Need Serious Active Directory Help

vetteguy

Diamond Member
Sep 12, 2001
I am new to Active Directory, so please bear with me. (I've been out of administration for a few years, but have been contracted to install Exchange into a site with AD). Here is what I'm trying to do:

I want to create a small test network with all the AD information to test Exchange with. I was planning to bring a 2000 server online, make it a DC, then pull it offline and onto a private network and use it as the only DC. Then I could bring up Exchange on another machine. Well, here's what happened. We have 1 server that is currently the DC/DNS server (there was another but it was pulled to be the Exchange server). Last night I did the steps above, and made the new server a DC. I then pulled it off the real network and onto a private one. For a few minutes, I could administer the AD, but then it would tell me that the DC couldn't be contacted and was unavailable. I figured that it must be because I hadn't configured DNS for the private network, but DNS was running on the test machine and had all the information from the live network. I even set up the other machines to point to the test server as the DNS server.

I went into AD sites and services, and looked under Operations Managers. It shows the main "live" server as the main DC, but won't let me force the test server into being the main DC (because it can't see the other one).

Does this make sense? I thought what I did was basically simulate the failure of a DC. How was what I did any different than having our main DC go offline? I really need this to work, can anyone help me? I am at a complete loss and need to get this working ASAP. Thanks in advance.
 

Saltin

Platinum Member
Jul 21, 2001
When you brought up this test DC in the live network, did you make it a DC for the existing domain? It sounds like you did.
If this is the case, I recommend you place that DC back into the live network and properly remove it from your live AD by DCPROMO'ing it back down to a member server.
You can really mess up your live AD by pulling a DC out of it like that.

How about building a test network and bringing up a new DC in that. Make sure it's a new forest.
 

vetteguy

Diamond Member
Sep 12, 2001
I was under the impression that if you DCPROMO it to a member server that it will remove all the AD schema. Won't I then lose all my AD information and not have it available for the test network?

To answer your question, yes I made it part of the existing domain. As far as harming the AD, how was this different than having a DC go offline? (Like through a failure?) Maybe I'm missing something.

My next step is to make a totally new AD in my test network like you said, the reason I wanted the existing information was so that I could test it with pseudo-live AD information.
 

Saltin

Platinum Member
Jul 21, 2001
Vette,
If you look in your live AD sites and services you will see that the server object for the new DC you brought up is present and has an NTDS settings tree underneath it. This indicates that it is a DC for the live domain. You should be certain to remove the DC from the live domain properly (via DCPROMO) before blowing it away.

Generally, when you test systems, you should not involve the live network at all. That is why the distinction between live and test exists. Bring up a new forest in your test area and create some users.

The specific problem you are facing now is that you have no Global Catalog in your test domain, and that there are none of the five FSMO roles present either. Your forest root DC would be holding these roles by default. The new DC you brought up and removed from the live domain needs access to the GC and these five roles in order to function properly.
Your set-up is fundamentally flawed. I would recommend placing the DC back into the live domain, removing the DC from it, and starting up again in your test domain fresh.
 

Woodie

Platinum Member
Mar 27, 2001
As usual, Saltin is correct. Since what you really want is the data from the production DC, what you might try is this:

Write a program that uses ADSI calls to dump (extract) all the users/userinfo from the production AD.
Use the reverse of this program, using ADSI calls, to populate your Isolated forest with the users/userinfo.

Good luck. Exchange installation into an existing AD structure is a royal PITA.
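An added example, not code from the thread, of the two-step ADSI export/import Woodie describes, written in PowerShell against the ADSI interfaces; the production DN, the test OU, the CSV path and the lab password are placeholders. Only non-sensitive directory attributes leave production: no SIDs, group memberships or password material are copied into the lab.

```powershell
# Step 1: run against the PRODUCTION domain. Exports a safe subset of user attributes.
$ExportFile = 'C:\temp\users.csv'                          # placeholder path
$root = [ADSI]'LDAP://DC=corp,DC=example,DC=com'           # placeholder production DN
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000                                  # page through large domains
# Deliberately excludes objectSid, memberOf, unicodePwd etc.: nothing security-bearing is exported.
$attrs = 'sAMAccountName','givenName','sn','displayName','mail','department','title'
$attrs | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    $row = [ordered]@{}
    foreach ($a in $attrs) { $row[$a] = if ($p[$a].Count) { $p[$a][0] } else { '' } }
    [pscustomobject]$row
} | Export-Csv -Path $ExportFile -NoTypeInformation

# Step 2: run on the ISOLATED test forest (separate forest, separate DNS). Recreates the users.
$ou = [ADSI]'LDAP://OU=TestUsers,DC=lab,DC=local'          # placeholder test OU, must already exist
Import-Csv $ExportFile | ForEach-Object {
    if (-not $_.sAMAccountName) { return }                 # skip rows without a logon name
    $u = $ou.Create('user', "CN=$($_.sAMAccountName)")
    $u.Put('sAMAccountName', $_.sAMAccountName)
    foreach ($a in 'givenName','sn','displayName','mail','department','title') {
        if ($_.$a) { $u.Put($a, $_.$a) }
    }
    $u.SetInfo()                                           # object must exist before password/UAC
    $u.Invoke('SetPassword', 'Lab-Only-P@ssw0rd!')         # placeholder lab password, never a production one
    $u.Put('userAccountControl', 512)                      # NORMAL_ACCOUNT, enabled
    $u.SetInfo()
}
```

The new accounts get fresh SIDs from the lab forest's RID pool, so nothing in the lab can be confused with, or used against, a production principal.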
 

vetteguy

Diamond Member
Sep 12, 2001
Yikes. I have no idea how to do what you have just described, nor does anyone where I work. D'oh.

When you say that installing Exchange into an existing AD is bad, how exactly do you mean? My Exchange experience is from 5 and 5.5, will I be able to handle this? What are some of the major problems I may encounter? Thanks for your assistance.
 

vetteguy

Diamond Member
Sep 12, 2001
Saltin-
I understand what you are saying about keeping the test separate from live, but here is my question:
What happens if my server that has the Global Catalog has a disk failure? From what you're describing, if that server is gone, the AD ceases to function. I thought the whole idea of multiple DCs was to have redundancy? But if there is a single point of failure (the Global Catalog) how is that redundant?

Man, I miss the NT 4 domains!!!
 

Saltin

Platinum Member
Jul 21, 2001
It is possible to configure more than one GC per forest, if you are so inclined. You can make any DC a GC via a check box on the NTDS Settings properties of the server in AD Sites and Services.
Your problem is that even if you check that box, the DC will not be able to contact the existing GC (in the live domain) to obtain a replica of the GC.

As for missing NT4 domains, you won't once you get handy with 2k. It is superior.
 

Woodie

Platinum Member
Mar 27, 2001
We're a new Exchange shop...we had a working AD (~20,000 users) and we added Exchange 2000. Now, we're converting users over from the old email system to Outlook/Exchange.

Issues:
Need the latest W2K patches + (I think) Hotfixes
Need the latest Exchange 2K SP + Hotfixes
Exch2K forces AD-Schema changes (which are non-reversible in W2K forests)
Others: I know there a quite a few more, since it took us >12 months for the first pilot users, and >24 months for the first real users

For the DC questions:

In a functional Forest w/ multiple DCs, there are five FSMO roles, which exist/run on only one DC in the entire forest. In addition to the AD, at least one of the DCs is also a Global Catalog (GC) server. You can have more than one GC, it depends on your network configuration and how many sites you have.

Within the Forest, if a FSMO DC fails, then the FSMO roles will automagically be taken over by another DC. Not sure how a GC server fails over if there's only one. I suspect it's very similar to the way a FSMO role fails over.
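An added example, not from the thread, that makes Saltin's and Woodie's point about the FSMO roles and the Global Catalog visible: it reads the role-owner and GC attributes the directory itself stores, via ADSI in PowerShell. Run on the isolated test DC; the function names are assumptions for this example.

```powershell
# RootDSE tells us the partition DNs for whatever domain this DC belongs to.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value

# Each FSMO role is recorded as an fSMORoleOwner attribute on a specific object; the value
# is the DN of the owning DC's NTDS Settings object.
$roles = [ordered]@{
    'PDC Emulator'   = "LDAP://$domainNC"
    'RID Master'     = "LDAP://CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure' = "LDAP://CN=Infrastructure,$domainNC"
    'Domain Naming'  = "LDAP://CN=Partitions,$configNC"
    'Schema Master'  = "LDAP://$schemaNC"
}

function Get-FsmoOwner {
    foreach ($r in $roles.GetEnumerator()) {
        $ntds   = ([ADSI]$r.Value).fSMORoleOwner.Value    # CN=NTDS Settings,CN=<server>,CN=Servers,...
        $server = ($ntds -split ',')[1] -replace '^CN='
        [pscustomobject]@{ Role = $r.Key; Owner = $server }
    }
}

function Get-GlobalCatalogs {
    # Every DC has an nTDSDSA object under Sites; bit 0 of its "options" attribute marks a GC.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNC")
    $s.Filter = '(objectClass=nTDSDSA)'
    [void]$s.PropertiesToLoad.Add('options')
    $s.FindAll() | ForEach-Object {
        $opts   = if ($_.Properties['options'].Count) { [int]$_.Properties['options'][0] } else { 0 }
        $server = ($_.Path -split ',')[1] -replace '^CN='
        [pscustomobject]@{ Server = $server; IsGC = [bool]($opts -band 1) }
    }
}

Get-FsmoOwner
Get-GlobalCatalogs
```

If every Owner and the only IsGC=True server is the production DC that the test network can no longer reach, the output shows exactly why the moved DC stops answering after a few minutes.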
 

vetteguy

Diamond Member
Sep 12, 2001
Originally posted by: Woodie
Others: I know there a quite a few more, since it took us >12 months for the first pilot users, and >24 months for the first real users
Guess what? I have exactly 1 month...yay for me. :)

Saltin - Someone went in this morning to the test server and forced it to be some of those roles (except the RID). This was before I told them about what you had said, so it's too late to put it back into the old domain and DCPROMO it. I hope everything is still ok with the live AD.
 

Saltin

Platinum Member
Jul 21, 2001
You shouldn't try to plug that DC back into the live domain then.
However, you still have entries in your live AD that refer to the DC you moved to the test domain.
Normally, those entries would be removed via DCPROMO decommission. You will have to do it manually.
Here is the article describing the steps Article.

It's a tricky procedure, but I would recommend you look into it. It's very bad practice to allow orphan entries like this in Active Directory. You never know what sort of problems it may cause.