Re: Backup domain controller?
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Wed, 1 Jun 2005 15:08:49 +0100
Wow!!! There's a number of serious misconceptions in your post! I'll try
and clear as much as I can up. My answers are inline...
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
"Toby Groves" <toby.groves@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:cj8o911ir14om46feq31tsbq0f2kuf5tmn@xxxxxxxxxx
> Hi, I hope someone can help me here as I'm getting a bit out of my
> depth :)
> Up until recently, we've had two main servers. One hosts the AD domain,
> with DNS and DHCP installed, and is the primary file sharing box. The
> second machine is the mail and Internet gateway server, running Exchange
> 2003 and ISA 2004.
> Basically we've lost the main domain controller and it appears it's not
> recoverable, so it's going to have to be reinstalled from scratch. This
> isn't the end of the world and it can be brought back up in relatively
> short order, the big issue is the Exchange box.
It is a big issue if you don't have a backup, as the Exchange organisation
is tied into the existing domain. If you create a new domain Exchange will
be...
> The first idea we had was to promote the Exchange box to being the PDC (or
> whatever the terminology is now in AD-land), and then hook what was the PDC
> before up to this, effectively reversing the roles of each machine in the
> domain. Now I'm getting a bit lost here. I presumed that, since the
> Exchange machine had to be integrated with the domain, that it would have
> all the necessary domain info replicated on it, but of course there's no
> DNS service on that machine, which is what actually hosts the AD domain,
> so this can't be the case can it?
If the Exchange server were a DC you could switch the single master roles,
clean up the old server and be done. But Exchange is only a member server,
so you can't do this.
Exchange is integrated with the domain in as much as it requires a GC to
query and the installation extended the directory schema. Unless the
Exchange server is a DC, the Exchange server only uses the AD.
The DNS doesn't host AD. A DC hosts AD. DNS is used to locate domain
information such as domain controllers and global catalog servers, etc. The
AD namespace and the DNS namespace have to be the same unless you want to do
some extra configuration, and AD depends on DNS but in no way does DNS host
AD.
> If so, then I'm rather puzzled as to why this box is working at all.
> Everything seems to suggest that the AD domain has "gone", as there is now
> no DNS server anywhere on the network, yet clients can still access
> Exchange and the 'net (via ISA) without being prompted for login
> credentials, plus viewing AD Users and Computers does still bring up the
> full list of user accounts, after a brief delay.
This box is running with cached credentials. Things will start going
horribly wrong soon...
> So the question is, does the Exchange box actually have a "copy" of the AD
> domain data on it that can be recovered? We tried using DCPROMO on it but
> that wanted to remove AD before it did anything else. This seems to
> support the theory that AD is installed on this machine, yet how can this
> be if there's no DNS server present? I'm a bit confused here.
Ah, so this box is a DC. In which case, this isn't as bad as we'd thought.
However, you need to get DNS up and running for all to be well. Install DNS
on a server, and create a new forward-lookup zone with the same name as your
AD domain and enable the zone for dynamic updates. Point the exchange
server to this DNS server for DNS and restart NETLOGON. That'll populate
DNS. Now seize the FSMO roles and make this box a GC if it isn't already.
Then do a metadata cleanup. You now need to rebuild the original box (with
a new name) and join it to the domain. Then DCPROMO it to a new DC in the
existing domain. You will then need to transfer the roles and make this box
a GC. Also install DNS.
Take a look at this article for how to transfer the roles and whatnot.
However you need to seize the roles to the other DC once DNS is working. I
won't go into the fact that you don't really want to be running a DC on the
ISA server which is probably acting as an edge firewall. I might also
suggest that you ring MS PSS and get them to help you achieve all of this as
judging by your questions, some of my answer might be a little confusing - no
offence.
-- http://www.msresource.net/content/view/24/47/
Hope this helps a little...
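The recovery sequence Paul lays out above (DNS zone for the AD domain, restart NETLOGON, seize the FSMO roles, make the survivor a GC, metadata cleanup, then rebuild the old box and transfer the roles back) is shown below as an added example; it is not code from either post, and the thread predates the cmdlets it uses (it assumes Windows Server 2012 or later with the ActiveDirectory and DnsServer modules). The domain name corp.example, the server names EXCH01, OLDDC and NEWDC01, and the site name are assumptions chosen for the example.

```powershell
# Added example (not from the thread): recovering a domain whose only other
# DC has died, run in an elevated session on the surviving DC (EXCH01).
# Assumed names: domain corp.example, surviving DC EXCH01, dead DC OLDDC,
# rebuilt DC NEWDC01, site Default-First-Site-Name.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory, DnsServer

$Domain   = 'corp.example'            # assumed AD DNS name
$DeadDc   = 'OLDDC'                   # assumed name of the failed DC
$Survivor = 'EXCH01'                  # assumed surviving DC (the Exchange box)
$Site     = 'Default-First-Site-Name' # assumed site name
$configNc = (Get-ADRootDSE).configurationNamingContext

# 1. Install DNS and create an AD-integrated forward-lookup zone with the same
#    name as the AD domain, enabled for (secure) dynamic updates.
Install-WindowsFeature DNS -IncludeManagementTools | Out-Null
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Point this server at itself for DNS, then restart Netlogon so it registers
#    the locator records (_ldap._tcp, _gc._tcp, ...) into the new zone.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 127.0.0.1
Restart-Service Netlogon
Start-Sleep -Seconds 10

# 3. Do not touch the FSMO roles until DNS can actually locate a DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
if (-not $srv) { throw 'Netlogon has not registered its SRV records yet; fix DNS before seizing roles.' }

# 4. Seize all five roles onto the survivor. -Force seizes instead of
#    transferring, which is the only option when the old holder is gone.
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 5. Make the survivor a global catalog if it is not one already
#    (bit 1 of the options attribute on its NTDS Settings object).
$ntdsDn = "CN=NTDS Settings,CN=$Survivor,CN=Servers,CN=$Site,CN=Sites,$configNc"
$ntds   = Get-ADObject -Identity $ntdsDn -Properties options
if (-not ($ntds.options -band 1)) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($ntds.options -bor 1) }
}

# 6. Metadata cleanup: remove the dead DC's server object so the KCC and
#    replication stop trying to reach it. ntdsutil accepts its commands as
#    arguments, one per quoted string.
$deadDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
ntdsutil "metadata cleanup" "remove selected server $deadDn" quit quit

# 7. Health check: every role should now name the survivor, and dcdiag should
#    be clean on DNS, role-holder knowledge and replication.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
dcdiag /test:DNS /test:KnowsOfRoleHolders /test:Replications

# 8. On the rebuilt box (new name NEWDC01), promote it into the existing domain
#    with DNS, then move the roles back with a normal transfer (no -Force):
#    Install-ADDSDomainController -DomainName $Domain -InstallDns -Credential (Get-Credential)
#    Move-ADDirectoryServerOperationMasterRole -Identity 'NEWDC01' `
#        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
```

Step 3 is the check worth keeping even if everything else is done by hand: seizing roles before the locator records exist leaves clients and the surviving DC unable to find a DC, which is the failure mode the thread is already in. Step 8 exists because, as Paul notes, the Exchange/ISA box is the wrong place to leave a DC and the roles; once NEWDC01 is a healthy GC with DNS, transfer the roles there and the survivor's DC role can be retired cleanly.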