Active Directory replication and fault-tolerance

Zucarita9000

Golden Member
Aug 24, 2001
So here's the deal.

I manage a LAN of about 35 client PCs and four servers. The main server runs SBS 2003, and it's the AD controller. The other 3 servers are all running Windows Server 2003 R2. One of them runs Acronis Backup Server to manage snapshot backups from the other 3. The other two run LOB applications (Accounting, etc.).

For the past few months our company has grown quite considerably, and I fear that if the main server goes down, no one will be able to work properly. So, I was thinking about replicating the AD onto another server so if it ever goes down, I'm covered.

I don't know exactly how to proceed or what exactly will I be achieving. The most critical aspect I want to have covered is if the SBS 2003 server goes down, users can still log on to the domain and access resources on the rest of the servers.

One thing though, the DHCP server (a Linksys RV042) configures the main DNS server to point to the SBS 2003 server. I did this because it was the only way all client computers could see other machines on the network and access shared resources.

If the SBS server goes down, all I have to do is apply the new DNS server on the DHCP configuration, right?
 

Rubycon

Madame President
Aug 10, 2005
I understand that SBS is more restrictive on features such as DFS address space but you should not need this. Your users will not be able to use MS Exchange if the DC goes down though.

For accessing shares on other domain member servers it should be fine as long as all users have logged on before. No new logons/profiles will be processed until the domain is available, however.

Also you should turn OFF the DHCP server in your router and set up DHCP on the SBS server and set your scope and server options there. You are required to use the IP of the DC as your primary DNS server for AD to function correctly. If the DC goes down, lookups will fail and clients lose the ability to surf. Adding a second DNS server using your ISP-provided DNS or a popular public one such as 4.2.2.2 will suffice.

In this case clients will only lose the ability to use resources provided by the DC - shared folders, printers, and MS Exchange where applicable. If they are running Outlook 2003 or higher and Exchange Cached Mode is ON they can still view cached contents in their OST files as well as archived messages, as long as the PST files are not stored on the DC share!
 

Zucarita9000

Golden Member
Aug 24, 2001
Originally posted by: Rubycon
I understand that SBS is more restrictive on features such as DFS address space but you should not need this. Your users will not be able to use MS Exchange if the DC goes down though.

For accessing shares on other domain member servers it should be fine as long as all users have logged on before. No new logons/profiles will be processed until the domain is available, however.

Also you should turn OFF the DHCP server in your router and set up DHCP on the SBS server and set your scope and server options there. You are required to use the IP of the DC as your primary DNS server for AD to function correctly. If the DC goes down, lookups will fail and clients lose the ability to surf. Adding a second DNS server using your ISP-provided DNS or a popular public one such as 4.2.2.2 will suffice.

In this case clients will only lose the ability to use resources provided by the DC - shared folders, printers, and MS Exchange where applicable. If they are running Outlook 2003 or higher and Exchange Cached Mode is ON they can still view cached contents in their OST files as well as archived messages, as long as the PST files are not stored on the DC share!

That's OK, we stopped using Exchange a while ago. I am planning on reinstalling it, but for the time being we're relying on our ISP's mail servers.

I'll look into what you suggested about the DHCP server. The Linksys router has been working flawlessly for the past year or so, so I wasn't planning on changing that.
 

stash

Diamond Member
Jun 22, 2000
If the DC goes down, lookups will fail and clients lose the ability to surf. Adding a second DNS server using your ISP-provided DNS or a popular public one such as 4.2.2.2 will suffice.
It will suffice for browsing the web, but it will break the client's connectivity to AD, even after the domain controller comes back up.

Your priority should be adding a second domain controller, which SBS allows (any of the 2003 servers will work). Install DNS on it, and configure DHCP to use that address as the secondary DNS.

The only place where external DNS servers should be configured is in DNS forwarders. I don't see any need to stop using the router for DHCP, as long as it has the correct DNS entries. Again, it should not be giving out an external DNS server IP at all.
 

Rubycon

Madame President
Aug 10, 2005
Originally posted by: stash

It will suffice for browsing the web, but it will break the client's connectivity to AD, even after the domain controller comes back up.

I've never seen this happen before.
 

Genx87

Lifer
Apr 8, 2002
Install a second AD controller. Install DNS on it. Build a DHCP scope on your SBS and make the new DC the secondary DNS server. Do not use your ISP's DNS in your scope. If your DNS is unable to respond locally, your users will be hitting that DNS looking for AD information and will take forever to log on.
 

stash

Diamond Member
Jun 22, 2000
Originally posted by: Rubycon
Originally posted by: stash

It will suffice for browsing the web, but it will break the client's connectivity to AD, even after the domain controller comes back up.

I've never seen this happen before.
I've seen this happen hundreds of times. The way the DNS client in Windows works, if the primary DNS server fails to respond, it will switch to the secondary. The problem is, it will STAY with the secondary until either the secondary fails to respond or the client is rebooted.

AD clients should never have any DNS servers configured other than ones that are authoritative for AD.
 

rasczak

Lifer
Jan 29, 2005
Originally posted by: stash
Originally posted by: Rubycon
Originally posted by: stash

It will suffice for browsing the web, but it will break the client's connectivity to AD, even after the domain controller comes back up.

I've never seen this happen before.
I've seen this happen hundreds of times. The way the DNS client in Windows works, if the primary DNS server fails to respond, it will switch to the secondary. The problem is, it will STAY with the secondary until either the secondary fails to respond or the client is rebooted.

AD clients should never have any DNS servers configured other than ones that are authoritative for AD.

Couldn't the clients' DNS be refreshed with ipconfig /flushdns and re-registered with /registerdns? I would assume then that the primary DNS would take hold once more.

 

Crusty

Lifer
Sep 30, 2001
Originally posted by: rasczak
Originally posted by: stash
Originally posted by: Rubycon
Originally posted by: stash

It will suffice for browsing the web, but it will break the client's connectivity to AD, even after the domain controller comes back up.

I've never seen this happen before.
I've seen this happen hundreds of times. The way the DNS client in Windows works, if the primary DNS server fails to respond, it will switch to the secondary. The problem is, it will STAY with the secondary until either the secondary fails to respond or the client is rebooted.

AD clients should never have any DNS servers configured other than ones that are authoritative for AD.

Couldn't the clients' DNS be refreshed with ipconfig /flushdns and re-registered with /registerdns? I would assume then that the primary DNS would take hold once more.

The only way I've been able to fix this problem is with a release/renew of DHCP. Simply flushing the DNS wouldn't fix it, although I never tried a /registerdns afterwards.
 

stash

Diamond Member
Jun 22, 2000
No that doesn't work, and even if it did, how is that a practical solution? The solution is to always have at least two DCs, and configure your clients to point to only those servers. Then configure forwarders on both servers.
 

AstroGuardian

Senior member
May 8, 2006
Best bet for you is the following. I will not repeat what is said about the DNS and DHCP because it's true as it is written. Since you have more than 35 users already, your SBS2003 supports up to 50 users. You need a backup domain controller (BDC). You can set it up on Windows 2003 Standard (or other, but not SBS2003). When you reach 50 users or the Primary domain controller (PDC) fails, you can continue working with the BDC and actually promote it to be a PDC.

I have done this maybe 10 times now and it works like a charm.
You can also migrate to SBS 2008 or even EBS2008 if the company continues to grow. Bear in mind that your servers must be x64 capable. With SBS and EBS2008 you can implement AD, SQL2008, Exchange2008, Forefront 2008. I am satisfied with what Microsoft did and I do not regret recommending it to anyone.
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: AstroGuardian
Since you have more than 35 users already, your SBS2003 supports up to 50 users.
SBS 2003 supports 75 users/computers. It was increased from the limit of fifty with SBS 2000.
 

AstroGuardian

Senior member
May 8, 2006
Originally posted by: RebateMonger
Originally posted by: AstroGuardian
Since you have more than 35 users already, your SBS2003 supports up to 50 users.
SBS 2003 supports 75 users/computers. It was increased from the limit of fifty with SBS 2000.

Yes, you are right.
 

AstroGuardian

Senior member
May 8, 2006
Originally posted by: stash
There are no PDCs and BDCs in Active Directory.

How do you mean? When you install Active Directory you have the option to add a new Active Directory controller in the existing domain.
 

dphantom

Diamond Member
Jan 14, 2005
Originally posted by: AstroGuardian
Originally posted by: stash
There are no PDCs and BDCs in Active Directory.

How do you mean? When you install Active Directory you have the option to add a new Active Directory controller in the existing domain.

With AD, the legacy PDC/BDC architecture of NT is gone. DCs now hold five FSMO roles, one of which is the PDC emulator, which gives your new AD forest backward compatibility, among other things.

But there is no Primary Domain Controller or Backup Domain Controller any longer with Windows 2000 AD and above. The first DC in a new forest holds all FSMO roles by default.
 

stash

Diamond Member
Jun 22, 2000
In NT, the PDC was the only domain controller with a writeable database. The BDCs were read-only. In AD, all domain controllers have a writeable copy of the database.

In 2008, there is a concept of a read-only DC, which is similar to a BDC, but not exactly.
 

Zucarita9000

Golden Member
Aug 24, 2001
Wow, so many suggestions and ideas. Thanks a lot guys, I'll be working on this next week.
Basically what you're saying is that I should forget about using the router as the DHCP server and use the SBS server to do so, right?
 

Zucarita9000

Golden Member
Aug 24, 2001
Originally posted by: stash
If the DC goes down, lookups will fail and clients lose the ability to surf. Adding a second DNS server using your ISP-provided DNS or a popular public one such as 4.2.2.2 will suffice.
It will suffice for browsing the web, but it will break the client's connectivity to AD, even after the domain controller comes back up.

Your priority should be adding a second domain controller, which SBS allows (any of the 2003 servers will work). Install DNS on it, and configure DHCP to use that address as the secondary DNS.

The only place where external DNS servers should be configured is in DNS forwarders. I don't see any need to stop using the router for DHCP, as long as it has the correct DNS entries. Again, it should not be giving out an external DNS server IP at all.

From what I understand, this is what I should do:

Right now, the router acts as the DHCP server. It is configured to serve every client with the following DNS servers:

Primary DNS Server: 192.168.1.240 (DC's IP)
Secondary DNS Server: 192.168.1.1 (Gateway)

This way, client computers look inside the network first; if the name is not found, they go outside (internet).

What I should be doing is:

Disable DHCP on the router.
Enable DHCP on the DC (192.168.1.240)
Enable a Secondary DC on another server (192.168.1.241)
Configure DHCP on the main server:

Primary DNS Server: 192.168.1.240
Secondary DNS Server: 192.168.1.241

Is this correct?
 

redbeard1

Diamond Member
Dec 12, 2001
Promoting another server to a domain controller is reasonably straightforward. I would pick the least utilized server to promote to the second domain controller. After it is promoted you need to add DNS on it, and there is some tweaking of the DNS settings, like allowing zone transfers between the two servers.

The most important thing to do after the second DC is up and running is to configure it to be a global catalog. If you don't and the SBS server goes offline, your users will probably not be able to log on.
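As an added check (not code from this thread or from any of its posters), the following PowerShell script audits the three points the thread converges on: stash's rule that clients must only be handed AD-authoritative DNS servers with external resolvers confined to forwarders, Zucarita9000's plan of a Windows DHCP scope handing out 192.168.1.240 and 192.168.1.241, and redbeard1's note that the second DC must be a global catalog. It assumes the RSAT ActiveDirectory, DhcpServer and DnsServer modules (a Server 2012 or later management host, run as a domain admin) and that DHCP has already been moved off the router onto a Windows server; the DHCP server name and scope ID are placeholders.

```powershell
# Added audit script, not from the thread. Assumes RSAT ActiveDirectory,
# DhcpServer and DnsServer modules and domain-admin rights. $DhcpServer and
# $ScopeId are placeholders for the site; the scope matches the thread's subnet.
param(
    [string]$DhcpServer = 'sbs01',        # placeholder: Windows server now running DHCP
    [string]$ScopeId    = '192.168.1.0'   # placeholder: the 192.168.1.x scope
)
Import-Module ActiveDirectory, DhcpServer, DnsServer

$domain = (Get-ADDomain).DNSRoot
$dcs    = @(Get-ADDomainController -Filter *)
$dcIps  = $dcs | ForEach-Object { $_.IPv4Address }

# 1. Fault tolerance: at least two DCs, every DC a global catalog, FSMO holders listed.
Write-Host "Domain controllers for $domain ($($dcs.Count) found):"
foreach ($dc in $dcs) {
    $roles = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ',' } else { '-' }
    Write-Host ("  {0,-22} {1,-15} GC={2,-5} FSMO={3}" -f $dc.HostName, $dc.IPv4Address, $dc.IsGlobalCatalog, $roles)
}
if ($dcs.Count -lt 2) { Write-Warning 'Only one DC: there is no replication partner to fail over to.' }
if ($dcs | Where-Object { -not $_.IsGlobalCatalog }) {
    Write-Warning 'A DC is not a global catalog; logons may fail if the GC holder is offline.'
}

# 2. DHCP option 006 (DNS servers) must contain only DC addresses: no router, no ISP resolver.
$opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue
$handedOut = if ($opt) { @($opt.Value) } else { @() }
Write-Host "DHCP scope $ScopeId hands out DNS servers: $($handedOut -join ', ')"
foreach ($ip in $handedOut) {
    if ($dcIps -notcontains $ip) { Write-Warning "DNS server $ip in DHCP option 006 is not a domain controller." }
}
if ($handedOut.Count -lt 2) { Write-Warning 'Fewer than two DNS servers in option 006: clients have no AD-aware fallback.' }

# 3. Each DC's DNS must answer the DC locator SRV record; external resolvers belong only in forwarders.
foreach ($dc in $dcs) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dc.IPv4Address -ErrorAction SilentlyContinue
    if (-not $srv) { Write-Warning "$($dc.HostName) does not answer the AD locator SRV record." }
    $fwd = (Get-DnsServerForwarder -ComputerName $dc.HostName -ErrorAction SilentlyContinue).IPAddress
    $fwdText = if ($fwd) { $fwd -join ', ' } else { 'none (external lookups will fail when the root hints are unreachable)' }
    Write-Host ("  {0}: forwarders = {1}" -f $dc.HostName, $fwdText)
}
```

Run it after the second DC has been promoted and the DHCP scope rebuilt; any warning corresponds directly to one of the failure modes described in the thread (single DC, no GC, clients handed a non-AD resolver).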