
make 2nd domain controller stand alone


johncan20

IS-IT--Management
Sep 1, 2004
hi,

I have a server (laptop) set up as a stand-alone DC with about 100 tablet PCs as members of its domain.

I have another 4 servers (laptops) that I need to be stand-alone DCs with all the 100 tablet PCs as members of that domain, so I can send each DC out on site with any of the tablets - say 25 random ones - and not be worried that the computer (tablet) account isn't on the DC.

Any suggestions on how to set this up?

I'm thinking my options are:

1. Use Norton Ghost to clone the HDD on the existing DC and restore that onto the unprepared laptops to make them stand-alone DCs.

2. Set up an unprepared laptop as a 2nd DC so it will copy off the accounts from the first DC, then make this a primary stand-alone DC. (Not sure how to make it stand-alone after it's a 2nd DC.)

3. Set up an unprepared laptop as a stand-alone DC, export the computer accounts etc. from the first DC and import them into the new DC. (Not sure how to export accounts.)

Not sure how doable any of these options are, and if anyone has a better method I'd be very glad to hear from you.

many thanks

John




 
I don't think using imaging software would be a good idea because of Active Directory. Now then, as for the computer accounts etc. - if you're installing AD then there's no need to import any accounts. AD is not tied down to one particular domain controller (although one does act as operations master) but instead it is constantly replicated across all the domain controllers. So when you run DCPROMO and install AD on the second DC, all the computer accounts, user accounts, group policy settings, etc. will automatically replicate across to the new domain controller.

However, you say that you want to send these laptop domain controllers out to remote sites. Are the sites linked together? If not, then this will make replication impossible, obviously. If they are linked together, then you would need to set up sites in AD Sites and Services for each of the subnets of the four sites.

Out of curiosity, why are you using laptops for domain controllers? Do you send the tablet PCs out to sites for training or ... ???

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
hi,

Why don't you recommend using imaging software? I know the DCs will replicate and the user/computer accounts will be on both, but can I then make the secondary ones primary after they have been secondary?

When I send the DC and tablets out they are used for 1-day events in a conference environment to work collaboratively on a bit of s/w we have written. We use the DCs to push out the software/lock the tablets down with GP etc. There is no need for them to talk to other DCs on remote sites, so there is no link.

This probably isn't very clear - sorry! What I need basically is 4 stand-alone DCs all with the same user/computer accounts!

thanks

John
 
>> Why don't you recommend using imaging software?

Because AD is already installed. There are 5 FSMO roles in 2000/2003 - like PDC Emulator, Infrastructure Master etc. If you image the laptop and then apply it to the second laptop then I'm not too sure how AD would cope with this. Also, is it even possible to run sysprep on 2003 with AD installed? Would AD have to be uninstalled first?

>> can I then make the secondary ones primary after they have been secondary?

No. Even in an "ordinary domain", there is one PDC Emulator. What you are doing will be no different to any other domain. However, I think moving the domain controllers around may give you some problems. All domain controllers synchronize time from the PDC Emulator - and workstations sync time from any DC. If time is out of sync by more than 5 minutes, then users will not be able to authenticate or access any resources on the network. Also, because the "roaming" DCs will not be able to see the PDCE, they may start forcing a master browser election. And, to the best of my knowledge, all Group Policy changes are made on the PDCE, so if you make changes to Group Policy on another DC while it is not connected to the PDCE, I'm not too sure what the effects will be. Check out the following link for more on FSMO roles


I'm open to correction on all this, but I do think you may run into some problems. Hopefully somebody else will post back to clarify a little more.

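The 5-minute figure in the reply above is the default Kerberos maximum clock skew: a tablet whose clock drifts further than that from the DC it authenticates to is refused tickets. As an added example (not code from anyone in this thread), the PowerShell below parses the sample lines that `w32tm /stripchart /dataonly` prints (`HH:mm:ss, +00.0123456s`, one per sample) and reports whether the worst offset is inside the tolerance. The DC name is a placeholder and the sample output is constructed; `Get-DcClockSkew` is the hypothetical wrapper that runs the real tool.

```powershell
# Added example, not from the thread. Parses w32tm /stripchart output and compares
# the largest absolute offset against the Kerberos MaxClockSkew (300 s by default).
# Host name and sample lines below are placeholders / constructed.

function ConvertFrom-StripchartOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Only sample lines end in ", <signed seconds>s"; header lines are skipped.
    $offsets = foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    return @($offsets)
}

function Test-KerberosClockSkew {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MaxSkewSeconds = 300   # default MaxClockSkew: 5 minutes
    )
    $offsets = @(ConvertFrom-StripchartOutput -Lines $Lines)
    if ($offsets.Count -eq 0) { throw 'No sample lines found in w32tm output' }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Samples      = $offsets.Count
        MaxOffsetSec = $worst
        WithinSkew   = ($worst -le $MaxSkewSeconds)
    }
}

# Hypothetical wrapper: runs w32tm against a DC and feeds its output to the check.
function Get-DcClockSkew {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Samples = 5)
    $raw = & w32tm.exe /stripchart "/computer:$DomainController" "/samples:$Samples" /dataonly
    Test-KerberosClockSkew -Lines $raw
}

# Constructed output in the format w32tm prints, for a clock about 7 minutes off
# (an offset of ~420 s, beyond the default 300 s tolerance):
$sample = @(
    'Tracking dc01.tabletdom.local [10.0.0.1:123].',
    'Collecting 3 samples.',
    'The current time is 01/09/2004 10:00:00.',
    '10:00:00, +420.1234567s',
    '10:00:02, +420.1201234s',
    '10:00:04, +420.1187654s'
)
Test-KerberosClockSkew -Lines $sample

# Live check (placeholder host): Get-DcClockSkew -DomainController 'dc01.tabletdom.local'
```

Running this on a tablet before an event, against whichever laptop DC it will be joined to, surfaces the "cannot authenticate" failure mode before users hit it; fixing the drift is then a matter of pointing the client's Windows Time service at that DC.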
 
thanks.

It may be quite hard to do the imaging. I'm happy for each DC to be 100% stand-alone and never even know about any others. So they would be PDCEs and have nothing to sync with, which would be ideal as long as they all have the computer accounts in. So the real question is how do I set them up as all PDCEs with all the computer accounts/GP in without having to manually join the tablets into each of the PDCs.

thanks

john
 
You can't have them all as PDC Emulators - there's only one per domain. Maybe it would be possible to take the DCs away to remote sites, but I don't think that's what AD was ever designed for. Maybe we need to rethink this? What kind of things are you trying to tie down using AD? What about going with local policy instead and forgetting about the laptops? You could log on using cached credentials and then the local policy would get applied.

 
They would all be on the same domain but never actually see each other, so they could be PDCEs. I just need a way of adding the computers.

I'm locking down the desktop/control panel etc. and I need to use a logon script to install updates of our software from the central server.
 
Anyone know how to export all the computers from an AD OU?

thanks

John
 
>> They would all be on the same domain but never actually see each other, so they could be PDCEs

They'd have to see each other - when you join the additional 3 to the domain as domain controllers they'll have to be able to contact a domain controller in the first place to join onto the domain.

I think it would be a good idea to take a step back and re-think this. Maybe you don't need to bring a PDC with you when you go onsite. Maybe you could initiate a VPN connection to your main site and then once the policy has applied you could disconnect. Not a brilliant idea but worth a go.

 
hi,

I don't think I've explained myself very well. I want 4 stand-alone DCs, all separate domains but with the same domain name, and 100 tablets as members of that domain, so I can interchange (say 25) of them with any DC and they would be able to log onto that domain.

John
 
That will never work. In each domain you would have a different computer account (SID) for each tablet.

_____________________________________
Robert Wullems
Network Specialist
SCM/CNX/MCSA/Network+/CNA
 
rwullems is right. Even if you named them the same, they have different SIDs, making them essentially, different.

In THEORY (and I would never support this), you could theoretically make them DCs of the same domain, add all your laptops & tablets, then remove the network cables from each DC and manually seize the FSMO roles.

That MIGHT work, as long as no TWO (or more) of those DCs is ever on the same wire at the same time.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
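Two points from the thread can be made concrete in one script: John's earlier question about exporting all the computers in an AD OU, and rwullems' and 58sniper's point that a tablet joined to two separately built domains gets two different SIDs even when the domain names match. The PowerShell below is an added example, not code from any poster. It assumes the ActiveDirectory module (shipped with Server 2008 R2 and later RSAT; the 2003-era equivalents with `dsquery` and `csvde` are noted in a comment), a placeholder OU path and file names, and constructed SIDs.

```powershell
# Added example, not code from anyone in the thread. Needs the ActiveDirectory
# module (Server 2008 R2+ / RSAT). On a Windows 2003 DC the equivalent listing is:
#   dsquery computer "OU=Tablets,DC=tabletdom,DC=local" -limit 0
#   csvde -f tablets.csv -d "OU=Tablets,DC=tabletdom,DC=local" -r "(objectClass=computer)"
# OU path, file names and SIDs below are placeholders / constructed values.
Import-Module ActiveDirectory

# Export every computer account under an OU, including each account's SID and the
# domain SID it is bound to (the SID with its trailing RID removed).
function Export-OuComputers {
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # e.g. "OU=Tablets,DC=tabletdom,DC=local"
        [Parameter(Mandatory)][string]$CsvPath
    )
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree `
        -Properties OperatingSystem, LastLogonDate |
        Select-Object Name, DNSHostName, Enabled, OperatingSystem, LastLogonDate,
            @{ n = 'ObjectSid'; e = { $_.SID.Value } },
            @{ n = 'DomainSid'; e = { $_.SID.AccountDomainSid.Value } }
    $computers | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    return $computers
}

# The domain part of an account SID: S-1-5-21-<a>-<b>-<c>-<RID> -> S-1-5-21-<a>-<b>-<c>.
function Get-AccountDomainSid {
    param([Parameter(Mandatory)][string]$Sid)
    ([System.Security.Principal.SecurityIdentifier]$Sid).AccountDomainSid.Value
}

# Given two exports (one per DC), report whether their accounts belong to the same
# domain. Two DCs built independently with the same domain name never do.
function Test-SameDomain {
    param([Parameter(Mandatory)][string]$CsvA, [Parameter(Mandatory)][string]$CsvB)
    $a = @(Import-Csv $CsvA | ForEach-Object { $_.DomainSid } | Sort-Object -Unique)
    $b = @(Import-Csv $CsvB | ForEach-Object { $_.DomainSid } | Sort-Object -Unique)
    return ($a.Count -eq 1 -and $b.Count -eq 1 -and $a[0] -eq $b[0])
}

# Constructed SIDs for the same tablet name joined to two separately built
# "TABLETDOM" domains: the RID (1105) happens to coincide, the domain SIDs do not.
$dcA = Get-AccountDomainSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$dcB = Get-AccountDomainSid 'S-1-5-21-4444444444-5555555555-6666666666-1105'
"Domain SID on DC A: $dcA"
"Domain SID on DC B: $dcB"
"Same domain: $($dcA -eq $dcB)"

# Live use against a real DC (placeholder OU and path):
# Export-OuComputers -SearchBase 'OU=Tablets,DC=tabletdom,DC=local' -CsvPath 'C:\temp\dcA.csv'
```

The export is what John asked for; the `DomainSid` column is the reason importing it into a second, independently built domain cannot work: the trust between a tablet and its domain is the machine account's SID and password, both issued by the domain that created the account, so a CSV of names carries nothing the other domain can accept.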
 
Sorry, I was writing a reply earlier today but I got called away. Like rwullems said, a client can only be joined to one domain at a time, so even creating the computer accounts manually wouldn't work. You could create 4 different domains and create trusts between them, but as your primary reason for doing this was to apply GPO settings, that wouldn't help as group policy does not get applied across domains. I still think that you have two options: either use a dial-up connection of some sort to apply the policy, or use local policy. Maybe if you let us know what policies you are trying to apply we could find a way around it. Are the policies under user configuration or computer configuration?

 
hi,

thanks for your responses.

I guess the policies aren't the most important thing after all. I use them to force classic style, apply the desktop background, remove access to certain things, set up WiFi etc. I would sacrifice all those things to be able to get the tablets interchangeable between domains.

What I really use the domain for is a logon script to install updates to the software; other than that I guess I'm just using it for DHCP and DNS. If there is a way to automatically install updates to all the clients then perhaps I could try that.

John
 
If they were stand-alone, is there a reason why disk imaging to another laptop won't work?

thanks

John
 
Wow! Where to start?

I don't think you've explained enough about what your setup is exactly. You have currently one server ( a laptop, not my first choice to be a server) and 100 tablet PC's. These tablet PC's are not connected to each other directly, but 25 of them can be connected to each other at any one time.

Sorry...just can't get my mind around your setup....could you specify a bit more exactly what you're dealing with?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
This is just an environment that I take to conferences for one day and connect the tablets to, to run some s/w we have written. I could have anything from 1 to 100 tablets connecting to the DC for DHCP, DNS, software updates and GP.

I want to be able to have 4 events on the same day in different locations, completely separate from each other, using any of the tablets with any of the DCs. How do I get all the tablets to be members of all the DCs, which are stand-alone DCs?

Probably still not very clear - let me know if not and I'll try and explain better.

thanks

John
 
So, to be clear, this is not a "production" environment but more a test environment? i.e. you don't have users on these tablet PC's on the days you're not at a conference?

 
Hi Johncan20,

58Sniper said:

>> In THEORY (and I would never support this), you could theoretically make them DCs of the same domain, add all your laptops & tablets, then remove the network cables from each DC and manually seize the FSMO roles.

>> That MIGHT work, as long as no TWO (or more) of those DCs is ever on the same wire at the same time.

I would have thought the above suggestion by 58sniper would have worked, and is the solution that I would try. Heck if you end up with 3 laptops which are unhappy DCs then you could always dcpromo them to remove DC status and repromote them again??

2 additional points though that I might bring up.

1. After seizing FSMO roles, make the IP the same as the original PDC emulator DC. (Assuming this was also hosting DNS).

2. Group policy would need to be updated across all 4 DCs should you ever need to update it. I really don't know if this will be of concern but I'd look into it further before proceeding..

Cheers.
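Whichever way the roles end up being moved, the state you want to verify afterwards is the one blakey's first point describes: all five FSMO roles reported on the laptop that is about to travel, and its name resolving to the IP the tablets are configured to use for DNS. As an added example (not code from blakey, 58sniper or anyone else in the thread), the PowerShell below reads the role holders with the ActiveDirectory module (on Windows 2003 the same information comes from `netdom query fsmo`) and checks them against an expected host and IP, both placeholders.

```powershell
# Added example, not from the thread. Reports FSMO role holders and checks that all
# five sit on one expected DC whose name resolves to the expected address.
# Needs the ActiveDirectory module; host name and IP are placeholders.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoConsolidated {
    param(
        [Parameter(Mandatory)][string]$ExpectedHost,  # FQDN of the DC that should hold every role
        [string]$ExpectedIp                           # the address the tablets use for DNS
    )
    $roles = Get-FsmoHolders
    # Any role whose holder is not the expected host is misplaced (or still points at
    # a DC this laptop can no longer reach).
    $misplaced = @($roles.PSObject.Properties | Where-Object { $_.Value -ne $ExpectedHost })

    $dnsOk = $true
    if ($ExpectedIp) {
        $resolved = [System.Net.Dns]::GetHostAddresses($ExpectedHost) |
            ForEach-Object { $_.IPAddressToString }
        $dnsOk = @($resolved) -contains $ExpectedIp
    }

    [pscustomobject]@{
        AllRolesOnHost = ($misplaced.Count -eq 0)
        MisplacedRoles = @($misplaced | ForEach-Object { "$($_.Name)=$($_.Value)" })
        DnsMatches     = $dnsOk
    }
}

# Run on the travelling DC before it leaves (placeholder host and address):
Test-FsmoConsolidated -ExpectedHost 'dc01.tabletdom.local' -ExpectedIp '10.0.0.1'
```

A result with `AllRolesOnHost` false means a client that looks up the PDC Emulator (for a password change or a Group Policy edit, as mentioned earlier in the thread) will be sent to a machine that is not on the wire; `DnsMatches` false means the tablets' DNS setting and the DC's address have drifted apart, which blakey's first point is there to prevent.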
 
Great, I think I'll give blakey's suggestion a go.

Yeah, it's more of a test environment.

anyone got any suggestions on whether disk imaging would work?

thanks

John

 