
Redundant Domain Controllers in 2008


  • Redundant Domain Controllers in 2008

    Is there a way to implement redundant domain controllers in 2008?

    That is, if I have a DC that is the reliable time source, and/or holds other unique AD roles, that I can automatically protect against the failure of said server.

  • #2
    Re: Redundant Domain Controllers in 2008

    Hi,
    Just add an additional DC.

    http://www.howtonetworking.com/server/w2008ad1.htm

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Redundant Domain Controllers in 2008

      Could you expand on what you mean by "unique AD roles"? Are you referring to FSMO roles?

      It's not a good idea to have FSMO roles be automatically seized should a server stop responding - whenever they are seized, the former host must not be connected back to the network until the operating system has been reinstalled.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



      • #4
        Re: Redundant Domain Controllers in 2008

        I may be showing my ignorance here, but concerning the FSMO roles in 2003, if the server holding the PDC failed, all sorts of problems occurred with authentication, replication and the like until you seized the role with another DC.

        But mainly, it was if the DC that a server/client identified in the LOGONSERVER setting in the environment failed, it would cause delays when accessing domain resources, and we would have to run a batch file to force it to use a different DC, or wait for it to timeout and create a new secure channel to a different DC.

        And yes, I know very well the precautions that have to be taken when seizing, but I had hoped that manual intervention was unnecessary in 2008. Basically, that you don't have to seize roles if a DC fails.

        Considering that domain controllers form the backbone of Active Directory, and a necessary part of a fully integrated Windows network, I'm just surprised there are not better ways to ensure their availability.



        • #5
          Re: Redundant Domain Controllers in 2008

          Basically, redundancy is the reason for placing an additional DC; it will be able to handle logon requests, that's what it's made for.

          As for FSMO, only one FSMO role holder per forest/domain (depending on FSMO role type), but what you can do is to make sure that the best candidate for the FSMO role replacement DC will be a direct replication partner with the current FSMO role holder. I.e. do not place a FSMO role replacement candidate DC in a remote site where it will need to pass-through replication with the current FSMO role holder.

          In any case, for ~90% of regular AD operations, the loss of a FSMO role holder will not have immediate consequences. You will have time to either fix the issue or seize the role to the FSMO role replacement candidate DC.
          Cheers,

          Daniel Petri
          Microsoft Most Valuable Professional - Active Directory Directory Services
          MCSA/E, MCTS, MCITP, MCT



          • #6
            Re: Redundant Domain Controllers in 2008

            While having a second DC as a global catalog within the same site mitigates some of the effects, it still doesn't achieve what I'm looking for, which is an unattended failover of a DC holding whatever role it happens to have.

            It seems that if you want redundant email, sure, they can do that. You want a redundant file server, they can do that too, and the same for a whole slew of server roles, but if you want high availability for your domain controller, well, you're just plumb out of luck.

            That's how it is in 2003, and I had hoped things would be different in 2008.

            Or am I barking up the wrong tree?

            Personally, for a SaaS application environment that is vital to customer business operations and is used 24/7, 90% is just not good enough. Not when you're looking at achieving 99.999% uptime.
            Last edited by TokyoBrit; 4th February 2009, 00:59.



            • #7
              Re: Redundant Domain Controllers in 2008

              Yes, it seems that you are barking at the wrong tree... that's the way AD works since Win2000, and that hasn't changed since (although there have been some major improvements in regard of replication and functionality).

              In any case, remember - the difference between any DC and the DC holding the FSMO roles is negligible in a day to day usage. Any loss of FSMO role can be dealt with, either by taking your time to repair the lost FSMO role holder, or by seizing the role in case something goes terribly wrong. So yes, having 2 DCs that are also GCs and that are also DNS servers and having the clients "know" about this will be as good as you'll get.
              Cheers,

              Daniel Petri
              Microsoft Most Valuable Professional - Active Directory Directory Services
              MCSA/E, MCTS, MCITP, MCT



              • #8
                Re: Redundant Domain Controllers in 2008

                Thanks for the comments Daniel. They are appreciated.

                If I'm stuck with the same AD environment in 2008 that I have in 2003, that's fine. I've already got measures in place to deal with such rare events as a PDC failure.

                I had just hoped, maybe fruitlessly, that 2008 would address those shortcomings. Maybe Windows 7 will be better.



                • #9
                  Re: Redundant Domain Controllers in 2008

                  Originally posted by TokyoBrit:
                  "I had just hoped, maybe fruitlessly, that 2008 would address those shortcomings. Maybe Windows 7 will be better."

                  I don't think this is a technology limitation. As in real life, most AD disasters are preventible to an extent but not predictable. I suppose it all depends on the type of the disaster but in general the machine has no way of knowing that a disaster is about to strike and then taking the necessary precautions, i.e. starting a seize FSMO process to another healthy DC. So, I wouldn't hold my breath for such a solution in the near future.

                  Cheers


                  • #10
                    Re: Redundant Domain Controllers in 2008

                    Keep in mind that if you're able to transfer a FSMO role, then its holder hasn't failed.

                    Also keep in mind that if you seize a role, you have to flatten the former holder before it is connected back to the network.

                    In my mind, that makes automatic seizing of roles highly undesirable. Suppose a server drops off the network for some reason for a few minutes - maybe the WAN link between two sites goes down (for example). The role would be automatically seized. When the network comes back up again, the former role holder will start talking to the network again and potentially cause problems.
                    Gareth Howells

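The thread's conclusion is that a reachable FSMO holder should have its roles transferred and that seizure should stay a manual decision. The read-only check below is an added example, not part of any post in the thread: it lists the five role holders and whether each answers on LDAP. It assumes the ActiveDirectory PowerShell module is installed; `Test-TcpPort` and `Get-FsmoHolderStatus` are hypothetical helper names.

```powershell
# Added example: report FSMO role holders and their reachability.
# Read-only by design: it never transfers or seizes a role.
Import-Module ActiveDirectory

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Give up after the timeout instead of blocking on a dead host.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-FsmoHolderStatus {
    $forest = Get-ADForest   # forest-wide roles
    $domain = Get-ADDomain   # domain-wide roles
    $roles = @(
        @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster },
        @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster },
        @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator },
        @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster },
        @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
    foreach ($r in $roles) {
        $up = Test-TcpPort -ComputerName $r.Holder -Port 389
        if ($up) {
            $advice = 'Holder is up: transfer the role if it must move'
        } else {
            # Unreachable from this machine may only mean a link is down,
            # so the result is a prompt to investigate, not to seize.
            $advice = 'Investigate: seize manually only if holder will never return'
        }
        New-Object PSObject -Property @{
            Role = $r.Role; Holder = $r.Holder; LdapReachable = $up; Advice = $advice
        }
    }
}

Get-FsmoHolderStatus | Format-Table Role, Holder, LdapReachable, Advice -AutoSize
```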