DC's in small companies

peter
Mar 29, 2004
Archived from groups: microsoft.public.win2000.active_directory

We have 3 W2K Servers, File, Exchange and Application. The File Server was
the original DC (with all FSMO roles except Infrastructure). The Exchange
server is also a DC with the Infrastructure Role, both are Global Catalogs.

Recently a hardware failure on the File Server meant a clean install and
recovery. It turned out that during the original Crash AD was corrupted on
both machines and I had to rebuild/Fix AD manually.

In order to prevent this happening again would I be better off running all 3
servers as domain controllers? Should I have one DC which does nothing else
with 2 backups which synch with that machine and not each other?

I'd appreciate any advice going.

Thanks
Peter
 
Guest

Peter,

I would consider the following ( depending on what small means ):

Server01.........Make this one the first Domain Controller. Make sure that
it holds all five of the FSMO Roles. It will, by default, be a Global
Catalog Server. Make sure that it is running Active Directory Integrated
DNS ( Dynamic DNS, or simply DDNS ).

Server02.........Make this one the second Domain Controller. Make sure
that this one is a Global Catalog Server ( please see
http://support.microsoft.com/?id=313994 on how to do this ). Make sure that
it is also running DDNS.

Server03........Keep this one as a Member Server. Install Exchange 2000.
However, before installing Exchange 2000 you need to prepare your Active
Directory environment for Exchange 2000 so you will need to run setup
/forestprep ( just drop in the Exchange 2000 CD and run it from that ) on
the Domain Controller that holds the FSMO Role of Schema Master using an
account that is a member of the Schema Admins group - the 'Administrator'
account is, by default, a member of this group. You would then need to run
setup /domainprep on the DC that holds the FSMO Role of PDC Emulator using
an account that is a member of the Domain Admins group - again, the
'Administrator' account is, by default, a member of this group. This
extends the Schema in WIN2000 for the addition of the Exchange Server.
After running /forestprep let things replicate. Then, after running
/domainprep let things replicate. Then install Exchange 2000 on a MEMBER
SERVER. This is much better than deploying Exchange 2000 on a Domain
Controller. It makes things easier to troubleshoot and recover from a
'oops!' or from a disaster situation.

It would be better if you had another Server so that you could make this one
the File Server. Were this the case, you would make this Server a Member
Server and store all of the user's folders and files here. However, this is
probably not the case. I would take Server02 and use that as the File and
Print Server. Again, were money not an issue I would avoid using a Domain
Controller for anything but a Domain Controller and DNS Server........

Some hints:

1) make sure that you create a subnet ( or subnets, whatever the case might
be ) and associate that subnet ( or those subnets ) with the appropriate
Site ( there will be one created for you, called Default-First-Site-Name )
in the Active Directory Sites and Services MMC. Even though you have only
one Site ( I am assuming this...you might need to correct this? ) it is
still a really good idea to do things correctly,

2) in your DNS make sure to create a Reverse Lookup Zone ( Active Directory
Integrated ). I always do this. You can get away without doing this as I
am pretty sure that AD does not need this. However, some applications
might....I just like to have it,

3) install the Support Tools from the Windows 2000 Service Pack CD or
download them from the MS Web Site. I would not use the Support Tools from
the Server CD ( Support | Tools folder ) as these are the older versions (
and there were some problems with dcdiag and one or two others IIRC ). Get
to know dcdiag, netdiag, repadmin, replmon, nltest, netdom, et al. Very
very useful.

4) go to http://www.joeware.net and get oldcmp and adfind. Very useful
tools. oldcmp is a nifty little utility that will help you to find all of
your 'old' computer account objects. adfind does, er, pretty much
everything you want it to! Joe really ought to market these tools. They
are really awesome.

5) get ADModify from
ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/. If
you can not script - or even if you can - it will make your life so very
easy.

6) get the Account Lockout Tools ( ALTools.exe ) from the MS Web Site and
make use of them. They are very useful!

7) install the ADMINPAK on a WIN2000 system and do most - if not all - of
your Administrative stuff from that workstation, not on a Domain Controller.
Please see http://support.microsoft.com/?id=308196 on how to do this. You
will also need to do a Custom Installation of Exchange 2000 to get the
Exchange 2000 related ADUC.

8) enable some auditing. It all depends on what you want to audit ( bad
passwords, deletion of files, whatever ). But, the main thing is that you
need to determine what you want to audit and then configure auditing BEFORE
you need to figure out who deleted that all important file! After-the-fact
will not help you. It is toooooo late.

One more point: in a single domain environment you do not need to put the
Infrastructure Master on a Domain Controller that is not a Global Catalog.
This issue is moot. And, in a smaller environment, most people in here
would suggest that all of your Domain Controllers are also Global Catalog
Servers. The issue with the Infrastructure Master is 'phantom objects'. In
a single domain environment this 'phantom object' phenomenon does not exist.
It is when you introduce another domain ( say, for example, a child domain )
that this phenomenon *could* exist. What is a phantom object? If you have
a group in DomainA that has members from DomainB it is very important that
DomainA knows where those objects are located ( er, essentially the DN:
...... ). If an Admin in DomainB moved these user account objects from, say,
the default location of the USERS container ( where the DN for Joe Blow
would be DN: cn=Joe Blow,cn=USERS,dc=domainb,dc=com ) to an OU called
Marketing ( where the DN for Joe Blow would now be DN: cn=Joe
Blow,OU=Marketing,dc=domainb,dc=com ) DomainA has to know this. And it is
the job of the Infrastructure Master from each Domain to know this
information. Make sense?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Peter" <Peter@discussions.microsoft.com> wrote in message
news:659ADDA5-E450-4521-BBA4-0EA544BC2893@microsoft.com...
> We have 3 W2K Servers, File, Exchange and Application. The File Server was
> the original DC (with all FSMO roles except Infrastructure). The Exchange
> server is also a DC with the Infrastructure Role, both are Global
> Catalogs.
>
> Recently a hardware failure on the File Server meant a clean install and
> recovery. It turned out that during the original Crash AD was corrupted on
> both machines and I had to rebuild/Fix AD manually.
>
> In order to prevent this happening again would I be better off running all
> 3 servers as domain controllers? Should I have one DC which does nothing
> else with 2 backups which synch with that machine and not each other?
>
> I'd appreciate any advice going.
>
> Thanks
> Peter
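As an added example (not from the thread or from either poster), the following PowerShell script checks a small single-domain setup against Cary's checklist: FSMO placement, every DC being a Global Catalog, AD-integrated DNS with a reverse lookup zone, subnets associated with a site, and outstanding replication failures. It assumes the RSAT ActiveDirectory and DnsServer modules on a current Windows Server domain; these cmdlets did not exist on Windows 2000, where the equivalent checks were dcdiag, repadmin and netdom.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and
# DnsServer modules and an account that can read DNS zones on each DC.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# 1) FSMO placement. In a single-domain forest all five roles can sit on
#    one DC; the Infrastructure Master / GC conflict does not arise here.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2) Every DC should be a Global Catalog. Exchange needs a GC, so a single
#    GC is a single point of failure for mail as well as for logon.
$notGC = $dcs | Where-Object { -not $_.IsGlobalCatalog }
if ($notGC) { Write-Warning "DCs that are not GCs: $($notGC.HostName -join ', ')" }
else        { Write-Host "All $($dcs.Count) DCs are Global Catalogs" }

# 3) DNS on each DC: zones should be AD-integrated and a reverse lookup
#    zone should exist (auto-created zones such as 0.in-addr.arpa are skipped).
foreach ($dc in $dcs) {
    $zones = Get-DnsServerZone -ComputerName $dc.HostName |
             Where-Object { -not $_.IsAutoCreated }
    $zones | Where-Object { -not $_.IsDsIntegrated } | ForEach-Object {
        Write-Warning "$($dc.HostName): zone $($_.ZoneName) is not AD-integrated"
    }
    if (-not ($zones | Where-Object IsReverseLookupZone)) {
        Write-Warning "$($dc.HostName): no reverse lookup zone"
    }
}

# 4) Sites and subnets: a subnet with no Site attribute is not associated
#    with any site, so clients in it get no site-aware DC/GC selection.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | ForEach-Object {
    Write-Warning "Subnet $($_.Name) is not associated with a site"
}

# 5) Replication health, the modern equivalent of repadmin /showrepl.
Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
```

Run it from an admin workstation with the ADMINPAK/RSAT installed rather than on a DC, in line with hint 7 above.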
 

peter

Cary,

Great answer, it should be framed for all those that will come later
especially admins in small companies, because experience is better than all
the stuff published by MS which tends to be technically correct but not
always practicable in the SME environment. Small being less than 50
Workstations per site in my book. The original configuration was down to cost
as you correctly suppose.

After last week (600 man hours lost in the 27 elapsed hours the network was
down) Senior management have agreed to let me spend money - and if that means
2 extra servers to take on the AD/DNS/FSMO roles then that is what they will
let me do (I inherited this network, I'd never seen AD + DNS on the
file/exchange servers before but it did work so I hadn't really thought about
the consequences).

What makes it more difficult at present is that I have 2 other similarly
configured networks which now have to be joined to this one in a WAN. As the
same IP address ranges were used in each site (they basically copy each
other) I have changes coming plus major changes to AD and exchange servers.

The thing with this scenario was that Exchange wouldn't load the Information
Stores because it couldn't login to the downed DC. The application server was
fine and ran because it worked from the AD on the Exchange server. It was
only the downed DC's records and the file shares that were
corrupted/inaccessible for some reason.

As I said great answer, thanks a lot
Peter
 
Guest

Peter,

Glad that I was able to help.

In your current environment if you made all DCs a Global Catalog Server
Exchange might not have as many problems. Exchange really needs a GC.

For the other two environments: are they completely different companies and
you are simply going to be creating a Trust so that all three can talk (
remember, a Trust simply makes it possible to have access to resources in
another domain / forest - you still need to set both the NTFS and Share
permissions on the resources in question ) or is this the same company that
is located in three physically dispersed locations?

The reason that I ask is that if it is the same company that has an office
in three different locations then all you need - based on the information
that I have so far - is one domain ( yourdomain.com ) and to make use of the
Sites functionality in WIN2000 and WIN2003 Active Directory. Does this make
any sense to you?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Peter" <Peter@discussions.microsoft.com> wrote in message
news:B6D8B9BB-9AB3-4206-B9B3-DD1AC8928404@microsoft.com...
> Cary,
>
> Great answer, it should be framed for all those that will come later
> especially admins in small companies, because experience is better than
> all the stuff published by MS which tends to be technically correct but not
> always practicable in the SME environment. Small being less than 50
> Workstations per site in my book. The original configuration was down to
> cost as you correctly suppose.
>
> After last week (600 man hours lost in the 27 elapsed hours the network
> was down) Senior management have agreed to let me spend money - and if that
> means 2 extra servers to take on the AD/DNS/FSMO roles then that is what
> they will let me do (I inherited this network, I'd never seen AD + DNS on
> the file/exchange servers before but it did work so I hadn't really thought
> about the consequences).
>
> What makes it more difficult at present is that I have 2 other similarly
> configured networks which now have to be joined to this one in a WAN. As
> the same IP address ranges were used in each site (they basically copy each
> other) I have changes coming plus major changes to AD and exchange
> servers.
>
> The thing with this scenario was that Exchange wouldn't load the
> Information Stores because it couldn't login to the downed DC. The
> application server was fine and ran because it worked from the AD on the
> Exchange server. It was only the downed DC's records and the file shares
> that were corrupted/inaccessible for some reason.
>
> As I said great answer, thanks a lot
> Peter
 

peter

According to the information I received both DCs were GCs but I now believe
only the downed DC was a GC; if the other DC (Exchange) had been a GC then it
would not have needed the downed DC (I think).

At present the 3 networks each use a different domain, they are in 3
different countries. I had planned to:

1. Create a new domain, new site here using new IP address, migrate the
users, files, exchange server etc.

2. Go to the second site and repeat the process incorporating the second
site into the new domain

3. Repeat the process at the third site.

So at the end I'll have one (internal domain - don't ask - whoever set it up
used our real domain name instead of a .local) and three sites with either
local site users or domain users.

Everything you say makes sense but as I say I moved to a small business last
time and I need to get from where they are to where I want to be and dealing
with these issues is something I'm not that used to.

Thanks again
Peter