New DC, FSMO roles, etc

Bl8ckr0uter · November 2010

We have two virtual DCs and a situation came up that has basically made it extremely apparent that we need a physical domain controller. When adding a new DC to an environment, what are some of the major considerations that need to be addressed? BTW I want to make this box a 2k8 machine.
Would a RODC be the best for this type of situation?

undomiel · November 2010

Sounds like a Hyper-V cluster may have gone down and not had a physical DC around to allow it to come back up again? You'll want to check your DNS and make sure your replication is healthy. The majority of AD problems I've found can be tracked back down to AD. You'll also want to make it a GC. Since you're setting this up to add redundancy to the virtual DCs you'll not want to go with an RODC. Those are purposed towards security and not really disaster recovery.

Essendon · November 2010

I would go with the following link > Installing an Additional Domain Controller

Why would you want to build a RODC, is this new DC you talk about going to be in a remote branch office? If not, just go with a normal DC.

unnamedplayer · November 2010

Bl8ckr0uter wrote: »

We have two virtual DCs and a situation came up that has basically made it extremely apparent that we need a physical domain controller. When adding a new DC to an environment, what are some of the major considerations that need to be addressed? BTW I want to make this box a 2k8 machine.
Would a RODC be the best for this type of situation?

Adding a new DC should be pretty painless for the most part. Some things to consider or watch out for include:

-Domain functional level. Can't install a DC running 2003 server in a 2008 functional level domain or a DC running 2008 server in a 2008 R2 functional level domain.

-Possibly schema updates to Active Directory. For example if you're current DCs are running Windows 2003 and your new DC will be the first 2008 DC, you'll need to update the schema/prepare the domain using ADPrep.

-You mentioned FSMO roles. With multiple DCs you may want to spread those out to reduce a single point of failure.

-Is the DC being installed in the same site? You'll probably want to make it a Global Catalog either way.

Just some things off the top of my head. Regarding RODC, is this DC going to be in a branch office or remote location? Are you worried about it being compromised or stolen in some way? RODC is as the name implies Read-Only so you won't be able to make changes to Active Directory directly. It also can't be used for fault tolerance ie it can't transfer or seize FSMO roles. You're also going to have to configure password replication policies. Again depends on where the DC is going. If its going to be in the same site next to your other DCs I see no reason to use RODC.

I am sure plenty of others will be able to offer advice as well, but that's my $0.02.

rogue2shadow · November 2010

I'm not a Windows guy by any means (as you know :P) but I'll take a stab.

First, I'd say write out what roles are on each of the VM'd servers. I've heard/read that putting the RID and infrastructure on the PDC (server 1), the schema, domain, naming, and GC on server 2, and making server 3 a standby master for redundancy, makes for a decent setup.

If both VM DCs go down and the RODC is the only thing left, I think you would technically still have some functionality until you can get em back up but you wouldn't be able to edit any configurations. Maybe you could make the new DC a standby master with DNS, and GC so you can still reach the outside sites and resolve your domain.

Once again if this is totally ridiculous, please disregard my attempt at M$ understanding haha.

Bl8ckr0uter · November 2010

undomiel wrote: »

Sounds like a Hyper-V cluster may have gone down and not had a physical DC around to allow it to come back up again? You'll want to check your DNS and make sure your replication is healthy. The majority of AD problems I've found can be tracked back down to AD. You'll also want to make it a GC. Since you're setting this up to add redundancy to the virtual DCs you'll not want to go with an RODC. Those are purposed towards security and not really disaster recovery.

No but pretty close. Our SAN had a hiccup and locked up the datastore. Long story short, nothing worked. But the good news is that it is all back to normal but the boss wants a physical DC. Our domain is 2003 w/ 2000 compatibility mode (I think) so I am not sure if a 2008 box can even be added to our domain.

unnamedplayer · November 2010

Bl8ckr0uter wrote: »

No but pretty close. Our SAN had a hiccup and locked up the datastore. Long story short, nothing worked. But the good news is that it is all back to normal but the boss wants a physical DC. Our domain is 2003 w/ 2000 compatibility mode (I think) so I am not sure if a 2008 box can even be added to our domain.

You'll have to be in 2000 Native Mode at least.

Bl8ckr0uter · November 2010

unnamedplayer wrote: »

You'll have to be in 2000 Native Mode at least.

Where can you find out the mode of your AD?

earweed · November 2010

Determining the Functional Level in Windows Server 2003 I'd try to explain but I'm sick and typing hurts my head today.

Bl8ckr0uter · November 2010

earweed wrote: »

Determining the Functional Level in Windows Server 2003 I'd try to explain but I'm sick and typing hurts my head today.

So it looks like it is 2003 native. Awesome. I can at least go from there.

earweed · November 2010

Make sure you do the finding the schema master and prepping the forest if it's your first 2008 DC.
Also do some documenting like that link I gave you above shows. It'll save work later.

New DC, FSMO roles, etc

Comments