Active Directory Replication - HELP!

Discussion in 'Software' started by Fluid, Apr 29, 2009.

  1. Fluid (Byte Poster)

    Hi guys,

    I need some help regarding Active Directory replication. What we have is two cores, CORE A and CORE B. CORE A is the primary core and CORE B is the secondary core. We have installed a DC in CORE A, but what we want is for CORE B to take over if the DC in CORE A FAILS. Here is what I had in mind: install the DC in CORE A as a Domain Controller in a new forest, install the DC in CORE B as "Additional Domain in Existing Forest" and then turn the DC in CORE B into a "GLOBAL CATALOGUE".

    Now my question is, how will the replication / cut over be automatic if the FSMO roles can only be on one domain? And how can I make the replication / cut over automatic?

    There are only 2-3 users in the AD but we are using the two users to log into multiple servers simultaneously; this is a must as we are installing specialist software on the servers.

    So if the DC in CORE A fails, CORE B would kick in. Any advice is appreciated.

    Thanks
     
  2. craigie (Terabyte Poster)

    Mate, you should know the answer to this; your profile states you have passed the 70-294.

    DC1 will have the 5 FSMO roles, which are:

    Forest Wide Roles

    Domain Naming Master
    Schema Master

    Pretty much both of these you will not care about unless you want to create a new domain or update the schema.

    Domain Wide Roles

    Infrastructure Master, which is responsible for updating things such as Groups and Group Memberships.
    RID Master, used for giving each new AD object a unique identifier. If this goes down then you won't be able to create new objects.
    PDC Emulator allows users to login from NT4 environments.

    In your scenario, make each DC a Global Catalog, which is not officially an FSMO role. The Global Catalog performs two functions:

    - Allow users to login and authenticate
    - Find the most commonly searched for objects in AD.

    Therefore, when you login, if DC1 is down then the client will go to DC2 for authentication. Naturally you might need to seize the other FSMO roles using NTDSUtil.exe.

    The replication between both DCs will happen automatically as the KCC will map connections between the DCs. I believe object changes are replicated within 15 secs, give or take a couple of secs, unless you place each DC into a different site and subnet, and then you can change the replication schedule.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. Fluid (Byte Poster)

    Hi mate,

    I will need to dig it up, but unfortunately I do not work in server support anymore, haven't worked in server support for over a year and haven't touched servers for a long time. I changed my job and went into Networks / Voice but there isn't anyone else here that can set up a system like this, so I have drawn the first straw :(

    Although I have done my MCSE and MCITP: EA, it feels a bit useless as I can't remember much of it, since I haven't touched the systems!
     
  4. Fluid (Byte Poster)

    Thanks mate, I'm going through the book again!
     
  5. Fluid (Byte Poster)

    Quick question: the book does not state if you can have replication with two DCs under one site. Therefore you don't actually need to create a site link? Correct?
     
  6. craigie (Terabyte Poster)

    You don't need to create a site link; the KCC does this for you in the same site.

    Edit: To check everything is working OK, run dcdiag on each DC. Also go into AD Sites and Services, expand the Servers until you see NTDS Settings, right click in the right hand side pane and choose Replicate Now. If this responds OK, everything should be fine.

    You can also use replmon to monitor replication and lastly check your Event Logs for any issues.

    Hope that helps.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
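    A scripted version of the checks in this post, together with the FSMO / Global Catalog layout craigie set out in post 2, added here as an example and not part of the thread: it assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later, not the 2003/2008 tooling the thread uses) and an account allowed to query both DCs.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (Windows
# Server 2012+) and an account allowed to query both DCs.
Import-Module ActiveDirectory

# FSMO role holders: the two forest-wide and three domain-wide roles from post 2.
# If their holder is permanently lost, the roles are seized on the surviving DC.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# In a single-domain forest every DC should be a Global Catalog; flag any that is not.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    if ($dc.IsGlobalCatalog) {
        Write-Host "$($dc.HostName) in site $($dc.Site) is a Global Catalog"
    } else {
        Write-Warning "$($dc.HostName) is NOT a Global Catalog"
    }

    # Inbound replication, one row per partner and partition. In a healthy two-DC
    # domain both DCs list the same partitions (DomainDnsZones and ForestDnsZones
    # included once AD-integrated DNS runs on both) with zero consecutive failures.
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -Partition * |
        Select-Object Partition,
                      @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      LastReplicationSuccess,
                      ConsecutiveReplicationFailures,
                      LastReplicationResult |
        Format-Table -AutoSize

    # Recorded failures are the scripted equivalent of a failed "Replicate now"
    # or a red entry in replmon.
    $failures = Get-ADReplicationFailure -Target $dc.HostName
    if ($failures) {
        Write-Warning "Replication failures reported by $($dc.HostName):"
        $failures | Format-Table Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize
    }
}
```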
  7. onoski (Terabyte Poster)

    He he :) Right click your DC, expand and right click on ntds_ etc and Replicate Now. Cheerio :)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  8. Fluid (Byte Poster)

    Thanks guys, well it's looking good so far, will run your replication tests and get back. But I still don't understand why I need to make both controllers a global catalog server. I have made the 2nd DC a global cat and removed the first DC from the global cat. Can someone explain why I need two global cats in this DC?

    Thanks
     
  9. danielno8 (Gigabyte Poster)

    EDIT:

    Microsoft Technet

     
    Certifications: CCENT, CCNA
    WIP: CCNP
  10. Triton.Deep (Bit Poster)

    -sums up-

    If you are running a single domain Active Directory forest, then all domain controllers in the entire domain should be global catalog systems. That is official best practice from Microsoft and experienced professionals alike. The question is not, "Why do I need two?" It should be, "Why is two better than one?"

    In a single domain forest, having two global catalog systems provides better performance for your clients and more scalability without sacrificing anything as far as security is concerned. All that logon traffic gets split between the two; if you're running Exchange that means you have two systems to support the Global Address List.

    As far as the FSMO roles are concerned, there are lots of little rules about FSMO role placement. But in a single domain forest, it's generally nitpicking. And keep in mind, as long as you have a DC online and that DC is a global catalog system, you'll be all set. The FSMO roles being gone are not going to have an immediate impact on your systems; you'll have time, probably days, to get them back online.

    So, with that being said, I'll go back to my original statement because it's simple and right:

    If you are running a single domain Active Directory forest, then all domain controllers in the entire domain should be global catalog systems.

    Hope that helps,

    J.
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
  11. Fluid (Byte Poster)

    Hi Lads,

    Thanks, so far everything is working; dcdiag.exe has passed everything and replmonitor has passed everything. Just one thing though, the MS Press book hasn't been that helpful, Google all the way :P and a couple of the lads on here.

    Now another question: how can I check the replication intervals?

    Thanks
     
  12. Fluid (Byte Poster)

    Hi Guys,

    Also noticed another thing in REPLMONITOR.

    DC1
    ----
    1. DC=VREU,DCZIG
    2. CN=CONFIGURATION, DC=VREU,DCZIG
    3. CN=SCHEMA, CN=CONFIGRATION, DC=VREU,DCZIG
    4. DC=DomainDNSZones, DC=VREU,DCZIG
    5. DC=ForestDNSZones, DC=VREU,DCZIG

    DC2
    ----
    1. DC=VREU,DCZIG
    2. CN=CONFIGURATION, DC=VREU,DCZIG
    3. CN=SCHEMA, CN=CONFIGRATION, DC=VREU,DCZIG

    I'm just wondering why the DomainDNSZones and the ForestDNSZones are missing?
     
  13. craigie (Terabyte Poster)

    Replication intervals are the default and are triggered by the following events:

    - Creating an object
    - Moving an object
    - Modifying an object
    - Deleting an object

    If nothing changes, nothing needs to be replicated. To find out more, you can check out this linky.

    My advice would be to leave it as the default and let the KCC sort it out. Normal replication occurs within 15 secs between each DC, as I have previously mentioned, if one of the above triggers happens.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  14. craigie (Terabyte Poster)

    Is DC2 a DNS Server using AD Integrated Zones?

    If not, add this anyway for fault tolerance and I believe they will then both appear.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  15. Fluid (Byte Poster)

    Perfect, it's working now.

    Here's what I've done:

    - Went into the second DC and realised that DNS was not installed; did a couple of tests and noticed that it was using cache to log in to the OS.
    - Went into the 2nd DC and installed DNS. In the forward zone, created a new zone, set the zone type to primary, checked the box "Integrate new zone with Active Directory" and for the replication section I selected replicate to all domain controllers.

    Went to replmon and everything is actually replicating now. I have added some screenshots; a bit concerned about the name which I created for the DNS, which was secdnszone.vreu.*****. I have attached some screenshots and would be grateful if someone had a quick look over them to see if it makes any sense. Tomorrow I will be doing some vigorous testing to make sure they are functioning properly.

    Has anyone got any recommendations for the configuration which they would think is worthwhile? Would be grateful again!

    Thanks
     
  16. Fluid (Byte Poster)

    forgot the attachments! See attached please:
     

  17. Sparky (Zettabyte Poster, Moderator)

    Make sure all the clients are configured to use both DCs for DNS.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  18. Fluid (Byte Poster)

    Hi mate,

    Yep, that's done. What I have done is on all the servers which have joined the domain, I have set the preferred DNS as DC1 and secondary DNS as DC2. On the DCs themselves, I have set for DC1 preferred DNS 127.0.0.1 and secondary DNS as DC2. Now on DC2 I have set preferred DNS as DC1 and secondary DNS as 127.0.0.1. Does that sound correct?

    Did you have a quick chance to see the screenshots? Also, is there an option so I can go into the Windows DNS and see how replication is configured on both of them, if I wish to view or modify it later on?

    Thanks
     
  19. Triton.Deep (Bit Poster)

    After you have verified that Active Directory replication is working properly, which it sounds like you have, the slightly more optimized and recommended practice would be to have DC1 point to itself as primary DNS server and DC2 as secondary DNS server. On DC2, have it also point to itself for DNS resolution and DC1 as secondary.

    DC1
    Primary DNS: DC1
    Second DNS: DC2

    DC2
    Primary DNS: DC2
    Second DNS: DC1

    Basically, by doing that you are cutting down on a little traffic and letting Active Directory replication handle keeping your zones updated while also providing a bit of high availability.

    J.

    http://support.microsoft.com/kb/291382/
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
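    A check for the DNS layout worked out in posts 14 to 19 (AD-integrated zones on both DCs, each DC resolving against itself first and its partner second), added here as an example and not the thread's own: it assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later), that each DC also runs the DNS Server role, and remote CIM/WinRM access to both DCs.

```powershell
# Added example, not from the thread. Assumes ActiveDirectory and DnsServer modules
# and that each DC runs the DNS Server role and accepts remote CIM/WinRM sessions.
Import-Module ActiveDirectory
Import-Module DnsServer

$dcs   = Get-ADDomainController -Filter *
$dcIps = @($dcs.IPv4Address)

foreach ($dc in $dcs) {
    Write-Host "== $($dc.HostName) ($($dc.IPv4Address))"

    # Forward zones hosted on this DC. An AD-integrated primary zone (IsDsIntegrated)
    # lives in the DomainDnsZones or ForestDnsZones partition and replicates with AD,
    # so both DCs should show the same zones with the same ReplicationScope.
    Get-DnsServerZone -ComputerName $dc.HostName |
        Where-Object { -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
        Format-Table ZoneName, ZoneType, IsDsIntegrated, ReplicationScope -AutoSize

    # Resolver order on the DC itself: itself (own IP or 127.0.0.1) first, the other
    # DC second, so its own name resolution does not depend on the partner being up.
    $resolvers = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses.Count -gt 0 } |
                   Select-Object -First 1 -ExpandProperty ServerAddresses)
    $self   = @($dc.IPv4Address, '127.0.0.1')
    $others = $dcIps | Where-Object { $_ -ne $dc.IPv4Address }

    if ($resolvers.Count -lt 2) {
        Write-Warning "$($dc.HostName): only $($resolvers.Count) DNS server(s) configured; add the partner DC"
    } elseif ($resolvers[0] -notin $self) {
        Write-Warning "$($dc.HostName): primary DNS is $($resolvers[0]), expected itself"
    } elseif (-not ($others | Where-Object { $_ -in $resolvers[1..($resolvers.Count - 1)] })) {
        Write-Warning "$($dc.HostName): no other DC listed as secondary DNS"
    } else {
        Write-Host "$($dc.HostName): DNS client order OK ($($resolvers -join ', '))"
    }
}
```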
  20. Fluid (Byte Poster)

    Thanks very much fella!!

    I'm just a bit confused regarding the forward DNS Zone. In the application itself it states do not use the DOMAIN NAME for the name of the DNS, and then I have read some articles where it states to use the domain name, so I'm a tad confused. Can someone clarify this for me please?

    Thanks again!
     
