
After thinking about the logistics of managing an enterprise network, I’ve decided to post something I could refer to later, should I be called upon to do it without supervision.

One of the first considerations is redundancy. On a business-critical network there should ideally be two of everything that can’t be replaced quickly. This is especially true of a Domain Controller, as it’s the brains of an Active Directory system, storing the user accounts, the database of ‘objects’ representing the resources within the domain, and the data that lets machines find each other and authenticate. While I’ve played with Active Directory a number of times, I’ve never really given the practicalities of adding a failover machine much consideration.

Thankfully Micro$oft has already thought of this, and servers can be designated ‘Primary Domain Controller’ (PDC) and ‘Backup Domain Controller’ (BDC). Wikipedia describes a backup Domain Controller as simply being a machine storing a recent copy of the Active Directory database.

There are actually two modes of operation here. The first option is to make the backup database read-only, which ensures that only the primary DC is updated; when the primary server fails, the backup server is promoted to act as the Domain Controller.
The other option is to make the backup database writeable, in which case both databases are synchronised, so we effectively have a single logical Domain Controller with the load balanced across two physical machines.

The Procedure
1. Create a new stand-alone Windows Server installation on the network, as you do.
2. Give the machine a static IP address, so the primary DC can find it.
3. Both primary and secondary controllers should have DNS running; these become the primary and alternate DNS servers.
4. In Server Manager, add the roles Active Directory Domain Services and DNS.
5. Run DCPromo and choose to add a Domain Controller to an existing domain (ours).
6. Enter the administrator’s username and password for the existing domain. The existing Domain Controller should appear in the console after this point.
8. After the reboot, the Active Directory Domain Services and DNS Services should be present in the Roles Summary. The Active Directory database of the backup machine should be populated with everything from the primary DC.
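The same procedure scripted in PowerShell, as an added example that is not part of the original post: on Windows Server 2012 and later the DCPromo wizard is replaced by the ADDSDeployment module, and the domain name, IP addresses and adapter alias below are placeholders for whatever the network actually uses.

```powershell
# Added example: the wizard steps above, scripted for Windows Server 2012+.
# Placeholders (replace for your environment): domain name, addresses, adapter alias.
$DomainName   = 'corp.example.local'    # the existing domain we are joining as a DC
$PrimaryDc    = '192.0.2.10'            # existing DC, which also serves as primary DNS
$ThisServerIp = '192.0.2.11'            # static address for the new backup DC
$Gateway      = '192.0.2.1'
$Adapter      = 'Ethernet'              # name as shown by Get-NetAdapter

# Step 2: static IP so the primary DC can always find this machine.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ThisServerIp `
    -PrefixLength 24 -DefaultGateway $Gateway

# Step 3: point DNS at the existing DC first, ourselves second (we will host DNS too).
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $PrimaryDc, $ThisServerIp

# Step 4: the two roles added in Server Manager (plus the RSAT tools used below).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Steps 5-6: the DCPromo equivalent. Prompts for the domain admin credential and for
# the Directory Services Restore Mode password (needed to repair this DC offline later).
$Cred = Get-Credential -Message "Domain Admins account for $DomainName"
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName $DomainName `
    -Credential $Cred `
    -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force
# For the read-only variant described above, add -ReadOnlyReplica and
# -SiteName 'Default-First-Site-Name' to the command (the site must already exist).

# Step 8, after the reboot: confirm the new DC is listed and has finished replicating
# from the primary, rather than assuming the copy of the database is complete.
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, IsReadOnly, IsGlobalCatalog
repadmin /replsummary
dcdiag /test:Replications /test:DNS
```

A non-zero failure count in the repadmin summary or a failed dcdiag test means the backup does not yet hold a usable copy of the directory, so check those before relying on it for failover.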