IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Domain Controllers and Active Directory Domains Part 2


After “How to create the first domain controller in Active Directory Part1”, it’s time to consider adding an additional domain controller to your domain.

Why should you consider that?

Redundancy: If you have more than one DC for a given domain, you can provide better redundancy for users, computers and apps. Apart from Active Directory redundancy, you may also have additional roles on those DCs that you want to keep available in case of a DC failure or DC overload. Roles commonly hosted on DCs are the DNS server role and the Global Catalog.

Workload distribution: With multiple DCs you can “load balance” requests from users, apps, computers, etc. This is particularly important when those services/servers are spread across sites connected by WAN links. In that case you can place one or more DCs at those sites and take advantage of local authentication/requests instead of sending them across the WAN link.

Domain hierarchy: The first domain that is created is the Root Domain of the forest. If you lose that domain, you lose the entire forest. In a scenario where you have multiple domains within a forest, if you have only one DC for that top Root Domain and you lose that DC forever, you may say goodbye to your entire forest. Hmm… that’s not good, is it?! As you already guessed, domain hierarchy is very important in Active Directory.

Recovery/Availability: Consider the following scenario. Your DC suffers a hardware failure, and recovering from it takes some time. If you have only one DC, you have a problem: the domain apps may need that DC and may stop working until it is back online, the users of those apps will also stop working, and your company will lose money because of that downtime. You recover the DC from the hardware failure, but then you discover that it cannot start (BSoD, more downtime). No problem (you think), you start the backup recovery process, but you discover that the backup isn’t enough to recover that DC. Now you have a big problem: no one is working and the company isn’t making money because of that. Everyone will have to wait until you replace the domain controller with a new one. With a second DC, you can reduce that problem, and the dead DC can be replaced easily without affecting the users or apps that depend on it.

And if I lose both DCs?
It’s true, you can lose both DCs and you’ll be “dead” anyway, but that is another story with different planning, for a different blog post. The point that I’m trying to make is that with 2 DCs per domain “at the minimum” you get a good chance of recovering from downtime (with a good percentage of success), plus better redundancy and a distributed workload. I could give you a lot more reasons to have additional DCs, but keep those in mind and hopefully they will be enough to make you think twice before considering only one DC for your domain.

OK, back to the beginning: how to create the second domain controller in Active Directory. It’s actually a very simple process. We just need a healthy domain (run the dcdiag tools to check that everything is OK), and if everything is working correctly you are ready to add the 2nd DC to your domain.

Before you start:
Plan the FQDN of the domain controller carefully and make sure that it follows the rules in your internal company documentation. Although it’s possible to rename DCs that are running Windows 2003 and later, I would rather do it correctly the first time and avoid later changes. Check the naming conventions in Microsoft KB909264.

Configure your NIC with a static IP address. Avoid using multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB272294 and 191611 for more information.

Make sure that the Administrator account has a strong password. If possible, avoid using the Administrator account and use a dedicated account to perform your everyday work in AD. Think of the Administrator account as the SOS account, and try to use it only for emergency situations.

You must have at least one drive formatted with NTFS.

Install the latest updates from Microsoft website.

Check your event log for errors and correct them before proceeding.

Plan and test the backup strategy for your Active Directory forest. After that, take a full backup of the existing DC in case you need to roll back.

Finally, check the date and time settings and make sure they are correct, and make sure that the existing DC is in sync with a trusted and valid authoritative time server. By default, the DC that holds the PDCe role will be the authoritative time server for your forest, and additional DCs will sync their time with this DC.
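
The checks in this list that lend themselves to automation, as an added PowerShell example (not part of the original post), meant to be run on the server that will become the second DC. `DC01.example.local`, the 60-second skew threshold and the 24-hour event window are assumed placeholder values, and `dcdiag` is assumed to be installed on that server.

```powershell
# Added example: pre-flight checks on a server about to become an additional DC.
# $ExistingDc and $MaxSkewSeconds are assumed placeholder values; adjust them.
param(
    [string]$ExistingDc = 'DC01.example.local',
    [int]$MaxSkewSeconds = 60
)
$findings = @()

# Static addressing on a single NIC (multihomed DCs are discouraged above).
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($nics.Count -gt 1) { $findings += "Multihomed: $($nics.Count) IP-enabled adapters" }
foreach ($nic in $nics) {
    if ($nic.DHCPEnabled) { $findings += "DHCP is enabled on '$($nic.Description)'" }
}

# At least one fixed drive formatted with NTFS.
$ntfs = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3 AND FileSystem = 'NTFS'")
if ($ntfs.Count -eq 0) { $findings += 'No NTFS-formatted fixed drive found' }

# Errors written to the event logs during the last 24 hours (assumed window).
foreach ($log in 'System', 'Application') {
    $errs = @(Get-EventLog -LogName $log -EntryType Error -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue)
    if ($errs.Count -gt 0) { $findings += "$($errs.Count) error(s) in the $log log" }
}

# Clock offset against the existing DC; /dataonly prints lines ending in e.g. "+00.0012345s".
$sample = w32tm /stripchart "/computer:$ExistingDc" /samples:1 /dataonly |
    Where-Object { $_ -match '\d+\.\d+s\s*$' } | Select-Object -Last 1
if ($sample -match ',\s*[+-]?(\d+\.\d+)s') {
    $skew = [double]$Matches[1]   # absolute offset in seconds
    if ($skew -gt $MaxSkewSeconds) { $findings += "Clock differs from $ExistingDc by $skew s" }
} else {
    $findings += "Could not measure the time offset against $ExistingDc"
}

# Health of the existing DC; with /q dcdiag prints only errors, so any output is a finding.
$diag = @(dcdiag "/s:$ExistingDc" /q | Where-Object { $_.Trim() })
if ($diag.Count -gt 0) { $findings += "dcdiag reported problems on ${ExistingDc}:"; $findings += $diag }

if ($findings.Count -eq 0) { 'Pre-flight checks passed.' } else { $findings }
```

Password strength, patch level and the backup test are not covered by the script and still need to be checked by hand.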

Don’t miss Part 3 – “How to add a Domain Controller in a Remote Site using the new Windows 2008 R2

To review all video demonstrations, check the video section of Active Directory Windows 2008 and 2008 R2 Documentation

🙂


Written by IT Core

January 20, 2010 at 10:08 PM

Posted in Deployment, How to..., Videos


12 Responses

  11. Excellent article. I used it to setup a test secondary domain controller on our network.

    Andrew Sutton

    October 22, 2010 at 12:27 PM

  12. Great Article – answered a bunch of questions I had deploying a 2nd DC.

    Vanya Bojanovic

    November 29, 2010 at 1:09 AM

