DC's in small companies

Archived from groups: microsoft.public.win2000.active_directory

We have 3 W2K Servers, File, Exchange and Application. The File Server was
the original DC (with all FSMO roles except Infrastructure). The Exchange
server is also a DC with the Infrastructure Role; both are Global Catalogs.

Recently a hardware failure on the File Server meant a clean install and
recovery. It turned out that during the original crash AD was corrupted on
both machines and I had to rebuild/fix AD manually.

In order to prevent this happening again, would I be better off running all 3
servers as domain controllers? Should I have one DC which does nothing else,
with 2 backups which synch with that machine and not each other?

I'd appreciate any advice going.

Thanks
Peter
4 answers

  1. Answer from Cary W. Shultz:

    Peter,

    I would consider the following ( depending on what small means ):

    Server01.........Make this one the first Domain Controller. Make sure that
    it holds all five of the FSMO Roles. It will, by default, be a Global
    Catalog Server. Make sure that it is running Active Directory Integrated
    DNS ( Dynamic DNS, or simply DDNS ).

    Server02.........Make this one the second Domain Controller. Make sure
    that this one is a Global Catalog Server ( please see
    http://support.microsoft.com/?id=313994 on how to do this ). Make sure that
    it is also running DDNS.

    Server03........Keep this one as a Member Server. Install Exchange 2000.
    However, before installing Exchange 2000 you need to prepare your Active
    Directory environment for Exchange 2000 so you will need to run setup
    /forestprep ( just drop in the Exchange 2000 CD and run it from that ) on
    the Domain Controller that holds the FSMO Role of Schema Master using an
    account that is a member of the Schema Admins group - the 'Administrator'
    account is, by default, a member of this group. You would then need to run
    setup /domainprep on the DC that holds the FSMO Role of PDC Emulator using
    an account that is a member of the Domain Admins group - again, the
    'Administrator' account is, by default, a member of this group. This
    extends the Schema in WIN2000 for the addition of the Exchange Server.
    After running /forestprep let things replicate. Then, after running
    /domainprep let things replicate. Then install Exchange 2000 on a MEMBER
    SERVER. This is much better than deploying Exchange 2000 on a Domain
    Controller. It makes things easier to troubleshoot and recover from an
    'oops!' or from a disaster situation.

    It would be better if you had another Server so that you could make this one
    the File Server. Were this the case, you would make this Server a Member
    Server and store all of the user's folders and files here. However, this is
    probably not the case. I would take Server02 and use that as the File and
    Print Server. Again, were money not an issue I would avoid using a Domain
    Controller for anything but a Domain Controller and DNS Server.

    Some hints:

    1) make sure that you create a subnet ( or subnets, whatever the case might
    be ) and associate that subnet ( or those subnets ) with the appropriate
    Site ( there will be one created for you, called Default-First-Site-Name )
    in the Active Directory Sites and Services MMC. Even though you have only
    one Site ( I am assuming this...you might need to correct this? ) it is
    still a really good idea to do things correctly,

    2) in your DNS make sure to create a Reverse Lookup Zone ( Active Directory
    Integrated ). I always do this. You can get away without doing this as I
    am pretty sure that AD does not need this. However, some applications
    might....I just like to have it,

    3) install the Support Tools from the Windows 2000 Service Pack CD or
    download them from the MS Web Site. I would not use the Support Tools from
    the Server CD ( Support | Tools folder ) as these are the older versions (
    and there were some problems with dcdiag and one or two others IIRC ). Get
    to know dcdiag, netdiag, repadmin, replmon, nltest, netdom, et al. Very
    very useful.

    4) go to http://www.joeware.net and get oldcmp and adfind. Very useful
    tools. oldcmp is a nifty little utility that will help you to find all of
    your 'old' computer account objects. adfind does, er, pretty much
    everything you want it to! Joe really ought to market these tools. They
    are really awesome.

    5) get ADModify from
    ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/. If
    you can not script - or even if you can - it will make your life so very
    easy.

    6) get the Account Lockout Tools ( ALTools.exe ) from the MS Web Site and
    make use of them. They are very useful!

    7) install the ADMINPAK on a WIN2000 system and do most - if not all - of
    your Administrative stuff from that workstation, not on a Domain Controller.
    Please see http://support.microsoft.com/?id=308196 on how to do this. You
    will also need to do a Custom Installation of Exchange 2000 to get the
    Exchange 2000 related ADUC.

    8) enable some auditing. It all depends on what you want to audit ( bad
    passwords, deletion of files, whatever ). But, the main thing is that you
    need to determine what you want to audit and then configure auditing BEFORE
    you need to figure out who deleted that all important file! After-the-fact
    will not help you. It is toooooo late.

    One more point: in a single domain environment you do not need to put the
    Infrastructure Master on a Domain Controller that is not a Global Catalog.
    This issue is moot. And, in a smaller environment, most people in here
    would suggest that all of your Domain Controllers are also Global Catalog
    Servers. The issue with the Infrastructure Master is 'phantom objects'. In
    a single domain environment this 'phantom object' phenomenon does not exist.
    It is when you introduce another domain ( say, for example, a child domain )
    that this phenomenon *could* exist. What is a phantom object? If you have
    a group in DomainA that has members from DomainB it is very important that
    DomainA knows where those objects are located ( er, essentially the DN:
    ...... ). If an Admin in DomainB moved these user account objects from, say,
    the default location of the USERS container ( where the DN for Joe Blow
    would be DN: cn=Joe Blow,cn=USERS,dc=domainb,dc=com ) to an OU called
    Marketing ( where the DN for Joe Blow would now be DN: cn=Joe
    Blow,OU=Marketing,dc=domainb,dc=com ) DomainA has to know this. And it is
    the job of the Infrastructure Master from each Domain to know this
    information. Make sense?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Peter" <Peter@discussions.microsoft.com> wrote in message
    news:659ADDA5-E450-4521-BBA4-0EA544BC2893@microsoft.com...
    > We have 3 W2K Servers, File, Exchange and Application. The File Server was
    > the original DC (with all FSMO roles except Infrastructure). The Exchange
    > server is also a DC with the Infrastructure Role, both are Global
    > Catalogs.
    >
    > Recently a hardware failure on the File Server meant a clean install and
    > recovery. It turned out that during the original crash AD was corrupted on
    > both machines and I had to rebuild/fix AD manually.
    >
    > In order to prevent this happening again would I be better off running all
    > 3 servers as domain controllers? Should I have one DC which does nothing
    > else with 2 backups which synch with that machine and not each other.
    >
    > I'd appreciate any advice going.
    >
    > Thanks
    > Peter
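    The checks behind the layout advice above (all five FSMO roles on one DC, more than one Global Catalog, the Infrastructure Master caveat, subnets mapped to sites from hint 1, an AD-integrated reverse lookup zone from hint 2, and auditing configured before it is needed from hint 8) can be scripted. The following is an added example, not code from the thread or from Microsoft. It assumes a current Windows admin workstation with the ActiveDirectory and DnsServer RSAT modules (these cmdlets do not exist on Windows 2000, where dcdiag, repadmin and the Support Tools are the equivalents); the function names Test-DcLayout, Enable-DeleteAuditing and Get-RecentDeletes are names chosen here.

```powershell
# Added example; assumes RSAT ActiveDirectory and DnsServer modules
# on an admin workstation (hint 7), not run on a Domain Controller.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-DcLayout {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $dcs      = @(Get-ADDomainController -Filter *)
    $findings = @()

    # FSMO holders: the advice above keeps all five on the first DC.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        Write-Host ("{0,-22} {1}" -f $r.Key, $r.Value)
    }

    # Global Catalogs: with a single GC, Exchange cannot log on once that DC is down.
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    if ($gcs.Count -lt 2) {
        $findings += "Only $($gcs.Count) Global Catalog(s); in a single-domain forest make every DC a GC."
    }

    # Infrastructure Master on a GC only matters with more than one domain
    # and at least one DC that is not a GC (the 'phantom object' case).
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imIsGc = $gcs.HostName -contains $domain.InfrastructureMaster
    if ($forest.Domains.Count -gt 1 -and $imIsGc -and $nonGc.Count -gt 0) {
        $findings += "Infrastructure Master $($domain.InfrastructureMaster) is a GC while other DCs are not."
    }

    # Sites and subnets (hint 1): every subnet object should be tied to a site.
    $subnets = @(Get-ADReplicationSubnet -Filter *)
    if ($subnets.Count -eq 0) {
        $findings += "No subnet objects defined; create them and associate each with a site."
    }
    foreach ($s in ($subnets | Where-Object { -not $_.Site })) {
        $findings += "Subnet $($s.Name) is not associated with any site."
    }

    # DNS (hint 2): look for an AD-integrated reverse lookup zone on the PDC Emulator.
    $zones = Get-DnsServerZone -ComputerName $domain.PDCEmulator
    $rev   = @($zones | Where-Object { $_.IsReverseLookupZone -and $_.IsDsIntegrated -and -not $_.IsAutoCreated })
    if ($rev.Count -eq 0) {
        $findings += "No AD-integrated reverse lookup zone on $($domain.PDCEmulator)."
    }

    return $findings
}

function Enable-DeleteAuditing {
    # Hint 8: turn on auditing for deletions under a share BEFORE a file goes missing.
    param([Parameter(Mandatory)][string]$Path)

    # The Object Access subcategory must be enabled or SACLs produce no events.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # SACL: record successful deletes by anyone, inherited by files and subfolders.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RecentDeletes {
    # Event 4660 is logged when an audited object is deleted; 4663 carries the
    # object name and the account that did it.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4660, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, Message
}

# Usage (run as a Domain Admin from the admin workstation):
#   Test-DcLayout
#   Enable-DeleteAuditing -Path 'D:\Shares\Users'
#   Get-RecentDeletes -Hours 48
```

    Test-DcLayout returns a list of findings (empty when the layout matches the advice), so it can be run from a scheduled task and alerted on. The audit functions set only a SACL and the File System subcategory; on a file server busy enough to generate many 4663 events, size the Security log accordingly before enabling them.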
  2. Reply from Peter:

    Cary,

    Great answer, it should be framed for all those that will come later
    especially admins in small companies, because experience is better than all
    the stuff published by MS which tends to be technically correct but not
    always practicable in the SME environment. Small being less than 50
    Workstations per site in my book. The original configuration was down to cost
    as you correctly suppose.

    After last week (600 man hours lost in the 27 elapsed hours the network was
    down) Senior management have agreed to let me spend money - and if that means
    2 extra servers to take on the AD/DNS/FSMO roles then that is what they will
    let me do (I inherited this network, I'd never seen AD + DNS on the
    file/exchange servers before but it did work so I hadn't really thought about
    the consequences).

    What makes it more difficult at present is that I have 2 other similarly
    configured networks which now have to be joined to this one in a WAN. As the
    same IP address ranges were used in each site (they basically copy each
    other) I have changes coming plus major changes to AD and exchange servers.

    The thing with this scenario was that Exchange wouldn't load the Information
    Stores because it couldn't login to the downed DC. The application server was
    fine and ran because it worked from the AD on the Exchange server. It was
    only the downed DC's records and the file shares that were
    corrupted/inaccessible for some reason.

    As I said great answer, thanks a lot
    Peter
  3. Answer from Cary W. Shultz:

    Peter,

    Glad that I was able to help.

    In your current environment if you made all DCs a Global Catalog Server
    Exchange might not have as many problems. Exchange really needs a GC.

    For the other two environments: are they completely different companies and
    you are simply going to be creating a Trust so that all three can talk (
    remember, a Trust simply makes it possible to have access to resources in
    another domain / forest - you still need to set both the NTFS and Share
    permissions on the resources in question ) or is this the same company that
    is located in three physically dispersed locations?

    The reason that I ask is that if it is the same company that has an office
    in three different locations then all you need - based on the information
    that I have so far - is one domain ( yourdomain.com ) and to make use of the
    Sites functionality in WIN2000 and WIN2003 Active Directory. Does this make
    any sense to you?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Peter" <Peter@discussions.microsoft.com> wrote in message
    news:B6D8B9BB-9AB3-4206-B9B3-DD1AC8928404@microsoft.com...
    > Cary,
    >
    > Great answer, it should be framed for all those that will come later
    > especially admins in small companies, because experience is better than
    > all the stuff published by MS which tends to be technically correct but not
    > always practicable in the SME environment. Small being less than 50
    > Workstations per site in my book. The original configuration was down to
    > cost as you correctly suppose.
    >
    > After last week (600 man hours lost in the 27 elapsed hours the network
    > was down) Senior management have agreed to let me spend money - and if that
    > means 2 extra servers to take on the AD/DNS/FSMO roles then that is what
    > they will let me do (I inherited this network, I'd never seen AD + DNS on
    > the file/exchange servers before but it did work so I hadn't really thought
    > about the consequences).
    >
    > What makes it more difficult at present is that I have 2 other similarly
    > configured networks which now have to be joined to this one in a WAN. As
    > the same IP address ranges were used in each site (they basically copy each
    > other) I have changes coming plus major changes to AD and exchange
    > servers.
    >
    > The thing with this scenario was that Exchange wouldn't load the
    > Information Stores because it couldn't login to the downed DC. The
    > application server was fine and ran because it worked from the AD on the
    > Exchange server. It was only the downed DC's records and the file shares
    > that were corrupted/inaccessible for some reason.
    >
    > As I said great answer, thanks a lot
    > Peter
  4. Reply from Peter:

    According to the information I received both DCs were GCs, but I now believe
    only the downed DC was a GC; if the other DC (Exchange) had been a GC then it
    would not have needed the downed DC (I think).

    At present the 3 networks each use a different domain; they are in 3
    different countries. I had planned to:

    1. Create a new domain, new site here using new IP address, migrate the
    users, files, exchange server etc.

    2. Go to the second site and repeat the process incorporating the second
    site into the new domain

    3. Repeat the process at the third site.

    So at the end I'll have one (internal domain - don't ask - whoever set it up
    used our real domain name instead of a .local) and three sites with either
    local site users or domain users.

    Everything you say makes sense, but as I say I moved to a small business last
    time and I need to get from where they are to where I want to be, and dealing
    with these issues is something I'm not that used to.

    Thanks again
    Peter