SQL Server - Domain controller

  • Greetings,

    I know this is not directly related to SQL Server, but I always got an answer here to the any predicament I was in.

    Here is the situation:

    All servers are Windows 2003 with the latest SP

    We have 3 SQL Server 2005 latest SP

    We have about 10 other servers

    We have about 400 XP and vista desktops

    I am pretty good as a DBA, building servers, maintaining the active directory. But I am not a system engineer.

    We had one Domain controller. I created another one on a virtual server with the dcpromo tool. The second domain controller works perfectly. I see the changes replicated, all the files are in the right folders, etc.

    Last week, I had to reboot the "primary" domain controller. I thought the second one would take over and everything would be transparent. It was not. The whole network was frozen: no one could access the network drives, Outlook connectivity to Exchange was lost, no one could log in. What surprised me a lot was that even our applications that use ODBC, DSNs or connection strings could not connect to SQL Server. Even the SQL Server log backups to local drives failed!

    Can anyone please tell me or point me to a resource that will show me what to do to have a true secondary domain controller on Windows 2003 that takes over when I reboot the primary one?

    Thank you

    MBA

    MCSE, MCDBA, MCSD, MCITP, IBM DB2 Expert, I-Net+, CIW

    Proud member of the NRA

    - Anti-gun laws prevent law-abiding citizens from buying guns and defending themselves against bad guys who do not care about the law and get their guns illegally.

    - Democracy is 2 wolves and one sheep talking about their next dinner. Freedom is 2 wolves and one armed sheep with a .357 magnum talking about their next dinner.

  • I've pinged a few people on this.

    If you lost your DC, anything requiring AD would not work. I might also post here: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=581&SiteID=17

  • The second one also needs to be a global catalog server. By running dcpromo, you made the second system a domain controller, but making it a global catalog server is a manual process. The first DC in a domain is automatically a global catalog server, but every one after that you'll have to do yourself.

    Configuring a Global Catalog Server

    As to the why:

    Troubleshooting Logon Problems

    K. Brian Kelley
    @kbriankelley

  • Steve,

    Thank you for your help.

    I read and asked around, and that is why I am asking here as a last resort (I know this is not 100% SQL Server related). I thought that when you had another domain controller on the network, if the first one went down, the second one would take over the requests...

    Thank you

    MBA


  • Brian,

    Thank you very much!!! Those links helped a lot. I just have one question:

    In the active directory sites and services, under servers, I have DC1, Exchange1 and DC2.

    Under NTDS Settings of DC1, the Global catalogue check box is checked but not under the DC2 NTDS Settings. Is it as easy as checking the box under the DC2 and then both servers will be global catalog?

    Thank you

    MBA


    You also want to ensure that the second DC has DNS installed and ensure all of your member machines have the IP of the second DC set as the secondary DNS server in the TCP/IP properties. For the workstations this can be configured via DHCP; for statically assigned clients (member servers) you will need to configure this manually. Active Directory integrated DNS zones are recommended as well.

    And to answer your question about the check mark for GC promotion, YES just check the box in Sites and Services. You can then verify the successful promotion of the DC to GC in the event logs for Directory Service.

    Ensuring the second DC has DNS installed and is a GC should allow for continued functionality in the event DC1 is taken down.
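The checks the two posts above describe (is every DC a global catalog, does each DC run the DNS Server service, and do the clients list both DCs as DNS servers) can be scripted. The following PowerShell is an added example, not code from this thread or from any of the posters; it assumes PowerShell 2.0 or later, that it runs on a domain member as a domain admin, and that WMI is reachable on the DCs. It uses the .NET 2.0 directory classes so no AD module is needed, and the DC names come from the domain itself rather than being hard-coded to DC1 and DC2.

```powershell
# Added example, not code from the thread: inventory of the domain's DCs, whether
# each one is a global catalog, whether each runs the DNS Server service, and
# whether this machine's own DNS client list points at more than one DC.
# Assumptions: PowerShell 2.0+, run on a domain member as a domain admin, WMI
# reachable on every DC.

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest  = $domain.Forest
$gcNames = @($forest.FindAllGlobalCatalogs() | ForEach-Object { $_.Name.ToLower() })

Write-Host ("Domain: {0}   PDC emulator: {1}" -f $domain.Name, $domain.PdcRoleOwner.Name)

$dcReport = @()
foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name.ToLower()
    # The DNS Server service is registered as 'DNS'; no such service means DNS is not installed.
    $svc = Get-WmiObject Win32_Service -ComputerName $dc.Name -Filter "Name='DNS'" `
               -ErrorAction SilentlyContinue
    $dnsState = if ($svc) { $svc.State } else { 'not installed' }
    $dcReport += New-Object PSObject -Property @{
        DC            = $name
        Site          = $dc.SiteName
        GlobalCatalog = ($gcNames -contains $name)
        DnsService    = $dnsState
    }
}
$dcReport | Format-Table DC, Site, GlobalCatalog, DnsService -AutoSize

$gcCount  = @($dcReport | Where-Object { $_.GlobalCatalog }).Count
$dnsCount = @($dcReport | Where-Object { $_.DnsService -eq 'Running' }).Count
if ($gcCount -lt 2) {
    Write-Warning "Only $gcCount global catalog server(s): logons that need a GC have nowhere to go while it reboots."
}
if ($dnsCount -lt 2) {
    Write-Warning "Only $dnsCount DC(s) run DNS Server: name resolution has a single point of failure."
}

# Resolve every DC to its addresses so the client-side list can be matched by IP.
$dcIps = @()
foreach ($dc in $domain.DomainControllers) {
    $dcIps += [System.Net.Dns]::GetHostAddresses($dc.Name) | ForEach-Object { $_.ToString() }
}

# Compare this machine's configured DNS servers (DHCP option 6 or static) against the DC list.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE"
foreach ($nic in $nics) {
    $servers  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    $dcListed = @($servers | Where-Object { $dcIps -contains $_ })
    Write-Host ("{0}: DNS servers = {1}" -f $nic.Description, ($servers -join ', '))
    if ($dcListed.Count -lt 2) {
        $msg = "{0}: only {1} DC(s) in the DNS client list; add the second DC as secondary " +
               "(DHCP scope option 6 for workstations, static settings for member servers)."
        Write-Warning ($msg -f $nic.Description, $dcListed.Count)
    }
}
```

Run it on a workstation to see what DHCP handed out, and on a member server (such as the SQL Server boxes) to see the static list; a server that only lists DC1 will lose name resolution, and with it Kerberos and AD-authenticated connections, the moment DC1 reboots.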

  • ensure the virtual DC's clock is constantly in sync otherwise it could become orphaned from the domain

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • sean.mcneill (12/15/2008)


    You also want to ensure that the second DC has DNS installed and ensure all of your member machines have the IP of the second DC set as the secondary DNS server in the TCP/IP properties. For the workstations this can be configured via DHCP; for statically assigned clients (member servers) you will need to configure this manually. Active Directory integrated DNS zones are recommended as well.

    And to answer your question about the check mark for GC promotion, YES just check the box in Sites and Services. You can then verify the successful promotion of the DC to GC in the event logs for Directory Service.

    Ensuring the second DC has DNS installed and is a GC should allow for continued functionality in the event DC1 is taken down.

    DNS depends. If you're doing Active Directory integrated DNS (I assume that's the case with the OP), what you've said is correct. It's recommended by MS, but is not the right choice in all situations. 🙂

    K. Brian Kelley
    @kbriankelley

  • Perry Whittle (12/15/2008)


    ensure the virtual DC's clock is constantly in sync otherwise it could become orphaned from the domain

    This should be taken care of automatically thanks to the Windows Time service. The first DC (assuming it's holding the role of PDC emulator) should be set up to sync time from an authoritative source using the net time /setsntp command from the command prompt. Other DCs, unless there is an issue, should have their time source as blank, meaning they will sync with the PDC emulator. Your time window, by default, is 5 minutes, because that's the default setting for Kerberos timestamp.

    K. Brian Kelley
    @kbriankelley
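The time hierarchy described above (PDC emulator syncs from an external source, every other DC follows the PDC emulator, 5-minute Kerberos tolerance) can be verified rather than assumed. This PowerShell is an added example, not code from the thread or from the posters; it assumes PowerShell 2.0 or later, a domain admin account, and that WMI and the Remote Registry service are reachable on every DC. The Type and NtpServer values it reads are the W32Time parameters under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters; the 5-minute threshold is the default Kerberos clock-skew tolerance the post mentions.

```powershell
# Added example, not code from the thread: compares each DC's clock with the PDC
# emulator's and reports the W32Time client settings on every DC.
# Assumptions: PowerShell 2.0+, domain admin, WMI and Remote Registry reachable on
# each DC.

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc     = $domain.PdcRoleOwner.Name
$maxSkew = [TimeSpan]::FromMinutes(5)   # Kerberos default clock-skew tolerance

# Remote clock in UTC, returned as an offset from this machine's clock at sample time,
# so time zones and the sampling delay cancel out when two offsets are subtracted.
function Get-ClockOffset([string]$computer) {
    $os          = Get-WmiObject Win32_OperatingSystem -ComputerName $computer
    $remoteLocal = $os.ConvertToDateTime($os.LocalDateTime)
    # CurrentTimeZone is the remote machine's offset from UTC in minutes.
    $remoteUtc   = $remoteLocal.AddMinutes(-1 * [int]$os.CurrentTimeZone)
    return $remoteUtc - [DateTime]::UtcNow
}

# W32Time parameters: Type is NT5DS (domain hierarchy), NTP (manual peer list),
# NoSync or AllSync; NtpServer is the manual peer list, if any.
function Get-W32TimeConfig([string]$computer) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
    $cfg  = New-Object PSObject -Property @{
        Type      = $key.GetValue('Type')
        NtpServer = $key.GetValue('NtpServer')
    }
    $key.Close(); $hklm.Close()
    return $cfg
}

$pdcOffset = Get-ClockOffset $pdc
foreach ($dc in $domain.DomainControllers) {
    $cfg   = Get-W32TimeConfig $dc.Name
    $skew  = (Get-ClockOffset $dc.Name) - $pdcOffset
    $isPdc = ($dc.Name -eq $pdc)
    Write-Host ("{0,-30} skew vs PDC: {1,8:N1}s  Type={2}  NtpServer={3}" -f `
                $dc.Name, $skew.TotalSeconds, $cfg.Type, $cfg.NtpServer)

    if ([Math]::Abs($skew.TotalSeconds) -gt $maxSkew.TotalSeconds) {
        Write-Warning "$($dc.Name) is outside the $($maxSkew.TotalMinutes)-minute Kerberos window; authentication involving it will fail."
    }
    # The PDC emulator should point at an external source (Type=NTP with a peer list);
    # every other DC should follow the domain hierarchy (NT5DS), not a host or a fixed peer.
    if ($isPdc -and $cfg.Type -ne 'NTP') {
        Write-Warning "PDC emulator $pdc is not an NTP client of an external source (Type=$($cfg.Type))."
    } elseif (-not $isPdc -and $cfg.Type -ne 'NT5DS') {
        Write-Warning "$($dc.Name) has Type=$($cfg.Type); non-PDC DCs should use NT5DS."
    }
}
```

Run it after DC2 has been up for a while, not right after a reboot: a virtual DC that takes its time from the host at start-up can show a large skew that the Windows Time service later corrects, and the script only tells you what the skew is now.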

  • Greetings,

    Guys, thank you very much again for your help! It brought me on the right way very fast.

    I have another thread of questions:

    I figured out there is a DNS server on DC1 and on the Exchange server (the DNS Server service is running on both and there is a DNS entry in Administrative Tools).

    I know the DNS on DC1 is the primary because it shows up with ipconfig /all. How do I enable or verify that the DNS on the Exchange server is the secondary DNS? I checked in the DHCP tool and I don't see anything except under Properties/DNS, where there is a checkbox checked for "Enable DNS dynamic updates according to the settings below" and a checkbox for discarding A and PTR records when the lease is deleted.

    Thank you again guys for your help! I am learning a lot and you make it a lot easier.

    MBA


  • When you look at the DNS server on the DC, what are the name servers (NS records) listed for the domain? If one is your Exchange Server, it's a secondary DNS server. You'll need to verify it's actually got the domain on its side after you check that.

    K. Brian Kelley
    @kbriankelley
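Listing the NS records is the first half of the check above; the second half is confirming that each host listed as a name server actually exists and answers for the zone, since a stale record (a decommissioned box) or a wrong one (a machine running only the DNS client) sends resolvers to a host that cannot respond. The following PowerShell is an added example, not code from the thread; it assumes nslookup.exe is available (it is on every Windows version), that the script runs on a domain member, and it takes the zone name from the machine's own domain membership. The output patterns it matches ("nameserver =", "primary name server", "timed out") are the strings Windows nslookup prints.

```powershell
# Added example, not code from the thread: lists the NS records published for the AD
# domain, then checks whether each listed name server still resolves and actually
# answers an SOA query for the zone.
# Assumptions: domain member, nslookup.exe on the path, PowerShell 2.0+.

$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

# Parse "contoso.local  nameserver = dc1.contoso.local" lines out of nslookup's output.
function Get-DomainNameServers([string]$zone) {
    $out = & nslookup -type=NS $zone 2>&1 | Out-String
    $ns  = @()
    foreach ($m in [regex]::Matches($out, 'nameserver\s*=\s*(\S+)')) {
        $ns += $m.Groups[1].Value.TrimEnd('.').ToLower()
    }
    return $ns | Sort-Object -Unique
}

# Ask one specific server for the zone's SOA; a host that runs only the DNS client
# times out, and a DNS server that does not hold the zone cannot give an authoritative answer.
function Test-NameServer([string]$server, [string]$zone) {
    $result = New-Object PSObject -Property @{
        Server = $server; Resolves = $false; AnswersDns = $false; Detail = ''
    }
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($server)
        $result.Resolves = ($ips.Length -gt 0)
    } catch {
        $result.Detail = 'name does not resolve (stale NS record?)'
        return $result
    }
    $out = & nslookup -type=SOA $zone $server 2>&1 | Out-String
    if ($out -match "timed[ -]out|No response|can't find|refused") {
        $result.Detail = 'host exists but does not answer DNS for the zone'
    } elseif ($out -match 'primary name server') {
        $result.AnswersDns = $true
        $result.Detail = 'ok'
    } else {
        $result.Detail = 'unexpected nslookup output; check manually'
    }
    return $result
}

$servers = @(Get-DomainNameServers $domainName)
Write-Host "NS records for $domainName : $($servers -join ', ')"
$report = foreach ($s in $servers) { Test-NameServer $s $domainName }
$report | Format-Table Server, Resolves, AnswersDns, Detail -AutoSize

$bad = @($report | Where-Object { -not $_.AnswersDns })
if ($bad.Count -gt 0) {
    $msg = "{0} NS record(s) point at hosts that cannot serve the zone; remove them in the DNS " +
           "console and add an NS record for each DC that runs DNS Server."
    Write-Warning ($msg -f $bad.Count)
}
```

In the situation described in this thread the report would show three rows: DC1 answering, the vanished server failing to resolve, and the terminal server resolving but timing out. The cleanup is in the DNS console on DC1 (the zone's Name Servers tab), and once DNS Server is installed on DC2 and the zone is AD-integrated, DC2 should appear there as well.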

  • Greetings,

    There are 3 NS records:

    DC1

    One that no longer exists on the network

    and our terminal server (doh!!!!), but there is no DNS Server service on it, just the DNS client

    Exchange is listed as MX

    I have been at this company for only 7 weeks, by the way.

    Thank you

    MBA


  • K. Brian Kelley (12/15/2008)


    This should be taken care of automatically thanks to the Windows Time service. The first DC (assuming it's holding the role of PDC emulator) should be set up to sync time from an authoritative source using the net time /setsntp command from the command prompt. Other DCs, unless there is an issue, should have their time source as blank, meaning they will sync with the PDC emulator. Your time window, by default, is 5 minutes, because that's the default setting for Kerberos timestamp.

    in an ideal world yes, but DC2 is a virtual server and if that picks its time up from the host you're in trouble

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Perry Whittle (12/15/2008)


    K. Brian Kelley (12/15/2008)


    This should be taken care of automatically thanks to the Windows Time service. The first DC (assuming it's holding the role of PDC emulator) should be set up to sync time from an authoritative source using the net time /setsntp command from the command prompt. Other DCs, unless there is an issue, should have their time source as blank, meaning they will sync with the PDC emulator. Your time window, by default, is 5 minutes, because that's the default setting for Kerberos timestamp.

    in an ideal world yes, but DC2 is a virtual server and if that picks its time up from the host you're in trouble

    True. On start-up it likely will, but after that it should keep its own time. We've had that problem.

    K. Brian Kelley
    @kbriankelley

    Sounds like you only have one active DNS server in your environment. I repeat my recommendation to install DNS on DC2.

    For the DHCP settings, check the scope options: you will see that you can configure DNS servers there. Add the IP address of DC2 as the second DNS server so the clients will use DC2 when DC1 is unavailable.
