Re: Windows 2000 Server AD Question - Primary and Backup


From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 03/04/04


Date: Thu, 4 Mar 2004 15:35:25 -0500

Chan,

I would suggest that you install DNS on the second DC. I am hoping that
your DNS is Active Directory integrated? Additionally, I might suggest that
you make the second DC a Global Catalog Server as well. This is handled
through the Active Directory Sites and Services MMC. Please look at the
following link to see how to do this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313994&Product=win2000

I presume that you have a smaller, one Site environment where making both
DCs a Global Catalog Server will not result in excessive replication.

Chan, there is no longer any Primary or Secondary Domain Controller in
WIN2000 like there is in WINNT 4.0. In WIN2000 Active Directory, all Domain
Controllers are equal ( well.... ). There are, however, five FSMO roles
that, by default, are placed on the first DC in the Forest. These five FSMO
roles are Schema Master, Domain Naming Master ( both of these are
Forest-wide ), PDC Emulator, RID Master and Infrastructure Master ( these
last three are Domain-wide ).

It is better to have two Domain Controllers in your environment. If one
crashes then the other continues to handle the load. Additionally, if one
crashes then you still have your AD as there is a second DC ( redundancy ).
You might need to either seize or transfer any FSMO roles from the crashed
DC to the remaining DC but this is very simple and straightforward.

Is the original DC - the one against which you are claiming that all users
are authenticating - by chance a WINNT 4.0 upgrade? This would explain why
all WIN2000 machines are using this Domain Controller. By the way - how
have you verified that all users are using DC01 for authentication? Have
you gone to each PC and entered 'set l' at a command prompt? Or possibly
used a logon script to give you this information?

If this DC is indeed an upgrade from WINNT 4.0 then please take a look at
the following MSKB Articles:

http://support.microsoft.com/default.aspx?scid=kb;en-us;284937
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298713

Make sure that this issue is addressed before you proceed.

So, now to your question: if you want to remove the first DC from being a
DC then I would suggest that you transfer all of the FSMO Roles that it
might hold to the newer DC ( install the Support Tools and run netdom query
fsmo at a command prompt to determine which DC holds which roles - and then
look at the two MSKB Articles below for instructions on how to do this ).
Then I would "un-make" ( new word! ) this DC a Global Catalog Server. Then
you can run dcpromo to remove it from being a Domain Controller.

http://support.microsoft.com/default.aspx?scid=kb;en-us;255504&Product=win2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690&Product=win2000

Make sure that everything happened as it is supposed to. If there are any
problems then take a look at using ntdsutil and adsiedit to correct this.
Take a look at the following MSKB Article for this:

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b216498

I would add a second Domain Controller to your environment as quickly as
possible so that you have redundancy!

HTH,

Cary

"Chan Ho" <ho.chan@microdia.com> wrote in message
news:OxdNtPfAEHA.3352@TK2MSFTNGP09.phx.gbl...
> I have setup an additional domain controller on my windows system. However,
> all computer login process is still through the Primary (original) server. I
> would like to ask how to change my new server as the Primary.
>
> If I demote the old server, will the new server promote to primary
> automatically? Please help as the old server is too old and we want to
> remove it from AD controller.
>
>
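
The reply above says to confirm which DC holds which FSMO role (netdom query fsmo) before running dcpromo on the old server. The following is an added example, not part of the original post: a pre-demotion check over captured netdom query fsmo output. The sample output, the host names and the exact label wording are assumptions.

```python
import re

# Role labels as printed by `netdom query fsmo`; older and newer wordings are
# both accepted (assumed label text), normalised to the names used in the post.
ROLE_LABELS = {
    "schema owner": "Schema Master",
    "schema master": "Schema Master",
    "domain role owner": "Domain Naming Master",
    "domain naming master": "Domain Naming Master",
    "pdc role": "PDC Emulator",
    "pdc": "PDC Emulator",
    "rid pool manager": "RID Master",
    "infrastructure owner": "Infrastructure Master",
    "infrastructure master": "Infrastructure Master",
}
ALL_ROLES = set(ROLE_LABELS.values())

# Constructed sample output; host names are placeholders.
SAMPLE = """\
Schema owner                dc02.example.local

Domain role owner           dc02.example.local

PDC role                    dc01.example.local

RID pool manager            dc02.example.local

Infrastructure owner        dc01.example.local

The command completed successfully.
"""

def parse_fsmo(text):
    """Return {role: holder} parsed from `netdom query fsmo` output."""
    holders = {}
    for line in text.splitlines():
        m = re.match(r"^(.*\S)\s{2,}(\S+)\s*$", line)
        if m and m.group(1).lower() in ROLE_LABELS:
            holders[ROLE_LABELS[m.group(1).lower()]] = m.group(2).lower()
    return holders

def demotion_blockers(text, old_dc):
    """List reasons the old DC must not be demoted yet (empty list = clear)."""
    holders = parse_fsmo(text)
    short = old_dc.lower().split(".")[0]
    # A role missing from the output is treated as a blocker, not as "moved".
    blockers = [f"{r} not reported" for r in sorted(ALL_ROLES - set(holders))]
    blockers += [f"{r} still on {h}" for r, h in sorted(holders.items())
                 if h.split(".")[0] == short]
    return blockers
```

An empty list from demotion_blockers means all five roles were reported and none is on the DC being removed; the Global Catalog step from the post is not covered by this check.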


