Adding new 2003 DCs to SBS domain
Bryan Linton
Posted: Sat Jan 15, 2005 4:25 am    Post subject: Adding new 2003 DCs to SBS domain

I'm running a network with one SBS 2003 DC and two Windows 2000 member
servers. We just purchased two new servers and a copy of Server 2003 for
the one existing server we plan to keep. One of the new servers will be
running IIS, and I'd like to also DCPromo it as a second DC in my domain. I
have a few questions about this:

-- Since the SBS 2003 won't give up any FSMO roles, will I have any
difficulties getting proper replication of AD to occur? I seem to recall
something about one of the FSMO roles needing to be transferred off the
forest root DC for replication to work properly.

-- We're using the Standard edition of Exchange that came on the SBS 2003;
if I purchase an additional copy of exchange to also run on the IIS Server /
DC running Windows 2003 Std (for redundancy), will I have any trouble
integrating that into my existing infrastructure?

I don't want to DCpromo this new server until I can be sure it won't screw
up my existing SBS 2003 configuration.

Thanks in advance,

Bryan

SuperGumby [SBS MVP]
Posted: Sat Jan 15, 2005 4:32 am    Post subject: Re: Adding new 2003 DCs to SBS domain

inline
"Bryan Linton" <blinton@nospam.connellinsurance.com> wrote in message
news:e10Glfo%23EHA.1300@TK2MSFTNGP14.phx.gbl...
Quote:
I'm running a network with one SBS 2003 DC and two Windows 2000 member
servers. We just purchased two new servers and a copy of Server 2003 for
the one existing server we plan to keep. One of the new servers will be
running IIS, and I'd like to also DCPromo it as a second DC in my domain.
I have a few questions about this:

If you intend running a public website on this box you would be better served
NOT making it a DC, or better yet, not having it in your domain at all.

Quote:
-- Since the SBS 2003 won't give up any FSMO roles, will I have any
difficulties getting proper replication of AD to occur? I seem to recall
something about one of the FSMO roles needing to be transferred off the
forest root DC for replication to work properly.

Additional DCs in an AD DO NOT need to hold any FSMO roles for replication
to happen normally.

Quote:
-- We're using the Standard edition of Exchange that came on the SBS 2003;
if I purchase an additional copy of exchange to also run on the IIS Server
/ DC running Windows 2003 Std (for redundancy), will I have any trouble
integrating that into my existing infrastructure?

I don't want to DCpromo this new server until I can be sure it won't screw
up my existing SBS 2003 configuration.

Thanks in advance,

Bryan

Gordon Ryan
Posted: Sat Jan 15, 2005 4:40 am    Post subject: Re: Adding new 2003 DCs to SBS domain

Please see comments in line

--
Gordon Ryan
Longneck Consulting Pty. Ltd
http://www.longneckconsulting.com
Central Coast, NSW, Australia
"Bryan Linton" <blinton@nospam.connellinsurance.com> wrote in message
news:e10Glfo%23EHA.1300@TK2MSFTNGP14.phx.gbl...
Quote:
I'm running a network with one SBS 2003 DC and two Windows 2000 member
servers. We just purchased two new servers and a copy of Server 2003 for
the one existing server we plan to keep. One of the new servers will be
running IIS, and I'd like to also DCPromo it as a second DC in my domain.
I have a few questions about this:

If the IIS box will be publishing pages to the web, it would be preferable
not to make it a DC from a security perspective.

Quote:
-- Since the SBS 2003 won't give up any FSMO roles, will I have any
difficulties getting proper replication of AD to occur? I seem to recall
something about one of the FSMO roles needing to be transferred off the
forest root DC for replication to work properly.

Nope, replication will still be fine. The closest you come to issues with
replication and FSMO roles is the infrastructure master not being entirely
happy if it resides on a Global Catalog server. But as SBS is limited to a
single domain, this is a non issue


Quote:
-- We're using the Standard edition of Exchange that came on the SBS 2003;
if I purchase an additional copy of exchange to also run on the IIS Server
/ DC running Windows 2003 Std (for redundancy), will I have any trouble
integrating that into my existing infrastructure?

Nope, you just have to think about what type of redundancy you are getting.
You will be able to have public folders on both servers, but a user's mailbox
can only reside on one server. So from a user mailbox perspective the best
you can get is to have half your users on one server and the other half on
the other server. That way if a server fails, only half your users can't
access their mailbox. (Outlook 2000 cached mode will provide the users with
their mailboxes while the server is not available but you will not be
getting any new mail)

Quote:
I don't want to DCpromo this new server until I can be sure it won't screw
up my existing SBS 2003 configuration.

Assuming you don't do anything crazy, the addition of a new DC to your
existing domain should not cause you issue. Before you start though, make
sure that there are no errors relating to AD or DNS in the event viewer on
your existing server.

Quote:
Thanks in advance,

Bryan
hth


Gordo
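
The pre-flight advice in the post above (no AD or DNS errors in the event viewer before running dcpromo) can be scripted. This is an added example, not part of the original thread; it assumes Windows PowerShell 2.0 or later and the Windows Support Tools (dcdiag, netdom) on the existing DC, and the parameter names are hypothetical.

```powershell
# Added example (not from the thread): health check of the existing DC before dcpromo.
# Assumes Windows PowerShell 2.0+ and the Support Tools (dcdiag, netdom) on the PATH.
param(
    [string]$Server = $env:COMPUTERNAME,  # existing DC to inspect (hypothetical parameter)
    [int]$Days = 7                         # how far back to read the event logs
)

$since    = (Get-Date).AddDays(-$Days)
# Logs that carry AD and DNS health on a 2003 DC; FRS replicates SYSVOL.
$logNames = 'Directory Service', 'DNS Server', 'File Replication Service'
$present  = Get-EventLog -List -ComputerName $Server | ForEach-Object { $_.Log }
$findings = @()

foreach ($log in $logNames) {
    if ($present -notcontains $log) {
        Write-Warning "Log '$log' not found on $Server (role not installed?)"
        continue
    }
    # Get-EventLog reports "No matches found" as an error when the log is clean.
    $hits = @(Get-EventLog -ComputerName $Server -LogName $log `
                -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue)
    # Collapse repeats so one noisy event ID does not hide the others.
    $findings += @($hits | Group-Object Source, EventID | ForEach-Object {
        New-Object PSObject -Property @{
            Log     = $log
            Source  = $_.Group[0].Source
            EventID = $_.Group[0].EventID
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeGenerated |
                       Select-Object -Last 1).TimeGenerated
        }
    })
}

$findings | Sort-Object Log, Count -Descending |
    Format-Table Log, Source, EventID, Count, Latest -AutoSize

# dcdiag /q prints only failures, so any captured line needs attention.
$dcdiag = @(dcdiag "/s:$Server" /q 2>&1)
$dcdiag | ForEach-Object { "dcdiag: $_" }

# Record the FSMO holders; the thread notes that SBS keeps all of the roles.
netdom query fsmo

if ($findings.Count -eq 0 -and $dcdiag.Count -eq 0) {
    "OK: no AD/DNS errors or warnings on $Server in the last $Days days."
} else {
    "REVIEW: resolve the items above before promoting a second DC."
}
```

Running the same script against both DCs after the promotion gives a before/after comparison of the same logs.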

Bryan Linton
Posted: Sat Jan 15, 2005 5:26 am    Post subject: Re: Adding new 2003 DCs to SBS domain

Thanks for the responses. See follow-ups inline:

"Gordon Ryan" <gryan@r.e.m.o.v.e.this.longneckconsulting.com> wrote in
message news:uSae2no%23EHA.2568@TK2MSFTNGP11.phx.gbl...
Quote:
Please see comments in line

--
Gordon Ryan
Longneck Consulting Pty. Ltd
http://www.longneckconsulting.com
Central Coast, NSW, Australia
"Bryan Linton" <blinton@nospam.connellinsurance.com> wrote in message
news:e10Glfo%23EHA.1300@TK2MSFTNGP14.phx.gbl...
I'm running a network with one SBS 2003 DC and two Windows 2000 member
servers. We just purchased two new servers and a copy of Server 2003 for
the one existing server we plan to keep. One of the new servers will be
running IIS, and I'd like to also DCPromo it as a second DC in my domain.
I have a few questions about this:

If the IIS box will be publishing pages to the web, it would be preferable
not to make it a DC from a security perspective.

It will not be running a public website, per se; our new management system is
.NET-based, so IIS is the go-between between our clients and SQL server (if
I understand it correctly). We do want to give employees remote access to
the system, however; we have one user in a remote office, as well as some
employees who'll want to use the system from home or on the road. Is there
a way I can secure the system adequately for such a scenario that the risk
of making it a DC is minimal? I don't want to make my SQL server a DC, and
I don't have any other machines (other than an older file/print server) that
could serve this purpose. I want a server that can take over the role of
DC/Exchange Server if my SBS 2003 should fail.

Quote:
-- Since the SBS 2003 won't give up any FSMO roles, will I have any
difficulties getting proper replication of AD to occur? I seem to recall
something about one of the FSMO roles needing to be transferred off the
forest root DC for replication to work properly.

Nope, replication will still be fine. The closest you come to issues with
replication and FSMO roles is the infrastructure master not being entirely
happy if it resides on a Global Catalog server. But as SBS is limited to
a single domain, this is a non issue

Whichever machine becomes my second DC, there's no problem with it also
being assigned as a GC server, is there?

Quote:


-- We're using the Standard edition of Exchange that came on the SBS
2003; if I purchase an additional copy of exchange to also run on the IIS
Server / DC running Windows 2003 Std (for redundancy), will I have any
trouble integrating that into my existing infrastructure?

Nope, you just have to think about what type of redundancy you are
getting. You will be able to have public folders on both servers, but a
user's mailbox can only reside on one server.

I didn't know this: I was sure I'd seen discussions of configuring a second
exchange server as a backup. (Later): Ok, I found what I was referring to,
which is to configure clustering for Exchange. Am I correct in thinking SBS
2003 does not support clustering?

Thanks,

Bryan

Quote:
So from a user mailbox perspective the best
you can get is to have half your users on one server and the other half on
the other server. That way if a server fails, only half your users can't
access their mailbox. (Outlook 2000 cached mode will provide the users
with their mailboxes while the server is not available but you will not be
getting any new mail)

I don't want to DCpromo this new server until I can be sure it won't
screw up my existing SBS 2003 configuration.

Assuming you don't do anything crazy, the addition of a new DC to your
existing domain should not cause you issue. Before you start though, make
sure that there are no errors relating to AD or DNS in the event viewer
on your existing server.

Thanks in advance,

Bryan
hth

Gordo

Gordon Ryan
Posted: Tue Jan 18, 2005 2:21 am    Post subject: Re: Adding new 2003 DCs to SBS domain

Just so that we can make this really unreadable, see comments in line ;)

--
Gordon Ryan
Longneck Consulting Pty. Ltd
http://www.longneckconsulting.com
Central Coast, NSW, Australia
"Bryan Linton" <blinton@nospam.connellinsurance.com> wrote in message
news:%234q5wBp%23EHA.3372@TK2MSFTNGP10.phx.gbl...
Quote:
Thanks for the responses. See follow-ups inline:

"Gordon Ryan" <gryan@r.e.m.o.v.e.this.longneckconsulting.com> wrote in
message news:uSae2no%23EHA.2568@TK2MSFTNGP11.phx.gbl...
Please see comments in line

--
Gordon Ryan
Longneck Consulting Pty. Ltd
http://www.longneckconsulting.com
Central Coast, NSW, Australia
"Bryan Linton" <blinton@nospam.connellinsurance.com> wrote in message
news:e10Glfo%23EHA.1300@TK2MSFTNGP14.phx.gbl...
I'm running a network with one SBS 2003 DC and two Windows 2000 member
servers. We just purchased two new servers and a copy of Server 2003
for the one existing server we plan to keep. One of the new servers
will be running IIS, and I'd like to also DCPromo it as a second DC in
my domain. I have a few questions about this:

If the IIS box will be publishing pages to the web, it would be
preferable not to make it a DC from a security perspective.

It will not be running a public website, per se; our new management system
is .NET-based, so IIS is the go-between between our clients and SQL server
(if I understand it correctly). We do want to give employees remote
access to the system, however; we have one user in a remote office, as
well as some employees who'll want to use the system from home or on the
road. Is there a way I can secure the system adequately for such a
scenario that the risk of making it a DC is minimal? I don't want to make
my SQL server a DC, and I don't have any other machines (other than an
older file/print server) that could serve this purpose. I want a server
that can take over the role of DC/Exchange Server if my SBS 2003 should
fail.

If you only need to support a small number of external users, establish VPN
connections for them and continue as planned, i.e. don't publish the IIS box
to the internet, have users establish a VPN first and then connect to the
IIS box across the VPN. From a recovery stand point, you could have a look
at the Software Assurance cold server option, but that is not going to
assist with your IIS need.



Quote:
-- Since the SBS 2003 won't give up any FSMO roles, will I have any
difficulties getting proper replication of AD to occur? I seem to
recall something about one of the FSMO roles needing to be transferred
off the forest root DC for replication to work properly.

Nope, replication will still be fine. The closest you come to issues
with replication and FSMO roles is the infrastructure master not being
entirely happy if it resides on a Global Catalog server. But as SBS is
limited to a single domain, this is a non issue

Whichever machine becomes my second DC, there's no problem with it also
being assigned as a GC server, is there?

Again because it is a single domain, this is not a problem, and is desirable
in some ways.
Quote:



-- We're using the Standard edition of Exchange that came on the SBS
2003; if I purchase an additional copy of exchange to also run on the
IIS Server / DC running Windows 2003 Std (for redundancy), will I have
any trouble integrating that into my existing infrastructure?

Nope, you just have to think about what type of redundancy you are
getting. You will be able to have public folders on both servers, but a
user's mailbox can only reside on one server.

I didn't know this: I was sure I'd seen discussions of configuring a
second exchange server as a backup. (Later): Ok, I found what I was
referring to, which is to configure clustering for Exchange. Am I correct
in thinking SBS 2003 does not support clustering?

Yep, you are correct. Exchange clustering is an Enterprise option, which
also relies on the underlying OS supporting clustering as well, and as you
might have guessed, SBS doesn't support clustering at an OS level. The
closest it comes is NLB (Network Load Balancing) which is a technology that
is really aimed at webservers

Quote:
Thanks,

Bryan

So from a user mailbox perspective the best
you can get is to have half your users on one server and the other half
on the other server. That way if a server fails, only half your users
can't access their mailbox. (Outlook 2000 cached mode will provide the
users with their mailboxes while the server is not available but you will
not be getting any new mail)

I don't want to DCpromo this new server until I can be sure it won't
screw up my existing SBS 2003 configuration.

Assuming you don't do anything crazy, the addition of a new DC to your
existing domain should not cause you issue. Before you start though,
make sure that there are no errors relating to AD or DNS in the event
viewer on your existing server.

Thanks in advance,

Bryan
hth

Gordo



Bryan Linton
Posted: Tue Jan 18, 2005 4:38 am    Post subject: Re: Adding new 2003 DCs to SBS domain

Ok, I'm cleaning house on this post.

Still, see comments inline. :-D

Quote:
If you only need to support a small number of external users, establish
VPN connections for them and continue as planned, i.e. don't publish the
IIS box to the internet, have users establish a VPN first and then connect
to the IIS box across the VPN. From a recovery stand point, you could
have a look at the Software Assurance cold server option, but that is not
going to assist with your IIS need.

I'm actually trying to get away from needing to use the VPN. My users are
already running Office 2003 at home, so they have easy, foolproof access to
their email via RPC over HTTP - no VPN needed there. The last reason we
have to use a VPN is our management system, and since that requirement is
going away with the new system, I was really hoping to eliminate the use of
VPNs altogether. For our remote office, I've set up our firewalls to use an
encrypted tunnel for all traffic between the two sites. Can you tell me
more about the specific security concerns that arise from having the DC
exposed to the internet? My SBS is presently exposed to the internet, to
the extent that my firewall is forwarding traffic on certain ports to the
SBS to enable RWW & OWA.

Quote:
Whichever machine becomes my second DC, there's no problem with it also
being assigned as a GC server, is there?

Again because it is a single domain, this is not a problem, and is
desirable in some ways.

Just for clarification; if I understand correctly you're saying that it IS
desirable to have multiple GC servers, and that I won't have a problem doing
it. (IIRC, I could actually make *every* DC in a domain a GC server,
although it would cause a replication storm any time the GC changed. Is
that right?)

Quote:
Yep, you are correct. Exchange clustering is an Enterprise option, which
also relies on the underlying OS supporting clustering as well, and as you
might have guessed, SBS doesn't support clustering at an OS level. The
closest it comes is NLB (Network Load Balancing) which is a technology
that is really aimed at webservers

That's a shame. For which product is it an Enterprise option: Windows
Server 2003, or Exchange 2003? Or perhaps both?

I guess that means that an organization of our size (roughly 30 employees)
usually has to do without the luxury of redundancy for Exchange? If so, I
guess I'll just have to get really good at doing a quick restore of the OS,
then restoring from tape in Directory Services Restore Mode and replaying
the transaction logs (assuming those haven't also been lost). I should
place those on a separate volume, but I don't have one available at the
moment. Is it a big performance issue if I place the transaction logs on a
different server linked by a gigabit ethernet connection? As I said, I'm
supporting a maximum of 30 simultaneous users in Exchange, and realistically
it's probably more like 20.

Thanks for the great advice. Let me know if I start to wear out my welcome
on this thread. :-p

Bryan