Need help with Windows Server 2003

69cents
Hi all, this is my 1st post here. I have a few questions to ask about Windows Server 2003 and domains. I'm trying to set up a domain network in my office for internal use, so my questions are:

1. How do I set up a second server (identical hardware and software settings to the primary DC) to become my secondary (backup) domain controller? Is there any setting in Windows? This secondary DC is for emergencies, just in case my primary DC fails, and it will be on the same network.
2. Do I have to hook up the second DC simultaneously? Can it be done?
3. How would the primary sync and update the secondary DC? Is there a setting?
4. What are the minimum and maximum character limits for user IDs and passwords? Where can I set the limit?
5. How do I broadcast to the clients connected to my DC if I need to do maintenance on the DC or any member servers?
6. For software deployment to my clients, is Windows Server 2003 equipped with this? Any recommendations for third-party software deployment tools?


TQ very much..... :D

Comments

  • Sie
    Welcome :D

    Sorry to sound sharp, but if you're asking this many and varied questions, I think you really need a book or guide to start with to run you through these processes.

    What material are you using to help you set this up, or are you just making it up as you go along?

    (This is meant in no way offensively :) I just mean I think it will be easier and quicker for you to have reference material to take it step by step and understand what is being done than to just say press 'a' then 'b' then 'c'.)
    Foolproof systems don't take into account the ingenuity of fools
  • Ricka182
    I would partially agree with Sie... you may need to get a reference manual for Server 2003. If you're not interested in getting certified, there are just admin manuals you can buy for not that much. I can say the following about your questions, without going into too much detail...

    For a second server, just set it up. You should wait until the PDC is up to make sure it's what you want, then just do the BDC. When you run dcpromo, you can indicate a lot there as to the machine's position on the network and domain... replication between DCs is automatic, and yes, you can change the settings.... For passwords, I think the minimum is 8 by default and 127 for a max; I may be wrong there.... I'm certainly no expert on Server 2003, but like Sie said, you should get a more permanent reference than this or another forum......
    i remain, he who remains to be....
  • sprkymrk
    69cents wrote:
    1. How do I set up a second server (identical hardware and software settings to the primary DC) to become my secondary (backup) domain controller? Is there any setting in Windows? This secondary DC is for emergencies, just in case my primary DC fails, and it will be on the same network.
    2. Do I have to hook up the second DC simultaneously? Can it be done?
    3. How would the primary sync and update the secondary DC? Is there a setting?
    4. What are the minimum and maximum character limits for user IDs and passwords? Where can I set the limit?
    5. How do I broadcast to the clients connected to my DC if I need to do maintenance on the DC or any member servers?
    6. For software deployment to my clients, is Windows Server 2003 equipped with this? Any recommendations for third-party software deployment tools?

    I have to agree with the others. We like to be helpful here, but it sounds like you really need to pick up a good W2K3 book. I would recommend one by author Mark Minasi.

    Here are the short answers to your questions:

    1. Make sure your first server is online, run dcpromo on the second server, and during setup make sure you select the option to set the DC up in an existing domain and not a new one.
    2. Not sure exactly what you mean. Both servers need to be online and able to talk to each other (i.e., on the network).
    3. Automatic among domain controllers.
    4. You set this in Group Policy under the Default Domain Policy: Computer Policy > Windows Settings > Security Settings.
    5. Email or net send will work.
    6. You can deploy it through Group Policy if it's an MSI file; otherwise a third-party or another MS product is recommended, like SMS.

    Good luck, and after you pick up a good book if you have any trouble implementing or understanding something you read please feel free to post back. :)
    All things are possible, only believe.
  • Sie
    Just to clarify, I wasn't saying we aren't willing to help here, just that I know for myself I HAVE to know why I'm doing things rather than just how to do them.
    So when something goes wrong (as it usually does), I have a much better idea of how to rectify it.

    Hope it didn't come out as a big grumpy ogre!
  • 69cents
    :D TQ all for the replies. Actually I'm not looking for a step-by-step guide, I just need a quick direction on where or how for my questions. I was in a rush while composing my questions, sorry for not explaining.... Btw, I just took Microsoft Course 2273B and did a small presentation, so I was asked the questions I asked and I need to give feedback. I still haven't had real hands-on with Windows Server 2003 yet though.... So anyway, if you guys have any more feedback, let me know. TQ :D
  • 69cents
    Oh, the domain is not set up yet.... This question is for giving feedback from my presentation.
    Btw, what is the general term for the second (backup) DC called?
  • sprkymrk
    69cents wrote:
    Btw what is the general term for the second backup DC called?

    In W2K and W2K3, the concept of a Primary Domain Controller and Backup Domain Controller (PDC and BDC) is now somewhat gray. MS says that in W2K and up all DCs are created equal, which in a way they are. I'll get to that in a minute.

    In the old days (NT), the PDC held the only writable copy of the SAM file and database, while the BDCs all had a read-only copy. So users could authenticate against a BDC (log on to the domain, access network resources, etc.), but any changes (such as creating new accounts, changing passwords, etc.) had to be done on the PDC. Replication then copied the changes to the BDCs from the PDC. This could obviously create problems in a large distributed network/domain that spanned multiple remote sites or a wide geographic area, as you could only have one PDC; all others were BDCs.

    Now, changes can occur on any DC in the domain. AD replication is much more efficient than the old NT4 system. Since changes can happen on any DC in the entire domain, all DCs are supposedly equal. However, there are a few roles that are by default only on the first DC brought up in a domain/forest, referred to as the Flexible Single Master Operations (FSMO) roles. These include things like the Global Catalog and PDC emulator. These can be moved to other DCs, but by default are on the first (and only the first) DC in a domain/forest. This in effect makes one DC more important than the others by default, as certain operations in the domain can only be handled by that server. As mentioned though, the defaults can be changed if desired.

    So to answer your question - they are all just called Domain Controllers, not primary or backup.
  • jasonboche
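The role split described in the post above can be checked directly rather than remembered. The script below is an added example, not code from the thread or from Microsoft: it reads the five FSMO role holders out of the directory with plain ADSI (the same data `netdom query fsmo` reports) and then lists the Global Catalog servers separately, because GC is an option bit on each DC's NTDS Settings object rather than a FSMO role, so a forest can have many. It assumes it runs on a domain-joined machine as any authenticated user; no names or paths are hard-coded, everything comes from RootDSE.

```powershell
# Added example (not from the thread): enumerate FSMO role holders and GCs via ADSI.
# Assumes a domain-joined machine; any authenticated user can read these objects.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# fSMORoleOwner holds the DN of the role holder's NTDS Settings object; its parent
# is the server object, whose dNSHostName is the name an admin actually wants.
function Get-RoleHolder([string]$ObjectDn) {
    $obj    = [ADSI]"LDAP://$ObjectDn"
    $ntds   = [ADSI]"LDAP://$($obj.fSMORoleOwner)"
    $server = [ADSI]$ntds.Parent
    return [string]$server.dNSHostName
}

# Each role lives on a different object; the RID master's object name contains a
# literal "$", hence the single-quoted concatenation.
$roles = @{
    'Schema master'         = $schemaNc
    'Domain naming master'  = "CN=Partitions,$configNc"
    'PDC emulator'          = $domainNc
    'RID master'            = 'CN=RID Manager$,CN=System,' + $domainNc
    'Infrastructure master' = "CN=Infrastructure,$domainNc"
}
foreach ($name in $roles.Keys) {
    '{0,-22} {1}' -f $name, (Get-RoleHolder $roles[$name])
}

# Global Catalog: every nTDSDSA object whose "options" attribute has bit 0x1 set.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter     = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
foreach ($result in $searcher.FindAll()) {
    $server = [ADSI]([ADSI]$result.Path).Parent
    '{0,-22} {1}' -f 'Global Catalog', [string]$server.dNSHostName
}
```

If every line of output names the same server, that is the "first DC carries everything" default the post describes; the point of the check is to know which DC you cannot afford to lose before it fails, and to seize or transfer roles deliberately rather than discover them missing during an outage.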
    And in Windows 2008 (old codename Longhorn) we go back to the concept of read-only domain controllers again (albeit for a specific reason/purpose). Wish they'd make up their minds.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
  • royal
    69cents wrote:
    3. How would the primary sync and update the secondary DC? Is there a setting?

    The way I usually do this is as follows:

    Set the DNS to point to DC1. Do the DCPROMO and add it as another DC in an existing domain. It will then become DC2. Install DNS on DC2 and don't do any configuration. When replication occurs, DC1 will see that DNS is installed on DC2 and will automatically bring over the DNS partitions to DC2. It will then add an NS record for DC2, and they will replicate that to each other as well. I would then point DC1's primary DNS IP to DC2 and have itself as the secondary DNS. Since DC2 already has DC1 as its primary, I would leave that alone and then have itself as the secondary DNS.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk
    I wanted to let you all know I moved Royal's first reply to the W2K8 forum:

    http://www.techexams.net/forums/viewtopic.php?t=23692

    It was a very informative post, but since it was a bit off-topic here I wanted to move it where it would be found easier by some one looking for W2K8 information. I named the topic Read-Only Domain Controllers in W2K8.

    Thanks for the post, Royal, hope you don't mind me moving it.

    sprkymrk

    PS - This topic was also moved here to 70-290 from the Off Topic forum for the same reason, i.e. it belongs here. :)
  • royal
    How could you Mark! Just kidding, all is good. At first I started to type in reply to Jason's post and then since I was bored in a hotel with nothing to do, I just kept typing. Eventually I thought, this should probably be in the 2008 forums, so you made the wise choice. :)
  • royal
    royal wrote:
    I would then point DC1's primary DNS IP to DC2 and have itself as the secondary DNS. Since DC2 already has DC1 as its primary, I would leave that alone and then have itself as the secondary DNS.

    I just wanted to add some more information on why you would want to do this. In 2000 Server, there was an issue called Island DNS. Basically, if a DC pointed to itself for DNS, it would register the Domain Controller locator CNAME record for DsaGuid._msdcs.ForestDnsName in its own zone. This would cause other domain controllers not to have a copy of it. Because of this, a DC would essentially be on an "island." In Server 2003, several things were done behind the scenes to prevent this. One of them was creating an application partition called ForestDNSZones. The _msdcs zone is now a forest-replicated DNS zone, and a delegation within your domain's DNS zone has been created to point to this forest-replicated _msdcs zone. This forest-wide _msdcs DNS zone will contain all the Domain Controller locator CNAME records. Now all domain controllers in a forest will contain that forest-replicated DNS zone, so they will all know about all the domain controllers in the entire forest.

    Even in Server 2003, it's still advised to configure another server as its primary DNS server. I can think of 2 reasons. One is reassurance that no bizarre case of island DNS reoccurs. Another is because if a DC is configured to use itself as a DNS server, you will notice that it will take forever at Network Connections to start up. This is because Active Directory requires DNS to function. Since it's a DC, it has to wait for DNS to fully start up and become functional. Then other functions for AD can begin and the box eventually comes up. If you have the primary DNS server pointed to the other DC, it will most likely be booted up already. Now when you're booting up a DC, it'll be able to pull DNS information immediately due to its primary DNS being pointed to an already booted-up DC.

    Hope this helps as well :)
  • 69cents
    Wow guys, TQ so much for the replies. I'm not that advanced a Win Server 2003 user; in fact, I haven't started with the installation yet. So I'm a little bit confused & SCARED hehehehhehe...... anyway, TQ so much...
  • 69cents
    Got my questions 1 to 3 answered after reading the replies and a little research. TQ :)
    For question #4, I managed to find out that for the password, the minimum is 0 characters and the maximum is 127.
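The "point each DC at a partner first, itself second" rule from the two posts above is easy to state and easy to drift away from as DCs are added and retired. The script below is an added example, not something from the thread: it discovers every DC in the forest from the Sites container and reads each one's DNS client search order over WMI, flagging a DC whose first DNS server is one of its own addresses (the slow-boot and island-DNS case royal describes), a DC with a single DNS server and no fallback, and a DC that does not list itself at all. It assumes admin rights and RPC reachability to each DC; nothing else is hard-coded.

```powershell
# Added example (not from the thread): audit DC DNS client ordering over WMI.
# Assumes admin rights on each DC and that RPC/DCOM to them is not blocked.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext

# Every DC has an nTDSDSA object under its server object in the Sites container;
# walking up one level gives the server's dNSHostName.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter     = '(objectClass=nTDSDSA)'
$dcs = @($searcher.FindAll() | ForEach-Object {
    [string]([ADSI]([ADSI]$_.Path).Parent).dNSHostName
} | Where-Object { $_ })

function Test-DcDnsOrder([string]$Dc) {
    $nics = @(Get-WmiObject -ComputerName $Dc -Class Win32_NetworkAdapterConfiguration `
                -Filter 'IPEnabled = TRUE')
    # All IPs bound on the DC, so "points to itself" catches any local address.
    $ownIps = @($nics | ForEach-Object { $_.IPAddress })
    foreach ($nic in $nics) {
        $order = @($nic.DNSServerSearchOrder)
        if ($order.Count -eq 0) {
            '{0,-30} {1,-40} {2}' -f $Dc, '(none)', 'WARN no DNS servers configured'
            continue
        }
        $verdict = if ($ownIps -contains $order[0]) {
                       'WARN primary DNS is itself (slow boot, island DNS risk)'
                   } elseif ($order.Count -lt 2) {
                       'WARN single DNS server, no fallback'
                   } elseif (-not ($order | Where-Object { $ownIps -contains $_ })) {
                       'INFO does not list itself as a secondary'
                   } else {
                       'OK'
                   }
        '{0,-30} {1,-40} {2}' -f $Dc, ($order -join ','), $verdict
    }
}

foreach ($dc in $dcs) {
    try   { Test-DcDnsOrder $dc }
    catch { '{0,-30} {1}' -f $dc, "ERROR $($_.Exception.Message)" }
}
```

This only checks the client side. To confirm the server side that royal describes (the forest-replicated `_msdcs` zone and its delegation, and that each DC's locator CNAME is present everywhere), run `dcdiag /test:dns` on a DC and `repadmin /showrepl` to see that the DNS application partitions are actually replicating.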
    http://www.microsoft.com/technet/security/smallbusiness/topics/networksecurity/enforce_strong_passwords.mspx
    Still can't find it for the user name. Questions 5 to 6, still searching....
  • 69cents
    sprkymrk wrote:
    5. Email or net send will work.
    6. You can deploy it through Group Policy if it's an MSI file; otherwise a third-party or another MS product is recommended, like SMS.

    Can you tell me more about net send? What if I want to deploy antivirus patches or maybe software like Microsoft Office; is that considered an MSI file?
  • royal
    Well, for 5, as Mark stated, you can use the net send command. One issue with this is that you need the Messenger service to be running. Since XP SP2, the Messenger service is disabled by default.

    A popular choice for software deployment is Systems Management Server (SMS). The upcoming successor to SMS, entitled System Center Configuration Manager 2007, is currently available via beta distribution. You can read more about this here.

    Also, here's a cool little trick regarding password lengths. Group Policy does not let you configure password policies to be greater than 14 characters. If you want to take advantage of longer passwords, there are a couple of ways of doing this. There is one way for Windows 2000 and another for Windows 2003.

    The following is taken from: http://www.techgalaxy.net/Docs/Security/How_secure_is_your_password.htm
    Forcing the Use of Longer Passwords
    On Windows Server 2003 you can force users to use passwords longer than 14 characters by using ADSI Edit, as described below.

    1. Start ADSI Edit.
    2. Go to the domain object, e.g. DC=TechGalaxy,DC=net.
    3. Right-click and select Properties.
    4. Look for an attribute called MinPwdLength.
    5. Edit the value and enter a new minimum length for the password. The default value is 7.

    In Windows 2000 you can edit the .adm file to force users to use a password that's more than 14 characters. In Windows Server 2003 this technique doesn't work. In fact, if you try this in Windows Server 2003 and set the password length to more than 14 characters, you will get errors and the password length will be set to 7. Luckily, you can use ADSI Edit to work around this problem.
  • royal
    69cents wrote:
    Can you tell me more about net send? What if I want to deploy antivirus patches or maybe software like Microsoft Office; is that considered an MSI file?
    There are very basic software distribution methods via Group Policy. This is done by using MSI files. Lots of software these days comes distributed as an MSI file. If there is no MSI file, you can actually use something called a ZAP file. You can read about how to distribute non-MSI files using ZAP files here. MSI files are essentially files that are packaged with all the files and instructions on how to install the program in one file. They also allow for enhanced features such as self-healing. For example, if a file from software installed via the distribution of an MSI file becomes corrupt, the installation will automatically re-install the specific file needed from the remote MSI package and fix itself. MSI distribution also allows for remote uninstallation. If you use ZAP files and ever need to uninstall the software from a client machine, you have to actually go to that machine to do the uninstall.
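Both the Group Policy location sprkymrk gave for question 4 and the ADSI Edit trick quoted above end up in the same place: the password policy attributes on the domain object itself. The script below is an added example, not code from the thread or from the quoted article: it reads that effective policy back (minimum length, history, maximum age, complexity flag, lockout threshold) with plain ADSI, and optionally performs the same `minPwdLength` write that ADSI Edit does. Reading needs no special rights; the write needs Domain Admin or equivalent. The `-MinimumLength` parameter and the 20-character value in the usage note are illustrative.

```powershell
# Added example (not from the thread): read the domain password policy from the
# domain object and optionally set minPwdLength the way the ADSI Edit trick does.
# Assumes a domain-joined machine; the write needs Domain Admin rights.
param(
    [int]$MinimumLength = 0   # 0 = report only; e.g. 20 to require 20 characters
)

$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# maxPwdAge and friends come back as COM LargeInteger objects (HighPart/LowPart)
# holding a negative count of 100-nanosecond ticks; rebuild the Int64 by hand.
function ConvertFrom-LargeInteger($li) {
    $low = [int64]$li.LowPart -band 0xFFFFFFFF
    return ([int64]$li.HighPart * 4294967296) + $low
}

function Get-DomainPasswordPolicy {
    $ageTicks = ConvertFrom-LargeInteger $domain.maxPwdAge.Value
    # Int64.MinValue (0x8000000000000000) encodes "password never expires".
    $ageDays  = if ($ageTicks -eq [int64]::MinValue) { 'never' } else { -$ageTicks / 864000000000 }
    $complex  = ([int]$domain.pwdProperties.Value -band 1) -ne 0   # DOMAIN_PASSWORD_COMPLEX
    return @{
        MinimumLength      = [int]$domain.minPwdLength.Value
        HistoryLength      = [int]$domain.pwdHistoryLength.Value
        MaximumAgeDays     = $ageDays
        ComplexityRequired = $complex
        LockoutThreshold   = [int]$domain.lockoutThreshold.Value
    }
}

Get-DomainPasswordPolicy | Format-Table -AutoSize

if ($MinimumLength -gt 0) {
    # Same write as ADSI Edit -> domain object -> minPwdLength. Caveat: if the
    # Default Domain Policy also defines "Minimum password length", Group Policy
    # re-applies that value on its next refresh, so re-read the attribute
    # afterwards (or leave the GPO setting Not Defined).
    $domain.Put('minPwdLength', $MinimumLength)
    $domain.SetInfo()
    'minPwdLength is now {0}' -f [int]([ADSI]$domain.Path).minPwdLength.Value
}
```

On the user-name half of question 4, which the thread never answers: the pre-Windows 2000 logon name (`sAMAccountName`) is limited to 20 characters; the user principal name can be longer. Run the script with `-MinimumLength 20` to apply the trick, then run it again after `gpupdate /force` on a DC to see whether the GPO value won.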

    Microsoft Office does come as MSI files, so you will be able to distribute Office via Group Policy. In addition to distributing Office via an MSI file, there is a Custom Installation Wizard that allows you to specify how Office should be installed via an MST file. You can read more about using the Custom Installation Wizard and MST files here.

    SMS offers a ton more features. As for antivirus distribution, you'll want an enterprise antivirus solution. These solutions often come with a centralized administration server which will download updates and distribute them to clients through its own mechanisms.

    Here are some links on software installation via Group Policy:
    http://support.microsoft.com/kb/816102
    http://technet2.microsoft.com/windowsserver/en/library/4bdaf0f7-b7ac-41a6-9d25-9eab6aa1965c1033.mspx?mfr=true
  • 69cents
    Will have a look, TQ for the links :D:D
  • sprkymrk
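One thing the two posts above leave implicit is why the MSI path in a Group Policy software-installation package matters for security: workstations fetch and run that package as LocalSystem, so anyone who can overwrite the MSI on the share, or swap it for an unsigned one, gets code execution as SYSTEM on every targeted client. The script below is an added example, not from the thread or from Microsoft: before a package is assigned it checks the MSI's Authenticode signature, compares a SHA-256 digest against a value recorded when the file was obtained, and scans the NTFS ACL of the folder for write-level rights granted to broad groups. The share path, the expected hash and the "untrusted" group list are illustrative assumptions.

```powershell
# Added example (not from the thread): pre-flight checks for an MSI that is about
# to be published through Group Policy software installation.
# Assumed placeholders: the share path and the expected SHA-256 digest.
param(
    [string]$MsiPath        = '\\fileserver\software$\office\pro11.msi',
    [string]$ExpectedSha256 = ''   # hex digest recorded when the MSI was obtained
)

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { $hash = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

# Principals that must never be able to change the package clients will run as SYSTEM.
$untrusted = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
               'NT AUTHORITY\INTERACTIVE')
function Test-DeploymentShareAcl([string]$Folder) {
    $problems = @()
    foreach ($ace in (Get-Acl $Folder).Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            ($untrusted -contains $ace.IdentityReference.Value) -and
            ($rights -match 'Write|Modify|FullControl|CreateFiles|Delete')) {
            $problems += 'ACL: {0} has {1} on {2}' -f $ace.IdentityReference.Value, $rights, $Folder
        }
    }
    return $problems
}

$findings = @()

# 1. Publisher signature: Valid means signed by a chain this machine trusts and unmodified since.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { $findings += "signature: $($sig.Status)" }
else                         { "signed by: $($sig.SignerCertificate.Subject)" }

# 2. Content pin: catches a re-signed but different package, or an unsigned vendor MSI.
if ($ExpectedSha256) {
    $actual = Get-Sha256Hex $MsiPath
    if ($actual -ne $ExpectedSha256.ToLower()) { $findings += "hash mismatch: got $actual" }
}

# 3. Who can tamper with the folder the clients will read from.
$findings += Test-DeploymentShareAcl (Split-Path $MsiPath -Parent)

if ($findings.Count -gt 0) {
    'DO NOT DEPLOY:'
    $findings | ForEach-Object { "  $_" }
    exit 1
}
'OK to assign via Group Policy'
```

The ACL test reads NTFS permissions only; share-level permissions on the `software$` share need the same review (Computer Management > Shared Folders, or `net share software$`). Domain Computers need read access to the folder, since the install runs in the machine context, but nothing beyond read.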
    Basic net send:

    Open a cmd prompt.
    Type: net send name message

    Example: net send workstation01 Please log off the server, rebooting in 10 minutes.

    Another useful option (if the Messenger service is running, thanks Royal) is to connect to the server that you want to take down for maintenance, open Computer Management, right-click on Shared Folders, and go to All Tasks > Send Console Message.
  • royal
    One thing I've wondered about but have never really looked into is, since the Messenger service is pretty much always disabled now on most networks, whether there is a third-party product that will give you better net send type functionality. Perhaps one that allows more restrictions, such as only allowing messages from trusted machines in a domain, multiple specified domains, the current forest, a trusted forest, a trusted domain, etc...
  • sprkymrk
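Because `net send` silently depends on the Messenger service that royal notes is off by default since XP SP2, a maintenance notice sent the way shown above can fail on half the floor without the sender noticing. The script below is an added example, not from the thread: it checks the Messenger service state on each target over WMI before trying `net send`, falls back to `msg.exe` (the Terminal Services message tool, present on XP Professional and later) where Messenger is stopped or absent, and reports per machine what actually happened. Computer names and the message text are placeholders; it assumes PowerShell 2.0 for try/catch and admin rights on the targets.

```powershell
# Added example (not from the thread): deliver a maintenance notice and report
# which delivery path worked per machine. Placeholders: computer names, message.
param(
    [string[]]$Computers = @('workstation01', 'workstation02'),
    [string]$Message     = 'FILESRV01 reboots for maintenance in 10 minutes, please save your work.'
)

function Get-MessengerState([string]$Computer) {
    try {
        $svc = Get-WmiObject -ComputerName $Computer -Class Win32_Service `
                   -Filter "Name = 'Messenger'" -ErrorAction Stop
        if (-not $svc) { return 'absent' }   # Vista and later ship no Messenger service
        return [string]$svc.State            # 'Running', 'Stopped', ...
    } catch {
        return 'unreachable'
    }
}

function Send-MaintenanceNotice([string]$Computer, [string]$Text) {
    $state = Get-MessengerState $Computer
    if ($state -eq 'Running') {
        # net send prints its own result text; keep it for the report.
        $out = & net send $Computer $Text 2>&1
        if ($LASTEXITCODE -eq 0) { return 'sent via net send' }
        return "net send failed: $out"
    }
    # Fallback: msg.exe targets the interactive session through Terminal Services
    # RPC; the target must permit remote RPC for it and the caller needs admin rights.
    $out = & msg.exe * /server:$Computer $Text 2>&1
    if ($LASTEXITCODE -eq 0) { return "sent via msg.exe (Messenger $state)" }
    return "no delivery path (Messenger $state; msg.exe: $out)"
}

$report = foreach ($pc in $Computers) {
    New-Object PSObject -Property @{ Computer = $pc; Status = (Send-MaintenanceNotice $pc $Message) }
}
$report | Format-Table Computer, Status -AutoSize
```

Worth remembering when choosing a replacement for the reasons royal raises: Messenger pop-ups carry no authentication at all, which is exactly why SP2 turned the service off and why anyone on the LAN could spoof a "please log off" notice. Email to the affected users, or a console message on the server as sprkymrk describes, does not have that problem.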
    royal wrote:
    One thing I've wondered about but have never really looked into is, since the Messenger service is pretty much always disabled now on most networks, whether there is a third-party product that will give you better net send type functionality. Perhaps one that allows more restrictions, such as only allowing messages from trusted machines in a domain, multiple specified domains, the current forest, a trusted forest, a trusted domain, etc...

    I think there are some freeware utilities, but I generally don't trust most freeware. Here is one:
    http://www.freedownloadscenter.com/Network_and_Internet/Text_Chat_Clients/Bopup_Secure_Messenger.html

    Otherwise, I think Microsoft Office Live Communications Server 2005 has similar features, as it replaced the Instant Messenger service in Exchange 2000.
  • 69cents
    Hi guys, got another question to ask. Well, I started doing the Windows Server 2003 installation already and now it's updating the service pack. So my question is, can I change the RAID controller? Like, from RAID 0 to 1 or 2 and so on? Or is it fixed hardware? My server is a Dell PowerEdge 1750. If you need any more info on my server, let me know. TQ
  • sprkymrk
    69cents wrote:
    Hi guys, got another question to ask. Well, I started doing the Windows Server 2003 installation already and now it's updating the service pack. So my question is, can I change the RAID controller? Like, from RAID 0 to 1 or 2 and so on? Or is it fixed hardware? My server is a Dell PowerEdge 1750. If you need any more info on my server, let me know. TQ

    You can change the RAID in the SCSI setup (watch for the prompt at boot-up, CTRL+A or something) or by using the Server Assistant CD that came with the Dell. However, you'll need to reinstall Windows if you change the RAID now.

    If that Dell didn't come with a RAID controller (I'm not familiar with the 1750) and all you did so far was format a single disk/partition to install Windows, then you can use Disk Management in Windows to add new volumes if using dynamic disks. If you are using basic disks, you will need to upgrade them to dynamic first.