Re: Servers dependent on Active Directory



"IainM" <IainM@xxxxxxxxxxxxxxxxx> wrote in message
news:F0815B34-2DBB-4433-B041-E5A880B35A0E@xxxxxxxxxxxxxxxx
> I had a Domain Controller (that also ran DNS) go down which caused problems
> with systems I thought were independent of AD. This highlighted the fact that
> other teams within IT had installed a lot of servers that used AD services
> like DNS, LDAP, etc which I wasn't told about. These dependencies on AD based

Depending on DNS and LDAP does not mean they are dependent on AD. You could
be running a 100% Unix/Linux system and still use DNS or LDAP for something
but it would have nothing to do with AD. In the end that doesn't stop the
problem you are having, but it is important to look at things in an accurate
way.

> services are very difficult to track down.

> My question is, how can I find out what servers are accessing my DCs/DNS
> servers, etc without going round all 200+ of them, looking at applications,
> and so on.
> For example, is there an easy way to log LDAP lookups occurring on DCs?

Don't know about LDAP,...but literally everything on your LAN that needs
name resolution is going to depend on DNS. The standard method (and the
correct method) to handle DNS is to have everything on the LAN use the
AD/DNS Servers for the DNS Resolution,...and then on the DNS boxes have the
ISP's DNS listed in the Forwarders List while the Firewall allows the DNS
Boxes to make outbound DNS Queries to the ISP's DNS. This is the normal
expected way it should be set up and should not be changed just because it
may be inconvenient in one way or another.

The solution is not, "How can I keep things from needing my AD/DNS?" The
solution is, "What are the best disaster recovery steps I can take so I can
get my AD/DNS machines back up and running quickly when they go down?".

1. Always have a minimum of 2 DCs running DNS. Include *both* machines' IP#s
in the TCP/IP config of the machines on the LAN.
2. Have good up-to-date backups that include System State.
3. If one is down for a long period of time you can seize FSMO Roles from
the dead one to the remaining one, and can add the IP# from the dead one to
the remaining one as a secondary IP#. Just remember to put things back the
way they belong before rebuilding the dead one and putting it back into the
system. However, as long as there were two DCs, it does not take that long to
rebuild a lost DC, even if it is from scratch, even if you have to use junk
hardware, even if there was no backup created,...so there is no real excuse
for it to be down a long time.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
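The original question (which of 200+ servers are really hitting the DCs, and which of those are actually using AD rather than plain DNS) can be answered from the DNS server's own debug log, which is where the distinction Phillip draws between "uses DNS" and "depends on AD" becomes visible: domain members and AD-aware LDAP clients look up the DC-locator SRV records (`_ldap._tcp...`, `_kerberos._tcp...`, `..._msdcs...`), plain DNS customers never do. The script below is an added example, not code from the original thread. The log lines are constructed samples in the layout of the Windows DNS Server debug log (DNS Manager > server Properties > Debug Logging); the host names, addresses, domain and the default `dns.log` path are assumptions, so check the regex against a few real lines before trusting the counts.

```powershell
# Added example (not from the original post): summarise which clients send
# queries to a Windows DNS server and how many of those queries are AD
# DC-locator SRV lookups, from the server's debug log.

# CONSTRUCTED sample lines in the layout of the Windows DNS Server debug log.
# Names, addresses and the corp.example.com domain are made up.
$SampleLog = @'
7/10/2013 2:53:03 PM 0D58 PACKET  00000000028BEF40 UDP Rcv 10.0.0.21       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
7/10/2013 2:53:03 PM 0D58 PACKET  00000000028BEF40 UDP Snd 10.0.0.21       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
7/10/2013 2:53:04 PM 0D58 PACKET  00000000028C0A10 UDP Rcv 10.0.0.37       a1c4   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(2)dc(6)_msdcs(4)corp(7)example(3)com(0)
7/10/2013 2:53:04 PM 0D58 PACKET  00000000028C0A10 UDP Rcv 10.0.0.37       a1c5   Q [0001   D   NOERROR] SRV    (9)_kerberos(4)_tcp(4)corp(7)example(3)com(0)
7/10/2013 2:53:05 PM 0D58 PACKET  00000000028C1F00 UDP Rcv 10.0.0.52       3f2a   Q [0001   D   NOERROR] A      (8)intranet(4)corp(7)example(3)com(0)
7/10/2013 2:53:06 PM 0D58 PACKET  00000000028C2B20 TCP Rcv 10.0.0.37       a1c6   Q [0001   D   NOERROR] A      (4)dc01(4)corp(7)example(3)com(0)
'@

function ConvertFrom-DnsDebugName {
    # The log writes names as (len)label chains:
    # "(3)www(7)example(3)com(0)" -> "www.example.com"
    param([Parameter(Mandatory)][string]$Encoded)
    ($Encoded -replace '\(\d+\)', '.').Trim('.')
}

function Get-DnsClientSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Inbound queries only ("Rcv" with opcode Q). The server's own "Snd"
    # responses are skipped. The date/time prefix is locale-dependent, so only
    # the fixed "PACKET ... Rcv <ip> <xid> Q [...] <type> <name>" part is matched.
    $pattern = 'PACKET\s+\S+\s+(?:UDP|TCP)\s+Rcv\s+(?<ip>\S+)\s+[0-9a-fA-F]{4}\s+Q\s+\[[^\]]*\]\s+(?<type>\S+)\s+(?<name>\S+)\s*$'
    $byClient = @{}

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $ip   = $Matches.ip
            $type = $Matches.type
            $name = ConvertFrom-DnsDebugName $Matches.name

            if (-not $byClient.ContainsKey($ip)) {
                $byClient[$ip] = [pscustomobject]@{
                    Client           = $ip
                    Queries          = 0
                    AdLocatorQueries = 0
                    Names            = New-Object 'System.Collections.Generic.HashSet[string]'
                }
            }
            $entry = $byClient[$ip]
            $entry.Queries++
            [void]$entry.Names.Add($name)

            # DC-locator SRV records are asked for only by AD-aware clients
            # (domain members, apps that locate a DC via the domain name).
            # A host that only ever asks for A/MX/PTR records is a DNS customer,
            # not an AD dependency, which is the distinction the reply makes.
            if ($type -eq 'SRV' -and $name -match '^_(ldap|kerberos|gc|kpasswd)\._(tcp|udp)\.') {
                $entry.AdLocatorQueries++
            }
        }
    }
    $byClient.Values | Sort-Object -Property AdLocatorQueries, Queries -Descending
}

# Usage against the constructed sample. On a real server feed it the debug
# log instead; the default path is ASSUMED to be the usual one:
#   Get-DnsClientSummary -Lines (Get-Content "$env:SystemRoot\System32\dns\dns.log")
$summary = Get-DnsClientSummary -Lines ($SampleLog -split '\r?\n')
$summary |
    Select-Object Client, Queries, AdLocatorQueries,
        @{ Name = 'Names'; Expression = { ($_.Names | Sort-Object) -join ', ' } } |
    Format-Table -AutoSize
```

With the sample input, 10.0.0.37 is the only client with DC-locator SRV lookups, so it is the one that will break when the DC is down; 10.0.0.21 and 10.0.0.52 only resolve ordinary A records and would be equally happy pointed at any resolver. Debug logging is verbose, so turn it on for a bounded window (a working day usually catches every host that boots or re-authenticates) and turn it off again; it does not cover direct LDAP binds from clients that already know a DC's address, which is the LDAP half of the question that the reply leaves open.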


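The recovery steps in the reply (seize the FSMO roles, borrow the dead DC's address, then put things back before rebuilding), written out as commands for the case where one of the two DCs is gone. This is an added example, not from the original post; DC01/DC02, the 10.0.0.x addresses, the adapter name and the corp.example.com domain are assumed placeholders. Run it in an elevated prompt on the surviving DC, one step at a time rather than as a blind script, because each seize asks for confirmation.

```powershell
# Added example (not from the original post): DC01 (10.0.0.10) is dead,
# DC02 survives. All names and addresses are ASSUMED placeholders.

# 1. See which roles the dead DC held. netdom comes with the AD DS tools.
netdom query fsmo

# 2. Seize onto DC02 every role DC01 held. ntdsutil accepts its menu
#    commands as arguments; each "seize" first tries a clean transfer and
#    only forces the role when the old holder cannot be reached. Seize only
#    roles the dead DC actually held (step 1), and never let the old DC back
#    online with these roles afterwards; it must be rebuilt as a new DC.
ntdsutil "roles" "connections" "connect to server DC02" "quit" `
    "seize schema master" "seize domain naming master" `
    "seize infrastructure master" "seize RID master" "seize PDC" `
    "quit" "quit"

# 3. Answer on the dead DC's address too, so hosts that (against step 1 of
#    the reply) only have 10.0.0.10 as their DNS server keep resolving.
netsh interface ip add address "Local Area Connection" 10.0.0.10 255.255.255.0

# 4. Verify: all five roles on DC02, and the DC-locator record answers on
#    the borrowed address as well as on DC02's own.
netdom query fsmo
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com 10.0.0.10

# 5. Before the rebuilt DC01 comes back on the wire, give its address back;
#    two hosts answering for 10.0.0.10 is a worse outage than the original.
netsh interface ip delete address "Local Area Connection" 10.0.0.10

# Once DC01 is rebuilt and replicating, move roles back by *transfer*, not
# seize, e.g.:
#   ntdsutil "roles" "connections" "connect to server DC01" "quit" "transfer PDC" "quit" "quit"
```

Seizing is for a DC that is not coming back as it was; if the same machine is later reinstalled with the same name, its old computer and NTDS objects must be cleaned out of the directory first (ntdsutil `metadata cleanup`) or the new DC will collide with the stale entries.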