
Adding a secondary domain controller

Xan

[H]ard|Gawd
Joined
Mar 15, 2001
Messages
1,156
I have a Native Windows 2000 Server network. My Domain Controller has been having quite a few issues lately and I want to be prepared in the event of the machine going offline - permanently!

I have another machine that I've just finished installing Windows 2000 Server on to. Now my question is what exactly do I need to do? Could someone please list the steps to add this computer as an additional domain controller.

Do I need to add this computer to the domain?
I want to replicate AD to this DC as well...?

In the event of the primary DC crapping out how do I ensure that the secondary DC takes control? I think it has something to do w/ the master schema? I've been reading up on doing it, but I'd like some easier instructions!

any help would be greatly appreciated.

thanks :)
 
In theory, what you will need to do is run dcpromo on the new server, then specify that it will be a DC in the existing domain. Then Windows should take care of setting up the replication partnerships. Make sure they are both in the same site (AD Sites and Services). The next step is for clients to understand that this is a valid DC...make sure that on your DHCP scope you add this server as a DC. Then each client should have both DCs as options so if they can't reach one they should hit the other. Once you give the new DC time to finish replicating the AD database, they should be fully redundant.

You'll notice a lot of "should's" and "in theory's" in the above comments. I haven't added a new DC and then dropped the original myself, so I can only tell you what should happen according to the book.
 
You do not need to add the second machine as a valid DC. When the netlogon service starts on a DC it registers a series of SRV records with DNS. When clients need a DC, they query DNS and DNS will return the IP of any DC there on a site-specific basis. If no sites are defined and you are still using the default-first-site-name site then DNS will return answers in a round robin fashion. The clients never need to be made directly aware of the DCs.

The problem you are going to run into if you have your original DC go offline permanently is the master roles. The original DC in the first domain holds the role of schema master, infrastructure master, domain naming master, RID master and PDC emulator. If the first machine were to go offline these roles need to be seized and/or transferred to the other DC. It doesn't have to be done immediately or anything. But it should be done within a couple days or so.
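The two checks the post above describes (which DCs DNS actually advertises, and which operations-master roles sit on the machine that is about to die), as an added example that is not part of the thread. It assumes a current Windows admin host with the RSAT ActiveDirectory module (Windows 2000 itself had neither PowerShell nor these cmdlets) and a domain the host is joined to; the `_ldap._tcp.dc._msdcs.<domain>` name is the one netlogon registers for every DC, so it is not an assumption.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module on a
# modern Windows admin host joined to the domain being checked.
#Requires -Modules ActiveDirectory
param(
    # Defaults to the joined domain; pass another DNS domain name to check a different one.
    [string]$Domain = (Get-ADDomain).DNSRoot
)

# 1. What netlogon registered: the SRV records a client uses to find *any* DC in the
#    domain. Site-specific lookups use _ldap._tcp.<site>._sites.dc._msdcs.<domain>.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

$dcStatus = foreach ($rec in $srv) {
    $target = $rec.NameTarget.TrimEnd('.')
    # A DC that is in DNS but does not answer LDAP is exactly the "offline" case
    # the thread is worried about; clients will still be handed its record.
    $ldapUp = (Test-NetConnection -ComputerName $target -Port $rec.Port `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        DC       = $target
        Port     = $rec.Port
        Priority = $rec.Priority
        Weight   = $rec.Weight
        LdapUp   = $ldapUp
    }
}
$dcStatus | Format-Table -AutoSize

# 2. Who holds the five operations-master (FSMO) roles right now.
#    Two are forest-wide, three are per-domain.
$forest = Get-ADForest
$dom    = Get-ADDomain -Identity $Domain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}

# 3. Cross-reference: a role whose holder is missing from DNS or not answering is a
#    role you must transfer now (holder alive) or seize later (holder gone for good).
$up = @($dcStatus | Where-Object { $_.LdapUp } | ForEach-Object { $_.DC.ToLower() })
foreach ($r in $roles.GetEnumerator()) {
    $holder = $r.Value.ToLower()
    $state  = if ($up -contains $holder) { 'OK' } else { 'AT RISK: holder unreachable or not in DNS' }
    '{0,-22} {1,-32} {2}' -f $r.Key, $r.Value, $state
}
```

Run it from any domain-joined workstation; it is read-only. The useful output is the last table: any role marked AT RISK is one the thread says must be moved within a couple of days of the holder disappearing.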
 
Good points, Trench. But I have to ask then, with the SRV records in DNS, when would a client use the DNS entries it gets from DHCP?
 
Originally posted by TrueBuckeye
Good points, Trench. But I have to ask then, with the SRV records in DNS, when would a client use the DNS entries it gets from DHCP?
I assume you mean the IP of the DNS servers provided in the DHCP scope options? If so, then it needs those options to find the DNS servers. Once it has found DNS, then it can use the SRVs in DNS to find the domain controllers.
 
If the first machine were to go offline these roles need to be seized and/or transferred to the other DC. It doesn't have to be done immediately or anything. But it should be done within a couple days or so.

thats exactly the info I was looking for. Could you briefly describe how to accomplish the above?

also

The server needs to be "static" (IP) and then do I need to "add the computer to the domain" or just go into "Configure Your Server" (Administrative Tools) and select add this computer as a secondary domain controller - or something to that effect?
 
To add a secondary DC do just like TrueBuckeye said: run dcpromo from the run line then make this an "additional domain controller for an already existing domain", or whatever the option says during the wizard :D

If the original were to go down you are going to have to seize the master roles vs. transfer. Transferring is done when the original is online to agree to the transfer. If you seize the roles then the original can never come online again. You will have to reinstall the OS completely. Edit: I should mention that if you are expecting the original to go down you should go ahead and peaceably transfer the roles now. That way you can repair the original and bring it back online without having to reinstall.

To seize the roles for RID master, PDC emulator and infrastructure master use the Active Directory Users and Computers tool, right click the domain object then click Operations Masters. Then you will click the Change button for all 3 roles. The original will not be able to be contacted so you will then seize the role. For the domain naming master you will use the Active Directory Domains and Trusts tool and you have to right click the top container object then just go through the same process. To seize the schema master you will have to use the schema snap-in for your MMC.
 
If you are worried that the original DC will soon die you should assign your new DC as a Global Catalog (use "Sites and Services"), and TRANSFER the domain master roles while you can, rather than SEIZE them later.

You can use the procedure above to transfer the domain master roles, but you won't be able to seize them all that way. Remember that you have to be connected to the domain controller you want to transfer the roles to, not the one you are transferring from. You can use "ntdsutil" to transfer or seize any domain master role.

Oh yeah, by the way, before you can use the schema MMC plug-in you need to register its DLL: "regsvr32 schmmgmt.dll"
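The transfer-versus-seize decision from the two posts above, as an added example that is not part of the thread. It moves all five roles to the new DC, refuses to seize unless told the old holder is gone for good, and verifies the result. It assumes a modern admin host with the RSAT ActiveDirectory module; `NEWDC` is a placeholder name. The `ntdsutil` lines in the comments are the tool the thread actually used and are the equivalent of what the cmdlet does.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module; NEWDC is
# a placeholder for the DC that should end up holding the roles.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string]$NewDC,   # placeholder, e.g. NEWDC
    [switch]$Seize                           # only when the old holder will NEVER return
)

$allRoles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# Is the current holder of each role still answering LDAP? That decides transfer vs seize.
$forest  = Get-ADForest
$dom     = Get-ADDomain
$holders = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator  = $dom.PDCEmulator;     RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
$unreachable = @($allRoles | Where-Object {
    -not (Test-NetConnection -ComputerName $holders[$_] -Port 389 `
            -WarningAction SilentlyContinue).TcpTestSucceeded
})

if ($unreachable -and -not $Seize) {
    throw ("Holder(s) of {0} are offline; a graceful transfer is impossible. " +
           "Re-run with -Seize only if that DC will never come back on the network.") -f ($unreachable -join ', ')
}
if ($Seize -and -not $unreachable) {
    Write-Warning "All current holders are online; doing a normal transfer instead of a seizure."
}

# Transfer (holder online) or seize (-Force: the cmdlet seizes whatever it cannot transfer).
# ntdsutil equivalent, run on the admin host:
#   ntdsutil "roles" "connections" "connect to server NEWDC" "quit" `
#            "transfer schema master" "transfer naming master" "transfer pdc" `
#            "transfer rid master" "transfer infrastructure master" "quit" "quit"
#   (use "seize ..." in place of "transfer ..." for a dead holder)
$params = @{ Identity = $NewDC; OperationMasterRole = $allRoles; Confirm = $false }
if ($Seize -and $unreachable) { $params.Force = $true }
Move-ADDirectoryServerOperationMasterRole @params

# Verify every role now sits on the new DC.
$after   = Get-ADDomainController -Identity $NewDC
$held    = @($after.OperationMasterRoles | ForEach-Object { $_.ToString() })
$missing = @($allRoles | Where-Object { $held -notcontains $_ })
if ($missing) { throw "Roles still not on ${NewDC}: $($missing -join ', ')" }
"All five roles are now held by $NewDC"

# After a seizure the old DC must be rebuilt, never reconnected as-is, and its stale
# directory object removed:  ntdsutil "metadata cleanup" ...   (see Microsoft's KB)
# The GUI route for the schema master still needs the snap-in registered once:
#   regsvr32 schmmgmt.dll
```

The `-Seize` guard is deliberate: seizing while the old holder is merely rebooting leaves two DCs that each believe they own a role, which is the situation the thread warns requires a full reinstall of the original.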
 
Another thing to remember, if your current DC is your DNS server, you will want to set up DNS on the second DC also. By default I think that 2000 sets up the DNS zone for its domain as Active Directory integrated, so it is pretty easy to add a second one.

Edit:
Also remember about the DHCP server, if it is on the first DC, you should move it.
 
I do think the DC has a faulty HD and I want to get another system up ASAP to replace it.

So would "transferring" the roles be the better thing to do vs "seizing"?
I do NOT need to add this server to the domain - right? Just Configure Your Server and add it as an additional DC?

awesome help here. thanks a lot :D
 
If you are worried that the original DC will soon die you should assign your new DC as a Global Catalog (use "Sites and Services"), and TRANSFER the domain master roles while you can, rather than SEIZE them later.

To do this all you need to do is uncheck the current Global Catalog and recheck the new DC? I have wanted to do this for a while because our new DC is a bad-ass.
 
quote:
--------------------------------------------------------------------------------
If you are worried that the original DC will soon die you should assign your new DC as a Global Catalog (use "Sites and Services"), and TRANSFER the domain master roles while you can, rather than SEIZE them later.
--------------------------------------------------------------------------------
To do this all you need to do is uncheck the current Global Catalog and recheck the new DC? I have wanted to do this for a while because our new DC is a bad-ass.


To be safe, I would check the GC first... and then uncheck the current GC.

Otherwise Yup, that is all to it. We have 4 GC running now... (super redundancy redundancy etc)
 
4 GCs in one site? Sounds like an awful waste of CPU and network bandwidth.

You don't need to change your GC assignments before transferring domain master roles.
 
I have used the following 2x, installing new DCs at sites, to replace old ones. This has worked great for me both times. The 2nd time, I built the server here in my shop, and shipped it to Boston and finished the install w/pcAnywhere - never set foot in the place! Anyway, credit where credit's due to the poster at TekTips (great tech site btw).

Original post

Upgrading a DC to new hardware
faq96-3016

FAQ : Upgrading a DC to new hardware
This document details how to upgrade one of your domain controllers to new hardware.

1] Backup

2] Test your current DNS setup
http://www.microsoft.com/windows200...ws2000/en/server/help/sag_DNSchecklist_ds.htm

3] Install new server run DCPROMO make sure you install a AD DNS server

4] Wait for replication. (20-30 minutes)

5] Check the DNS on the new server.
- Have the details replicated?
- Are the forwarders set up correctly?
(See : http://www.tek-tips.com/faqs.cfm?spid=96&sfid=3017)
- Is the event log clear of errors?

6] Transfer the FSMO roles over

Changing owner of FSMO roles:

There are five FSMO roles: Domain naming Master, Schema Master, RID Master, PDC Emulator and Infrastructure Master. There must be a domain controller that owns each one of those roles.

To change the owner of RID, PDC and Infrastructure Masters, open Active Directory Users and Computers on domain controller you want to move the roles to, right-click domain name, choose Operations Masters and click Change in appropriate windows.

To change the owner of Domain naming Master, open Active Directory Domains and Trusts on domain controller you want to move the role to, right-click Active Directory Domains and Trusts, choose Operations Masters and click Change.

To change the owner of Schema Master, open Active Directory Schema on domain controller you want to move the role to, right-click Active Directory Schema, choose Operations Master and click Change.

For more information see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255690

7] Transfer the Global Catalogue role

Changing owner of Global Catalog:

Open the Active Directory Sites and Services console, go to Sites\Site Name\Servers\, expand the server you want to demote, right-click NTDS Settings and choose Properties, in the window that appears uncheck Global Catalog and click OK. After doing so go to the same place on the server you want to hold the Global Catalog and check Global Catalog at NTDS Settings\Properties. After making these changes wait about fifteen minutes till the Global Catalog replicates between domain controllers; after that you can continue with further configurations.

8] Transfer files/permissions over.

9] Run a DCDIAG on the new server - fix any issues

10] Run DCPROMO on the OLD and demote to a standalone server.

11] Remove OLD server from the network or remove from the domain.

12] Make sure all references to the old server name are updated (i.e. mapped network drives).

13] Test with a client that you can logon, check the event log for any errors, run a DCDIAG.
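The checks in steps 4, 5, 7, 9 and 13 of the FAQ above, gathered into one script as an added example that is not part of the FAQ or the thread. It assumes a current admin host with the RSAT ActiveDirectory and DnsServer modules (the Windows 2000 era ran `dcdiag`, `repadmin` and `nslookup` by hand; the same command-line tools are still used here). `NEWDC` and `OLDDC` are placeholders. Unlike the FAQ's GUI step 7 it enables the Global Catalog on the new DC first and leaves the old one alone, which is the order the thread recommends; it refuses to declare the old DC safe to demote until every check passes.

```powershell
# Added example (not from the FAQ or the thread). Assumes RSAT ActiveDirectory and
# DnsServer modules on a modern admin host; NEWDC/OLDDC are placeholders.
#Requires -Modules ActiveDirectory, DnsServer
param(
    [Parameter(Mandatory)] [string]$NewDC,   # placeholder, e.g. NEWDC
    [Parameter(Mandatory)] [string]$OldDC    # placeholder, e.g. OLDDC
)
$domain  = (Get-ADDomain).DNSRoot
$newHost = $NewDC.Split('.')[0]
$fail    = [System.Collections.Generic.List[string]]::new()

# Step 4: has replication settled? /errorsonly prints nothing but headers when clean.
$rep = repadmin /showrepl $NewDC /errorsonly 2>&1
if ($LASTEXITCODE -ne 0 -or ($rep -match 'fail|error')) {
    $fail.Add("replication errors on ${NewDC}: run 'repadmin /showrepl $NewDC' for detail")
}

# Step 5: DNS on the new DC - zone present and AD-integrated, forwarders set,
# and netlogon's own SRV record registered in that zone.
$zone = Get-DnsServerZone -ComputerName $NewDC -Name $domain -ErrorAction SilentlyContinue
if (-not $zone)                     { $fail.Add("zone $domain is not hosted on $NewDC") }
elseif (-not $zone.IsDsIntegrated)  { $fail.Add("zone $domain on $NewDC is not AD-integrated") }
$fwd = (Get-DnsServerForwarder -ComputerName $NewDC -ErrorAction SilentlyContinue).IPAddress
if (-not $fwd)                      { $fail.Add("no DNS forwarders configured on $NewDC") }
$srv = Resolve-DnsName -Server $NewDC -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not ($srv.NameTarget -match "^$newHost\.")) {
    $fail.Add("$NewDC has not registered its _ldap._tcp.dc._msdcs SRV record (check netlogon, or 'nltest /dsregdns')")
}

# Step 7: Global Catalog. Enable on the new DC first (bit 1 of NTDS Settings 'options'),
# preserving any other option bits; removing it from the old DC is a separate, later step.
$dc = Get-ADDomainController -Identity $NewDC
if (-not $dc.IsGlobalCatalog) {
    $opts = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options).options
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ([int]$opts -bor 1) }
    $fail.Add("$NewDC was not a GC; enabled it now - wait for replication and re-run before touching $OldDC")
}

# Step 9: dcdiag against the new DC; /q prints only failures.
$diag = dcdiag /s:$NewDC /q 2>&1
if ($diag) { $fail.Add("dcdiag reported problems on ${NewDC}:`n$($diag -join "`n")") }

# Step 13: can the locator still find a DC and a GC in this domain without the old box?
$dcLoc = nltest /dsgetdc:$domain /force 2>&1
$gcLoc = nltest /dsgetdc:$domain /gc /force 2>&1
if ($LASTEXITCODE -ne 0)                        { $fail.Add("DC locator failed: $gcLoc") }
if (($dcLoc -join ' ') -match [regex]::Escape($OldDC.Split('.')[0]) -and
    ($gcLoc -join ' ') -match [regex]::Escape($OldDC.Split('.')[0])) {
    $fail.Add("locator still prefers $OldDC for both DC and GC; the new DC is not yet taking the load")
}

if ($fail.Count) {
    $fail | ForEach-Object { Write-Warning $_ }
    Write-Host "NOT safe to demote $OldDC yet ($($fail.Count) issue(s))."
    exit 1
}
Write-Host "All checks passed; $NewDC is replicating, serving DNS and GC. Proceed with step 10 on $OldDC."
```

Re-run it after each fix; the `repadmin` and `dcdiag` calls are the same ones the FAQ names, and the locator test at the end is the closest scripted equivalent of "test with a client that you can log on".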
 