  1. #1
    New Lounger

    2 replicated domain controllers or clone the 1st domain controller to another as cold standby

    Hi Guys,
    I am not sure if this is the right forum to ask such a question, or perhaps someone can divert my question. Are there any implications of a Windows 2008 server running on cold standby without any network connection for a period of time, such as a tombstone issue? The reason I ask is that I am deciding whether to set up 2 replicating domain controllers, where the 2nd domain controller takes over if the 1st fails, or just to clone it as a standby and plug in the network whenever the 1st domain controller fails. Appreciate any feedback.

  2. #2
    WS Lounge VIP
    Domain controllers have a secure connection with members that is secured by a machine-generated password, which is changed regularly - every 7 days or so. A DC not connected to the domain will not have the latest machine passwords and will fail to establish a secure connection with workstations, rendering the domain useless. Then there is the issue of user passwords, DHCP, DNS and anything else that is updated in the normal course of use.

    A second DC will get you around all these issues, but will still fail to authenticate users unless you promote it to a Global Catalogue - you now have 2 GCs. You can't have multiple GCs unless you have only a single domain, which seems to be the case for you.

    You could create the 2nd DC on a virtual machine, making it easy to migrate to other hardware.

    cheers, Paul

  3. #3
    New Lounger
    Thanks Paul, appreciate your feedback. I guess cloning the standby server as a 1st DC will not be an ideal scenario, with all the constant updates of user passwords, DHCP, DNS and anything else in the normal course of use.
    I am interested in your 2nd comment: "but will still fail to authenticate users unless you promote it to a Global Catalogue - you now have 2 GCs". Assuming I have a single domain, will the 2nd DC not take over automatically to serve my client logins, with the security settings and profiles that apply to user logins, if my 1st DC is down?

  4. #4
    WS Lounge VIP
    Only if both DCs are GCs.

    User Logon

    When a domain user logs on interactively to a domain, the contacted domain controller must retrieve information from a global catalog server under the following conditions:

    • The user's domain is Windows 2000 native domain functional level or higher. In this case, the user might belong to a universal group whose object is stored in a different domain.

    • The user's logon name is a user principal name (UPN), which has the format sAMAccountName@DNSDomainName. In this case, the DNS domain suffix is not necessarily the user's domain and the identity of the user's domain must be retrieved from a global catalog server.

    Given this requirement, you need a GC to be able to logon, so having 2 DCs and only one GC means if you lose the GC you lose the ability to logon. What actually happens is logon takes ages because the DC attempts to contact the missing GC.

    cheers, Paul

  5. #5
    New Lounger
    In that case I don't see any reason why we would not enable Global Catalogue on both the 1st DC and the 2nd DC, for redundancy in case the 1st DC is down.
    Paul, appreciate your feedback.
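
An added example, not part of the original thread: a PowerShell audit of the two risks discussed above, a domain with fewer than two global catalogs and a standby DC kept offline past the tombstone lifetime. It assumes the ActiveDirectory module is installed and a DC is reachable; the function names and the sample date are hypothetical.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT / AD Web Services) is available. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-GcRedundancyReport {
    # List every DC in the current domain and which of them host a global catalog.
    $dcs = @(Get-ADDomainController -Filter *)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    New-Object PSObject -Property @{
        DomainControllers = @($dcs | ForEach-Object { $_.Name })
        GlobalCatalogs    = @($gcs | ForEach-Object { $_.Name })
        # Logon depends on a GC, so a single GC is a single point of failure.
        Redundant         = ($gcs.Count -ge 2)
    }
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition. An empty result means the attribute is unset
    # and the forest's built-in default applies.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    (Get-ADObject -Identity $dn -Properties tombstoneLifetime).tombstoneLifetime
}

function Test-StandbyDcStale {
    param(
        [Parameter(Mandatory = $true)][datetime]$LastOnline,
        [Parameter(Mandatory = $true)][int]$TombstoneLifetimeDays
    )
    # A DC that has not replicated for longer than the tombstone lifetime
    # must not be reconnected; it should be demoted or rebuilt instead.
    $daysOffline = ((Get-Date) - $LastOnline).TotalDays
    return ($daysOffline -ge $TombstoneLifetimeDays)
}

$report = Get-GcRedundancyReport
$report | Format-List
if (-not $report.Redundant) {
    Write-Warning "Fewer than two global catalogs: losing the GC will break or stall logons."
}

$tsl = Get-TombstoneLifetimeDays
if ($tsl) {
    # Constructed sample value: the date the cold-standby clone was last on the network.
    $lastOnline = Get-Date '2016-01-01'
    if (Test-StandbyDcStale -LastOnline $lastOnline -TombstoneLifetimeDays $tsl) {
        Write-Warning "Standby DC has been offline longer than the tombstone lifetime ($tsl days)."
    }
}
```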
