Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AD Sub-Domain [message #160383] Wed, 26 August 2009 10:15
travelfreak (Junior Member, United States; 14 messages, registered August 2009)
Hi,

I have a forest with some Sub-Domains only having 1 Domain Controller.
What if this DC fails? OK, the whole Sub-Domain is dead, but how
to rebuild a new DC and the Sub-Domain again?

If I install a 2nd DC in the Subdomain, is there any AD Replication
from the Sub-Domain Controller to the Root Domain? I assume there might
be some DNS Replication, if the 2nd DC will also be a DNS Server.

Thanks a lot,
Marco


--
travelfreak
travelfreak's Profile: http://forums.techarena.in/members/128759.htm
View this thread: http://forums.techarena.in/active-directory/1237428.htm
Re: AD Sub-Domain [message #160384 is a reply to message #160383] Wed, 26 August 2009 10:49
aceman (Senior Member, United States; 5816 messages, registered July 2009)
"travelfreak" <travelfreak.3xjafb@DoNotSpam.com> wrote in message
news:travelfreak.3xjafb@DoNotSpam.com...
>
> Hi,
>
> I have a forest with some Sub-Domains only having 1 Domain Controller.
> What if this DC fails? OK, the whole Sub-Domain is dead, but how
> to rebuild a new DC and the Sub-Domain again?
>
> If I install a 2nd DC in the Subdomain, is there any AD Replication
> from the Sub-Domain Controller to the Root Domain? I assume there might
> be some DNS Replication, if the 2nd DC will also be a DNS Server.
>
> Thanks a lot,
> Marco
>


Yep, you would lose the child domain (the term sub-domain is too general) if
you only have one DC. How do you rebuild it if you lose the DC? You would
build a new box and restore your System State backup with a full copy of
the C: drive (or D:, or whatever other drives you have backed up), and it will
be up and running like nothing happened.

Oh, you don't have a System State? Unfortunate. And yep, that means you
lost your user accounts. Then you would have to remove all references to the
child domain from the current forest by running a Metadata Cleanup, as well
as deleting any references in Sites and Services. Now build a new machine
from scratch and promote it as a new child domain in the existing forest.

If you have a replica DC in the child, that will at least help preserve
users, computers and everything else in the child domain. So all you would
have to do if you lose the one DC is to seize the FSMO roles to the existing
one, run a Metadata Cleanup to remove the old DC, delete its references in
Sites and Services, and build and promote another DC as a replica into the
domain.

Will there be replication between a replica DC and the forest parent? Good
question. It depends on whether the KCC deemed it necessary. Look in Sites and
Services for the replication partnership objects the KCC created. And oh,
being a DNS server doesn't have anything to do with whether a specific DC
replicates with another DC as a partnership. Sure, the data replicates from
one DC to another, but having DNS installed has nothing to do with controlling
replication or the KCC's algorithm for auto-determining the best partnership.

Keep in mind, when there is more than one domain in a forest, there MUST be
a minimum of two DCs per domain. I mean you should have a minimum of two per
domain anyway for fault tolerance of your users, groups, etc., but the fact is,
with multiple domains, the FSMO roles need to be addressed. In multiple domains,
the GC (not a FSMO role) must not be on the Infrastructure Master FSMO role,
therefore you would need to move that role off the GC. Otherwise, the domain
would not be able to "see" data in other domains. That's the short of it; I
can give you the long of it, but those are the basic rules.

I hope that helps.

Remember, two DCs per domain... let the KCC do the rest.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
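The recovery sequence Ace describes for a child domain that still has a replica (seize the roles to the survivor, clean up the dead DC's metadata, remove what the cleanup leaves behind, then verify what the KCC actually built) as a PowerShell run-through. This is an added example and not part of Ace's post or any Microsoft procedure text; it assumes the surviving DC runs Windows Server 2008 R2 or later with the ActiveDirectory module and the RSAT command-line tools (ntdsutil, repadmin, dcdiag), and the names child.root.local, DC3 (the failed DC), DC4 (the survivor) and the site Default-First-Site-Name are placeholders borrowed from later in the thread, not values the thread prescribes.

```powershell
# Added example: recover a child domain after losing one of its two DCs.
# Placeholders (not from the thread): domain child.root.local, failed DC = DC3,
# surviving replica = DC4, site = Default-First-Site-Name, forest root root.local.
# Run elevated on DC4 as a member of Domain Admins (child) and, for the
# configuration-partition cleanup in step 3, Enterprise Admins.
Import-Module ActiveDirectory

$Domain   = 'child.root.local'
$DeadDC   = 'DC3'
$Survivor = 'DC4'
$SiteName = 'Default-First-Site-Name'

# 1. Which domain roles did the dead DC hold? Seize only what is actually lost;
#    seizing a role whose holder is still alive creates two writers for it.
Get-ADDomain -Identity $Domain |
    Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Seize the domain-level roles to the survivor. -Force means "seize" instead
#    of "transfer". After this the old DC must never be reconnected to the network.
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Force

# 3. Metadata cleanup: remove the dead DC's NTDS Settings and server object from
#    the configuration partition (which lives under the forest root).
#    On 2008+ one ntdsutil invocation does it; it pops a confirmation dialog.
$ServerDN = "CN=$DeadDC,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,DC=root,DC=local"
ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit

# 4. Leftovers the cleanup does not touch: the DC's computer account (with its
#    child objects) and its DNS records (A, SRV, and the GUID CNAME in _msdcs).
Get-ADComputer -Identity $DeadDC -Server $Survivor -ErrorAction SilentlyContinue |
    Remove-ADObject -Recursive -Confirm:$false
# DNS records: check child.root.local and _msdcs.root.local for $DeadDC in the
# DNS console (or with dnscmd /enumrecords) and delete what still points at it.

# 5. Verify: who is left, who holds what, and which partnerships the KCC built.
Get-ADDomainController -Filter * -Server $Domain |
    Select-Object Name, IsGlobalCatalog, OperationMasterRoles
repadmin /showrepl $Survivor          # inbound partners of the survivor
repadmin /replsummary                 # forest-wide replication error/latency summary
dcdiag /test:knowsofroleholders /v    # every DC agrees on the new role holders
```

Step 5 is the answer to Marco's replication question in practice: `repadmin /showrepl` lists the KCC-generated partners per naming context, so you can see directly whether the child DC pulls the Configuration and Schema partitions from a parent-domain DC or only from its sibling.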
Re: AD Sub-Domain [message #160388 is a reply to message #160383] Wed, 26 August 2009 12:15
meiweb (Senior Member, Germany; 2225 messages, registered September 2009)
Hello travelfreak,

Without at least a system state backup from the DC you are lost. You should
always have two DC/DNS servers per domain. Also at least one GC per domain;
see here about FSMO/GC placement:
http://support.microsoft.com/kb/223346/en-us

Let the AD handle the replication part from the KCC, see here about:
http://technet.microsoft.com/en-us/library/cc782376(WS.10).aspx

Also see this one about DNS and child domains:
http://support.microsoft.com/kb/255248

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> I have a forest with some Sub-Domains only having 1 Domain Controller.
> What if this DC fails? OK, the whole Sub-Domain is dead, but how
> to rebuild a new DC and the Sub-Domain again?
> If I install a 2nd DC in the Subdomain, is there any AD Replication
> from the Sub-Domain Controller to the Root Domain? I assume there might
> be some DNS Replication, if the 2nd DC will also be a DNS Server.
> Thanks a lot,
> Marco
>
Re: AD Sub-Domain [message #160392 is a reply to message #160384] Wed, 26 August 2009 12:23
travelfreak (Junior Member, United States; 14 messages, registered August 2009)
Hi Ace,

thanks for your answer.

> In multiple domains,
> the GC (not a FSMO role) must not be on the Infrastructure Master FSMO
> role,
> therefore you would need to move that role off the GC

The Infrastructure Master is not allowed to run on a Global Catalog
Server if either
• there are multiple Domains in the Forest
• there are Domain Controllers in the same Domain which are not Global
  Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server
in a Domain if either
• there's only one Domain in the Forest
• every Domain Controller in the Domain in question is a Global Catalog
  Server


> Will there be replication between a replica DC and the forest parent?
> Good
> question. It depends on whether the KCC deemed it necessary. Look in Sites and
> Services for the replication partnership objects the KCC created. And
> oh,
> being a DNS server doesn't have anything to do with whether a specific DC
> replicates with another DC as a partnership. Sure, the data replicates
> from
> one DC to another, but DNS installed has nothing to do with
> controlling
> replication or the KCC auto-determining the best partnership algorithm.

Isn't there AD Replication when my DNS Server Zones are AD integrated?
Do the DNS Servers of the Child Domains need to talk with the DNS Server
of the parent Domain? I think so.

Cheers,
Marco


Re: AD Sub-Domain [message #160393 is a reply to message #160392] Wed, 26 August 2009 13:47
meiweb(nospam) (Senior Member, Germany; 1307 messages, registered July 2009)
Hello travelfreak,

See inline

Best regards

Meinolf Weber


> Hi Ace,
>
> thanks for your answer.
>
>> In multiple domains,
>> the GC (not a FSMO role) must not be on the Infrastructure Master
>> FSMO
>> role,
>> therefore you would need to move that role off the GC
> The Infrastructure Master is not allowed to run on a Global Catalog
> Server if either
> • there are multiple Domains in the Forest
> • there are Domain Controllers in the same Domain which are not Global
> Catalog Servers
> The Infrastructure Master is allowed to run on a Global Catalog Server
> in a Domain if either
> • there's only one Domain in the Forest
> • every Domain Controller in the Domain in question is Global Catalog
> Server

If you think in your case you are allowed to run the GC on the IM, it is
NOT. You have a multi-forest domain, not a single-forest domain. Or what
did you mean with the entry above?

>> Will there be replication between a replica DC and the forest parent?
>> Good
>> question. It depends if the KCC deemed it necessary. Look in Sites
>> and
>> Services for the replication partnership objects the KCC created. And
>> oh,
>> being a DNS server doesn't have anything to do with if a specific DC
>> replicates with another DC as a partnership. Sure, the data replicates
>> from
>> one DC to another, but DNS installed has nothing to do with
>> controlling
>> replication or the KCC auto-determining the best partnership
>> algorithm.
> Isn't there AD Replication when my DNS Server Zones are AD integrated?
> Do the DNS Servers of the Child Domains need to talk with the DNS
> Server of the parent Domain? I think so.
> Cheers,
> Marco
>
Re: AD Sub-Domain [message #160394 is a reply to message #160392] Wed, 26 August 2009 14:43
aceman (Senior Member, United States; 5816 messages, registered July 2009)
"travelfreak" <travelfreak.3xjirb@DoNotSpam.com> wrote in message
news:travelfreak.3xjirb@DoNotSpam.com...
>
> Isn't there AD Replication when my DNS Server Zones are AD integrated?
> Do the DNS Servers of the Child Domains need to talk with the DNS Server
> of the parent Domain? I think so.
>
> Cheers,
> Marco

Marco,

Based on the statement above, yes, AD integrated zones will replicate as
part of the AD replication process, but I think you missed the point. DNS
does not dictate whether a DC replicates with another DC. If DNS is installed, it
will pull data out of the relevant partition to be available for queries.

Let's try it this way...

Say you have a parent domain.com with DC1 and DC2, and a child domain called
childdomain.domain.com with DC3 and DC4. The KCC may establish a partnership
between DC1 and DC3, depending on a variety of criteria (that I won't get
into here). Let's say, for example, the KCC created a partnership between
DC3 and DC4, and DC3 and DC1, and DC1 and DC2. Also let's assume you just
have DNS installed on DC4 and not DC3. So you're trying to say that DC4 MUST
replicate with one or two of the DCs in the parent domain? NO. Just because
DNS is on DC4 in the child domain does not mean it will directly
replicate with DC1 or DC2. In the example scenario I described, DC4 has a
replication partnership with DC3, and DC3 has a replication partnership with
DC1, therefore replication data flows from DC4 to DC3 to DC1 and vice
versa. The partnership is based on the KCC's evaluation, not on whether it
has DNS on it or not.

Therefore, DNS data will replicate. But there are other factors in whether the
data in the child DC/DNS server will replicate to the parent. It will, but
it may not. It TOTALLY depends on the zone's replication scope.

If it is in the DomainDnsZones partition or the DomainNC partition, NO: it will
ONLY replicate with other DCs in its own domain.

If the zone's replication scope is the ForestDnsZones partition, then
yes, it will replicate with ALL DCs in the forest.

As for terminology, nothing really "talks" to other servers. That's a human
feature, although I know some people growing up that have difficulty with
that, too! (joke). DCs establish communication between each other to
replicate data.

Therefore, if you choose the child zone to be domain-based in scope
(DomainDnsZones partition or the DomainNC partition), then that means you're
probably designing a parent-child delegation.

How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain:
http://support.microsoft.com/kb/255248

I hope that clears it up. :-)

Ace
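A check for the replication-scope point Ace makes, added here as an example that is not part of the original post: it lists each AD-integrated zone with the partition it lives in (and therefore which DCs it replicates to), and confirms that the parent-to-child delegation a domain-scoped child zone relies on actually exists. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) running on a DNS server in the parent domain, and uses the placeholder zone names root.local and child.root.local; the Set-DnsServerPrimaryZone line is a design change, shown commented out.

```powershell
# Added example: map AD-integrated zones to their replication scope and check
# the delegation for a child domain. Placeholder names: root.local (parent),
# child.root.local (child). Run on a DC/DNS server of the parent domain.
Import-Module DnsServer

$ParentZone = 'root.local'
$ChildZone  = 'child.root.local'

# ReplicationScope tells you who gets the zone:
#   Domain -> DomainDnsZones partition: DCs of that domain only
#   Forest -> ForestDnsZones partition: every DC/DNS server in the forest
#   Legacy -> the domain naming context (Windows 2000 style): that domain only
#   Custom -> a named application partition with its own replica set
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ZoneType, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# A child zone kept in Domain/Legacy scope is invisible to the parent's DNS
# servers, so resolution from the parent side depends on a delegation whose
# NS and glue records point at live child DCs (the KB255248 design).
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildZone |
    Format-List ChildZoneName, NameServer, IPAddress

# Also confirm the child's DCs are registered under the forest-wide _msdcs
# zone, which is what the KCC and DC locator use regardless of the child scope.
Get-DnsServerResourceRecord -ZoneName "_msdcs.$ParentZone" -RRType CName |
    Select-Object HostName, @{n='Target'; e={ $_.RecordData.HostNameAlias }}

# If the child zone should be available on every DC in the forest instead of
# via delegation, move it into the ForestDnsZones partition on a child DC:
# Set-DnsServerPrimaryZone -Name $ChildZone -ReplicationScope Forest
```

When the delegation query returns nothing, or its glue still points at a DC that has been removed, parent-side clients cannot resolve the child's SRV records even though AD replication itself is healthy; that is the failure mode Ace's "it will, but it may not" is warning about.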
Re: AD Sub-Domain [message #160395 is a reply to message #160392] Wed, 26 August 2009 14:49
aceman (Senior Member, United States; 5816 messages, registered July 2009)
"travelfreak" <travelfreak.3xjirb@DoNotSpam.com> wrote in message
news:travelfreak.3xjirb@DoNotSpam.com...
>
> Hi Ace,
>
> thanks for your answer.
>
>> In multiple domains,
>> the GC (not a FSMO role) must not be on the Infrastructure Master FSMO
>> role,
>> therefore you would need to move that role off the GC
>
> The Infrastructure Master is not allowed to run on a Global Catalog
> Server if either
> • there are multiple Domains in the Forest
> • there are Domain Controllers in the same Domain which are not Global
> Catalog Servers
>
> The Infrastructure Master is allowed to run on a Global Catalog Server
> in a Domain if either
> • there's only one Domain in the Forest
> • every Domain Controller in the Domain in question is a Global Catalog
> Server
>

As for the IM and GC, that statement above is a bit skewed. As I said,
(repeat) first, you should have two DCs per domain. Period. Best practice if
you have one domain. If you have more than one domain (in example minimum
two domains), then you MUST have two DCs per domain.

If you have one domain, it is recommended that ALL domain controllers are
GCs. This is because there is no work for the IM to perform. The IM gathers
data from other domains and creates a 'phantom' object of that data. This
provides the ability to say, add a user or group from another domain to a
local domain group in its domain.

Therefore, if you have more than one domain, the GC MUST be separated and
NOT run on the same machine as the IM, or the IM will not do its job.

The first link explains what I summarized regarding the GC and IM role in
more detail, which hopefully will give you a better understanding.

By the way, a GC is not a FSMO role, it's just a service that runs on a GC.
I don't know if you knew that or not. I just wanted to make that clear. Some
folks get that confused.

Phantoms, tombstones and the infrastructure master role conflict with a
global catalog
http://support.microsoft.com/kb/248047

Infrastructure Education:
http://social.answers.microsoft.com/Forums/en-US/winservergen/thread/d238de68-3423-40cd-9bf1-8416bd1d4591

FSMO placement and optimization on Active Directory domain controllers:
http://support.microsoft.com/kb/223346

Global Catalog vs. Infrastructure Master
"If a single domain forest, you can have all DCs a GC. If multiple domains,
it is recommended for a GC to not be on the FSMO IM Role, unless you make
all DCs GCs"
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

Ace
Re: AD Sub-Domain [message #160397 is a reply to message #160383] Wed, 26 August 2009 14:50
travelfreak (Junior Member, United States; 14 messages, registered August 2009)
Hi,

I quoted from
http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/08/37975.aspx

In my case I am speaking about one forest domain with child / sub
domains.

Marco


Re: AD Sub-Domain [message #160398 is a reply to message #160397] Wed, 26 August 2009 16:14
aceman (Senior Member, United States; 5816 messages, registered July 2009)
"travelfreak" <travelfreak.3xjoba@DoNotSpam.com> wrote in message
news:travelfreak.3xjoba@DoNotSpam.com...
>
> Hi,
>
> I quoted from
> http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/08/37975.aspx
>
> In my case I am speaking about one forest domain with child / sub
> domains.
>
> Marco


Then that portion you quoted is not skewed. He's right, and is what I was
saying.

To simplify it:

If you have one domain in the forest, all DCs should be GCs (the IM is not
used in single domain forests).

If you have more than one domain, the GC cannot be on the IM. This is your
scenario, so you will need a minimum of four domain controllers.

Ace
Re: AD Sub-Domain [message #160406 is a reply to message #160398] Thu, 27 August 2009 01:14
travelfreak (Junior Member, United States; 14 messages, registered August 2009)
Hello Ace,

for the Replication and DNS part I am fine. It all depends on the KCC,
and normally for the 2nd DC in a child domain there is only intra-site
replication.

But for the GC-IM I am not 100% sure.

I quote from: http://support.microsoft.com/kb/223346/en-us

... Two exceptions to the "do not place the infrastructure master on a
global catalog server" rule are:

Single domain forest:

In a forest that contains a single Active Directory domain, there are
no phantoms, and so the infrastructure master has no work to do. The
infrastructure master may be placed on any domain controller in the
domain, regardless of whether that domain controller hosts the global
catalog or not.

Multidomain forest where every domain controller in a domain holds the
global catalog:

IF EVERY DOMAIN CONTROLLER IN A DOMAIN THAT IS PART OF A MULTIDOMAIN
FOREST ALSO HOSTS THE GLOBAL CATALOG, THERE ARE NO PHANTOMS OR WORK FOR
THE INFRASTRUCTURE MASTER TO DO. THE INFRASTRUCTURE MASTER MAY BE PUT ON
ANY DOMAIN CONTROLLER IN THAT DOMAIN.

In my case I have a root.local domain with 2 DCs, both are GCs. So I
have a child domain child.root.local with 1 DC (at the moment) as GC. So
I want to install a 2nd DC also as GC.

That would fulfill the MS exception 2 mentioned in the article above.

Do I miss something?

Cheers,
Marco


Re: AD Sub-Domain [message #160407 is a reply to message #160406] Thu, 27 August 2009 01:32
meiweb (Senior Member, Germany; 2225 messages, registered September 2009)
Hello travelfreak,

The Infrastructure Master is NOT allowed to run on a Global Catalog Server
if EITHER:
- there are multiple Domains in the Forest (YOUR ENVIRONMENT APPLIES HERE)

- there are Domain Controllers in the same Domain which are not Global Catalog
Servers

See also:
http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/08/37975.aspx

Best regards

Meinolf Weber


> Hello Ace,
>
> for the Replication and DNS part I am fine. It all depends on the KCC,
> and normally for the 2nd DC in a child domain there is only intra-site
> replication.
>
> But for the GC-IM I am not 100% sure.
>
> I quote from: http://support.microsoft.com/kb/223346/en-us
>
> ... Two exceptions to the "do not place the infrastructure master on a
> global catalog server" rule are:
> Single domain forest:
> In a forest that contains a single Active Directory domain, there are
> no phantoms, and so the infrastructure master has no work to do. The
> infrastructure master may be placed on any domain controller in the
> domain, regardless of whether that domain controller hosts the global
> catalog or not.
> Multidomain forest where every domain controller in a domain holds the
> global catalog:
> IF EVERY DOMAIN CONTROLLER IN A DOMAIN THAT IS PART OF A MULTIDOMAIN
> FOREST ALSO HOSTS THE GLOBAL CATALOG, THERE ARE NO PHANTOMS OR WORK
> FOR THE INFRASTRUCTURE MASTER TO DO. THE INFRASTRUCTURE MASTER MAY BE
> PUT ON ANY DOMAIN CONTROLLER IN THAT DOMAIN.
>
> In my case I have a root.local domain with 2 DCs, both are GCs. So I
> have a child domain child.root.local with 1 DC (at the moment) as GC.
> So I want to install a 2nd DC also as GC.
>
> That would fulfill the MS exception 2 mentioned in the article above.
>
> Do I miss something?
>
> Cheers,
> Marco
>
Re: AD Sub-Domain [message #160415 is a reply to message #160406] Thu, 27 August 2009 08:03
aceman (Senior Member, United States; 5816 messages, registered July 2009)
"travelfreak" <travelfreak.3xkg3d@DoNotSpam.com> wrote in message
news:travelfreak.3xkg3d@DoNotSpam.com...
>
> Hello Ace,
>
> for the Replication and DNS part I am fine. It all depends on the KCC,
> and normally for the 2nd DC in a child domain there is only intra-site
> replication.
>
> But for the GC-IM I am not 100% sure.
>
> I quote from: http://support.microsoft.com/kb/223346/en-us
>
> ... Two exceptions to the "do not place the infrastructure master on a
> global catalog server" rule are:
> Single domain forest:
>
> In a forest that contains a single Active Directory domain, there are
> no phantoms, and so the infrastructure master has no work to do. The
> infrastructure master may be placed on any domain controller in the
> domain, regardless of whether that domain controller hosts the global
> catalog or not.
> Multidomain forest where every domain controller in a domain holds the
> global catalog:
>
> IF EVERY DOMAIN CONTROLLER IN A DOMAIN THAT IS PART OF A MULTIDOMAIN
> FOREST ALSO HOSTS THE GLOBAL CATALOG, THERE ARE NO PHANTOMS OR WORK FOR
> THE INFRASTRUCTURE MASTER TO DO. THE INFRASTRUCTURE MASTER MAY BE PUT ON
> ANY DOMAIN CONTROLLER IN THAT DOMAIN.
>
> In my case I have a root.local domain with 2 DCs, both are GCs. So I
> have a child domain child.root.local with 1 DC (at the moment) as GC. So
> I want to install a 2nd DC also as GC.
>
> That would fulfill the MS exception 2 mentioned in the article above.
>
> Do I miss something?
>
> Cheers,
> Marco


That statement from KB223346, was also quoted in Ulf's blog, that you,
Meinolf and I have posted.

Actually, I don't like to follow the exception rule, because I would like to
ensure that my phantoms exist and are up to date. That is why I go by the
rule, and many will agree, that if you have one domain, make all DCs a GC,
and if you have more than one domain, make sure you have at least two DCs in
each domain, and make sure the GC is not an IM in each domain.

Ace
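An audit of the KB223346 rule the last several posts argue about (the "every DC in the domain is a GC" exception Marco quotes, and Ace's stricter "never put the IM on a GC in a multi-domain forest" practice), as an added example that is not from any post in the thread. It assumes PowerShell 3.0 or later with the ActiveDirectory module and read access to every domain in the forest. It changes nothing; the remediation commands at the end are commented out and use the placeholder DC name DC4 from the thread.

```powershell
# Added example: for every domain in the forest, report Infrastructure Master
# placement against the KB223346 rule, plus Ace's "two DCs per domain" rule.
# Read-only. Assumes PowerShell 3.0+ and the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $forest      = Get-ADForest
    $domains     = @($forest.Domains)
    $multiDomain = $domains.Count -gt 1

    foreach ($name in $domains) {
        $dom = Get-ADDomain -Identity $name
        $dcs = @(Get-ADDomainController -Filter * -Server $name)

        # InfrastructureMaster is the holder's FQDN; HostName on each DC object
        # is also an FQDN, and -eq is case-insensitive in PowerShell.
        $im = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }

        $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        $allGc   = ($gcCount -eq $dcs.Count)

        # KB223346: an IM on a GC only stops working when (a) the forest has more
        # than one domain AND (b) some DC in this domain is not a GC. A GC never
        # holds stale phantoms, so an IM that is a GC never notices cross-domain
        # references that need updating; if every DC is a GC there are no phantoms
        # to update in the first place.
        $conflict = $multiDomain -and [bool]$im.IsGlobalCatalog -and -not $allGc

        [pscustomobject]@{
            Domain           = $name
            DCs              = $dcs.Count
            GCs              = $gcCount
            InfrastructureIM = $dom.InfrastructureMaster
            IMIsGC           = [bool]$im.IsGlobalCatalog
            AllDCsAreGC      = $allGc
            SingleDCDomain   = ($dcs.Count -lt 2)   # Ace's fault-tolerance rule
            IMGCConflict     = $conflict            # the KB223346 rule
            AceStrictRule    = $multiDomain -and [bool]$im.IsGlobalCatalog
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize

# Remediation when IMGCConflict is True (pick one; placeholder DC name DC4):
#  a) move the role to a DC that is not a GC:
#     Move-ADDirectoryServerOperationMasterRole -Identity DC4 -OperationMasterRole InfrastructureMaster
#  b) or make every DC in that domain a GC (Marco's plan), by ticking
#     "Global Catalog" on each DC's NTDS Settings object in AD Sites and Services.
```

The two boolean columns separate the published rule from the stricter practice: `IMGCConflict` is True only in the case KB223346 says actually breaks phantom updates, while `AceStrictRule` flags any GC holding the IM in a multi-domain forest, which is the state Ace says he avoids regardless of the exception. Marco's planned layout (two DCs in child.root.local, both GCs) reports `IMGCConflict = False` and `AceStrictRule = True`, which is exactly the disagreement in the thread.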