Windows Server 2008 R2 Thread, Adding second domain controller in Technical; Hi All, We set up our new server 2008 R2 domain over summer and now have a second server that ...
  1. #1
    reggiep

    Adding second domain controller

    Hi All,
    We set up our new server 2008 R2 domain over summer and now have a second server that we can add as DC2.
    We have installed Server 2008 R2 on it and are about to DCPROMO it.
    Are there any extra settings I should be aware of before we go ahead and do this?
    This is not the sort of thing we do every day!!

    Thanks

  2. #2
    themightymrp
    Making the server into a DC will likely install DNS services; you may want to add that second server's IP as a secondary DNS server in your DHCP settings? Just for load sharing etc.

    Other than that it should be fairly straightforward.

  4. #3

    sonofsanta
    Should be fairly easy - it leads you through it in the dcpromo anyway. If you're just putting your second DC in you might want to consider splitting your DHCP scopes between the two servers - set the entire scope up on each, then disable half the range on each one, so that if a server ever goes down you can just remove the restriction and your full DHCP scope is serviceable still. Fairly brute-force load balancing, but fairly common as well.

  6. #4
    Duke5A
    Quote, originally posted by sonofsanta:
    Should be fairly easy - it leads you through it in the dcpromo anyway. If you're just putting your second DC in you might want to consider splitting your DHCP scopes between the two servers - set the entire scope up on each, then disable half the range on each one, so that if a server ever goes down you can just remove the restriction and your full DHCP scope is serviceable still. Fairly brute-force load balancing, but fairly common as well.
    Only thing you have to watch out for when splitting a DHCP scope between two servers is to make sure the subnet has twice as many addresses available as the total number of clients in it. If one of your domain controllers does stop functioning you could run out of addresses in the scope on the backup.

    Make sure the new DC is a global catalog server too so it can process login requests.
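
The split-scope arrangement sonofsanta describes, with the capacity check Duke5A raises, as an added example (not code from any poster in this thread). Server names, scope, range and client count are constructed sample values; the script only prints the `netsh dhcp` exclusion commands for review and warns when half the range cannot hold every client.

```powershell
# Added example: plan a 50/50 split of one DHCP scope across two servers.
# All names and addresses used here are constructed sample values.

function ConvertTo-IpNumber([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network order -> little-endian
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-IpString([int64]$Number) {
    $bytes = [BitConverter]::GetBytes([uint32]$Number)
    [Array]::Reverse($bytes)                 # back to network order
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Get-SplitScopePlan {
    param(
        [string]$ScopeId, [string]$StartIp, [string]$EndIp,
        [int]$ClientCount, [string]$ServerA, [string]$ServerB
    )
    $start = ConvertTo-IpNumber $StartIp
    $end   = ConvertTo-IpNumber $EndIp
    $total = $end - $start + 1
    if ($total -lt 2) { throw "Range ${StartIp} to ${EndIp} is too small to split." }

    # Server A serves the lower half, server B the remainder.
    $half  = [int64](($total - ($total % 2)) / 2)
    $lastA = $start + $half - 1

    # Capacity check: each half must cover every client on its own,
    # otherwise the surviving server can run out of addresses.
    if ($half -lt $ClientCount) {
        Write-Warning "Each server can lease only $half addresses for $ClientCount clients."
    }

    # Both servers hold the full range; each excludes the half the other serves.
    "netsh dhcp server \\$ServerA scope $ScopeId add excluderange $(ConvertTo-IpString ($lastA + 1)) $EndIp"
    "netsh dhcp server \\$ServerB scope $ScopeId add excluderange $StartIp $(ConvertTo-IpString $lastA)"
}

# Constructed sample: 240 addresses, 150 clients, so the warning fires.
Get-SplitScopePlan -ScopeId '192.168.10.0' -StartIp '192.168.10.10' `
    -EndIp '192.168.10.249' -ClientCount 150 -ServerA 'DC1' -ServerB 'DC2'
```

If a server fails, removing the exclusion on the survivor (`delete excluderange` with the same arguments) makes the full range serviceable again, as described above.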

  8. #5
    reggiep
    Quote, originally posted by Duke5A:
    Make sure the new DC is a global catalog server too so it can process login requests.
    I'll take note of that.

    Thanks.

  9. #6
    ADMaster
    Also consider balancing out your FSMO roles; if you only have one DC now, it will hold all of them. Consider transferring some of them to the new DC.

  11. #7
    reggiep
    Last time we moved FSMO roles between DCs we couldn't move them back to demote one of them! We had to live with a slightly faulty domain DC for a year as we couldn't demote it!

  12. #8
    oxide54
    Quote, originally posted by reggiep:
    Last time we moved FSMO roles between DCs we couldn't move them back to demote one of them! We had to live with a slightly faulty domain DC for a year as we couldn't demote it!

    If there were no roles on it, you could have just turned it off, reinstalled over the top and used ntdsutil to remove any reference of it from the domain.

  13. #9

    glennda
    Quote, originally posted by dana_lehman:
    Also consider balancing out your FSMO roles; if you only have one DC now, it will hold all of them. Consider transferring some of them to the new DC.
    In small environments I prefer to have them in one place. You can always steal the roles if it fails.

    I've also read somewhere you shouldn't run DHCP from a DC for security purposes but can't remember why.

  15. #10
    If you can stand his voice, here is a video. Dcpromo does most of the work for you...
    How To Add The Second Windows Server 2008 R2 Domain Controller To A Domain - YouTube

  16. #11
    oxide54
    Quote, originally posted by glennda:
    In small environments I prefer to have them in one place. You can always steal the roles if it fails.

    I've also read somewhere you shouldn't run DHCP from a DC for security purposes but can't remember why.

    I think it's because the account that the DHCP service runs as has more access on a DC than on a Member Server.

  17. #12
    Quote, originally posted by oxide54:
    I think it's because the account that the DHCP service runs as has more access on a DC than on a Member Server.

    It's better to have the firewall handle DHCP; in the event the DC gets compromised, you can still kick sessions and isolate it for damage control.

  18. #13
    oxide54
    Quote, originally posted by rslulz:
    It's better to have the firewall handle DHCP; in the event the DC gets compromised, you can still kick sessions and isolate it for damage control.

    No idea what you're on about tbh, but I don't think about it being a security risk myself; I was just offering reasoning to what glennda had read.
