Arkane (Guest)
Posted: Sat Nov 12, 2005 5:50 pm
Post subject: DC Query
Hi there,
We have a single DC (AD Win 2003 Native); we added a secondary DC to provide
a backup for the AD. However, we've found that some clients are logged in by
the first DC and some by the second. We thought all clients would be logged
in by the first DC unless the first DC was offline.
How can we make the clients logon to the first DC and only logon to the
second DC if the first one is offline?
Thanks.

Paul Bergson (Guest)
Posted: Sat Nov 12, 2005 5:50 pm
Post subject: Re: DC Query
AD is a multi-master DB; why would you not want this, so you would have a
balanced workload? If you have set it up so only one responds then you
would have to intervene instead of the system doing it automatically for
you. If you were to shut this DC off and only turn it on in the event of an
emergency you wouldn't have proper AD replication (out of sync and
tombstoned).
I highly, highly recommend against this.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Arkane" <Arkane@discussions.microsoft.com> wrote in message
news:480E03AD-B929-4793-8E3C-42C2C33F60C9@microsoft.com...
| Quote: | [snip: verbatim quote of Arkane's original post, which appears in full as the first post in this thread] |

Arkane (Guest)
Posted: Sat Nov 12, 2005 5:50 pm
Post subject: Re: DC Query
The problem is that, while our main DC is operational, the backup one
responds to logon requests. Shouldn't this only be the case if the main DC is
down, or am I missing something?
I thought other DCs only responded to logon requests if the main DC (the one
holding the PDC role) was down or under heavy load. As our main DC isn't
down, nor is it under heavy load, I don't understand why the backup DC is
logging people on.
The reason we don't want the second DC logging people in is the fact that it
only holds a backup of the AD, DNS and mission-critical shares; it doesn't
hold user data or any other shares.
Rather than turn the secondary DC off (as management are thinking we can
do), would it not be a better idea to install DFS on both DCs and replicate
our mission-critical data, so that IF the secondary DC logs them in, it's not
a problem as data is kept secure and up-to-date?
If the above can be done (and would be a good idea), and we use quotas on a
volume on both servers (which hold home shares), would DFS be able to cope
with quotas like this? (I thought I read somewhere that DFS didn't handle
quotas.)
"Paul Bergson" wrote:
| Quote: | [snip: verbatim quote of Paul Bergson's reply above, including his quote of the original post] |

kj (Guest)
Posted: Sat Nov 12, 2005 9:50 pm
Post subject: Re: DC Query
With all due respect Arkane, your management is really painting themselves
(and you) into a corner seemingly needlessly.
It's important to understand their thinking and the 'why' part of their
requirements before designing a robust solution instead of just creating a
Band-Aid patchwork kludge.
--
/kj
"Arkane" <Arkane@discussions.microsoft.com> wrote in message
news:E520C3A3-1FC9-4201-86A5-6C6E81BD9EF1@microsoft.com...
| Quote: | [snip: verbatim quote of Arkane's "KJ: Thanks for that link..." post, which appears in full elsewhere in this thread, together with the kj and Paul Bergson posts it quotes] |

Arkane (Guest)
Posted: Sat Nov 12, 2005 9:50 pm
Post subject: Re: DC Query
KJ: Thanks for that link, it looks like a good argument I can use to keep
the second DC online; as long as clients don't logon to it, then it should do
what we originally wanted it to do.
Paul: A bit of background might help - the first DC was put in place some 2
years ago as a single DC for the entire site. It was never envisaged or
thought that the number of computers and users would grow as it has done.
This DC went belly-up about 2 weeks ago; no-one could logon or do anything,
and as a result management got scared of what could happen. They ordered a new
server and wanted it put in so people could logon if the first DC ever went
down again. This was fine up until the clients started to use the secondary
DC last week: sometimes they would use the first DC, sometimes the second. I
couldn't track down a pattern to why it was doing this; the first DC wasn't
under heavy load or anything that I could see. Management ordered the
secondary DC to be shut down or to be crippled so it couldn't log users on
except with manual intervention, in the event that the first DC goes down.
I didn't like this idea entirely, but you know how it goes - so I left the
secondary DC online and changed the login scripts to point everything at the
first DC. Not the way I like to do things. I was told I couldn't have another
server just for the data; it had to stay on the first DC. They didn't want
the data on the second DC (not sure why).
I thought if I could convince them to let me use DFS, I could replicate the
data across both servers, so if the first DC did go down, the secondary could
do its job and still have copies of important data sets. I didn't want to
approach them with this idea until I knew DFS could cope with disk quotas or
whether I'd have to either remove disk quotas or go for a 3rd-party solution.
The link KJ provided lets me do what management want, but it's not a very
robust solution in terms of keeping the data accessible and secure.
So, all I need to know is: if I have disk quotas on the first DC and use the
same quotas on the second DC and then install DFS, am I going to have
problems with quotas not being supported by DFS, or am I getting somewhat
confused?
Another thought - if I were to replicate the shares and data manually (to
avoid massive amounts of replication when DFS is first set up), would that
cause any problems, or should I just let DFS and FRS handle it?
"kj" wrote:
| Quote: | [snip: verbatim quote of kj's "OK, well I believe this is what I was thinking" post, which appears in full elsewhere in this thread, together with the posts it quotes] |

kj (Guest)
Posted: Sat Nov 12, 2005 9:50 pm
Post subject: Re: DC Query
OK, well I believe this is what I was thinking. Suggest OP research and test
and consider other opinions as I haven't tested it myself (yet, but I have
an ideal candidate in mind!).
Quote from the article
http://support.microsoft.com/default.aspx?scid=kb;en-us;315071
===
"If the setting is applied to one domain controller, reduce the DNS LDAP
priority on the domain controller so that clients are less likely to use the
server for authentication. On the domain controller with the increased
priority, use the following registry setting to set LdapSrvPriority:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
On the Edit menu, click Add Value, and then add the following registry
value:
Entry name: LdapSrvPriority
Data type: REG_DWORD
Value: Set the value to the value of the priority that you want."
===
More information can be found in
http://support.microsoft.com/default.aspx?scid=kb;en-us;306602
SRV priority is like MX records and the default priority is 100, so use
something like 200 on the non-preferred DC.
--
/kj
"kj" <kj@nowhere.com> wrote in message
news:OQPHaI75FHA.2888@tk2msftngp13.phx.gbl...
| Quote: | [snip: verbatim quote of kj's "If one were to have capability mismatched servers" post, which appears in full elsewhere in this thread, together with the posts it quotes] |
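The SRV-priority behaviour kj describes, as an added example that is not part of the thread and not Microsoft's code: a small Python model of how an RFC 2782 client picks a domain controller from `_ldap._tcp` SRV records. The host names (`dc1.example.local`, `dc2.example.local`), the record set and the weights are constructed; the priorities are the values from kj's post (100 on both DCs, then 200 on the non-preferred one). It assumes the Windows DC locator honours RFC 2782 ordering, which is exactly what the LdapSrvPriority setting relies on. The point it makes: with equal priorities the choice is weighted-random, so Arkane's "sometimes the first DC, sometimes the second" is the expected behaviour, and a higher priority number on the second DC means it is only used when the first does not answer.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as a DC registers it in DNS."""
    target: str
    priority: int  # RFC 2782: lower value is tried first
    weight: int    # relative share among targets of equal priority
    port: int = 389


# Constructed record sets; host names are hypothetical.
# Both DCs at the same priority: clients spread logons across them.
DEFAULT_RECORDS = (
    SrvRecord("dc1.example.local", priority=100, weight=100),
    SrvRecord("dc2.example.local", priority=100, weight=100),
)
# After setting LdapSrvPriority=200 on dc2 (the non-preferred DC).
PREFERRED_RECORDS = (
    SrvRecord("dc1.example.local", priority=100, weight=100),
    SrvRecord("dc2.example.local", priority=200, weight=100),
)


def select_target(records, reachable, rng=random):
    """Choose one target the way an RFC 2782 client does.

    Only the lowest-priority tier among reachable targets is considered;
    within that tier the choice is weighted-random. Targets whose name is
    not in `reachable` stand for DCs that are down and are skipped, which
    is the only way a higher-priority-number tier gets used at all.
    """
    live = [r for r in records if r.target in reachable]
    if not live:
        return None  # no DC answers: the logon fails
    best = min(r.priority for r in live)
    tier = [r for r in live if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier).target
    pick = rng.randrange(total)
    for r in tier:
        pick -= r.weight
        if pick < 0:
            return r.target
    return tier[-1].target


def logon_distribution(records, reachable, trials=10000, seed=2005):
    """Fraction of simulated client logons that land on each DC."""
    rng = random.Random(seed)
    counts = Counter(select_target(records, reachable, rng) for _ in range(trials))
    return {target: round(n / trials, 2) for target, n in counts.items()}


if __name__ == "__main__":
    both = {"dc1.example.local", "dc2.example.local"}
    print("equal priority, both up:      ", logon_distribution(DEFAULT_RECORDS, both))
    print("dc2 at priority 200, both up: ", logon_distribution(PREFERRED_RECORDS, both))
    print("dc2 at priority 200, dc1 down:",
          logon_distribution(PREFERRED_RECORDS, {"dc2.example.local"}))
```

Only the relative order of the priority values matters, not the absolute numbers. To check what a real domain has registered, query the SRV records the DCs publish (for example `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>`) and confirm the non-preferred DC shows the higher priority number after the registry change and a Netlogon restart.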

Paul Bergson (Guest)
Posted: Sat Nov 12, 2005 9:50 pm
Post subject: Re: DC Query
inline
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Arkane" <Arkane@discussions.microsoft.com> wrote in message
news:0472C45D-6C45-4E04-B2EF-1518625AA0D4@microsoft.com...
| Quote: | The problem is that, while our main DC is operational, the backup one
responds to logon requests. Shouldn't this only be the case if the main DC is
down or am I missing something? |
No, they both should be responding to logon requests.
| Quote: | I thought other DCs only responded to logon requests if the main DC (the one
holding the PDC role) was down or under heavy load, as our main DC isn't
down, nor is it under heavy load, I don't understand why the backup DC is
logging people on. |
It is an AD replica providing full logon services.
| Quote: | The reason we don't want the second DC logging people in is the fact that it
only holds a backup of the AD, DNS and mission-critical shares, it doesn't
hold user data or any other shares. |
The only thing this second DC doesn't hold would be any user-specific data
you may have placed there and (probably) the FSMO roles. You need two up
and running at all times.
| Quote: | Rather than turn the secondary DC off (as management are thinking we can
do), would it not be a better idea to install DFS on both DCs and replicate
our mission-critical data, so that IF the secondary DC logs them in, it's not
a problem as data is kept secure and up-to-date?
If the above can be done (and would be a good idea), if we use quotas on a
volume on both servers (which hold home shares), would DFS be able to cope
with quotas like this? (I thought I read somewhere that DFS didn't handle
quotas) |
Don't turn off the second DC. Bad, bad, business-critical bad.
I'm unsure on the quotas question relative to DFS. Do you have data that
only resides on one of the DCs? It would be better served if you only
allowed the DCs to provide DC services.
| Quote: | [snip: verbatim quote of Paul Bergson's first reply, which appears in full above, including his quote of the original post] |

kj (Guest)
Posted: Sat Nov 12, 2005 9:50 pm
Post subject: Re: DC Query
If one were to have capability-mismatched servers, like say a Virtual
Machine or a very low-end server platform providing just a second source for
AD. Otherwise, like you said Paul, what's the point?
As I recall, there was a way (registry setting?) to have the DC register
SRV records with a different (lower) priority. It would keep the second DC
online and replication current, yet not be the primary target of logons and
lookups.
I'll dig around and see if I can find it.....
--
/kj
"Paul Bergson" <pbergson@allete.com> wrote in message
news:%23QM5$x65FHA.1032@TK2MSFTNGP11.phx.gbl...
| Quote: | [snip: verbatim quote of Paul Bergson's first reply, which appears in full above, including his quote of the original post] |

Paul Bergson (Guest)
Posted: Sun Nov 13, 2005 1:50 am
Post subject: Re: DC Query
There wouldn't have been a problem had you always had two DCs up and
running; the problem happened because you only had ONE up and running. Forget
all other arguments: if you lose one DC and the other is on the side
(unless you have replication going; I haven't looked at the article kj came up
with, but that sounds like it might work) you are just like you were before.
They should make management decisions and you should make IT decisions.
Keep both online all the time. If they can't follow your guidance I think
it is time you started looking for another job. If there is a disaster you
will be held responsible.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Arkane" <Arkane@discussions.microsoft.com> wrote in message
news:E520C3A3-1FC9-4201-86A5-6C6E81BD9EF1@microsoft.com...
| Quote: | [snip: verbatim quote of Arkane's "KJ: Thanks for that link..." post, which appears in full above, together with the kj and Paul Bergson posts it quotes] |

Arkane (Guest)
Posted: Sun Nov 13, 2005 1:50 pm
Post subject: Re: DC Query
Unfortunately, I don't even believe they know 'why' they want it this way.
I can understand their point that if the second DC logs someone in, they
won't get all the data - granted, but that can be got around by
replicating the data or, better yet, having a server just for important data,
and letting the DCs do their job.
I'm not a fan of 'patching' anything; if something's worth doing, it's worth
doing right or not at all.
Thanks for your help though, I'm hoping I won't need to use the link you
gave me and that they'll either let me use DFS or put a data-only server up.
"kj" wrote:
| Quote: | With all due respect Arkane, your management is really painting themselves
(and you) into a corner seemingly needlessly.
It's important to understand their thinking and the 'why' part of their
requirements before designing a robust solution instead of just creating a
Band-Aid patchwork kludge.
--
/kj
"Arkane" <Arkane@discussions.microsoft.com> wrote in message
news:E520C3A3-1FC9-4201-86A5-6C6E81BD9EF1@microsoft.com...
KJ: Thanks for that link, it looks like a good argument I can use to keep
the second DC online, as long as clients don't logon to it then it should do
what we originally wanted it to do.
Paul: A bit of background might help - the first DC was put in place some 2
years ago as a single DC for the entire site. It was never envisaged or
thought that the number of computers and users would grow as it has done.
This DC went belly-up about 2 weeks ago, no-one could logon or do anything,
as a result management got scared of what could happen. They ordered a new
server and wanted it put in so people could logon if the first DC ever went
down again. This was fine up until the clients started to use the secondary
DC last week, sometimes they would use the first DC, sometimes the second. I
couldn't track down a pattern to why it was doing this, the first DC wasn't
under heavy load or anything that I could see. Management ordered the
secondary DC to be shut down or to be crippled so it couldn't log users on
except with manual intervention, in the event that the first DC goes down.
I didn't like this idea entirely, but you know how it goes - so I left the
secondary DC online and changed the login scripts to point everything at the
first DC. Not the way I like to do things. I was told I couldn't have another
server just for the data, it had to stay on the first DC. They didn't want
the data on the second DC (not sure why).
I thought if I could convince them to let me use DFS, I could replicate the
data across both servers, so if the first DC did go down, the secondary could
do its job and still have copies of important data sets. I didn't want to
approach them with this idea until I knew DFS could cope with disk quotas or
whether I'd have to either remove disk quotas or go for a 3rd party
solution.
The link KJ provided lets me do what management want, but it's not a very
robust solution in terms of keeping the data accessible and secure.
So, all I need to know is if I have disk quotas on the first DC and use the
same quotas on the second DC and then install DFS, am I going to have
problems with quotas not being supported by DFS or am I getting somewhat
confused?
Another thought - if I were to replicate the shares and data manually (to
avoid massive amounts of replication when DFS is first setup), would that
cause any problems or should I just let DFS and FRS handle it?
"kj" wrote:
OK, well I believe this is what I was thinking. Suggest OP research and test
and consider other opinions as I haven't tested it myself (yet, but I have
an ideal candidate in mind!).
Quote from the article
http://support.microsoft.com/default.aspx?scid=kb;en-us;315071
===
"If the setting is applied to one domain controller, reduce the DNS LDAP
priority on the domain controller so that clients are less likely to use the
server for authentication. On the domain controller with the increased
priority, use the following registry setting to set LdapSrvPriority:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
On the Edit menu, click Add Value, and then add the following registry
value:
Entry name: LdapSrvPriority
Data type: REG_DWORD
Value: Set the value to the value of the priority that you want."
===
More information can be found in
http://support.microsoft.com/default.aspx?scid=kb;en-us;306602
SRV priority is like MX records and the default priority is 100, so use
something like 200 on the non-preferred DC.
--
/kj
"kj" <kj@nowhere.com> wrote in message
news:OQPHaI75FHA.2888@tk2msftngp13.phx.gbl...
If one were to have capability mismatched servers, like say a Virtual
Machine or a very low end Server platform providing just a second source
for AD. Otherwise, like you said Paul, what's the point?
As I recall, there was a way (registry setting?) to have the DC register
SRV records with a different (lower) priority. It would keep the second DC
online and replication current, yet not be primary target of logons and
lookups.
I'll dig around and see if I can find it.....
--
/kj
"Paul Bergson" <pbergson@allete.com> wrote in message
news:%23QM5$x65FHA.1032@TK2MSFTNGP11.phx.gbl...
AD is a multi-master DB, why would you not want to, so you would have a
balanced work load? If you have set it up so only one responds then you
would have to intervene instead of the system doing it automatically for
you. If you were to shut this dc off and only turn it on in the event of an
emergency you wouldn't have a proper ad replication (Out of sync and
tombstoned).
I highly, highly recommend against this.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Arkane" <Arkane@discussions.microsoft.com> wrote in message
news:480E03AD-B929-4793-8E3C-42C2C33F60C9@microsoft.com...
Hi there,
We have a single DC (AD Win 2003 Native), we added a secondary DC to provide
a backup for the AD. However we've found that some clients are logged in by
the first DC and some by the second. We thought all clients would be logged
in by the first DC unless the first DC was offline.
How can we make the clients logon to the first DC and only logon to the
second DC if the first one is offline?
Thanks.
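The LdapSrvPriority change kj quotes from KB 315071, carried through end to end as an added example. This is not code from the thread or from the Microsoft article; the host role (DC2 as the less-preferred DC) and the domain name corp.example are assumed, and Resolve-DnsName needs the DnsClient module (Windows Server 2012 / PowerShell 3.0 or later; on a 2003-era box use nslookup -type=SRV instead). One factual caveat for the thread: Netlogon registers DC SRV records with priority 0 and weight 100 by default, so any positive priority on the secondary already makes it the less-preferred target; the 200 used here simply leaves room. A sibling value, LdapSrvWeight, adjusts the weight within one priority level. This is a DC locator preference, not access control: a client that has already located DC2 keeps using it until its locator cache expires, and nothing here stops an explicit bind to DC2. That is also why it is the safer answer to management's request than powering the second DC off, which is the replication and tombstone problem Paul warns about.

```powershell
# Added example, not from the original thread or from KB 315071.
# Run in an elevated PowerShell session ON the DC that should be the
# less-preferred logon target (called DC2 here; DC2 and the domain
# corp.example are assumptions, substitute your own).

$Domain   = 'corp.example'   # assumed: the AD DNS domain name
$Priority = 200              # the value kj suggests; Netlogon's own default is 0
$Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Record what is in place now. No value present means Netlogon's default (0).
$current = (Get-ItemProperty -Path $Key -Name LdapSrvPriority -ErrorAction SilentlyContinue).LdapSrvPriority
if ($null -eq $current) { 'LdapSrvPriority not set; Netlogon default (0) in effect' }
else                    { "LdapSrvPriority currently $current" }

# 2. Set the SRV priority. In SRV records a HIGHER number is LESS preferred
#    (RFC 2782), the same way MX preference works. -Force overwrites an
#    existing value. LdapSrvWeight (default 100) is the companion knob for
#    weighting between DCs that share a priority.
New-ItemProperty -Path $Key -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null

# 3. Netlogon re-registers this DC's SRV records when it starts; nltest /dsregdns
#    asks it to do so again immediately rather than waiting for the periodic refresh.
Restart-Service -Name Netlogon -Force
nltest /dsregdns | Out-Null

# 4. Verify from DNS: every DC's LDAP SRV record for the domain, with priority and weight.
#    Expected: the preferred DC at priority 0, this DC at 200, both weight 100.
#    If this DC also still appears at priority 0, a stale record was left behind;
#    allow the dynamic update a minute or remove the old entry in the DNS console.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, NameTarget |
    Format-Table NameTarget, Priority, Weight, Port -AutoSize

# 5. From a member workstation (not from either DC, which would prefer itself), confirm
#    which DC the locator now returns; /force discards the client's cached DC:
#      nltest /dsgetdc:corp.example /force
```

Apply the registry value to the secondary DC only; if both DCs end up at the same priority the locator is back to spreading logons across them, which is exactly the behaviour the original post is trying to get rid of. Replication between the two DCs is unaffected by any of this, so the second DC stays a current copy of the directory.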
Arkane
Guest
Posted:
Sun Nov 13, 2005 1:50 pm Post subject:
Re: DC Query
Inline.
"Paul Bergson" wrote:
| Quote: | There wouldn't have been a problem had you always had two dc's up and
running; the problem happened since you only had ONE up and running. Forget
all other arguments, you lose one dc and even if the other is on the side
(Unless you have replication going, I haven't looked at the article kj came up
with but that sounds like it might work) you are just like you were before. |
I know, I've tried to tell them this BEFORE I put the second DC in but they
didn't listen. They want their cake and eat it, they want the 2 DC model so
the AD is backed up but they don't want the second DC to service logons. Of
course if they let me put the data on another server, then it wouldn't matter
if the second DC did log a user on. If they won't do that then I'm gonna push
the DFS idea rather than having to shut down the secondary DC.
| Quote: | They should make management decisions and you should make IT decisions.
Keep both online all the time. If they can't follow your guidance I think
it is time you started looking for another job. If there is a disaster you
will be held responsible. |
I quite agree, I'll try and push the 'new data server' or DFS idea and if no
go, I'll start job hunting. Thanks for your help though, it's appreciated.
| Quote: | --
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
|