Setting Up A BDC

chugger93 · Post by **chugger93** » Tue May 23, 2006 12:19 pm

I wanted to setup a backup domain controller. I have a server ready for it, but I have never setup a child domain before. Is there anything I should know? Can I do this on production hours and not have the PDC go down or have issues? Is it relatively simple as when I setup my PDC for our company? Thanks

koldchillah · Post by **koldchillah** » Tue May 23, 2006 2:39 pm

old NT server eh? 2k & 2k3 make it easy b/c there really isn't such thing as a PDC/BDC, they are simplified into FSMO roles and the relationship is not the same as it was between a PDC and BDC in the NT days..

No need to create a new child domain unless you have a specific reason to do so. In 2k or 2k3, just promote a member server to DC and make the second DC a Global Catalog server if you want it to be able to provide authentication. By default the first DC in the domain holds all the FSMO roles including the PDC emulator role and that won't change unless you transfer the FSMO roles manually.

After promoting the second DC, just make sure that DNS was installed correctly and that the DNS zones replicated over. Check the event logs and run dcdiag.exe to make sure everything is good to go. dcdiag.exe is part of the Support tools which Microsoft has available for both 2k & 2k3 at their download center.

Just in case, here's a little help on explaining FSMO roles: http://www.petri.co.il/understanding_fs ... _in_ad.htm

chugger93 · Post by **chugger93** » Tue May 23, 2006 3:15 pm

NT? No Im talking about 2k3. Didnt know those terms (pdc, bdc) werent used anymore. So all I have to do is setup a another domain as a child? Then that will be like my BDC?

koldchillah · Post by **koldchillah** » Tue May 23, 2006 4:23 pm

koldchillah wrote:No need to create a new child domain unless you have a specific reason to do so. In 2k or 2k3, just promote a member server to DC and make the second DC a Global Catalog server if you want it to be able to provide authentication. By default the first DC in the domain holds all the FSMO roles including the PDC emulator role and that won't change unless you transfer the FSMO roles manually.

After promoting the second DC, just make sure that DNS was installed correctly and that the DNS zones replicated over. Check the event logs and run dcdiag.exe to make sure everything is good to go. dcdiag.exe is part of the Support tools which Microsoft has available for both 2k & 2k3 at their download center.

Just take the new server, join it to the current domain. Then promote it to domain controller to the existing domain, then follow along with the second paragraph of my post above to be sure everything is working. When you go to promote the second server to DC, it should automatically install DNS if you haven't already.. It won't create a new child domain, it will just be a second DC in the same domain.

koldchillah · Post by **koldchillah** » Tue May 23, 2006 4:26 pm

chugger93 wrote:NT? No Im talking about 2k3. Didnt know those terms (pdc, bdc) werent used anymore.

Most old school techies from the NT days still use the terms PDC & BDC, but technically Microsoft has done away with the terminology b/c the differences in the relationship between DC's from NT to 2k/2k3 has changed quite a bit. It's much easier to manage multiple DC's in the 2k/2k3 environment.

chugger93 · Post by **chugger93** » Tue May 23, 2006 5:04 pm

Ok thanks, so its that easy huh? No extra overhead? Everything will be replicated so if my primary goes down this secondary will take over? Oh & what do u mean promote, using dcpromo? Never used it before

koldchillah · Post by **koldchillah** » Tue May 23, 2006 6:30 pm

[quote="chugger93"]Ok thanks, so its that easy huh? No extra overhead? Everything will be replicated so if my primary goes down this secondary will take over? Oh & what do u mean promote, using dcpromo? Never used it before ]

yep.. dcpromo is basically the setup program for Active Directory. In order for people to be able to login using the second server, you should make it a global catalog server. Basically a global catalog server is a fully replicated copy of the entire Active Directory database.

To make the second DC a global catalog server use the Active Directory Sites and Services snap-in, in the Administrative Tools folder. Expand the Sites until you locate the server that you wish to become a Global Catalog. Right-click the NTDS Settings icon, under the server, and press Properties. On the General tab, check the Global Catalog box.

Another good link that talks about FSMO roles and the Global Catalog: http://www.comptechdoc.org/os/windows/w ... tions.html

Don't forget to install the support tools on the DC's and run dcdiag.exe before and after you promote the second DC. If there are errors, you want to knock those out before promoting the second DC.

Good luck dude.. Post back if you run into any problems.

Post by **YeOldeStonecat** » Tue May 23, 2006 6:33 pm

[quote="chugger93"]Oh & what do u mean promote, using dcpromo? Never used it before ]

Yup...promote..you run the old "dcpromo"...or do it via the wizard...in your "configure my server" wizards.

If you have an existing 2K domain..you'll also have to run "forest prep" ...included on your Server 2K3 CD. A little utility that "preps stuff" on the 2000 server before passing the steering wheel over to the 2K3 server..sort of speak. To be honest with you..been almost a year since I've done that..I forget if the 2000 server will require a bounce after running forest prep..so I'm not positive on the answer for "can be done during production hours".

I'd want to do it after production hours...so the current DC isn't under load..greater chance of success.

koldchillah · Post by **koldchillah** » Tue May 23, 2006 9:50 pm

YeOldeStonecat wrote:I forget if the 2000 server will require a bounce after running forest prep..so I'm not positive on the answer for "can be done during production hours".

I'd want to do it after production hours...so the current DC isn't under load..greater chance of success.

No reboot is required after running adprep, but you do have to allow time for the changes to replicate to any other additional DC's in the forest before promoting the 2k3 server.

Good point on the after hours.. definitely less risk of problems.

chugger93 · Post by **chugger93** » Wed Jul 26, 2006 8:36 am

I havnt even done this yet. Do you think its a good idea for fault tolerance? Have you ever seen a primary go down? We have only like 50 employees, but an outage would suck

koldchillah · Post by **koldchillah** » Wed Jul 26, 2006 9:34 am

chugger93 wrote:I havnt even done this yet. Do you think its a good idea for fault tolerance? Have you ever seen a primary go down? We have only like 50 employees, but an outage would suck

fault tolerance for AD = always a good thing.

primary server go down? = yes.. it happens.

chugger93 · Post by **chugger93** » Tue Aug 01, 2006 3:55 pm

koldchillah wrote:yep.. dcpromo is basically the setup program for Active Directory. In order for people to be able to login using the second server, you should make it a global catalog server. Basically a global catalog server is a fully replicated copy of the entire Active Directory database.

To make the second DC a global catalog server use the Active Directory Sites and Services snap-in, in the Administrative Tools folder. Expand the Sites until you locate the server that you wish to become a Global Catalog. Right-click the NTDS Settings icon, under the server, and press Properties. On the General tab, check the Global Catalog box.

Another good link that talks about FSMO roles and the Global Catalog: http://www.comptechdoc.org/os/windows/w ... tions.html

Don't forget to install the support tools on the DC's and run dcdiag.exe before and after you promote the second DC. If there are errors, you want to knock those out before promoting the second DC.

Good luck dude.. Post back if you run into any problems.

Now Do I make it a global catalog server on the Secondary DC only or both? Because on the primary DC, when I expand the sites and services, I see the secondary DC, but under the general tab, global catalog is unchecked. On the secondary though its checked.

koldchillah · Post by **koldchillah** » Tue Aug 01, 2006 4:35 pm

chugger93 wrote:Now Do I make it a global catalog server on the Secondary DC only or both? Because on the primary DC, when I expand the sites and services, I see the secondary DC, but under the general tab, global catalog is unchecked. On the secondary though its checked.

If this is a single site domain, then sure, you can make it a global catalog. You will then have two fully replicated copies of your Active Directory database. Overall, this produces more traffic between servers, but it shouldn't become a problem unless you have thousands of objects and you make changes all the time. A gigabit link between DC's makes this even less of a factor.

There are a lot of references from Microsoft that will say to never put the Infrastructure Master role (going back to FSMO roles) on a global catalog server but this is only because when you have multiple sites, site replication does not work properly if your Infrastructure Master role is on a global catalog server. If you're dealing with a single site domain, this is a non-issue from what I've noticed.

chugger93 · Post by **chugger93** » Tue Aug 01, 2006 4:56 pm

Ok Thanks. Now what happens with DNS? Normally lets say our clients primary DNS is 10.0.0.2 which is the Primary Domain Controller. If that goes down, then that DNS is basically void. Login will take forever because DNS server is down. Would I then have to change DNS settings on the DHCP server, or will DNS just still function normally and the secondary DC will somehow take over

Edit: hmmm, DNS was never installed on the secondary DC...only active directory, thats weird

koldchillah · Post by **koldchillah** » Tue Aug 01, 2006 5:37 pm

I'd install DNS on the second DC and make sure the zones are set as AD integrated zones.. the zone data should replicate over at the next replication cycle and you can tell DHCP to assign the IP of the second DC as the secondary DNS server. Wherever you have static IP's setup, just add DC #2 as a secondary DNS server.

You do have your main server setup with AD integrated zones right?

chugger93 · Post by **chugger93** » Wed Aug 02, 2006 7:58 am

ad integrated zones? You can tell Im just a beginner at this stuff.

Well then no, I guess I dont have integrated zones setup...not sure?

koldchillah · Post by **koldchillah** » Wed Aug 02, 2006 10:19 am

chugger93 wrote:ad integrated zones? You can tell Im just a beginner at this stuff.

Well then no, I guess I dont have integrated zones setup...not sure?

Go into your DNS snap-in.. right-click each of your forward and reverse lookup zones and choose properties. Then on the general tab it will tell you the "type" of zone it is. You can click "change" and set it to Active Directory Integrated. Also make sure under 'Dynamic Updates' that is says "secure only".

By changing the type to AD integrated, your DNS zones will be stored within' Active Directory (in whats called an 'Application Partition', but thats not whats important). AD integrated zones are replicated whenever the rest of AD is replicated rather than having primary zones stored by themselves in a zone file.

Standard primary lookup zones require zone transfers to update other DNS servers on your LAN. Changes & additions to DNS are made by the primary server and then "transfered" over to the secondary.

With AD-integrated zones DNS updates can happen from either server rather than just your primary server. This is a more flexible & secure method of providing DNS on your LAN.

Also, once you've set the zone types to AD-integrated, in the DNS snap-in, right-click your server and choose properties. Then on the advanced tab look for "Load zone data on startup:" and set that to "From Active Directory and registry".

Some links on DNS & AD zone integration:

http://www.comptechdoc.org/os/windows/w ... 2kdns.html

http://www.microsoft.com/technet/commun ... 2.mspx#E2D

Ignore the fact that these links talk about Windows 2000.. This information has not changed much in regards to DNS zone behavior in Server 2003.

Once the zones are AD-integrated, all you'll have to do is install DNS on the second server and wait for replication to put the zones there for you.

chugger93 · Post by **chugger93** » Wed Aug 02, 2006 10:51 am

looks like the primary DC is already AD integrated. Interesting. So I guess I can proceed with just installing DNS on the secondary DC.

B.T.W, since you seem to know a great deal about this stuff. I noticed the option "Enable automatic scavenging of records" or something in the advanced tab under properties. I'm wondering if that would help my problem. My problem is, sometimes I get multiple A records in my DNS. Like two different computer names will have the same IP assigned to them. I think its because machines will be shutdown, and in an attempt for the DHCP server to reach them, it'll see that their IP is unreachable and put it back in the POOL for someone else to use. Then another machine picks up that same IP, and when the 1st machien is turned on, theres a conflict.

Oh and also, should this be enabled on the #1 DC? Or is this only if you dont have AD integrated zones?

koldchillah · Post by **koldchillah** » Wed Aug 02, 2006 11:46 am

It's not a requirement, but I always let it scavenge records just to keep things clean in there.

You shouldn't allow zone transfers.. it won't be necessary for AD integrated zones.

Keep an eye on your log files through all this. Make sure you have the support tools installed on your servers and run dcdiag.exe & netdiag.exe after making significant changes.. Use http://www.eventid.net to help translate some of the strange warnings and errors that don't make sense to you. It will help you learn stuff that much quicker once you start understanding the cycles of events that occur in the event logs. You'll be more likely to notice changes and you'll always be one step ahead of most AD/domain related issues.