
DOMAIN SETUP QUESTIONS 2


itsfisko

Technical User
Jan 19, 2002
226
GB
Hi all, I have 1 Win 2000 server set up servicing 100+ XP Pro machines. I would like to set up 3 additional servers to share the load and to allow users in certain areas to access one of these servers.
Questions.
1. How easy is this to set up?
2. I presume the users will get authenticated by the first original server? Or will they get authenticated by the nearest one?
3. What if the "main" server goes down? Will they still be able to log on?
4. Does DNS, DHCP, Active Directory have to be set up on all the additional servers, or does it somehow get transferred to the new satellite servers?
5. Does it matter what I call them?

I know it's a lot of questions, but where else can I ask but on the best site?
Thanks

Some lead, some follow....I just Hope! :)
 
1. Easy.
2. They will be authenticated by whoever's not busy at the time.
3. Yes.
4. Yes, you need to install AD on all the servers. Remember there are no Primary or Backup domain controllers anymore -- they are all equal. (For the most part.)
5. Nope.

This is very easy. All you will need to do is run 'dcpromo' on the new servers. They will then become Active Directory domain controllers and authenticate users, even if the 'first' goes down.

You don't have to install DNS on all of them, just two at least. DNS is also Active Directory integrated, so what's changed on one DNS is changed on all of them.

You can leave DHCP on one server or use two with the 80/20 rule, or whatever you like.

You may also want to look into implementing DFS.

Hope this helps and have fun.
 
Thanks Saugilsr, I really needed reassurance on whether I was going in the right direction. Thanks again.

Some lead, some follow....I just Hope! :)
 
I disagree on the point of being easy.

If you have experience, it is a piece of cake, but without experience and planning, the details will get you. With AD, little critical mistakes are not easy to fix. A workgroup server is in kindergarten class compared to an FSMO. DNS needs to be on at least two servers; DHCP should be on two, but the scopes should not overlap; WINS on two servers may not be needed, but if you have old software or old machines it may be; set up properly it will cause no harm and requires little overhead. The FSMO and the next DC should have disk redundancy. FSMOs are not the easiest to rebuild.

If these servers will be WK2000, as you know, you have a limited size system partition. I suggest all server resident software not be installed to the system partition, such as c:\program files\; install it to another partition. Very few programs cannot be installed to a different partition. If Windows 2003, provide a minimum system partition of 8-12 Gigs.

I would suggest you purchase Mark Minasi's Mastering Windows Server 2003 by Sybex, as a reference. Daunting, but the DNS chapters are important. The book will also stop a .38 bullet in case the install does not go as smoothly as planned.

I suggest you get the first server DCpromo-ed, get it going exactly as you planned. Do not expect to have everything done over a weekend, go slowly, get AV software on quickly, patch it fully. When in doubt, get an answer from somewhere.

After the first DC, the others are basically clones of the first with different IP addresses. Keep the server names short, keep the domain name short, above all KISS.
 
Hi technome,
Thanks for the input, I know from experience that nothing is simple, especially DNS !!!
And I will KISS (KEEP IT SIMPLE STUPID)


Some lead, some follow....I just Hope! :)
 
Itsfisko...

I meant to instill a bit of fear.
Once you have created a few clean AD networks, it is really easy. Becomes like setting up a workgroup server, but with 10 times more details. Document all changes you make to an FSMO, any tweaks, policy changes, firmware upgrades etc. Offhand, on DCs I probably make at least 100 changes beyond the initial default settings after a DCpromo (including all software parameter changes), so documentation is important.

In the book I recommended, the author walks you through DNS and all the settings and precautions needed; concentrate on the "split brain" DNS area.


Place the least amount of resident software you can on the FSMO. No trial versions, demos; only use Internet Explorer for patches and any necessary software downloads. I run Adaware SE with adwatch.exe resident, Spybot 1.3 with its hosts file added.
I have FSMOs with Symantec AV, MS SQL, Veritas Exec, PKware, Diskeeper, Undelete, PAC ups software, raid consoles, plus other resident programs, with no problems. I also have a client who decided to add software on his own, to all the above software, which is slowly turning out to be a growing nightmare on his FSMO; even after I told him it would be a better idea to use the secondary DC for the software he wanted to install. SUS or WUS is great for auto patch updates for workstations, installed on a secondary DC; set it for the WKS, manually update the patches on the servers.

To me KISS goes like..Keep it Simple (as) Sh**

 
Hi, I have set up 2 servers, 1 as a domain controller and 1 as a server in the same domain. Now what? I can see Active Directory on each one, so I suppose it is cloned to both?
If one goes down will users still be able to log on?
Thanks for any input

Some lead, some follow....I just Hope! :)
 
You will need 2 domain controllers if you need to have a second machine to provide login authentication for users. The second domain controller is almost a clone of the first, with a different IP address, and corresponding changes to DNS, DHCP, WINS.

You would run DCpromo for the second server to make it a DC, choosing to make it an "additional Domain controller for an existing Domain". Not sure if you did this.



If the two machines pass the following command line tests without major errors, you're in good shape, and if one of the DCs goes down the other will provide logon ability to the workstations.

NsLookup "IP address"
Nslookup "server name"
DcDiag /v
NetDiag /v

With NSlookup, you will get an error if you do not have a reverse lookup zone created for your network. Easy to do

Errors in DNS create the most problems.

After everything works as it should, make sure the first DC, the FSMO, is backed up, including the "system state".
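An added example (not from the thread) that runs the checks listed above on the DC where it is executed: a forward/reverse DNS round trip for each DC, which is what the two nslookup commands show by eye, followed by dcdiag /v and netdiag /v with only failure lines kept. The DC names, IPs and domain are constructed placeholders, and the failure wording matched is an assumption about those tools' output.

```powershell
# Added example, not from the thread. DC names/IPs below are constructed.
$ExpectedDcs = @{
    'server1.bungaymiddle.local' = '192.168.10.4'
    'server2.bungaymiddle.local' = '192.168.10.5'
}

function Test-DcNameResolution {
    param([string]$Name, [string]$Ip)
    $ok = $true
    try {
        # Reverse lookup: throws if no reverse lookup zone exists yet.
        $reverse = [System.Net.Dns]::GetHostEntry($Ip).HostName
        if ($reverse -ne $Name) {
            Write-Warning "Reverse lookup of $Ip returned '$reverse', expected '$Name'"; $ok = $false
        }
    } catch { Write-Warning "Reverse lookup of $Ip failed (missing reverse zone?): $_"; $ok = $false }
    try {
        # Forward lookup: the DC's A record must contain the IP we expect.
        $forward = [System.Net.Dns]::GetHostEntry($Name).AddressList | ForEach-Object { $_.IPAddressToString }
        if ($forward -notcontains $Ip) {
            Write-Warning "Forward lookup of $Name returned $($forward -join ','), expected $Ip"; $ok = $false
        }
    } catch { Write-Warning "Forward lookup of $Name failed: $_"; $ok = $false }
    return $ok
}

function Get-DiagFailures {
    param([string]$CommandLine)
    # Assumed wording of a failed check: dcdiag prints "... failed test X",
    # netdiag prints "... : Failed". Adjust the pattern for your tool version.
    & cmd.exe /c $CommandLine 2>&1 | Where-Object { "$_" -match 'failed test|: Failed|FATAL' }
}

$resolutionOk = $true
foreach ($dc in $ExpectedDcs.Keys) {
    if (-not (Test-DcNameResolution -Name $dc -Ip $ExpectedDcs[$dc])) { $resolutionOk = $false }
}
$failures = @(Get-DiagFailures 'dcdiag /v') + @(Get-DiagFailures 'netdiag /v')
if ($resolutionOk -and $failures.Count -eq 0) {
    Write-Output 'DNS round trips and dcdiag/netdiag show no failures on this DC'
} else {
    $failures | ForEach-Object { Write-Output "DIAG: $_" }
}
```

Run it once on each DC; netdiag only tests the machine it runs on, so a clean result on one server says nothing about the other.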
 
Hi Technome, thanks for your post. I am unsure if I have set it up correctly.
First machine I have called Server1 and the second Server2; both are set as Bungaymiddle.local as the domain name.
I can see both machines from a WKstation and can ping from WKstation to servers and vice versa. Active Directory and DNS are set up on both servers and both ADs look to Bungaymiddle.local.
The two servers seem to have the same details in AD (users etc). Have I set it up OK? Or should one of the servers be a child of the other, i.e. Something.Bungaymiddle.local?
I can join a WKstation to the network, but is it just seeing one server, or will it allow me to unplug a server and still allow users to log on?
Thanks for any help. Stressed school tech, learning by mistake of only having one server (faulty !!) and needing to setup new system with some fault tolerance.


Some lead, some follow....I just Hope! :)
 
Go to your first DC, go to Start, Programs, Administrative Tools, Active Directory Users and Computers. Under Domain Controllers you should have the two servers showing up if the second server is a DC; if you have two, you're in business.

Itsfisko, you really need to get Mark Minasi's book; the reading is not that bad, once you get past the threatening size of the book. Covers everything about setting up an AD network.
 
Thanks Technome,
Will check on Monday, Thanks again


Some lead, some follow....I just Hope! :)
 
HI TECHNOME
Do you recommend fixed IP addresses on the workstations or leaving it all to DHCP?

Some lead, some follow....I just Hope! :)
 
This is not a black and white answer; setup can vary....
For the network you will want DHCP, but you could have static addresses on some WKS if you want or have a need for a static WKS; servers need to be static. Managing a 100 user static network would be too time consuming.

Basically you set up DHCP on 2 servers. Assuming you have a private address C class network, you will have xxx.xxx.xxx.001 to xxx.xxx.xxx.254 to use. With a 100 user network I would create a scope on the first with .xx1 through .150, and exclude the first 30 IP addresses for static use: servers, printers, maybe some WKS. On the second server create a scope from xxx.151 to xxx.254. Start the network off with xx.001 as the default gateway address, the servers following, with printers following the servers. Leave some addresses between the servers and the printers for expansion, say .4 through .10 for servers, .12 through .22 for printers (this can vary). Go into the server options and make sure the gateway router, DNS servers, DNS domain name, and WINS server are defined for each DHCP server.
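An added example (not from the thread) of the split described above: two non-overlapping scopes on two DHCP servers, the first 30 addresses excluded for static use, and the gateway, DNS, domain name and WINS options set on both. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later, not the Windows 2000/2003 era of this thread) and a constructed 192.168.10.0/24 network with placeholder server names; the overlap check runs before anything is created, since overlapping scopes are the mistake technome warns about.

```powershell
# Added example, not from the thread. Network, server names and domain are constructed.
$Net = '192.168.10'
$Plan = @(
    @{ Server = 'SERVER1'; Start = "$Net.1";   End = "$Net.150"; ExcludeStart = "$Net.1"; ExcludeEnd = "$Net.30" },
    @{ Server = 'SERVER2'; Start = "$Net.151"; End = "$Net.254"; ExcludeStart = $null;    ExcludeEnd = $null }
)
# Server options: gateway at .1, DCs (also DNS/WINS) at .4 and .5, as in the layout above.
$Options = @{
    Router     = "$Net.1"
    DnsServer  = @("$Net.4", "$Net.5")
    DnsDomain  = 'bungaymiddle.local'
    WinsServer = @("$Net.4")
}

function Test-ScopeOverlap {
    param([object[]]$Scopes)
    # Compares the last octet only, so it assumes every scope lives in the same /24.
    $ranges = $Scopes | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Lo = [int]$_.Start.Split('.')[-1]; Hi = [int]$_.End.Split('.')[-1] }
    }
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            if ($ranges[$i].Lo -le $ranges[$j].Hi -and $ranges[$j].Lo -le $ranges[$i].Hi) {
                throw "Scope on $($ranges[$i].Server) overlaps scope on $($ranges[$j].Server); fix the plan first"
            }
        }
    }
}

Test-ScopeOverlap -Scopes $Plan   # throws before any scope is created if the ranges collide

foreach ($s in $Plan) {
    Add-DhcpServerv4Scope -ComputerName $s.Server -Name "LAN $($s.Start)-$($s.End)" `
        -StartRange $s.Start -EndRange $s.End -SubnetMask 255.255.255.0 -State Active
    if ($s.ExcludeStart) {
        # Reserved block for gateway, servers and printers, handed out by nobody.
        Add-DhcpServerv4ExclusionRange -ComputerName $s.Server -ScopeId "$Net.0" `
            -StartRange $s.ExcludeStart -EndRange $s.ExcludeEnd
    }
    Set-DhcpServerv4OptionValue -ComputerName $s.Server -ScopeId "$Net.0" `
        -Router $Options.Router -DnsServer $Options.DnsServer `
        -DnsDomain $Options.DnsDomain -WinsServer $Options.WinsServer
}
```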
 
Hi Technome
I have another question. If I set up separate domains, say one called TECH.local and one called ART.local, is it possible for a user on TECH.local to connect to and get authenticated onto ART.local (and vice versa), providing the user has a user name/password set up on each domain?
Would the user be able to access their files on the second server, or only shared files? Thanks, John

Some lead, some follow....I just Hope! :)
 
I think you already answered your question: "you will only be able to access shares" on ART.local if you are logged in on TECH.local.
 