Re: new domain setup

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 11/05/04


Date: Fri, 5 Nov 2004 08:22:50 +0100

Hi,

In a Windows 2000 or later domain environment there are no more PDCs and BDCs
(Primary Domain Controllers and Backup Domain Controllers).

In Windows NT you had a PDC, and only on the PDC were you able to create new
users. A new user created on the PDC was later replicated to the BDC.

In Windows 2000 and later, Microsoft released a so-called multi-master domain
environment. It doesn't matter where you create new users.

Still, there are a few domain roles that are unique to the domain/forest and
can exist on only one DC at a time. Global Catalog (another role) can be
practically any DC in the domain. These roles can be moved between the servers
at any time.

HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
http://support.microsoft.com/kb/255690/EN-US/

How To View and Transfer FSMO Roles in Windows Server 2003
http://support.microsoft.com/default.aspx?kbid=324801&product=winsvr2003

Windows Server Deployment 2003 Resource Kit
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/default.asp

Don't run only one domain controller in any production domain environment.
It is pretty hard to restore a domain controller from e.g. a backup tape.

Mike

"Param R." <pr@nospam.com> wrote in message
news:Ob629FwwEHA.3024@TK2MSFTNGP14.phx.gbl...
> Mike, the IIS websites running on the DC will be for internal use only.
> Also, let's say I add a second DC in about 2 weeks. Is there any way I can
> make it the Primary DC and demote the current DC to Backup DC?
>
> TIA!
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:O30ZPoswEHA.1984@TK2MSFTNGP14.phx.gbl...
>> Hi,
>>
>> You can add as many domain controllers later as you need. You set up a new
>> computer running e.g. Windows 2003, you patch it up with all the latest
>> updates (before joining it to the domain). Once all patched up, join it to
>> the domain and run dcpromo on it. This will make it a new DC. Also make all
>> your DCs DNS servers (configure them as Active Directory Integrated DCs).
>>
>> Again, before running dcpromo or before joining a server to the domain (or
>> any other PC), make sure that they are all patched up.
>>
>> Personally I am against IIS running on a DC (there is no need for it) and
>> in case of e.g. an IIS security breach (this could also be due to bad IIS
>> configuration) someone could gain access to files on the DC or create a new
>> user account or ...
>>
>> The only services that I usually allow to run on my DCs are DNS and
>> DHCP...
>>
>> Feel free to post back with any additional questions that you might
>> have...
>>
>> Mike
>>
>> "Param R." <pr@nospam.com> wrote in message
>> news:OxrxcMowEHA.1564@TK2MSFTNGP09.phx.gbl...
>>> Hi all, over the next few weeks I have to work on setting up a new
>>> domain environment at our data center. All machines will be running
>>> 2003. Some web and some standard. The problem is when I am doing the
>>> setup I will have 3 servers with me. I will have to set these up and
>>> then later go get the 2 other servers which are in a different location.
>>> The problem is I eventually want my main Domain Controller to be one of
>>> the machines at the other location. It is a more powerful box than the 3
>>> readily available to me. So in theory I will use one of the currently
>>> available boxes as a Domain Controller for now until I can go get the
>>> other machines. Is it possible to install a box at a later point and
>>> make it the main DC? If yes, how would I go about doing so and what do I
>>> need to watch out for?
>>>
>>> Also, I have never installed a DC before. What steps do I need to
>>> follow? I will also be installing DNS on the DC boxes. DNS will only be
>>> used for internal use, so it is recommended to have DNS integrated with
>>> A/D rather than in flat files right? Here are the steps I am thinking:-
>>>
>>> 1. Boot from CD and do base install.
>>> 2. Run DCPROMO
>>> 3. Install DNS, IIS & Other Services.
>>>
>>> Any help here is much appreciated.
>>>
>>> thanks,
>>> Param
>>>
>>
>>
>
>
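
The points raised in this thread (more than one DC, each single-holder role accounted for, a Global Catalog present, no IIS on a DC) can be checked against a DC inventory. The PowerShell below is an added example, not part of the original posts; the `Test-DcLayout` function, the `Services` property and the sample host names are assumptions made for illustration, and it assumes a single-domain forest.

```powershell
# Added example, not from the thread. Input objects use property names that
# Get-ADDomainController returns (HostName, IsGlobalCatalog,
# OperationMasterRoles). Services is a hypothetical extra property holding
# the service names found on each DC. Assumes a single-domain forest.
function Test-DcLayout {
    param([Parameter(Mandatory)] [object[]] $DomainControllers)

    $findings = @()
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
             'RIDMaster', 'InfrastructureMaster'

    if ($DomainControllers.Count -lt 2) {
        $findings += 'Only one domain controller: nothing to replicate from if it is lost.'
    }
    foreach ($role in $roles) {
        $holders = @($DomainControllers |
            Where-Object { $_.OperationMasterRoles -contains $role })
        if ($holders.Count -ne 1) {
            $findings += "$role has $($holders.Count) holder(s) in this inventory, expected 1."
        }
    }
    if (-not ($DomainControllers | Where-Object { $_.IsGlobalCatalog })) {
        $findings += 'No domain controller is a Global Catalog.'
    }
    foreach ($dc in $DomainControllers) {
        if ($dc.Services -contains 'W3SVC') {
            $findings += "$($dc.HostName) runs IIS (W3SVC) on a domain controller."
        }
    }
    return $findings
}

# Constructed inventory: the first DC still holds every role and runs IIS,
# the second DC was added later and holds none.
$sample = @(
    [pscustomobject]@{
        HostName = 'dc1.example.test'; IsGlobalCatalog = $true
        OperationMasterRoles = @('SchemaMaster', 'DomainNamingMaster',
            'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
        Services = @('DNS', 'DHCPServer', 'W3SVC')
    },
    [pscustomobject]@{
        HostName = 'dc2.example.test'; IsGlobalCatalog = $false
        OperationMasterRoles = @(); Services = @('DNS')
    }
)
Test-DcLayout -DomainControllers $sample

# Live inventory (RSAT ActiveDirectory module): Get-ADDomainController -Filter *
```

Objects from a live `Get-ADDomainController -Filter *` query carry no `Services` property, so the IIS check is skipped unless that property is added per host.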


