Creating a failover environment on a Windows 2003 domain

Scenario:

I have the domain contoso.com with only one DC (with DNS) and I wish to add another one in case something goes wrong.

– The first thing that you must have is, of course, the new server where you are going to install your second DC. It’s highly recommended that both servers are working with the latest updates, Windows Server 2003 R2 SP2. And the domain is raised into “Windows 2003” functional level (on this level there are some improvements in many things, including the replications between 2003 servers).

– Run the Administration Tool “Manage Your Server” in the new Windows 2003 and add the role “Active Directory” for this server.


Domain controller promotion wizard

– Configure the server as a DC for an existing domain and follow the instructions in the wizard. You’ll be asked for the credentials of privileged account to add a new server. The account must be a member of the “Domain Admins” group.

– After the promotion of the new DC is completed, visit again “Manage your Server” and add the role “DNS Server”, but don’t set any new zone on this server. When you configure it as a DNS server the primary server will replicate the zones with this new server.

Each DC must be pointing to themselves as the first preferred DNS server and the secondary DNS must be the remaining DC.

First DC TCP/IP configuration


Second DC TCP/IP configuration

– At this time the DNS records must be replicated and in both servers you should have the same zones and records. Check the DNS snap-in for the new DC and check that the zones are identical in both DCs.

IMPORTANT: Any special configuration of the first DNS server, i.e. “Forwarders” configurations or in “Zone Transfers”, are NOT replicated between servers, for obvious reasons. So if you are trying to make this new DC to act as a replacement when the first DC is down (that’s a failover environment), you have to set the same configurations manually.

Global Catalog: You also have to add the role “Global Catalog” in the new server, to do this visit “Active Directory Sites and Services”, expand the site where the DC is located, since we are using all the DC in the same subnet, all of them must be in the same site (the DC is automatically located in this site when you assign him the IP address). Expand “Servers” and expand in the new server name, right click on “NTDS Settings” and click “Properties”, select the option “Global Catalog”.


Global Catalog option on NTDS Settings

Remember that in the forest must be at least one GC up and working at all moment.

Control and Tests

To check that the functionality for the new server and the replication is working properly you can do these tests:

· On the new DC, run cmd and type “ipconfig /registerdns” to ensure the creation of a record for name resolution.

· Install Windows Support Tools and run the DCDIAG tool as it follows: “dcdiag /test:registerindns /dnsdomain:contoso.com /v”. Basically what you are doing here is letting know that this is a valid DC for the domain.

· Open the “Active Directory and Computers” snap-in, on the “Domain Controllers” built-in ensure that both of the existing DCs are located there.


Domain Controllers in CORPNET.AD

· Open “Sites and Services” snap-in and check that all the servers within the forest are listed. Expand every each of them and in “NTDS Settings” (this section indicates with which servers will replicate each DC) the list in the right in every DC should be listing the remaining DCs. If anyone is missing you have to add it manually selecting “New Active Directory Connection”.


Replication

In this snap-in you can check the manual replication between servers. Right click in the listed servers in NTDS Settings and select the option “Replicate Now” you should get the message “Active Directory has replicated the connections”.

· Run “dcdiag” in command prompt and check that the entire test is passed successfully.

· Check the Event Viewer in all DCs and watch for any error description. If something out of the ordinary appears, you can check http://www.eventid.net and insert the Event ID number from the error that you found. The site will display you pretty much the same information that you have in the event description, but you also will find user comments about this error and how they solved it.

– After these tests are completely successfully, change the DHCP server (if you have it) configuration to start using both DNS servers. In the DHCP snap-in, expand the Scope and Scope Options. In the right you will find the entire configuration that is distributed with a common lease. Double-click in “DNS Servers” and add the IP of the new DC.


DHCP Configuration

You are all set now…

Cheers!!

5 Comments »

  1. Hi, great work, it was very helpful.

    I have a few questions:

    What happen if mi primary DC isn’t online, so i have the other server with de AD service working, but if I create a new user, and the other server return online, what happen with this new user? It is replicated, or I have to create it on my primary DC?, the same question for example.. a policy, or if I made changes on the established policies, what happens when de primary DC becomes online?

    Hope you can answer me, and sorry for my english, I didn’t speak very well.

    Thanks.

    • Hello there,
      Yes, in both cases the user and the policy is replicated when the new server is back online. Every change in the AD database has a time stamp to maintain consistency among all domain controllers.
      Remember that DC cannot be offline for too long, otherwise they become useless.
      Best regards,
      Augusto

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s