Networking - Domain Failover
Any administrator who has had the privilege of an unrecoverable, utterly crashed Domain Controller knows how it feels when the hornets' nest of users comes buzzing ... "ring ring ring banana phone". I'm going to talk about setting up a secondary Windows Server to prevent, or at least reduce, the amount of downtime.
Disclaimer: This is for reference purposes only; do not use on a production system. The following tutorial assumes knowledge of networking and systems administration.
Acronyms/Terms
PDC - Primary Domain Controller
BDC - Backup Domain Controller
AD - Active Directory
GC - Global Catalog (Ability to Authenticate Users)
IP, GW, DNS, DHCP - general networking terms
Domain Failover Overview (fig. 1)
Note: Before configuring AD and DNS on the BDC it is a good idea to clean house and remove old/obsolete users and DNS settings from the PDC.
The first step is to configure the BDC and add it to your domain as a workstation. Once you have done this, log in, run dcpromo and add it as an additional domain controller (BDC) (ref fig. 2).
Configuring Active Directory (fig. 2)
Note: If you need to demote the BDC and it will not demote via dcpromo, make sure that your DNS settings are correct (use ping to check); as a last resort run dcpromo /forceremoval.
After the server (BDC) has rebooted, log in and open the Active Directory Sites and Services MMC, find your BDC in the list, right-click NTDS Settings (Properties) and check Global Catalog. This allows the BDC to authenticate users (ref fig. 3).
Configuring Global Catalog (fig. 3)
The next step is to configure DNS on the BDC: create forward and reverse zones, allow only secure updates, and allow replication from the PDC (ref fig. 4).
Note: You do not need to add DNS forwarders (for example your ISP's DNS); the server will still resolve internet names using the root name servers.
Configuring DNS (fig. 4)
After you have set up AD and DNS, change the TCP/IP DNS settings on the BDC (point to yourself) and do a quick check that you can resolve the PDC, the BDC, and a random internet address.
Backup Domain Controller TCP/IP Settings (Example)
IP: 10.22.55.52 - 53
GW 10.22.55.1
DNS1: 10.22.55.52
DNS2: 10.22.55.53
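The "quick check" above, and the Global Catalog setting from fig. 3, can both be verified from a PowerShell prompt on the BDC. The script below is an added example and not part of the original tutorial; it assumes the DnsClient and ActiveDirectory (RSAT) modules are available, uses the tutorial's DNS1/DNS2 addresses and the host names PDC and BDC, and stands in www.example.com for the "random internet address".

```powershell
# Added example (not from the original tutorial): verify that each DNS server the BDC
# points at answers for the PDC, the BDC and an internet name, and that the BDC is a GC.
# Assumes the DnsClient and ActiveDirectory modules are present on the BDC.
$Servers = @('10.22.55.52', '10.22.55.53')      # DNS1 / DNS2 from the BDC TCP/IP settings
$Names   = @('PDC', 'BDC', 'www.example.com')  # example.com stands in for a random internet name

foreach ($srv in $Servers) {
    foreach ($n in $Names) {
        try {
            $r = Resolve-DnsName -Name $n -Server $srv -Type A -ErrorAction Stop
            $addrs = ($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
            Write-Host "[OK]   $srv resolves $n -> $addrs"
        } catch {
            # A failure here means clients using this server will not find the DC either.
            Write-Warning "[FAIL] $srv could not resolve $n : $($_.Exception.Message)"
        }
    }
}

# Confirm the Global Catalog checkbox under NTDS Settings (fig. 3) actually took effect:
# IsGlobalCatalog must be True for the BDC or it cannot authenticate users on its own.
Import-Module ActiveDirectory
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
```

Run it once with both servers up and keep the output; if a name resolves via 10.22.55.52 but not via 10.22.55.53, replication of the zone to the BDC (fig. 4) is not working and the failover will not hold.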
The next step is to configure DHCP. You will need an IP range that fits your network; for example, with 40 workstations a DHCP range of 50 addresses will work. The scopes that I will use in this example are:
Scope A (PDC) 10.22.55.100 - 149
Scope B (BDC) 10.22.55.150 - 199
When you set up the secondary DHCP server, make sure you set conflict detection attempts to 3. This introduces a delay so that the PDC should hand out the DHCP settings first; if it does not, the failover BDC will hand out the DHCP settings. (ref fig. 5)
Another option is to create an identical DHCP scope and settings that mirror the PDC, and set conflict detection on both the PDC and BDC servers.
Configuring DHCP (fig. 5)
The BDC DHCP server should also hand out the GW and DNS IPs to the BDC only. Example client settings (ref fig. 1).
Note: You can still set reservations on the secondary DHCP server.
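The same Scope B configuration from fig. 5, including the conflict detection setting and a reservation, can be scripted with the DhcpServer module instead of the MMC. This is an added example, not the tutorial's own procedure; it assumes the DHCP Server role is already installed on the BDC, uses the tutorial's 10.22.55.0/24 addresses, and the domain name, reservation MAC and host name are constructed placeholders.

```powershell
# Added example (not from the original tutorial): build Scope B on the BDC with the
# DhcpServer module. Assumes the DHCP Server role is installed on this server.
Import-Module DhcpServer

$ScopeId   = '10.22.55.0'
$Gateway   = '10.22.55.1'
$DnsSrvs   = @('10.22.55.52', '10.22.55.53')   # DNS1 / DNS2 from the tutorial (PDC first)
$DnsDomain = 'corp.example.local'              # assumed domain name; not in the tutorial

# Scope B is the BDC's half of the pool, so the two servers never offer the same lease.
Add-DhcpServerv4Scope -Name 'Scope B (BDC)' `
    -StartRange '10.22.55.150' -EndRange '10.22.55.199' `
    -SubnetMask '255.255.255.0' -State Active

# Hand out the gateway and both DNS servers (the client settings in fig. 1).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Gateway `
    -DnsServer $DnsSrvs -DnsDomain $DnsDomain

# Three conflict-detection pings before every offer: the extra delay lets the PDC answer
# first while it is up, and the BDC still answers when the PDC is gone.
Set-DhcpServerSetting -ConflictDetectionAttempts 3

# Reservations work on the secondary server too (constructed MAC and name).
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress '10.22.55.160' `
    -ClientId '00-11-22-33-44-55' -Name 'printer01' -Description 'constructed example'

# Authorize this server in AD (domain clients ignore unauthorized DHCP servers), then verify.
Add-DhcpServerInDC
Get-DhcpServerSetting | Select-Object ConflictDetectionAttempts
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, StartRange, EndRange, State -AutoSize
```

If you prefer the mirrored-scope option mentioned above, run the same script on the PDC with Scope A's range and ConflictDetectionAttempts set on both servers, so neither can hand out an address the other has already leased.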
So that's about it. The only thing left is to set up file synchronization PDC -> BDC and reconfigure your logon script to mount the network shares on the BDC, for example:
net use X: \\BDC\share1
net use Y: \\BDC\share2
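The two net use lines above map the drives to the BDC unconditionally. As an added example (not the tutorial's own script), the PowerShell logon script below generalises them: it prefers the PDC copy of each share while the PDC is reachable and falls back to the synchronized BDC copy when it is not, so the same script works before and after a failover. Server names PDC and BDC and share names share1/share2 are the tutorial's example values.

```powershell
# Added example (not from the original tutorial): logon script that maps the tutorial's
# X: and Y: drives, preferring the PDC and falling back to the BDC.
$Mappings = @(
    @{ Drive = 'X:'; Share = 'share1' },
    @{ Drive = 'Y:'; Share = 'share2' }
)
$Servers = @('PDC', 'BDC')   # preference order: primary first, failover second

foreach ($m in $Mappings) {
    $target = $null
    foreach ($s in $Servers) {
        # Test-Path against the UNC path tells us whether this server is actually serving the share.
        if (Test-Path -Path "\\$s\$($m.Share)") { $target = "\\$s\$($m.Share)"; break }
    }
    if (-not $target) {
        Write-Warning "No server offers $($m.Share); leaving $($m.Drive) unmapped"
        continue
    }
    # Remove a stale mapping (e.g. one still pointing at the dead PDC) before remapping.
    net use $m.Drive /delete /y 2>$null | Out-Null
    net use $m.Drive $target /persistent:no | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "$($m.Drive) -> $target" }
    else { Write-Warning "net use failed for $($m.Drive) ($target)" }
}
```

Because the synchronization in this setup runs PDC -> BDC only, anything users write to the BDC shares during an outage has to be copied back once the PDC returns; otherwise the next sync overwrites it.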
Scenario
Let's say the primary domain controller (PDC) went down from a hardware failure at 3 AM. The following morning the users can still log in, because they are using DNS from both the PDC and the BDC; they can access the internet, email, internal applications, etc. However, when they try to access a network share on the PDC they get an error, naturally. The only thing the user needs to do is reboot and log in; the BDC login script will take care of the rest.
Creating IT Harmony
