give it a GC
operations master role (you can have more than 1 Global Catalogue operations
master). You can then set up inter-site replication to keep things synched.
This will obviously mean having some sort of network connection between the
two sites - anything will work, even a 56k modem connection, but the faster
the better (cost permitting). Inter-site replication is not best done all
the time, maybe just in the evenings, since it's slow and expensive.

Thanks for your reply! Where can I find info on setting up a new site and
replication? The real situation is as follows:

I have two servers. One is at home, and the other travels with me. I take
it away, and use it where I am for 6-12 weeks at a time, then I go home
again. Home needs to carry on as normal, given the rest of my family &
people in the office use the network.

I need the second server with me, as it has all my files on it, etc.

Could this be done with Inter-site replication only happening when I bring
the two servers together at home?
 
-----Original Message-----



Thanks for your reply! How do I make both servers Global Catalog servers?
Is it simple? And (sorry, I should do a quick search on the internet for
this one!) what is NTDSUtil, and where can I get it?

C.S.Mager



CS!

First off, you are welcome! Do not worry about asking
questions before doing the research. Sometimes I just do
not have the time or desire to do the research and hope
that someone has already done whatever it is that I am
trying to do and will share. However, I find that when I
am researching something that I tend to make a lot of
other discoveries along the way!

So, you can make a DC a Global Catalog from within the
Active Directory Sites and Services MMC ( aka ADSS
MMC ). Take a look at the following MS KB Article for
the How To:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313994&Product=win2000

Also, take a look at this MS KB Article for some
additional information on DCs and GCs:

http://support.microsoft.com/default.aspx?scid=kb;en-us;306602

Here is a How To: on the awesome Utility NTDSUtil:

http://support.microsoft.com/default.aspx?scid=kb;en-us;255504&Product=win2000

Please note that when you install WIN2000 Server this
utility is installed. All you do is go to a command
prompt, enter ntdsutil and then follow the article.

HTH,

Cary
 
Cary Shultz said:
First off, you are welcome! Do not worry about asking
questions before doing the research. Sometimes I just do
not have the time or desire to do the research and hope
that someone has already done whatever it is that I am
trying to do and will share. However, I find that when I
am researching something that I tend to make a lot of
other discoveries along the way!

Thanks for all this help. I'll take a look at those links later. My actual
situation is as follows, and I was wondering whether you had any
suggestions:

I have two servers. One is at home, and the other travels with me. I take
it away, and use it where I am for 6-12 weeks at a time, then I go home
again. Home needs to carry on as normal, given the rest of my family &
people in the office use the network.

I need the second server with me, as it has all my files on it, etc.

Could this be done with Inter-site replication only happening when I bring
the two servers together at home? Would they need to be on different
subnets? Any sites with info would be appreciated!

Thanks again.
 
To be honest, I'm not sure why you would take your server with you if it's
just for file access? Wouldn't it be easier to have the one server (at
home) and then have a workstation (or laptop if you're going to be
travelling a lot) and take that laptop with you? Can you have "offline
folders and files" in Windows 2K, which allows you to work on them offline
from your laptop and then synchronise them up again when you're back online.
 
-----Original Message-----
To be honest, I'm not sure why you would take your server with you if it's
just for file access? Wouldn't it be easier to have the one server (at
home) and then have a workstation (or laptop if you're going to be
travelling a lot) and take that laptop with you? Can you have "offline
folders and files" in Windows 2K, which allows you to work on them offline
from your laptop and then synchronise them up again when you're back online.

Katherine,

Good point. I might also suggest that he look into
Terminal Services. Sounds like some sort of TS or VPN
situation might do it.

Cary
 
In Part 1 of the Windows 2000 Active Directory Operations Guide under the
Managing Domain Controllers section
http://www.microsoft.com/technet/tr.../ad/windows2000/maintain/opsguide/default.asp
there is information on the things you need to consider when disconnecting
a domain controller. I've only done a quick scan of the operational
procedures listed. It does discuss concepts you need to understand for
Windows Server 2003 (ex. tombstone lifetime, SYSVOL replication).
 
Katherine said:
To be honest, I'm not sure why you would take your server with you if
it's just for file access? Wouldn't it be easier to have the one
server (at home) and then have a workstation (or laptop if you're
going to be travelling a lot) and take that laptop with you? Can you
have "offline folders and files" in Windows 2K, which allows you to
work on them offline from your laptop and then synchronise them up
again when you're back online.

When I move the server for 6 weeks, it is used by me for my home
directory/profile and public area (over 120Gb). It is also used by another
group of people at this location.

The other server contains my family's home directories/profiles.

At the moment, I've worked out I can disconnect my server, and the other one
can carry on ok. I've worked out I can reboot my server at the new
location, and I can make it work there. I can see major problems when I
bring my server back 6 weeks later though!

As nothing on the AD at home will change (my family wouldn't know how - and
they don't know my passwords!), I could just uninstall AD when I get home
and reinstall it

PS I can't get an internet connection between the two sites.
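
Added example (not part of any post in this thread): the tombstone lifetime mentioned in the Operations Guide reply decides whether a domain controller that has been disconnected can safely replicate again, so this sketch checks the 6 to 12 week absences described above against it. The 60-day fallback for an unset `tombstoneLifetime` attribute, the 7-day margin, the sample departure date and the function name `reconnect_check` are assumptions of this example.

```python
from datetime import date, timedelta

# Assumption: AD falls back to 60 days when tombstoneLifetime is not set.
# Read the real value from your own forest before relying on this.
DEFAULT_TOMBSTONE_DAYS = 60


def reconnect_check(last_replication, weeks_away, tombstone_attr=None, margin_days=7):
    """Judge whether a DC can safely replicate again after a trip.

    last_replication: ISO date of the last successful replication (string)
    weeks_away:       planned length of the absence in weeks
    tombstone_attr:   tombstoneLifetime value in days, or None if unset
    margin_days:      safety buffer before the limit (hypothetical choice)
    """
    if weeks_away < 0:
        raise ValueError("weeks_away must not be negative")
    limit = DEFAULT_TOMBSTONE_DAYS if tombstone_attr is None else int(tombstone_attr)
    if limit <= 0:
        raise ValueError("tombstone lifetime must be a positive number of days")

    left_on = date.fromisoformat(last_replication)
    back_on = left_on + timedelta(weeks=weeks_away)
    offline_days = (back_on - left_on).days
    days_left = limit - offline_days

    if days_left <= 0:
        verdict = "expired"   # deletions made meanwhile may already be purged
    elif days_left < margin_days:
        verdict = "at-risk"
    else:
        verdict = "ok"
    return {"return_date": back_on.isoformat(), "offline_days": offline_days,
            "tombstone_days": limit, "days_left": days_left, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: departure date is made up; 6 and 12 weeks are the
    # trip lengths given in the thread, 8 weeks shows the margin case.
    for weeks in (6, 8, 12):
        print(weeks, reconnect_check("2004-01-05", weeks))
```

With the fallback value, the 6-week trip stays inside the limit while the 12-week trip exceeds it. The `tombstoneLifetime` attribute lives on the Directory Service object in the forest's configuration partition.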
 