If we have our main DC still running 2003 on a ESXi Host, with the schema upgraded to 2008 R2 and a 2008 R2 DC.
Am I right in thinking that if the main DC (the 2003 server) were to go down I would only be able to replace it with another 2008 R2 DC?
I would dearly like to purchase a new server and then have the primary DC on that so there would be some tolerance, or, as we have vMotion and HA, maybe leave the DCs where they are and just rely on HA in the event of hardware failure.
I guess there is someone out there that has recovered their infrastructure with this setup?
We would be doing system state backups on the 2008 R2 using Windows Backup from scheduled wbadmin tasks. The main DC (running 2003) has Backup Exec. There are also scheduled tasks on the main DC to back up the system state on a nightly basis to another server. Probably overkill, I guess.
Davit2005 (15th February 2012)
You need to ensure that the Global Catalog function is enabled on both DCs, so that if one conks out, user logons can be processed on the other:
What Is the Global Catalog?: Active Directory
I would install the new server, add the AD roles and then transfer the FSMO roles from the 2003 server to the new 2008 one before removing the 2003 server.
I'm not sure if DPM works with ESXi, but I've found it quite useful in my hyper-v setup.
In event of failure I would only restore a single DC (the one with the FSMO roles), and then build another.
Last edited by Mr.Ben; 15th February 2012 at 06:46 PM.
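The steps in the post above (check that every DC is a Global Catalog, then move the FSMO roles to the new 2008 R2 DC before decommissioning the 2003 box) as an added PowerShell example; this is not any poster's script, it assumes the ActiveDirectory module is available on a 2008 R2 DC, that it runs as a Domain/Enterprise Admin, and that "DC-2008R2" stands in for the real target hostname.

```powershell
# Added example: inventory GC status and FSMO holders, then transfer all five
# roles to the new 2008 R2 DC. "DC-2008R2" is an assumed hostname.
Import-Module ActiveDirectory

$target = "DC-2008R2"   # assumed name of the new 2008 R2 DC

# 1. Which DCs are Global Catalogs? Logons need at least one reachable GC.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site, OperationMasterRoles |
    Format-Table -AutoSize

# 2. Enable the GC on the target if it is not one yet
#    (bit 1 of the "options" attribute on its NTDS Settings object).
$dc = Get-ADDomainController -Identity $target
if (-not $dc.IsGlobalCatalog) {
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }
    Write-Host "Global Catalog enabled on $target; allow replication to finish before relying on it."
}

# 3. Show the current role holders before transferring.
$forest = Get-ADForest
$domain = Get-ADDomain
"Schema: $($forest.SchemaMaster)  DomainNaming: $($forest.DomainNamingMaster)"
"PDC: $($domain.PDCEmulator)  RID: $($domain.RIDMaster)  Infra: $($domain.InfrastructureMaster)"

# 4. Graceful transfer while the old 2003 DC is still online.
#    Add -Force only to seize the roles after the old DC is permanently gone,
#    and never bring a seized-from DC back onto the network afterwards.
$roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

# 5. Verify the result on the target.
Get-ADDomainController -Identity $target |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
```

Run `dcdiag /test:knowsofroleholders` afterwards to confirm every DC agrees on the new role holders before the 2003 server is demoted.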
dhicks (15th February 2012)
I rebuilt a DC at the last place when the RAID went bad but it was a physical host.
Would HA be OK to use on DCs? If the hardware went bad it should swap to the other server, but I'm not sure how this would work on DCs.
Backing up a DC is not the best of ideas - it should only be used for recovery in a disaster situation. Best practice is to simply have another DC. We run a virtual environment using Hyper-V and our Hyper-V host servers are domain-joined machines - this means we have to have a DC outside of our cluster, as it will not start the cluster and failover services until it can verify a DC is available (we have then made two virtual DCs inside our environment).
The FSMO roles all belong to the physical machine; the other 2 DCs are global catalog servers as well. If the physical machine dies completely, I would simply forcibly seize the roles to one of the virtual servers, and keep the cluster running whilst I set up a new physical machine and transfer the roles to the physical machine once complete.
The short answer is: have a second DC - this is your backup.
I set up 4 ESXi hosts at a previous employer with a vCenter managing them. The main point of my thread was to establish whether it would be best to have both DCs on one host with HA enabled in case of hardware failure, or just have one DC on each; both would have DHCP, DNS and Global Catalog roles to provide failover. Both servers are also in the same server room as we have limited space. Also, does HA rely on a SAN-based datastore or can it work with local storage (on the ESXi host itself)? We have HA and vMotion in our ESXi licence and the CPU count will allow us to have another couple of hosts.
I can suggest using Veeam Backup in order to back up those machines properly.
> Am I right in thinking if the main DC (the 2003 server) were to go down I would only be able to replace with another 2008 R2 DC.

That's incorrect. Your role master is a 2003 DC, but the schema has been upgraded to 2008 R2 due to a 2008 R2 DC in your domain. This is completely normal. If your 2003 DC went down, you could replace it with another 2003 DC.
Currently your Domain and Forest functional levels are going to be 2003, due to your 2003/2008 R2 server. You cannot for example have a 2000 DC and 2008 R2 DC in the same domain.
If your Domain and Forest functional levels were set to 2008 R2, you could only introduce a 2008 R2 or better. You couldn't run any 2003 DCs. Any 2003 servers could only be member servers running File/Print services for example.
Over summer I'll probably introduce another 2008 R2 server, move the roles and decommission our last 2003 DC. Our filter box may not approve, but it will give a decent excuse to have to replace it (if we haven't already done so by then) ;-D . I suppose I could just move the roles but leave the filter box pointing at the LDAP on the 2003. One thing for sure: when you raise the functional level of the forest there's no going back.
Cheers for the reply.
> One thing for sure, when raise the functional level of the forest there's no going back.

Spot on.
Two examples of how this might happen:
- A Hacker removes all users from Domain Admins/Administrators, resets the password for the domain administrator account, then deletes all other accounts.
- Or a worm/program goes berserk and corrupts ADS.
You still need to take regular backups of ADS to deal with these types of scenarios; no matter how many DCs you have, it won't help. And...
A) If all of your DCs are on one site, you should keep the backups "off-site" from where your DCs are.
B) Store them offline (e.g. a USB drive or tape) to prevent the said hacker from wiping your backup at the same time as the DCs.
In my opinion Windows Server Backup (2008/2008 R2) is good for ADS backups. Microsoft trusts it to perform ADS backups for DPM.
Last edited by Bruce123; 9th April 2012 at 11:03 PM.
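The offline system state backup the post above recommends, as an added PowerShell example that is not the poster's own script: it runs Windows Server Backup's wbadmin against a removable drive and then lists what is on it, so a missing or failed backup is noticed before the drive goes off-site. The drive letter E: and the log path are assumptions; run it from an elevated prompt on the 2008 R2 DC.

```powershell
# Added example: nightly system state backup of a DC to a removable drive
# (assumed E:) with Windows Server Backup, plus a check of the result.
$target = "E:"
$logDir = "C:\Backups"   # assumed log location
$log    = Join-Path $logDir ("systemstate-{0}.log" -f (Get-Date -Format yyyyMMdd))

if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# An offline copy only exists if the drive is actually attached tonight.
if (-not (Test-Path $target)) {
    Write-Error "Backup drive $target is not attached; system state backup skipped."
    exit 1
}

# systemstatebackup captures AD (NTDS.dit, SYSVOL, registry, boot files)
# in a form that Directory Services Restore Mode can restore from.
wbadmin start systemstatebackup -backupTarget:$target -quiet | Tee-Object -FilePath $log

if ($LASTEXITCODE -ne 0) {
    Write-Error "wbadmin returned exit code $LASTEXITCODE; see $log"
    exit $LASTEXITCODE
}

# Confirm the backup versions present on the drive before it is unplugged
# and taken off-site; a drive with no recent version is the failure to chase.
wbadmin get versions -backupTarget:$target | Tee-Object -FilePath $log -Append
```

Schedule it with Task Scheduler as SYSTEM or a dedicated backup account, and rotate at least two drives so one is always disconnected from the DCs.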
Roberto (10th April 2012)
I've been wondering, as I also have 2 DCs but only one of them is running DHCP (I'm told that this isn't ideal either). I've so many reservations etc.; how do you share the DHCP role?
Just give DHCP its own VM
Used to have it split across two DHCP servers, but it seems like after going virtual most people just put it on one VM.
As for DC backups... we use Veeam. The SureBackup feature is handy as you can spool up your entire network from the backup files to check everything works as expected if you needed to restore from them... very funky!
Last edited by gshaw; 10th April 2012 at 12:08 PM.
chazzy2501 (10th April 2012)