Adding a Server 2008 R2 Domain Controller at a remote site


  • Hello. I have been trying to set up a hot site at a remote location.  The story is long and involved but a few weeks ago it seemed to be finally working.  Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take.  The hot site is the same except that so far I only had one server working.  The two sites connected via site to site VPN.

    About a week later our primary server basically crashed.  At first it worked but very slowly.  I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting.  It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message).  He then discovered that the server at the remote site had some fsmo roles assigned to it.  He transferred the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).

    After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem.  The way I originally set up the remote server was to use an IFM file, generated from our primary.  This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.

    The remote server(s) are wanted to be in the same domain as the primary.  They will also be mirrored from the primary (with Double Take).  If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site (after a fail over).  I freely admit that I am swimming out of my depth here.  I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers.  I am looking for information about what went wrong, and whether some other setup is more desirable.

    Thanks for any help, Russ


    Tuesday, December 31, 2013 6:34 PM


All replies

  • Hi,

    Regarding your request, maybe you should add the DC in the remote site via IFM as you mentioned. I suggest you could refer to the following article for details about the best practices.

    Adding Domain Controllers in Remote Sites

    Hope it helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Andy Qi
    TechNet Community Support

    Wednesday, January 01, 2014 9:34 AM
  • Hi Andy. Thanks for your note. Using IFM is how I did it the first time.  I am reluctant to do this again until I have some idea of what went wrong, because I do not want to "screw up" the primary server again.  I am hoping that someone can tell me what happened.  I have spent literally days reading documentation, searching the internet, and have not been able to find any information that is contrary to the way I set it up in the first place.

    I guess what I mostly need to know is how the fsmo roles could have gotten transferred to the remote server.  I am certain that no one did it manually!

    Thanks, Russ


    Wednesday, January 01, 2014 3:29 PM
  • Hi

    In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?

    - In your AD' Site and Service MMC, do you configured the remote site ?

    - Do you added that remote server as a Global catalogue ?

    - Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash.

    For the FSMO's role holder, that never auto-transfer, did you tried to clone a server or such ? So the remote server thougth it got the FSMO and your server in the main site got it too ?

    I already seen in the past FSMO's role holder with DC name no longer alive, so the fact your remote DC was the holder, is strange.

    Regards, Philippe

    Thursday, January 02, 2014 12:57 AM
  • Philippe, thank you for you answers.  I do not understand everything you said but I will address each point as best I can:

    1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?"  Yes, but I use the method described at, The GUI method.  At step #8 I specified to use advanced mode so I could use the IFM file.

    2. "In your AD' Site and Service MMC, do you configured the remote site ?"  R do not know what you mean by this. How does one configure the site as 'remote'?

    3. "Do you added that remote server as a Global catalogue ?".  Yes, when I built the IFM file I specified to add the global catalog.

    4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash."  I am not sure I understand this item.  After the remote server was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain.  I do not recall if the new items were last, but I expect that they would be.

    I have since reviewed the happenings with my associate and have a little more information.  The order of the problems and the actions taken are:

    1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site.  Rebooting the production server took over 25 minutes and the server to came up saying that domain information was not available.  After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.

    2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil.  I would expect that if the role was not held by the remote, the transfer command would have shown that fact.

    3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".

    4. He forcefully demoted the remote server.

    5. After rebooting the production server again performance was slightly better but still slow (and the rebood was still very slow).

    6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.

    At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.

    All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller.  However nothing I have read says that this should happen.  I hope someone here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.

    Thank you, Russ

    PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.


    Tuesday, January 07, 2014 9:02 PM
  • Hi

    1. I never used the IFM's method, always did the GUI method.

    2. No, you can't !  By remote I try to keep that simple, a site not in your headquarter, linked by a WAN's link :)

    3. Perfect !

    4. You need to have your computer point to both DNS's server, as if site1 DC go down, computer in site1 would be unable to locate a DC, thus you need to have a second DNS's configured into then to allow a HA scenario.

    I did a lot of setup like that (without IFM) when the WAN is a problem to syncronize the AD I simply use a small so-ho router in my main site.

    Thus you give the additional DC the real IP it will have, but isolated behind a so-ho router hooked in your LAN. In the primary DC I overrule the routing table by adding a router. (route add ip_remote_dc mask ip_of_soho_router. After you send the DC at the remote location. Else I just sync via the WAN

    The problem I think was the IFM or a human error, as I'am sure of one thing, FSMO role does not transfert automaticly.

    You got 5 roles in differant location to confirm, to have the error on all 5 is strange.

    Thanks !

    Regards, Philippe

    Tuesday, January 07, 2014 11:42 PM