  • Active Directory Replication - what will happen??

    I have a question about replication within a Windows Server 2003 Active Directory environment.

    Currently we have our DC set up and it is the only DC in our domain. It is running AD, DNS, DHCP, and WINS. Rather than having a second DC up and running for replication and in case our DC were to crash, our network admin converted our DC to a VMware machine, renamed it / gave it a different IP, and powered it off.

    When I asked what the point of this VM was, I was told that from time to time this VM gets powered up and replicates with our non-VM DC.

    My question is: is this true? Will this happen?? I don't know when the VM was last powered on, and I know recently there have been some AD changes (some policies were modified, some OUs were modified as well).

    I have a decent understanding of AD replication, considering that the DNS is AD integrated and both DCs are up and functioning all the time... but... I am having difficulty understanding what will happen when this VM DC is powered on.

    Thanks in advance..

    sb

  • #2
    Re: Active Directory Replication - what will happen??

    If ALL he did was a VMware cold-clone convert, not only will it not replicate with the original physical DC, it'll cause problems: it still thinks it's the DC, even if he changed its IP.

    Unless he's made the VMware guest a modified DC, with a new IP address, new hostname, and so on, and removed and rejoined it as a new DC, it won't. Otherwise it's going to be trying to replicate itself with itself.

    • #3
      Re: Active Directory Replication - what will happen??

      Personally I'd have created a new VM from scratch and allowed it to replicate naturally.

      What FSMO roles were on the original server???

      How many servers do you have on the domain???

      • #4
        Re: Active Directory Replication - what will happen??

        I agree with Wullieb1. Making a VM of your DC is a good idea as a backup for disaster recovery, but there are a lot of problems that can go along with it.

        The only supported way to have a second computer created from an original computer (that I know of) is to sysprep the original computer. And that's pointless with a DC.

        It would be much better to create a totally new computer as a VM. It could be set up, synchronized, and turned off, and only turned on again from time to time to keep it up to date.

        You should be sure to turn it on often enough that the AD tombstone timeouts don't take effect (or else when you need it, it won't work). The old timeout values were 30 days, but I believe MS changed them to 120 a service pack or two ago.

        Also, be sure NOT to take VM snapshots of this VM! This is very important because if you ever RESTORED to a snapshot, AD would/could become inconsistent. (It's the restore that's much more dangerous than the snapshot.) Of course, in a disaster recovery scenario where there are no other domain controllers in existence it may not be an issue.

        • #5
          Re: Active Directory Replication - what will happen??

          Hi,

          Your network admin is using a concept called a "Lag DC", if I am not wrong. It's a method in which you do a controlled one-way replication to a specific DC which can be used in a DR situation.

          What you and your network admin need to do is a test to check if this actually works. Because when you change the IP and the DC's name, your DNS will not be able to find the services advertised by the DC, since it will have old information unless the records are verified and updated. So clients may not be able to log on either, plus after 60 days the machine password changes automatically, so that's going to be another issue. So I would suggest doing a DR drill: shut down the main DC gracefully, then bring up one of your VMs and check what happens.
          Thanks & Regards
          v-2nas

          MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
          Sr. Wintel Eng. (Investment Bank)
          Independent IT Consultant and Architect
          Blog: http://www.exchadtech.blogspot.com


          • #6
            Re: Active Directory Replication - what will happen??

            Originally posted by wullieb1 View Post
            Personally i'd have created a new VM from scratch and allowed it to replicate naturally.

            What FSMO roles were on the original server???

            How many servers do you have on the domian???
            Currently we have only 1 dc in the domain - the server in question. So I would assume that this dc has all of the FSMO roles....

            • #7
              Re: Active Directory Replication - what will happen??

              Do not let this admin boot that machine then as it will cause you issues.

              Have a look around the main site and you'll find an explanation of the FSMO roles and how many each domain will have.

              • #8
                Re: Active Directory Replication - what will happen??

                Originally posted by wullieb1 View Post
                Do not let this admin boot that machine then as it will cause you issues.

                Have a look around the main site and you'll find an explanation of the FSMO roles and how many each domain will have.
                Well. There is the global catalog, schema master, domain naming master, infrastructure master, and the pdc emulator.

                The way this DC was "created" was by seizing all of the roles of an NT domain using NTDSutil, then the old NT DC was powered off. (Not sure if the old DC was dcpromo'd down or if it was removed using NTDSutil.)

                So all of the roles are housed on our DC. Essentially, they would have to be, right?? If that other DC (the virtual one) is always powered off, some of the roles would not be present...

                • #9
                  Re: Active Directory Replication - what will happen??

                  My point was that there can only ever be 1 schema and 1 RID Master per forest, 1 infrastructure master, 1 RID master and 1 PDC emulator in any domain.

                  You have only one forest and 1 DC that i can gather from your posts hence the 1 DC you have will have all those roles.

                  Imaging that DC and introducing it will cause problems with the FSMO roles on the network.

                  V-2nas

                  What is a "lag DC"?? I've never heard of that before so any info on it would be appreciated.

                  • #10
                    Re: Active Directory Replication - what will happen??

                    When I saw this post, my first idea was "Oh My God!".
                    First of all:
                    He took an existing domain controller holding the FSMO roles and running services like DNS/DHCP, and cloned it to a virtual machine?!
                    You may still change the IP address and host name; that will not change anything.

                    Your domain configuration has only one domain controller! Even if you clone your domain controller 10 times, your NTDS database will still only contain one domain controller!

                    And as Wullieb1 noted, what about the FSMO roles?! Only one server can be the owner of a certain role. You cannot have two servers within the domain which are both (for example) RID masters for the same domain.
                    FSMO = FLEXIBLE SINGLE MASTER OPERATIONS

                    Not to speak of DHCP and DNS....

                    This set-up is all wrong, and I would advise you to remove the cloned server as soon as possible. The only good way to go is to install a new virtual server, promote it to domain controller and leave it on. If you feel the need to have some lag in your replication, it is better to create 2 sites and configure replication between these domain controllers at custom intervals.
                    [Powershell]
                    Start-DayDream
                    Set-Location Malibu Beach
                    Get-Drink
                    Lay-Back
                    Start-Sleep
                    ....
                    Wake-Up!
                    Resume-Service
                    Write-Warning
                    [/Powershell]

                    BLOG: Therealshrimp.blogspot.com
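The point made in #9 and #10, that a cloned DC is the same DC as far as the NTDS database is concerned and that each FSMO role has exactly one owner, can be checked directly. The script below is an added example, not code from the thread; it uses plain ADSI so it runs on a Windows Server 2003 DC with PowerShell 1.0/2.0 and no ActiveDirectory module. Run it on the physical DC and then on the clone (with the clone isolated from the production network): both report the same single DC and the same role owners, and on the renamed clone the final check fires because the DC's NTDS identity still names the original server. Everything it reads (fSMORoleOwner, nTDSDSA objects, RootDSE dsServiceName) is standard directory data; no host names are assumed.

```powershell
# Added example: list the DCs the directory actually knows about, the owner of
# each FSMO role, and whether this host is really the DC it claims to be.

$rootDSE  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDSE.configurationNamingContext
$schemaNC = [string]$rootDSE.schemaNamingContext
$domainNC = [string]$rootDSE.defaultNamingContext

# fSMORoleOwner holds the DN of the owner's NTDS Settings object; the server
# name is the CN one level above it.
function Get-ServerFromNtdsDn([string]$dn) {
    if ($dn -match '^CN=NTDS Settings,CN=([^,]+),') { return $matches[1] }
    return $dn
}

function Get-FsmoOwner([string]$objectDn) {
    $obj = [ADSI]"LDAP://$objectDn"
    return Get-ServerFromNtdsDn ([string]$obj.fSMORoleOwner)
}

# The five role-bearing objects: two forest-wide, three per domain.
$roles = @(
    @{ Role = 'Schema master';         Dn = $schemaNC },
    @{ Role = 'Domain naming master';  Dn = "CN=Partitions,$configNC" },
    @{ Role = 'PDC emulator';          Dn = $domainNC },
    @{ Role = 'RID master';            Dn = "CN=RID Manager`$,$domainNC" },
    @{ Role = 'Infrastructure master'; Dn = "CN=Infrastructure,$domainNC" }
)

# Every DC in the forest has an nTDSDSA (NTDS Settings) object under CN=Sites.
# A clone does not get one of its own, so it never appears here as a second DC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$searcher.Filter     = '(objectClass=nTDSDSA)'
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$dcs = @($searcher.FindAll() | ForEach-Object {
    Get-ServerFromNtdsDn ([string]$_.Properties['distinguishedname'][0])
})

Write-Host "Domain controllers in the directory ($($dcs.Count)):"
$dcs | ForEach-Object { Write-Host "  $_" }

Write-Host "`nFSMO role owners:"
foreach ($r in $roles) {
    Write-Host ("  {0,-22} {1}" -f $r.Role, (Get-FsmoOwner $r.Dn))
}

# dsServiceName is the NTDS Settings DN of the DC you are talking to. On a
# clone that was renamed it still names the original server.
$self = Get-ServerFromNtdsDn ([string]$rootDSE.dsServiceName)
if ($self -ne $env:COMPUTERNAME) {
    Write-Warning "This host is $($env:COMPUTERNAME) but its NTDS identity is $($self); it is a copy of that DC, not a second DC."
}
if ($dcs.Count -eq 1) {
    Write-Warning "Only one DC exists in the directory; nothing replicates until a second DC is promoted with dcpromo."
}
```

Run it as a domain admin on the DC itself. If the clone has been renamed and shows a warning from the last block, that is the "replicating itself with itself" situation from #2: the directory has one DSA with two hosts claiming it.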

                    • #11
                      Re: Active Directory Replication - what will happen??

                      Originally posted by wullieb1 View Post
                      What is a "lag DC"?? I've never heard of that before so any info on it would be appreciated.
                      Nor has google!

                      Just finished delivering a round of AD training and nor has Microsoft
                      Tom Jones
                      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                      PhD, MSc, FIAP, MIITT
                      IT Trainer / Consultant
                      Ossian Ltd
                      Scotland


                      • #12
                        Re: Active Directory Replication - what will happen??

                        Originally posted by Ossian View Post
                        Nor has google!

                        Just finished delivering a round of AD training and nor has Microsoft
                        Yep my Google pages said nope WOW is the only thing it knows lol.

                        I thought i was missing out on something there lol.

                        • #13
                          Re: Active Directory Replication - what will happen??

                          Yeah, I was curious about the lag DC too and google didn't help me...

                          I'm with KillerBe. That was kinda my first thought too, but I know there are some things that can be done to duplicate a domain controller, specifically for DR. I looked up an MS article about how to rename a DC. But something still bothered me, rather seriously, and it's the NTDS database. Even if you renamed the DC, it would still think there was only one DC in the domain. And, because of the tombstone period for AD objects, you can't just make a copy of the DC and let it sit offline forever. Aside from the fact that it would get more and more out of date, after the tombstone period it would just not work. I guess you could recreate the VM of the DC every so often so that if the main DC died you could start the VM up ... possible, but ... shoddy, sloppy, ... scary. Better than nothing I guess.

                          But that's a very poor way to do it. As has been recommended, the best thing to do is create a second DC on a VM. Creating it as a separate site is one of MS's recommendations for DR (I was just reading that article a couple days ago but can't find it now...). The best thing to do would be to keep this VM DC online continuously; you can put it in a separate site for extra protection if you would like (this slows down replication so that if there's a problem/corruption/accidental mass deletion the replication won't happen as fast, and it gives you a chance to disconnect either of the DCs so that the 'good' DC will not get corrupted).

                          However, I suspect that in this environment that's not feasible, or that would have been the solution all along. So, I would recommend building a new DC on a VM and booting it up for a couple of hours every week or so, so it can replicate. You can use repadmin to force replication (or use the GUI). You still need to replicate the SYSVOL though. In 2003 I forget how to force replicating FRS (for GPO objects and such), which is why I suggest leaving it on for several hours.

                          MS example for using repadmin (old example):
                          repadmin /replicate server2.microsoft.com server1.microsoft.com dc=microsoft,dc=com

                          OK, I looked it up. You can force FRS replication with ntfrsutl.exe, a support tool from MS (get the Service Pack 2 version):
                          ntfrsutl forcerepl contosodc1 /r "domain system volume (sysvol share)" /p ContosoDC2.Contoso.com
                          Last edited by trevort; 19th March 2010, 02:39. Reason: typos
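The "boot it every week and let it replicate" routine from #13, with the tombstone caveat from #4 enforced before anything is forced, as an added example that is not part of the thread. The DC names DC1 (always-on source) and DC2 (the normally-off VM) are assumptions; change the parameters to match. It reads the forest's tombstoneLifetime attribute (unset means the 60-day default; forests created on Windows Server 2003 SP1 or later set 180), refuses to force replication to a DC whose last successful inbound replication is older than that, and otherwise pulls every naming context with repadmin /replicate, forces SYSVOL with the ntfrsutl command quoted above, and re-checks. It assumes the Windows Server 2003 Support Tools (repadmin, ntfrsutl) are on the path and a repadmin build that supports /showrepl /csv; the CSV column names used below are the ones that build emits and should be verified against your own output.

```powershell
# Added example: refresh a second DC that is normally powered off, safely.
param(
    [string]$LagDc    = 'DC2',   # assumed name of the VM that is usually off
    [string]$SourceDc = 'DC1'    # assumed name of the always-on physical DC
)

$rootDSE  = [ADSI]"LDAP://$SourceDc/RootDSE"
$configNC = [string]$rootDSE.configurationNamingContext

# tombstoneLifetime lives on CN=Directory Service; unset means 60 days.
$ds  = [ADSI]"LDAP://$SourceDc/CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl = [string]$ds.tombstoneLifetime
if (-not $tsl) { $tsl = '60' }
$tsl = [int]$tsl
Write-Host "Tombstone lifetime: $tsl days"

function Get-OldestInboundSuccess([string]$dc) {
    # repadmin /showrepl /csv gives one row per (naming context, inbound partner).
    $rows   = repadmin /showrepl $dc /csv | ConvertFrom-Csv
    $oldest = $null
    foreach ($row in $rows) {
        $t = $row.'Last Success Time'
        if (-not $t -or $t -eq '0') { continue }   # never succeeded: skip
        $when = [datetime]::Parse($t)
        if ($oldest -eq $null -or $when -lt $oldest) { $oldest = $when }
    }
    return $oldest
}

$last = Get-OldestInboundSuccess $LagDc
if ($last -eq $null) {
    Write-Warning "$LagDc has never replicated successfully; check its inbound partners first."
    exit 1
}
$age = (Get-Date) - $last
Write-Host ("Oldest successful inbound replication on {0}: {1} ({2:N0} days ago)" -f $LagDc, $last, $age.TotalDays)

if ($age.TotalDays -ge $tsl) {
    # Past the tombstone lifetime the DC can hold lingering objects, and a 2003 SP1
    # or later partner refuses to replicate with it (event 2042). Do not force it.
    Write-Warning "$LagDc has been offline longer than the tombstone lifetime. Demote and rebuild it; do not reconnect it."
    exit 1
}

# Pull every naming context from the source DC into the lag DC.
foreach ($nc in $rootDSE.namingContexts) {
    Write-Host "repadmin /replicate $LagDc $SourceDc $nc"
    repadmin /replicate $LagDc $SourceDc "$nc"
}

# SYSVOL (GPO templates, scripts) is carried by FRS, not by the step above.
# /p expects the DNS name of the partner; a NetBIOS name resolves on most nets.
ntfrsutl forcerepl $LagDc /r "Domain System Volume (SYSVOL share)" /p $SourceDc

# Verify: every inbound link should now report zero failures.
$after  = repadmin /showrepl $LagDc /csv | ConvertFrom-Csv
$failed = @($after | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object {
        Write-Warning ("{0} from {1}: {2}" -f $_.'Naming Context', $_.'Source DSA', $_.'Last Failure Status')
    }
    exit 1
}
Write-Host "$LagDc is in sync; it is safe to power it off again."
```

The ordering matters: the age check runs before any replication is forced, because once a DC has been off longer than the tombstone lifetime the right move is to demote and rebuild it rather than push changes into it. Leave the VM on for a while after the script finishes so that FRS can complete the SYSVOL pass, which is asynchronous and is not reflected in the repadmin output.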

                          • #14
                            Re: Active Directory Replication - what will happen??

                            Thank you all for the wonderful replies. It gave me just the information I was looking for. It also made me feel like I stirred up a good conversation for a first post.

                            I am sure there will be more posts to follow

                            thanks again

                            sb
