DC and DHCP question(s)

Discussion in 'Server Networking' started by Dan, Jan 31, 2005.

  1. Dan

    Dan Guest

    I have a network w/ 5 win2k3 servers.

    server1 roles are DC, DNS, DHCP
    server2 roles are DC (backup I hope), DNS, WINS, File/Print Sharing
    server3 roles Exchange server
    server4 roles Application Server, Terminal Services License Server
    server5 roles Terminal Services.

    The reason for DC on server1 and server2 of course was backup. I don't know
    if this works in Win2k3 or not but what the hey. My questions are:
    1. does this look like a valid setup?
    2. for backup on DHCP should I run DHCP on another server and split the
    scopes between the two?
    3. Should I only have one DC/DHCP/DNS server and hope to hell it never goes
    down?

    Dan
     
    Dan, Jan 31, 2005
    #1

  2. It looks fine, but I usually run DNS, DHCP, and WINS on both DCs for
    complete failover redundancy. The DHCPs are configured identically other
    than the Exclusions. Each DHCP gives out half of my available addresses. A
    single DHCP can take over full duties by simply adjusting the Exclusions.
    The two WINS replicate to each other, but it would work even if they didn't
    because both WINS Services and both DNS Services are listed in the Client's
    network settings (included in the Scope for DHCP Clients), so if it cannot
    connect to the first one it will drop down to the second one.
     
    Phillip Windell, Jan 31, 2005
    #2

  3. Dan

    Dan Guest

    On the DHCP's: do you set them up as follows:

    server1 range 192.168.1.1 to 192.168.1.254 and exclude 192.168.1.129 to
    192.168.1.254
    server2 range 192.168.1.1 to 192.168.1.254 and exclude 192.168.1.1 to
    192.168.1.128
    (of course excluding other static IPs)

    or set the range to one half of the IPs and exclude only statics, e.g.
    server1 range 192.168.1.1 to 192.168.1.128 and exclude statics
    server2 range 192.168.1.128 to 192.168.1.254 and exclude statics

    Dan
     
    Dan, Jan 31, 2005
    #3
  4. The only other thing I would probably do would be to make your server2 a
    Global Catalogue server as well.

    My understanding is, and I've seen in practice :(, if you don't have a
    second GC, then if your primary goes down you have lost all of that info and
    essentially have to rebuild your domain.

    Andrew
     
    Andrew Austen, Jan 31, 2005
    #4
  5. Dan

    Dan Guest

    Global Catalogue.......What's that....That's the first I've heard of it. :(

    I searched "Help and Support" and returned 0 results.

    Where is that set up in?

    Dan
     
    Dan, Jan 31, 2005
    #5
  6. Dan,

    Please do not misunderstand this: if you are running a network with five
    Servers and you do not know what a Global Catalog is ( and have never heard
    of it ) then I might suggest that you do some serious reading!

    In your post you are not clear on some very basic concepts. Again, please
    do not misunderstand me. It is not my intention to be critical of you ( or
    anyone else, for that matter ). It is just a bit surprising to me that
    someone as 'green' as you is in charge of an AD environment.

    So, let's clean away some of that green-ness! That would be good!

    In Windows 2000 and Windows 2003 there is not really the concept of Primary
    and Backup like there was in Windows NT Server 4.0. You can write to the
    database on any Domain Controller. The database is a file called ntds.dit
    and it is located in C:\windows\ntds in WIN2003 and c:\winnt\ntds in WIN2000
    ( just for your info! ). All of the domain controllers in the Forest ( you
    have domain trees that comprise the forest ) replicate two of the Naming
    Contexts, or Partitions. These two Partitions are the Schema NC and the
    Configuration NC. The Domain Controllers in the same domain will replicate
    the Domain NC. So, what does this replication mean? It means that if you
    create a user account object on DC01 within a few moments it will replicate
    to DC02. AD Replication is based on incoming connection objects. So, in
    the event of two Domain Controllers ( DC01 and DC02 ) you would have two
    incoming connection objects: one coming in from DC02 to DC01 and one coming
    in from DC01 to DC02! One of the cool things about the replication in
    Active Directory is that only the attribute that was changed is replicated.
    In WINNT 4.0 it was the entire 'object' that replicated.

    Furthermore, Active Directory has several FSMO Roles, or Flexible Single
    Master Operations Roles. There are five of them, to be exact. There are
    two Forest-wide roles and three Domain-wide roles. The two Forest-wide
    roles are the Schema Master and the Domain Naming Master. The three
    Forest-wide roles are the PDC Emulator, the RID Master and the
    Infrastructure Master. All of them have specific roles. The major one of
    interest for day-to-day work is the PDC Emulator ( and possibly the RID
    Master ).

    There is also something called a Global Catalog Server. This holds a
    partial replica of all the objects. Okay, so what is this term 'objects' that
    I am using. Well, an object is a user account or a computer account or the
    incoming connection object. Each object has a set of attributes. An
    example of the user account objects attributes ( and the corresponding
    values ) might look something like: cn, first name, last name, display name,
    company, street address, city, state, zip code and mail. The Global Catalog
    Server would hold a partial replica of this. Assuming that the list of
    attributes that I just listed was the exhaustive list for a user account
    object ( clearly not the case ) then the GC would have, for example, the
    first name, the last name, display name and mail only.

    DNS is the major thing in AD. If your DNS is not correctly set up and
    configured then you are going to have a world of fun times! AD needs the
    SRV records to locate services ( such as the Global Catalog Server or a
    Domain Controller ). This must be absolutely correct.

    There is something called Group Policy that really facilitates the life of
    the Administrator. You can make a bunch of settings and deploy a bunch of
    applications through Group Policy. No more going from computer to computer
    to computer to do this. However, DNS must be top notch for this to work. A
    Group Policy object is comprised of two halves: the Group Policy Template
    ( GPT ) that resides in the shared SYSVOL folder and the Group Policy
    Container ( GPC ) that actually resides in Active Directory ( in the Domain
    Naming Context that I mentioned earlier ). Each replicates to the other
    Domain Controllers differently ( the GPT via FRS and the GPC via Active
    Directory Replication ). Additionally, there are two sides to each policy:
    one side affects only computers and one side affects only users.

    This is probably enough for the moment.

    You might want to take a spin over to my web site ( I am still working on
    the activedirectory-win2000.com site and have not even started on the
    grouppolicy-win2000.com site yet....sorry ) for some information.

    If you have any questions please feel free to post them.....you know where
    to reach us.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
     
    Cary Shultz [A.D. MVP], Feb 1, 2005
    #6
  7. There are multiple Exclusions. The first set of Exclusions are the
    "permanent" ones that represent machines with static addresses. Those never
    change no matter what on either DHCP.

    The second set of Exclusions are the ones that divide up the "dynamic"
    address that are given out to clients. They are done so that there is a
    50/50 split of those addresses between the two DHCP servers.
     
    Phillip Windell, Feb 1, 2005
    #7
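    A small model of the two-layer exclusion scheme Phillip describes in #2 and #7, run against both layouts Dan sketched in #3. This is an added example, not code or a tool from the thread: the server names and the static range 192.168.1.1 to 192.168.1.10 are constructed for illustration. It computes the pool each server will actually lease, flags any address that both servers would hand out, reports any dynamic address neither server covers, and shows how much a single survivor serves once its "split" exclusion is removed.

```python
"""Model a two-server split-scope DHCP layout and audit it for overlap.

Added example, not from the thread. Server names and the static range
are constructed values for illustration only.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

IPRange = Tuple[str, str]  # inclusive dotted-quad (start, end)


def expand(rng: IPRange) -> Set[int]:
    """Inclusive range of dotted quads -> set of integer IPv4 addresses."""
    start = int(ipaddress.IPv4Address(rng[0]))
    end = int(ipaddress.IPv4Address(rng[1]))
    if end < start:
        raise ValueError(f"range end before start: {rng}")
    return set(range(start, end + 1))


def dotted(addrs: Set[int]) -> List[str]:
    """Sorted dotted-quad strings for a set of integer addresses."""
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addrs)]


def leasable_pool(cfg: dict, failover: bool = False) -> Set[int]:
    """Addresses one server will actually hand out.

    Two layers of exclusions, as in the thread: 'static' never changes,
    'split' carves the dynamic space between the two servers. In failover
    the surviving server drops its split exclusion and serves everything.
    """
    pool = expand(cfg["range"])
    for ex in cfg["static"]:
        pool -= expand(ex)
    if not failover:
        for ex in cfg["split"]:
            pool -= expand(ex)
    return pool


def audit(config: Dict[str, dict]) -> dict:
    """Pool sizes, addresses two servers would both lease, and dynamic
    addresses nobody leases."""
    pools = {name: leasable_pool(cfg) for name, cfg in config.items()}
    names = list(pools)
    overlap: Set[int] = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap |= pools[a] & pools[b]
    # Dynamic space = union of all scope ranges minus every static exclusion.
    dynamic: Set[int] = set()
    for cfg in config.values():
        dynamic |= expand(cfg["range"])
    for cfg in config.values():
        for ex in cfg["static"]:
            dynamic -= expand(ex)
    covered: Set[int] = set().union(*pools.values())
    return {
        "pool_sizes": {n: len(p) for n, p in pools.items()},
        "overlap": dotted(overlap),
        "uncovered": dotted(dynamic - covered),
    }


SCOPE: IPRange = ("192.168.1.1", "192.168.1.254")
STATIC: List[IPRange] = [("192.168.1.1", "192.168.1.10")]  # constructed

# Dan's first layout: full range on both, split by exclusions (Phillip's way).
OPTION_ONE = {
    "server1": {"range": SCOPE, "static": STATIC,
                "split": [("192.168.1.129", "192.168.1.254")]},
    "server2": {"range": SCOPE, "static": STATIC,
                "split": [("192.168.1.1", "192.168.1.128")]},
}
# Dan's second layout: half range on each. Note .128 appears in both ranges.
OPTION_TWO = {
    "server1": {"range": ("192.168.1.1", "192.168.1.128"),
                "static": STATIC, "split": []},
    "server2": {"range": ("192.168.1.128", "192.168.1.254"),
                "static": STATIC, "split": []},
}

if __name__ == "__main__":
    for label, cfg in (("option one", OPTION_ONE), ("option two", OPTION_TWO)):
        print(label, audit(cfg))
    survivor = leasable_pool(OPTION_ONE["server1"], failover=True)
    print("server1 alone, split exclusion removed:", len(survivor), "addresses")
```

    Running it shows why the exclusion approach is easier to keep straight: option one leaves no overlap and no gap, while option two's half-ranges meet at 192.168.1.128, which both servers would lease. A duplicate-address lease is exactly the fault a quick audit like this catches before clients do.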
  8. It is not that drastic and you don't have to rebuild anything. You would
    just set the other one to a GC and that is all,...the data will rebuild.
    Although it is "recommended" to only have one GC and no multiples,...I do
    still have both my DCs set as GC Servers as you described.
     
    Phillip Windell, Feb 1, 2005
    #8
  9. :(

    Go into "Active Directory Sites and Services",.. then:

    Sites->[Site Name]->Servers->[each server name]->NTDS Settings

    Go to properties of the NTDS Settings and enable or disable the Global
    Catalog Option.
     
    Phillip Windell, Feb 1, 2005
    #9
  10. Dan

    Dan Guest

    Thanks Cary,

    And you guessed it, I am quite green. I had training on NT 3.5 way back when
    I was primarily a Unix Admin. With NT training of course I have carried the
    concepts forward. I have been out of the computing arena for many years and
    got back in after 9/11. Of course in my current job we have a Unix server
    but also SBS2K which is one server all menu driven... too easy for my
    tastes. Growth has moved us to win2k3 and multiple servers. Trying to
    schedule classes now but newsgroups have been very helpful.

    Tks for the write-up....This one goes in my files

    Dan
     
    Dan, Feb 1, 2005
    #10
  11. Phillip,

    I am not so sure that it is accurate when you stated that it is not
    recommended to have more than one Global Catalog. I think that most people
    in this News Group would suggest that you make all of your Domain
    Controllers also Global Catalog Servers. Well, in a single domain Forest,
    anyway. When you get into more complicated environments ( multiple domains,
    multiple Sites ) you need to really pay attention to this. But in such a
    simple set up it is recommended to make all of your Domain Controllers a GC.

    Just my $0.02....

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
     
    Cary Shultz [A.D. MVP], Feb 4, 2005
    #11
  12. You might want to take a spin over to the Webcasts ( webotopia, as my wife
    calls it! ) for the 14-week webcasts on Group Policy. They really get into
    it. I would suggest this. There are also webcasts for Active Directory
    replication ( and just about everything else ).

    Here are a couple of links:

    http://www.microsoft.com/seminar/events/series/grouppolicy.mspx

    http://support.microsoft.com/Default.aspx?id=325542
    http://support.microsoft.com/?id=325531
    http://support.microsoft.com/?id=325534
    http://support.microsoft.com/?id=325513

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com
     
    Cary Shultz [A.D. MVP], Feb 4, 2005
    #12
  13. > people in this News Group would suggest that you make all of your Domain
    They might. But that isn't the way it was supposed to be. I have never seen
    it recommended. MS Product Support described this to me while working on a
    situation with them. There is supposed to be one GCS per domain,...but if
    the Domain contains an Exchange Server, then they recommend two GCSs because
    Exchange depends on it heavily.

    Having many GCSs on a domain can leave you with a lot of warnings in the
    event logs, although they never went into details on what that was and I
    never asked.

    I have Exchange and 2 DCs,...they are both GCSs.
     
    Phillip Windell, Feb 4, 2005
    #13
  14. Dan

    ptwilliams Guest

    Whoever told you that is misinformed to say the least!

    You need at least one GC per site. You should have a minimum of two in your
    enterprise (for small enterprises; more in large scale deployments).

    In single-domain environments, they're still used even though they're not
    really needed -thus, make all DCs GCs.

    In multi-domain environments they are essential. Too few and you'll know
    it...slow logons, searches, etc.

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

    > > people in this News Group would suggest that you make all of your Domain
    > They might. But that isn't the way it was supposed to be. I have never seen
    > it recommended. MS Product Support described this to me while working on a
    > situation with them. There is supposed to be one GCS per domain,...but if
    > the Domain contains an Exchange Server, then they recommend two GCSs because
    > Exchange depends on it heavily.
    >
    > Having many GCSs on a domain can leave you with a lot of warnings in the
    > event logs, although they never went into details on what that was and I
    > never asked.
    >
    > I have Exchange and 2 DCs,...they are both GCSs.
     
    ptwilliams, Feb 4, 2005
    #14
  15. Dan

    Todd J Heron Guest

    And just to add - never make the Infrastructure Master a GC in a
    multi-domain (single forest) environment!
     
    Todd J Heron, Feb 4, 2005
    #15
  16. Cary Shultz [A.D. MVP], Feb 5, 2005
    #16
  17. No they weren't. Todd and Cary just described it in the next posts. This
    is what they were talking about,...I didn't remember any details of it until
    I saw Todd & Cary's response.
     
    Phillip Windell, Feb 7, 2005
    #17
  18. Dan

    ptwilliams Guest

    ptwilliams, Feb 7, 2005
    #18
  19. Dan

    ptwilliams Guest

    The IM/ GC conflict is a small one - it is only valid if you have a
    multi-domain forest and not all DCs are GCs. In this case, you have to make
    sure that the IM and GC are not on the same box.

    This doesn't mean that you should only have one GC. Far from it actually,
    you just have to ensure that the two roles don't reside on the same box. If
    the forest is a single domain, then this isn't an issue; as is the case if
    every DC is a GC.
    -- http://www.msresource.net/content/view/14/46/


    That needs updating to better explain the issue around the phantom objects,
    but it still illustrates the point.

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

    > No they weren't. Todd and Cary just described it in the next posts. This
    > is what they were talking about,...I didn't remember any details of it until
    > I saw Todd & Cary's response.
     
    ptwilliams, Feb 7, 2005
    #19
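    The placement rule Todd (#15) and Paul (#19) describe is easy to state and easy to get wrong across several domains, so here it is written out as a configuration check. This is an added example, not code from the thread or from any Microsoft tool; the forest and DC names are constructed, and the check takes its inventory as plain data rather than querying a live directory. One assumption not spelled out in the thread: "not all DCs are GCs" is evaluated within the Infrastructure Master's own domain.

```python
"""Check Infrastructure Master vs Global Catalog placement, as discussed in the thread.

Added example, not from the thread. Domain and DC names are constructed.
Rule modelled: in a multi-domain forest, a domain's Infrastructure Master
must not be a GC unless every DC in that domain is a GC. Single-domain
forests are never affected.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DomainController:
    name: str
    is_gc: bool


@dataclass
class Domain:
    name: str
    infrastructure_master: str          # name of the DC holding the IM role
    dcs: List[DomainController]


def non_gc_candidates(dom: Domain) -> List[str]:
    """DCs in the domain that could hold the IM role without conflict."""
    return [dc.name for dc in dom.dcs if not dc.is_gc]


def im_gc_findings(forest: List[Domain]) -> List[str]:
    """One finding per domain where the IM/GC placement rule is violated."""
    findings: List[str] = []
    if len(forest) < 2:
        return findings                 # single-domain forest: rule does not apply
    for dom in forest:
        if all(dc.is_gc for dc in dom.dcs):
            continue                    # every DC is a GC: no conflict possible
        im: Optional[DomainController] = next(
            (dc for dc in dom.dcs if dc.name == dom.infrastructure_master), None)
        if im is None:
            findings.append(
                f"{dom.name}: Infrastructure Master {dom.infrastructure_master} "
                f"is not a DC of this domain")
        elif im.is_gc:
            findings.append(
                f"{dom.name}: Infrastructure Master {im.name} is also a GC while "
                f"other DCs are not; move the role to one of "
                f"{non_gc_candidates(dom)} or make every DC a GC")
    return findings


# Constructed inventories (placeholder names, not real environments).
# Dan's layout: single domain, two DCs, both GCs.
DANS_FOREST = [
    Domain("corp.example", "server1",
           [DomainController("server1", True), DomainController("server2", True)]),
]
# Two domains, every DC a GC: fine.
MULTI_ALL_GC = [
    Domain("corp.example", "dc1",
           [DomainController("dc1", True), DomainController("dc2", True)]),
    Domain("child.corp.example", "cdc1",
           [DomainController("cdc1", True), DomainController("cdc2", True)]),
]
# Two domains; in corp.example the IM holder is a GC but dc2 is not: finding.
# In the child domain the IM sits on the non-GC cdc2: no finding.
MULTI_BAD = [
    Domain("corp.example", "dc1",
           [DomainController("dc1", True), DomainController("dc2", False)]),
    Domain("child.corp.example", "cdc2",
           [DomainController("cdc1", True), DomainController("cdc2", False)]),
]

if __name__ == "__main__":
    for label, forest in (("Dan's forest", DANS_FOREST),
                          ("multi, all GC", MULTI_ALL_GC),
                          ("multi, mixed", MULTI_BAD)):
        print(label, "->", im_gc_findings(forest) or "no findings")
```

    The two early returns carry the whole argument from the thread: a single-domain forest never triggers the rule, and a domain where every DC is a GC cannot either, so Dan's two-GC setup passes; only a mixed domain in a multi-domain forest with the IM on a GC is reported, together with the non-GC DCs the role could move to.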
  20. That may be, but all I am saying is that the issue does exist and the OP
    should be aware of it.
    I run two DCs,...both are GCs.
     
    Phillip Windell, Feb 7, 2005
    #20