New AD Environment

    Question

  • Hi,

    We are going to deploy our AD environment and need some suggestions on this. Here is the scenario:

    We have three offices in total: one in New York, one in Washington and one in Bombay, India.

    Following are the details:

    India Office: Primary DC

    New York : RODC 

    Washington : RODC 

    My question is, will it be feasible to make it so that if the India DC goes down, all the controls are forwarded to New York if we make it a secondary DC with respect to geographical location, or is it better to keep it as an RODC?

    Because we are planning to make NY our secondary DC.

    Please advise.

    Thanks,

      


    Akshay Vithalkar
    (MCTS) | Windows Server 2008 R2 Server Virtualization
    (MCTS) | Windows Server 2008 R2 Network Infrastructure, Configuration
    (MCTS) | Windows Server 2008 R2 Active Directory, Configuration
    (MCITP) | Windows Server 2008 Server Administrator
    (MCSA) | Windows Server 2008

    December 15, 2012, 7:28

Answers

  • First of all, there is no primary and backup DC. All DCs are RW except RODCs. However, there are FSMO roles that can be held by your DCs: http://windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html

    Also, please note that an RODC cannot be used for recovery operations of your AD. That means that, if a disaster occurs in the New York office and you have only RODCs in the other sites, then your AD will be lost. That is why it is recommended to have RWDCs in multiple sites, so that if there is a disaster in one site, the other one can be used for recovery.

    If you are not planning to minimize the AD traffic (it will be one-way replication instead of two-way replication using RODCs) and your sites are secure enough physically, then I would recommend using RWDCs instead of RODCs.

    If one of your sites is down, then client computers can use another one for authentication. Also, cached credentials can be used in this case. Note that you can control which DCs are contacted first based on the AD sites and subnets configuration and how the DC locator process works.

    To configure your AD sites and subnets: http://technet.microsoft.com/en-us/library/cc776449(v=ws.10).aspx

    How DC Locator Process works: http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    December 15, 2012, 14:09
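The points raised in the answer above (FSMO role holders, and the recovery risk of a site that holds only RODCs) can be checked against a real domain. The following is an added PowerShell example, not code from the original thread. It assumes the ActiveDirectory module is available (RSAT or a DC) and only reads directory data; it does not change anything.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT or run on a DC). Read-only: nothing in the directory is changed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Flexible Single Master Operation (FSMO) role holders. These are the only
# "special" writable DCs; every other writable DC is an equal peer, so there
# is no "primary" DC in the sense the question uses.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every DC with its site, writability and Global Catalog flag
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem
$dcs | Sort-Object Site | Format-Table -AutoSize

# The recovery risk from the answer: a site with only RODCs cannot seed a
# domain restore. Flag every site in which no writable DC exists.
$dcs | Group-Object Site | ForEach-Object {
    $writable = @($_.Group | Where-Object { -not $_.IsReadOnly }).Count
    if ($writable -eq 0) {
        Write-Warning ("Site {0}: {1} DC(s), none writable" -f $_.Name, $_.Count)
    }
}

# For each RODC, list which accounts may have their passwords cached on it.
# Anything cached on an RODC is exposed if that RODC is stolen, so the Allowed
# list should contain only the branch's own users and computers.
$dcs | Where-Object IsReadOnly | ForEach-Object {
    "`nPassword Replication Policy (Allowed) for $($_.HostName):"
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $_.HostName -Allowed |
        Select-Object Name, ObjectClass
}
```

Run it on a management workstation in the domain. A site that appears in the warning output is one where, if the hub is lost, there is nothing on-site from which to recover the directory; that is the case the answer warns about for an RODC-only New York.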
  • Hi Sandesh, pleasure to get advice from you.

    But my question is, will it be feasible to have a writable DC at the remote site as far as the geographical location is concerned? Because having only a writable DC is not the end of it; we also have to plan for DRS.

    You are correct; with only one RWDC you will always be at risk. It is better to have at least two DCs. I would have 1 RWDC at each of the 3 locations with the DNS/GC role installed.

    Domain controllers # Determining the number of domain controllers you need
    http://technet.microsoft.com/en-us/library/cc759623(v=WS.10).aspx

    How many domain controllers are recommended
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/991d4f68-5178-4c9a-8b7d-8f2b5f53867e

    2 DCs at one site is a good idea, but do we need to place additional DCs with every writable DC, or will it be good enough to have 2 DCs at the site which is primary?

    In general it is recommended to have at least two DCs in a domain for high availability and fault tolerance, but how many DCs at each site will depend on your requirements. Normally one DC at each site can serve thousands of users with regard to authentication. To me, you can have two DCs at the primary location and 1 DC at each remote location, or if there is no budget issue you can plan to have two DCs in each location; the choice is yours. Refer to the KB link above for DC requirements.

    Thanks,

    Hi,

    See inline comments.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    December 17, 2012, 3:34

All replies

  • I would recommend having a writable DC in the other locations instead of an RODC. You can have at least two DCs in each site with the DNS/GC role enabled on them, or have two DCs in the main site and a single DC at the remote sites, and configure Sites and Services accordingly and map the required subnets in AD Sites and Services for authentication.

    If the server at the remote location is down, the DCs of the other sites will be used for authentication.
    Domain Controller Locator: an overview: http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx

    RODCs are meant for branch offices where the number of users is small. There are some limitations of RODCs; refer to the link below for the same.
    http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

    If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail; you can cache the user/computer passwords, see the link below for more details.

    How does user authentication work in a site with an RODC?
    http://www.frickelsoft.net/blog/?p=232

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by Akshay V, December 15, 2012, 9:55
    • Unmarked as answer by Akshay V, December 15, 2012, 10:09
    December 15, 2012, 8:22
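The reply above says to "configure the sites and services accordingly and map the required subnet to AD sites and services". What that looks like for the three offices in the question is shown below as an added PowerShell example; it is not code from the original thread. The site names, subnets, DC host names and replication interval are assumptions chosen for illustration, and the AD replication cmdlets used here came with the Windows Server 2012 ActiveDirectory module (on a 2008 R2-only toolset the same steps are done in the Active Directory Sites and Services console).

```powershell
# Added example, not from the original thread. Site names, subnets, DC host
# names and the replication interval are assumptions; replace with your own.
# Requires the ActiveDirectory module from Windows Server 2012 or later RSAT.
Import-Module ActiveDirectory

# One site per office, one subnet per site (assumed addressing)
$sites = [ordered]@{
    'India-Bombay'  = '10.10.0.0/16'
    'US-NewYork'    = '10.20.0.0/16'
    'US-Washington' = '10.30.0.0/16'
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # The subnet-to-site mapping is what makes a client prefer a local DC
    $subnet = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# Hub-and-spoke site links out of Bombay. Cost and interval control the
# intersite replication schedule over the WAN; 15 minutes is the minimum.
foreach ($spoke in 'US-NewYork', 'US-Washington') {
    $link = "India-Bombay-$spoke"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        New-ADReplicationSiteLink -Name $link -SitesIncluded 'India-Bombay', $spoke `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Move each DC into the site of its office (assumed host names)
Move-ADDirectoryServer -Identity 'BOM-DC01' -Site 'India-Bombay'
Move-ADDirectoryServer -Identity 'NYC-DC01' -Site 'US-NewYork'
Move-ADDirectoryServer -Identity 'WAS-DC01' -Site 'US-Washington'

# Check 1: every subnet must belong to a site. Clients on an unmapped subnet
# are handed an arbitrary DC and the DC logs NETLOGON event 5807.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not mapped to any site" }

# Check 2: confirm which DCs ended up in each site and whether they are writable
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog |
    Sort-Object Site | Format-Table -AutoSize
```

After the DCs have been moved, they re-register their site-specific SRV records (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) in DNS, which is what the DC locator on the clients uses to find a DC in their own office first.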
  • Hi Sandesh,

    Pleasure to get advice from you.

    But my question is, will it be feasible to have a writable DC at the remote site as far as the geographical location is concerned?

    Because having only a writable DC is not the end of it; we also have to plan for DRS.

    2 DCs at one site is a good idea, but do we need to place additional DCs with every writable DC, or will it be good enough to have 2 DCs at the site which is primary?

    Thanks,



    Akshay Vithalkar
    (MCTS) | Windows Server 2008 R2 Server Virtualization
    (MCTS) | Windows Server 2008 R2 Network Infrastructure, Configuration
    (MCTS) | Windows Server 2008 R2 Active Directory, Configuration
    (MCITP) | Windows Server 2008 Server Administrator
    (MCSA) | Windows Server 2008

    December 15, 2012, 10:01
  • Hi Sandesh,

    Thanks for your reply. This really helps me out.

    Appreciate your help.

    Thanks,


    Akshay Vithalkar
    (MCTS) | Windows Server 2008 R2 Server Virtualization
    (MCTS) | Windows Server 2008 R2 Network Infrastructure, Configuration
    (MCTS) | Windows Server 2008 R2 Active Directory, Configuration
    (MCITP) | Windows Server 2008 Server Administrator
    (MCSA) | Windows Server 2008

    December 20, 2012, 9:18
  • Hi Mr X,

    I have a little question for you.

    How can we set the DC or DNS order, so that if one fails all the controls will be forwarded to the other DC?

    Thanks,


    Akshay Vithalkar
    (MCTS) | Windows Server 2008 R2 Server Virtualization
    (MCTS) | Windows Server 2008 R2 Network Infrastructure, Configuration
    (MCTS) | Windows Server 2008 R2 Active Directory, Configuration
    (MCITP) | Windows Server 2008 Server Administrator
    (MCSA) | Windows Server 2008

    December 20, 2012, 9:21
  • Hi Mr X,

    I have a little question for you.

    How can we set the DC or DNS order, so that if one fails all the controls will be forwarded to the other DC?

    Thanks,


    Akshay Vithalkar

    Hi,

    You just need to ensure correct DNS settings on the client PCs, as below.
    1. Each workstation/member server should point to the local DNS server as the preferred DNS server and to the remote DNS servers as alternate DNS servers in the TCP/IP properties.
    2. Do not set a public DNS server in the TCP/IP settings of a domain member.

    If one DC is down, the client will locate another DC. See the links below for the Domain Controller Locator process in detail.
    http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx
    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    December 20, 2012, 9:29
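The two DNS rules in the last reply (local DC first, remote DCs as alternates; never a public resolver on a domain member) and the locator behaviour it points to can be verified from a client. The following is an added PowerShell example, not code from the original thread. It assumes a domain-joined Windows 8 / Server 2012 or later client (for Get-DnsClientServerAddress and Resolve-DnsName) and changes nothing; it only reads the client's configuration and DNS.

```powershell
# Added example, not from the original thread. Run on a domain-joined client
# (Windows 8 / Server 2012 or later). Read-only: it inspects DNS settings and
# runs the DC locator; no configuration is changed.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

# Site the locator has placed this client in (first output line of nltest)
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()

function Resolve-SrvTargets([string]$record) {
    # IPv4 addresses of every host behind an SRV record (empty if none)
    $targets = Resolve-DnsName -Name $record -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget
    foreach ($t in $targets) {
        Resolve-DnsName -Name $t -Type A -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    }
}

# All DCs of the domain, and the DCs registered for this client's own site.
# The locator asks for the site-specific record first; the generic record is
# the fallback, which is how a client ends up authenticating across the WAN.
$allDc   = @(Resolve-SrvTargets "_ldap._tcp.dc._msdcs.$domain")
$localDc = @(Resolve-SrvTargets "_ldap._tcp.$($site)._sites.dc._msdcs.$domain")

if ($localDc.Count -eq 0) {
    Write-Warning "No DC has registered for site '$site'; clients here will use a remote DC"
}

# Rule 1: preferred DNS = a DC in the local site, alternates = DCs elsewhere.
# Rule 2: every configured resolver must be a DC (no ISP/public DNS on members).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $nic       = $_.InterfaceAlias
        $preferred = $_.ServerAddresses[0]
        if ($localDc -notcontains $preferred) {
            Write-Warning "$nic : preferred DNS $preferred is not a DC in site $site"
        }
        foreach ($srv in $_.ServerAddresses) {
            if ($allDc -notcontains $srv) {
                Write-Warning "$nic : $srv is not a domain controller; remove it"
            }
        }
        if ($_.ServerAddresses.Count -lt 2) {
            Write-Warning "$nic : no alternate DNS server; one DC outage breaks name resolution"
        }
    }

# Which DC the locator actually picks right now (/force ignores the cached DC).
# Stop a local DC and re-run this to watch the failover to another site's DC.
nltest /dsgetdc:$domain /force
```

A client that passes these checks will find a DC in its own office while that DC is up, and, because its alternate DNS servers are DCs in the other sites and the generic SRV record lists every DC, it will locate a remote DC without any manual change when the local one fails; that is the failover the question is asking about.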