Hi, I am aware of several 'modes' that domain controllers can be set up as. Right now we only have a primary domain controller and I would like to set up a secondary. We will also need to have a tertiary or perhaps a read-only domain controller in our data center. Any suggestions, or suggested reading on how to set up a secondary DC? Our primary is on Server 2008, the new DC will be installed on Server 2008 R2.
Modes of domain controller went away with the advent of Windows 2000 11 years ago. They're all uniform domain controllers, with the exception of Read Only Domain Controllers which are used in special cases. The primary/secondary paradigm died a long, long time ago.
The domain database itself is what's called a 'multi-master database' in that any node hosting the database can perform updates on their local copy, and the replication methodology ensures consistency. In the WinNT days, only one node could update its database, the Primary Domain Controller, and backups just kept a full copy just in case they needed to be promoted to Primary.
Adding domain controllers is simple. You just add them. No need to consider their primary/secondary/tertiary status.
The one case where you do need to consider things is when you're adding a new domain controller at a higher OS version than what you already have running. So if all of your current DCs are at Server 2008 and you're adding a new one at Server 2008 R2, you will have to run a few adprep routines to update the directory schema and a few other details before you can install the DC itself. That's it.
I've not heard of "modes" in Domain Controllers, other than marking it a Read Only DC, which you ONLY need to do if its location is physically insecure. Every DC should also be a DNS server, which it will set up automatically when you add the AD Domain Services role on your new servers. Then run dcpromo.exe and choose the defaults (additional DC in existing forest) and boom, you have a 2nd DC. The only other change is to set your DHCP, client, and server IP settings to list the new server in the DNS server list; that way you can take the 1st DC down and users are not affected. DNS is the lifeblood of Active Directory connectivity.
Since you are asking these questions you probably only have two sites set up. Some of the important things you need to take into consideration are:
Install Virtual PC on your desktop, add some memory, set up a few DCs and play. There isn't any better way to learn how this all works than doing it and messing things up a few times.
Different Windows versions, service pack versions and even patch versions will require you to run 'adprep' on the current domain controller. dcpromo will tell you this, and the location of adprep is in the support\ folder of the installation media.
You need to:
adprep /forestprep
adprep /domainprep
and a third syntax which I don't remember, in case you want read only
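A read-only pre-check for the steps described in the answers above, added here as an example and not taken from any of the posts: it reads the forest schema version to tell whether adprep still has to run before dcpromo, and checks that this machine's DNS server list contains more than one DC. It assumes Windows PowerShell on a domain-joined machine; the schema version numbers (44 for Server 2008, 47 for Server 2008 R2) are supplied by this example, not by the page.

```powershell
# Added example: makes no changes, only reads from the directory and local WMI.
# Assumption: objectVersion 44 = Server 2008 schema, 47 = Server 2008 R2 schema.
$TargetSchemaVersion = 47

# 1. Has the schema already been extended for Server 2008 R2?
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaNC"
$current  = [int]$schema.objectVersion.Value

if ($current -ge $TargetSchemaVersion) {
    "Schema version {0}: adprep /forestprep has already been run." -f $current
} else {
    "Schema version {0} is below {1}: run adprep /forestprep, then adprep /domainprep, before dcpromo." -f $current, $TargetSchemaVersion
}

# 2. Which domain controllers exist right now?
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcIps  = @($domain.DomainControllers | ForEach-Object { $_.IPAddress })
"Domain controllers in {0}: {1}" -f $domain.Name, ($dcIps -join ', ')

# 3. Does each IP-enabled adapter list at least two DCs as DNS servers?
#    With only one listed, taking that DC down breaks name resolution here.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        $adapter   = $_.Description
        $dns       = @($_.DNSServerSearchOrder)
        $dcsListed = @($dns | Where-Object { $dcIps -contains $_ })

        if ($dcsListed.Count -ge 2) {
            "OK   {0}: DNS servers {1}" -f $adapter, ($dns -join ', ')
        } else {
            "WARN {0}: only {1} DC(s) in DNS server list ({2})" -f $adapter, $dcsListed.Count, ($dns -join ', ')
        }
    }
```

Run step 3 on a sample of clients and servers after updating DHCP, since statically configured machines keep their old DNS list.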