1domain/site, dual locations...if link goes down what to do with OP masters?

 
 
ActionNotMotion@gmail.com
      05-02-2006, 08:53 PM
The setup is one domain, and one site with dual locations (2 server
2003 DCs in both locations)...yes we should have two sites, but it's
currently set up THIS way. All the operations roles are on one DC in
one location. The link between the physical sites has sometimes gone
down, and the computers that are on the side that is separated from the
operations master have all kinds of troubles. IS there a good way to
set this up so that this is not an issue. Assuming that the domain
structure is fixed, but that sites are flexible, is there a better way
to set this up, so that if the link goes down there won't be major
issues (something to temporarily pick up the operations masters roles
on the 'dark' side?)...I feel really dumb asking this (personally right
now I just don't see how this would be done...I mean from my
perspective it's just like as if all the computers were on the same
desk, and you just separate them...balabing bala bung, won't work), but
it's really late, so maybe I'm just missing something. If you'd revel
in proving me wrong, well I'd be glad to accept any technical
suggestions. Thanks

 
ActionNotMotion@gmail.com
      05-02-2006, 08:55 PM
there are GC's in both locations

 
ActionNotMotion@gmail.com
      05-02-2006, 09:04 PM
there are GC's in both locations, and forcefully seizing the roles is
not acceptable.

 
Paul Bergson
      05-02-2006, 09:11 PM
It sounds to me more like you are having a dns issue. It really shouldn't
matter from an authentication point of view if you lose a DC temp the other
will handle things -except- that Outlook needs the GC it used at logon time.
That can be a real snare.

Do you have dns services on both dc's and the clients pointing to both dc's
for dns services? Do you have both dc's pointing to themselves and then
each other as secondary for dns services?

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> The setup is one domain, and one site with dual locations (2 server
> 2003 DCs in both locations)...yes we should have two sites, but it's
> currently set up THIS way. All the operations roles are on one DC in
> one location. The link between the physical sites has sometimes gone
> down, and the computers that are on the side that is separated from the
> operations master have all kinds of troubles. IS there a good way to
> set this up so that this is not an issue. Assuming that the domain
> structure is fixed, but that sites are flexible, is there a better way
> to set this up, so that if the link goes down there won't be major
> issues (something to temporarily pick up the operations masters roles
> on the 'dark' side?)...I feel really dumb asking this (personally right
> now I just don't see how this would be done...I mean from my
> perspective it's just like as if all the computers were on the same
> desk, and you just separate them...balabing bala bung, won't work), but
> it's really late, so maybe I'm just missing something. If you'd revel
> in proving me wrong, well I'd be glad to accept any technical
> suggestions. Thanks
>



 
ActionNotMotion@gmail.com
      05-02-2006, 09:29 PM
all 4 DCs, have a DNS server on them running Active Directory
Integrated zones.

Thanks for the reply...I posted this right at the end of the day, from
a third party perspective. Tomorrow we'll go over and post the
specific error messages and issues that came up.

I guess, for now I just wanted a more abstract answer. I guess that
cutting off the operations masters would be kind of like cutting off
the head of an organism; how long can something keep going in this state
before issues start to arise?

 
Paul Bergson
      05-03-2006, 12:40 PM
There is absolutely no reason to seize (Transfer gracefully) the roles.
They have nothing to do with any of the problems you describe. Check your
clients to make sure they point to more than 1 dns server.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> all 4 DCs, have a DNS server on them running Active Directory
> Integrated zones.
>
> Thanks for the reply...I posted this right at the end of the day, from
> a third party perspective. Tomorrow we'll go over and post the
> specific error messages and issues that came up.
>
> I guess, for now I just wanted a more abstract answer. I guess that
> cutting off the operations masters would be kind of like cutting off
> the head of an organism; how long can something keep going in this state
> before issues start to arise?
>



 
Cory
      05-03-2006, 01:40 PM
Paul, in looking at the matter, the 4 servers are running ADIZ DNS and
are set up as forwarders between each other. Each DC is set to its own
IP as the primary DNS in the network properties with the other 3 in the
list. The clients point to the dns server on their local LAN. There was
in fact good reason to transfer the roles also. The Physical site that
contained the first DC in the forest had a major substation explosion,
thus taking out all power to the entire complex. The 2nd site was not
able to perform any sort of authentication (just cached sessions), and
the DFS was failing because it could not be found in AD so in turn, the
applications were not able to run at the 2nd site. We were able to get
the WAN link and servers back online temporarily with generators. We
transferred roles so the 2nd site could keep production going, without
it, we'd have issues controlling our water supply. It took a full week
for the electricians to restore power to the 1st site, and now it's
back online. We want to ensure that any site can be self sustaining
barring power failure. The only way I've seen this to be done is to
have a child domain at each site. The PDC emulator role seems to be the
issue here from what I can see. You're allowed one per domain. This is
definitely not a PC issue with DNS settings in the network properties,
especially when you're standing at a console of one of your domain
controllers (not the PDC Emulator) and it tells you that it can't log
you on because the Primary Domain Controller for this domain can't be
contacted. Please let me know if you know of any other way to make it
survivable without having to create child domains.


-Cory

 
Phillip Windell
      05-03-2006, 03:39 PM
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> The setup is one domain, and one site with dual locations (2 server
> 2003 DCs in both locations)...yes we should have two sites, but it's
> currently set up THIS way.


Then create the Sites

> All the operations roles are on one DC in
> one location. The link between the physical sites has sometimes gone
> down, and the computers that are on the side that is separated from the
> operations master have all kinds of troubles.


Create the Sites. Sites will help make everything more dependable over the
slow WAN link. That is what Sites are for.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Paul Bergson
      05-03-2006, 07:48 PM
I don't know your network but I do know AD well enough to tell you, you
don't need to have a child domain at each site to have things working
properly. There is some misconfiguration that is causing you the hardship.
Are there firewalls between sites that are blocking communications?

Try running netdiag, repadmin and dcdiag. Look for fail, error and warning
errors.

If you don't have the tools installed load them from your install disk.

d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)

Copy the following to a cmd file and run it, then look for error, fail and
warn within the reports. Post any errors you can't figure out. Make sure you
modify DC_Name to the name of a dc in your domain.

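@echo off
rem Run from the Support Tools folder, where dcdiag, netdiag and repadmin live.
c:
cd \
cd "program files\support tools"

rem Comprehensive (/c), verbose (/v) dcdiag against every DC (/e).
rem Replace DC_Name with the name of a DC in your domain.
del c:\dcdiag.log
dcdiag /e /c /v /s:DC_Name /f:c:\dcdiag.log
start c:\dcdiag.log

rem Verbose network diagnostics for the machine this runs on.
netdiag.exe /v > c:\netdiag.log
start c:\netdiag.log

rem Replication status for DCs whose names match dc*.
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
start c:\repl.txt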


See for more details

http://www.microsoft.com/technet/pro...509c38837.mspx

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Cory" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Paul, in looking at the matter, the 4 servers are running ADIZ DNS and
> are set up as forwarders between each other. Each DC is set to its own
> IP as the primary DNS in the network properties with the other 3 in the
> list. The clients point to the dns server on their local LAN. There was
> in fact good reason to transfer the roles also. The Physical site that
> contained the first DC in the forest had a major substation explosion,
> thus taking out all power to the entire complex. The 2nd site was not
> able to perform any sort of authentication (just cached sessions), and
> the DFS was failing because it could not be found in AD so in turn, the
> applications were not able to run at the 2nd site. We were able to get
> the WAN link and servers back online temporarily with generators. We
> transferred roles so the 2nd site could keep production going, without
> it, we'd have issues controlling our water supply. It took a full week
> for the electricians to restore power to the 1st site, and now it's
> back online. We want to ensure that any site can be self sustaining
> barring power failure. The only way I've seen this to be done is to
> have a child domain at each site. The PDC emulator role seems to be the
> issue here from what I can see. You're allowed one per domain. This is
> definitely not a PC issue with DNS settings in the network properties,
> especially when you're standing at a console of one of your domain
> controllers (not the PDC Emulator) and it tells you that it can't log
> you on because the Primary Domain Controller for this domain can't be
> contacted. Please let me know if you know of any other way to make it
> survivable without having to create child domains.
>
>
> -Cory
>
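
One way to do the "look for error, fail and warn" step on the three reports from the batch file in the post above. This is an added PowerShell example, not part of the original thread. The function name Get-DiagFinding is hypothetical, the sample lines are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (PowerShell 3.0 or later). Get-DiagFinding is a hypothetical
# helper name; the sample lines are constructed for illustration.
function Get-DiagFinding {
    param(
        [string]$Source,     # label of the report the lines came from
        [string[]]$Lines     # report content, one element per line
    )
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        $kind = $null
        if ($line -match '^\.+\s+(\S+)\s+failed test\s+(\S+)') {
            # dcdiag result line: "....... <name> failed test <TestName>"
            $kind = "dcdiag: $($Matches[1]) failed $($Matches[2])"
        }
        elseif ($line -match 'Last attempt @ .* failed, result (\d+)') {
            # repadmin /showrepl: a replication attempt that failed
            $kind = "repadmin: replication failed, result $($Matches[1])"
        }
        elseif ($line -match '\b(fail|error|warn)') {
            # Fallback: the three keywords the post says to look for
            $kind = "keyword: $($Matches[1])"
        }
        if ($kind) {
            [pscustomobject]@{ Source = $Source; Line = $i + 1; Kind = $kind; Text = $line }
        }
    }
}

# Constructed sample covering a pass, a failed test and a failed replication
$sample = @(
    '   ......................... DC1 passed test Connectivity',
    '   ......................... DC3 failed test Replications',
    '   Last attempt @ 2006-05-03 10:12:01 failed, result 1722 (0x6ba):',
    '   Last attempt @ 2006-05-03 10:15:44 was successful.'
)
$findings = @(Get-DiagFinding -Source 'sample' -Lines $sample)

# The three reports the batch file writes, read only if they exist
foreach ($path in 'c:\dcdiag.log', 'c:\netdiag.log', 'c:\repl.txt') {
    if (Test-Path $path) {
        $findings += @(Get-DiagFinding -Source $path -Lines (Get-Content $path))
    }
}
$findings | Format-Table -AutoSize -Wrap
```

On the sample, only the failed Replications test and the failed replication attempt are reported; the keyword fallback is deliberately broad, so verbose reports will still need a manual read of what it flags.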



 