AD DC redundancy
  • AD DC redundancy

    Hello

    I've inherited an AD from a colleague who got promoted. Its DCs were 2 Win2003R2 machines (ADDC01 and ADDC02). I've DCPrepped the forest and domain and added a 2008R2 DC (ADDC03).

    For testing purposes, I've disconnected one 2003 DC (ADDC02) from the network and blocked all ip/tcp traffic between my workstation and ADDC01 using our ASA firewall. I was still able to log on, GPO's were still in effect as if nothing had happened.

    Then, I upgraded the remaining 2003 DC (ADDC01) to 2008. However, during the downtime, no one was able to log into their workstation or into their exchange. Once the upgrade was completed and ADDC01 came back online, everything worked again. It looks like ADDC03 does partake in load balancing, but doesn't offer any redundancy whatsoever. ADDC01 is a huge single point of failure.


    My questions are:
    • why is there no redundancy now?
    • how can we achieve redundancy? Will this happen automatically once we upgrade the forest and domain to 2008?
    • once ADDC02 is demoted, can we safely upgrade our forest and domain? What risks are involved here?

    Thanks in advance for sharing your wisdom.

  • #2
    Re: AD DC redundancy

    Exchange is sensitive to the availability of the domain's Infrastructure Master role holder (I believe), so if that's not available, Exchange is unhappy. If Exchange was already running and the Infrastructure Master was taken off-line, you may want to reboot Exchange so it talks to the remaining DC from startup. As for the users in general, it may be that not all DCs are Global Catalog servers.

    You don't talk about DNS or DHCP settings in your description, either. If DNS is missing because it wasn't on the active ADDS03, and you had removed ADDS01 and 02 for work, that could have something to do with it.

    Redundancy should never be an issue with a domain system with multiple DCs in it, when properly designed. If it isn't already, make sure all DCs are DNS servers and Global Catalog servers. Then verify that all DHCP scopes identify all DCs as DNS servers under the Options for each scope. Try eliminating DCs again to leave just ADDS03 on-line, reboot the clients and see if the users have the same problem.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: AD DC redundancy

      you need to check which server is your global catalog, and what your dns configurations are.

      if one DC is down, the other should pick up, if everything is configured properly.

      so, let's start with checking that DNS is enabled on both servers, and that your clients are configured via dhcp to look to the two servers for dns.

      also check which one is your GC (although with multimaster, it should survive for a short period without a gc)
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



      • #4
        Re: AD DC redundancy

        Thanks for your reply, RicklesP and tehcamel.


        While ADDC01 was down, we rebooted our exchange server, but it still couldn't connect to the domain.
        All DC are GC's (or, at least, they're labelled as GC's in ADUC on the 2008-machines).

        All ADDC's are DNS-servers, and the service is up and running. None are DHCP servers, that is handled by a Cisco ASA 5550 for all DHCP-enabled subnets. The Cisco is set to hand out ADDC01's IP as the primary DNS and ADDC03's IP as the secondary DNS to its DHCP-clients. Static IP's were manually configured in the same way. Alas, I did the upgrade of ADDC01 remotely, and during a time only few clients were online. Therefore, I didn't test if DNS worked on the clients while ADDC01 was down. However, ADDC03 did work as a DNS server when I blocked all traffic between my workstation and ADDC01.

        After hours, when there are but few clients to disturb, I'll unplug ADDC01 from the network and examine the clients to check if DNS works.

        Thanks again!



        • #5
          Re: AD DC redundancy

          What about the 5 FSMO roles? Are they moved to the active DCs?
          Roles: PDC, Infrastructure master, rid master, schema master, Domain naming master!
          For DNS working, you should have it installed on all the DCs and make sure that all of them are added as DNS servers in DHCP scope options so PCs pick them up.



          • #6
            Re: AD DC redundancy

            Thanks for your reply, pjhutch.

            DNS is set up and working, I configured our DHCP-server to include both ADDC01 and ADDC03 as DNS-servers.

            The FSMO-roles are indeed all mastered by ADDC01, which may explain a lot here. Tomorrow I have a nice opportunity to test a few things without disturbing too many users. I'll set ADDC03 as master for each of them, disconnect ADDC01 from the network and see what happens.

            However, I am still unclear about one thing here. It looks like only one server can be PDC, Infrastructure master, rid master, schema master or Domain naming master. Am I to understand that if this server goes down, domain-related tasks won't work properly until another server is manually set as a master? That would be a shame, as I'm looking for a solution which keeps running until the last AD DC standing dies...



            • #7
              Re: AD DC redundancy

              Each role can only be applied to one machine, yes, but they don't all have to be the same machine. You should look up FSMO roles best practices to see what works best for your network makeup.

              As far as keeping them operational until they die, I'm going to go ahead and say that is not a best practice. One of the major parts of maintaining a network is ensuring its availability. If one of your DCs is on a questionable server, get a new server and repurpose that one to assume a function that isn't so essential. If the DC does go down due to a myriad of other factors, those roles can be assumed by another DC. If I remember correctly (no longer a sys admin), the source DC doesn't have to be online in order to transfer its roles. However, you do have to at least have one other DC on the network to do this. As far as whether or not this can be automated, I don't know.
              Last edited by Bertmax; 10th December 2013, 20:25.



              • #8
                Re: AD DC redundancy

                The 5 roles are divided into 2 levels: forest(enterprise)-level and domain-level. The Schema and Naming masters are Forest-level and the remaining 3 are Domain level. The normal practice is to assign the 2 Forest-level roles to the first DC in the domain (or forest, if you're going that far), and the other 3 (RID, Infrastructure and PDC) to any other DCs at the domain level. So if you have a multi-tree forest, you'll have RID, PDC and Infr master role holder DCs in the forest root, and in each child domain in the forest. If your domain is simply a single-tree-forest with 2 DCs, 2 roles on one and 3 roles on the other.

                And yes, at least one DC must be on-line for any role transfer. If the current role-holder isn't on-line, its roles can be 'seized' by one that is. Search for 'seizing FSMO roles' and have a read.
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA

                ** Remember: credit where credit is due, and reputation points as appropriate **
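                An added example (not code from the thread or any poster) of the role inventory and transfer that #7, #8 and the earlier posts discuss: it lists the two forest-level and three domain-level FSMO holders, shows which DCs are Global Catalogs, and transfers the three domain-level roles to ADDC03 while ADDC01 stays online. It assumes the ActiveDirectory PowerShell module (2008 R2 DC or RSAT) and the thread's DC names ADDC01/ADDC03; the role split is the one #8 describes, not a rule.

```powershell
# Added example: inventory FSMO role holders and GC status, then transfer roles.
# Assumes the ActiveDirectory module and the thread's DC names (ADDC01, ADDC03).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-level roles come from Get-ADForest, three domain-level roles from Get-ADDomain
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every DC in this scenario should be a GC; any DC with IsGlobalCatalog = False needs attention
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles, OperatingSystem |
    Format-Table -AutoSize

# Transfer (not seize): the current holder must be online, AD updates both sides consistently.
# Domain-level roles go to ADDC03, the forest-level roles stay on ADDC01 (the split from post #8).
Move-ADDirectoryServerOperationMasterRole -Identity 'ADDC03' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Re-read the holders to confirm the transfer replicated
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster | Format-List

# Seizing is the same cmdlet with -Force and is only for a holder that will never return;
# as post #11 warns, bringing a seized holder back online leaves two DCs claiming one role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'ADDC03' -OperationMasterRole SchemaMaster -Force
```

                Run it from an elevated session as a domain administrator; the transfer line is the only step that changes anything, so comment it out for a read-only check.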



                • #9
                  Re: AD DC redundancy

                  The FSMO role holder being offline has no bearing on the client's ability to authenticate to and log on to the domain.

                  All DC's in your scenario should be GC's and DNS servers for the domain. Domain clients should be configured to use all DC/DNS servers for DNS.

                  The first step in logging onto the domain is querying DNS to find a DC. If the clients aren't configured to use all of the DNS servers for DNS and one or more DC/DNS servers is offline then clients may be unable to query DNS for the location of a DC.



                  • #10
                    Re: AD DC redundancy

                    Thanks once again for your replies.


                    I tried moving all FSMO's to ADDC03 and unplugged ADDC01, and people were still able to log on. Exchange also kept working. I then plugged ADDC01 in again and transferred the domain roles to ADDC01, in accordance with a best practice guide I found (which matches what RicklesP advised). I then demoted ADDC02 and successfully upgraded our domain to 2008, without any hiccups whatsoever. Everything still works and dcdiag shows no issues on either DC.

                    Even though intervention is required if a DC goes down, it is minimal and can be done remotely, so it'll do.


                    I'm considering my problem solved. Thank you all for your assistance. I owe you all a beer.



                    • #11
                      Re: AD DC redundancy

                      Manual intervention isn't required if a DC goes down. If you have two DC's, one of which holds the FSMO roles, and the FSMO role holder goes down you should not need to transfer/seize the FSMO roles to the other DC unless the original FSMO role holder will never be brought back online. In fact, seizing the FSMO roles and then bringing the original FSMO role holder online will break AD.

                      The point I'm trying to make is that domain functionality should operate correctly if a DC goes down for a short period of time. If it doesn't then my suggestion would be to make sure that your AD DNS zones are correct (NS, DC and SRV records for all DC's) and to make sure that all domain clients are configured to use all of the AD DNS servers for DNS.
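                      An added example (not code from the thread or any poster) of the checks #3, #9 and #11 recommend: it confirms that every DC has registered the SRV records the DC locator queries, that every DC is listed as a name server for the zone, and that the client it runs on has all DC addresses in its DNS server list. It assumes the ActiveDirectory module, the DnsClient module (Windows 8 / Server 2012 or later for Resolve-DnsName and Get-DnsClientServerAddress) and the thread's single domain with ADDC01 and ADDC03.

```powershell
# Added example: verify DC locator records and client DNS configuration.
# Assumes the ActiveDirectory and DnsClient modules; run on a domain-joined client.
Import-Module ActiveDirectory

$domainName = (Get-ADDomain).DNSRoot
$dcs        = Get-ADDomainController -Filter *
$fmt        = '{0,-45} {1,-25} {2}'

# 1. SRV records a client queries to find a DC; each DC must appear as a target.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domainName",     # DC locator (LDAP)
    "_kerberos._tcp.dc._msdcs.$domainName", # Kerberos KDC
    "_gc._tcp.$domainName"                  # Global Catalog
)
foreach ($srv in $srvNames) {
    # Resolve-DnsName also returns the additional A records, so keep only the SRV answers
    $targets = (Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'SRV' }).NameTarget
    foreach ($dc in $dcs) {
        $state = if ($targets -contains $dc.HostName) { 'OK' } else { 'MISSING' }
        $fmt -f $srv, $dc.HostName, $state
    }
}

# 2. NS records for the zone: every DC/DNS server should be listed.
$ns = (Resolve-DnsName -Name $domainName -Type NS |
       Where-Object { $_.QueryType -eq 'NS' }).NameHost
foreach ($dc in $dcs) {
    $state = if ($ns -contains $dc.HostName) { 'OK' } else { 'MISSING' }
    $fmt -f "NS $domainName", $dc.HostName, $state
}

# 3. This client's DNS server list versus the DCs' addresses (post #9: if a client
#    only knows the DNS server that is down, it cannot find any DC at all).
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
foreach ($dc in $dcs) {
    $state = if ($clientDns -contains $dc.IPv4Address) { 'OK' } else { 'NOT LISTED' }
    $fmt -f 'Client DNS server list', $dc.HostName, $state
}

# 4. A DC that shows MISSING can re-register its records by running, on that DC:
#    nltest /dsregdns
#    and the DNS health of the domain can then be confirmed with:
#    dcdiag /test:dns
```

                      A MISSING result for the _msdcs SRV records on a DC that is up usually means Netlogon has not registered with the DNS server the DC itself points at, which is the first thing to check on that DC's own NIC DNS settings.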



                      • #12
                        Re: AD DC redundancy

                        Thanks, joeqwerty, I'll be sure to check my AD DNS zones configuration.

                        I'm very glad to read that the domain should remain functional without manual intervention if one DC goes down. Thanks, also, for the warning about migrating FSMO's and then reviving the broken original FSMO-holder. Won't be doing that.

                        The upgraded domain is working nicely btw: the boss is happy and the end-users are oblivious

                        Thanks again to everyone who helped me out here, really appreciate it.



                        • #13
                          Re: AD DC redundancy

                          Originally posted by frank.eyckmans:
                          Thanks, joeqwerty, I'll be sure to check my AD DNS zones configuration.

                          I'm very glad to read that the domain should remain functional without manual intervention if one DC goes down. Thanks, also, for the warning about migrating FSMO's and then reviving the broken original FSMO-holder. Won't be doing that.

                          The upgraded domain is working nicely btw: the boss is happy and the end-users are oblivious

                          Thanks again to everyone who helped me out here, really appreciate it.
                          So do you have redundancy if a DC goes offline?



                          • #14
                            Re: AD DC redundancy

                            I'll have to wait and see, wullieb1. I don't want to risk users not being able to log in as it is quite busy nowadays. In a few months, some quietness should be coming up. I'll do a few tests then and I'll post the results.
