DNS replication and DHCP (Windows Server 2003)
I have some additional questions about DC replication and DHCP; maybe you can help me. Here are my questions:

1) When I have a DC with Active Directory and create a new one with a new Active Directory, do the two ADs replicate information between their databases?

2) What about load balancing? When I have an AD on one DC and create a new one on a new DC, do the client machines (XP boxes), when starting, connect to the first AD that is available? Is there load balancing between the two ADs?

3) What about DNS? If I have one DC that has one DNS and create a new DC with a new DNS, will they replicate the information between the two databases?

4) What about load balancing? Does the DNS divide the load with the other DNS?

5) I installed this DC replication using a link: http://technet.microsoft.com/en-us/...26434.aspx As you can see through the link, one step is to do this: "Configure the Second Domain Controller as a Global Catalog Server. The first domain controller in the forest (AD01) is automatically configured as a global catalog server. For additional resilience, configure AD02 to be a global catalog server too." Why do I need to configure the secondary DC as a Global Catalog server? Can you explain what the function of the Global Catalog Server is, and why I need to configure it on the second DC server?

7) If the AD and DNS databases replicate themselves between the different DCs, with which frequency do they replicate information between them? Is there a set time? Can this time be changed?

8) As you can see from the link that I gave you above, they say that when I create the second DC, the network card of this DC needs to have the first DNS server configured with the IP address of the first DC, and only the second DNS server on the network card should have the IP address of this second server. Why? "Configure AD02 to use AD01 as its primary DNS server. Then, promote AD02 to be an additional domain controller in the existing Fabrikam.com domain using DCPromo."

9) The first DHCP that I have is on the first DC. When I created a second DC (AD, DNS), I also created a second DHCP so that I can have fault tolerance. In the first DHCP, in the scope options, I have the property "004 - Time Server" selected. Should I select the same property on the second DHCP that I am creating? If not, why?

P.S. - When I talk in this post about DCs, it is because I created a second DC on my network and a second DHCP. The DC was created as an additional domain controller of the existing one, to offer fault tolerance.

PR
August 11th, 2010 9:37pm

1- Yes, the two domain controllers will replicate information between their databases. The replicated information depends on the configuration made on your DCs.

2- There is load balancing between the two DCs, and this is due to DNS record priorities.

3- If you install DNS on both servers and integrate your zones in Active Directory, DNS records will be replicated by Active Directory replication.

4- There is no load balancing between DNS servers. The contacted DNS server depends on the DNS configuration on the client computer (the primary DNS server is the one that will be contacted first).

5- All your domain objects (users, computers, groups ...) are stored in the Global Catalog. That is why it is recommended to have at least two DCs with global catalogs, so that if you have a problem with the first DC, the second one will be used.

7- This depends on the configuration of your sites, and the replication frequency can be configured.

8- To create the secondary DC, you need to resolve some DNS records; that is why you should use the first DC, which hosts your DNS zones. After the install of the new DC, and if you install the DNS service on it, you can use both of them.

9- No, one DHCP server is enough. You can configure the second as a DHCP server, but be careful with the configuration because they should not cause IP address conflicts.
August 11th, 2010 10:15pm

I recommend that you have a look at the FSMO roles and the best practices for assigning the FSMO roles. This is a link about the best practices for assigning the FSMO roles: http://windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
August 11th, 2010 10:19pm

Hello,

1. Only if the new DC is added to the existing domain, not if you just create a new DC in a new forest/domain with the same name.

2. The logon/authentication is based on the DCLocator process; see here for the details, well explained by Jorge: http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

3. Use AD-integrated zones and they will replicate the zone information between the DCs, but not the DNS server settings like forwarders; these have to be configured on each server.

4. All domain machines will use the preferred DNS server first for name resolution; only if this is not available will the secondary be chosen.

5. It is recommended to have at least 2 DNS/GC for failover and redundancy. See for details http://technet.microsoft.com/en-us/library/cc728188(WS.10).aspx and http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(WS.10).aspx

6. Missing :-)

7. Intra-site replication: http://technet.microsoft.com/en-us/library/cc728010(WS.10).aspx Inter-site replication: http://technet.microsoft.com/en-us/library/cc759160(WS.10).aspx

8. Until initial replication is done, you can assure that way that the new DC/DNS will only connect to the current DC and not have problems, as it is not itself properly working for the domain yet. After replication you can change the DNS server settings to itself as preferred and the other DNS server as secondary.

9. Don't configure the time server. In a domain the DC with the PDCEmulator role is the time master; all other DCs sync with that one, and the rest of the domain members use an available DC. See more in: http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

For DHCP split scope see: http://technet.microsoft.com/en-us/library/cc780311(WS.10).aspx and http://technet.microsoft.com/en-us/library/ee405264(WS.10).aspx

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 11th, 2010 11:31pm
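The checks a practitioner would run on the new DC before making the DNS switch described in point 8 above, as an added example that is not from the thread or the linked article. The domain name and DC names AD01/AD02 follow the article quoted in the question; the AD01 address and the NIC name are constructed placeholders, and dcdiag, repadmin and netdom are assumed to be installed from the Windows Server 2003 Support Tools.

```batch
@echo off
rem Added example, not from the thread: post-DCPromo checks on AD02 before it
rem is pointed at its own DNS service. Run from a command prompt on AD02.
rem Assumptions: domain fabrikam.com and DC names from the linked article;
rem AD01_IP and NIC are constructed placeholders, replace them for your network.
set DOMAIN=fabrikam.com
set AD01_IP=192.0.2.10
set NIC=Local Area Connection

rem 1. FSMO role holders: an additional DC never receives a role automatically,
rem    so all five are expected to still be on AD01.
netdom query fsmo

rem 2. Replication partners and the last result for each. Any failure here means
rem    initial replication is not finished and the DNS change below must wait.
repadmin /showrepl AD02

rem 3. Both DCs must have registered their locator SRV records in _msdcs,
rem    otherwise the DC Locator process on the clients will never select AD02.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%DOMAIN%

rem 4. DNS and replication diagnostics against the new DC
rem    (the DNS test requires the Windows Server 2003 SP1 Support Tools).
dcdiag /s:AD02 /test:DNS /test:Replications

rem 5. Only when steps 2 to 4 are clean: AD02 prefers itself (127.0.0.1),
rem    with AD01 as the alternate, as point 8 describes.
netsh interface ip set dns name="%NIC%" source=static addr=127.0.0.1
netsh interface ip add dns name="%NIC%" addr=%AD01_IP% index=2

rem 6. Time hierarchy: AD02 should report the PDC emulator as its source,
rem    which is why DHCP option 004 must not be handed out to domain members.
w32tm /monitor
```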

Hi,

First of all, thank you very much for your replies. I have been reading all your replies, but I still have some problems.

1) When I am configuring the second domain controller, it asks me for a password for restoring the AD, if necessary. It says that this password is different from the Administrator password. Can someone explain what the process of restoring an AD is? Why do I need to do this?

2) If I understood your answers, when I first promote the second server to be an additional domain controller for an existing one, the preferred DNS on the NIC of this server has to be the IP address of my existing DC. After the promotion of this second computer to DC, I should change the DNS order on the NIC, and put the first option on the NIC as its own IP and the second DNS as the IP address of the other DC; am I correct? If I am correct, I was wondering... shouldn't I expect problems? Because I changed the order in which the DNSs were on the NIC after the computer was promoted to DC?

3) Do I really need to have the two DCs as global catalogs? My forest will have only one domain...

4) My DCs are in multi-master mode. When I execute commands to see where the FSMOs are, they tell me that they are on the first domain controller that I created. If I am in multi-master mode, should I have the FSMOs on the first DC that was created? It's strange because I was thinking that if I am in multi-master mode I should not have the FSMOs...

PR
August 12th, 2010 9:12pm

1- Directory Services Restore Mode (DSRM) is used on a Microsoft Windows domain controller to take the Active Directory on that machine offline. Have a look at these links: http://en.wikipedia.org/wiki/Directory_Services_Restore_Mode http://technet.microsoft.com/en-us/library/cc776568%28WS.10%29.aspx

2- Yes, you can proceed like that. I recommend that you use the 127.0.0.1 IP address as the primary DNS server IP address for the second DC after installing and configuring the DNS service (you can do the same thing for the first DNS server).

3- In your forest you will have only one domain. In your case, it is recommended by Microsoft to have all your DCs hosting global catalogs to ensure the highest level of availability of GCs.

4- In your case, there are 5 FSMO roles that you can distribute over all your DCs. That is why I gave you the FSMO assignment best practices article. By default, your first DC hosts all the FSMO roles, but you can distribute them. If you don't distribute them and the first DC crashes, all the FSMO roles will be unavailable.
August 12th, 2010 9:51pm

This is a link about how to display and transfer FSMO roles in Microsoft Windows Server 2003: http://support.microsoft.com/kb/324801

Best regards.
August 12th, 2010 9:56pm

Hello,

1. The Directory Services Restore Mode is made to access the server without starting Active Directory for restore operations, so more or less a local server logon, which is not possible if AD is running, since then you are always on the domain.

2. Yes.

3. In a single-domain forest like domain.com it is recommended to have all DCs enabled as GC. There is no problem with that. Also keep in mind that redundancy is always important in a domain.

4. You can have all FSMOs on one DC, even if more DCs are used. They will not automatically be divided between them if an additional DC is added. http://support.microsoft.com/kb/223346

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 13th, 2010 11:30am

Hi,

Thank you very much, once again, for all your support. I still have some questions that I would like to understand; maybe you can help me. Questions:

1) I think that when I install a second DC on my network (an additional domain controller of an existing one), by default the environment between these two DCs is multi-master and all 5 FSMOs are on the first DC, as you told me. My question is: because I am in a multi-master environment (not single master), if the first DC goes down (the DC that has the 5 FSMOs), do I need to pass them (seize) to the other DC? I think not, because I am in multi-master mode; am I right?

2) This question is related to DHCPs. I have a DHCP and I want my DHCP to only give IPs to machines that belong to my domain; is this possible? I ask this because we have another company in the same place and they use their own domain, but when their machines connect, sometimes they receive our IPs. Can I limit the DHCP to only give IPs to machines that are on my domain?

PR
August 13th, 2010 1:31pm

1- If the first DC, which is hosting the 5 FSMO roles, goes down, you will have several problems like: changing passwords, creating domains ... That is why, if the first one goes down, you should proceed like this:

A- Restore a previously performed backup of the first DC so that it will be back.

B- If you don't want to proceed like that, you should proceed by seizing the FSMO roles (in this case, after seizing, you should not bring the downed DC online, because you may have several problems like a corrupted forest ...).

This is an article about how to display and transfer FSMO roles: http://support.microsoft.com/kb/324801

This is an article about FSMO role seizing: http://support.microsoft.com/kb/255504

2- This is feasible on Windows 2008: you can configure DHCP to accept DHCP requests for certain MAC addresses, but not on Windows 2003. In your case you should secure the physical access to your network and be sure you are using the correct DHCP architecture.
August 13th, 2010 6:29pm

Hello,

1. If the DC is just shut down for maintenance, do nothing until it is back. If the DC crashes and never comes back, you have to seize the FSMO roles to the other DC. The FSMOs must exist in the domain, so make sure to have them available.

2. You can use the following way: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 16th, 2010 3:46pm
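A DHCP split-scope configuration for the two DCs, as an added example that is not from the thread or the linked Microsoft articles: both servers serve the same subnet, each excludes the other's share so no address is ever leased twice, and option 004 is left unset as advised earlier in the thread. The subnet, router, DNS addresses and domain name are constructed values; AD01/AD02 are the DC names used in the thread.

```batch
@echo off
rem Added example, not from the thread: an 80/20 split scope on two
rem Windows Server 2003 DHCP servers using the built-in netsh dhcp context.
rem Assumptions: subnet 192.168.1.0/24, router .1, DNS servers .10 and .11
rem and the domain name are constructed values; AD01/AD02 are the thread's DCs.
set SUBNET=192.168.1.0
set MASK=255.255.255.0

rem Both servers define the same pool .10-.200 and the same options, so a client
rem gets identical settings no matter which server answers first.
for %%S in (AD01 AD02) do (
    netsh dhcp server \\%%S add scope %SUBNET% %MASK% "LAN" "split scope on %%S"
    netsh dhcp server \\%%S scope %SUBNET% add iprange 192.168.1.10 192.168.1.200
    netsh dhcp server \\%%S scope %SUBNET% set optionvalue 003 IPADDRESS 192.168.1.1
    netsh dhcp server \\%%S scope %SUBNET% set optionvalue 006 IPADDRESS 192.168.1.10 192.168.1.11
    netsh dhcp server \\%%S scope %SUBNET% set optionvalue 015 STRING fabrikam.com
    rem Option 004, time server, is deliberately not set: members take time
    rem from a DC and the DCs follow the PDC emulator.
)

rem Complementary exclusions are what prevent duplicate leases:
rem AD01 may lease .10-.162, 80 percent; AD02 may lease .163-.200, 20 percent.
netsh dhcp server \\AD01 scope %SUBNET% add excluderange 192.168.1.163 192.168.1.200
netsh dhcp server \\AD02 scope %SUBNET% add excluderange 192.168.1.10 192.168.1.162

rem Activate both scopes, then confirm each server's exclusions before going live.
netsh dhcp server \\AD01 scope %SUBNET% set state 1
netsh dhcp server \\AD02 scope %SUBNET% set state 1
netsh dhcp server \\AD01 scope %SUBNET% show excluderange
netsh dhcp server \\AD02 scope %SUBNET% show excluderange
```

If the exclusion on one server is removed or mistyped, both servers can lease the same address, which is the IP conflict the earlier answer warns about; checking show excluderange on both servers after any scope change is the cheap way to catch that.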

No offense, but if you need to ask these questions maybe you need to reconsider a course..
September 22nd, 2010 10:27am
