DC and DHCP question(s)

 
 
Dan
Guest
Posts: n/a

 
      01-31-2005, 08:33 PM
I have a network w/ 5 win2k3 servers.

server1 roles are DC, DNS, DHCP
server2 roles are DC (backup I hope), DNS, WINS, File/Print Sharing
server3 roles Exchange server
server4 roles Application Server, Terminal Services License Server
server5 roles Terminal Services.

The reason for DC on server1 and server2 of course was backup. I don't know
if this works in Win2k3 or not but what the hey. My questions are:
1. does this look like a valid setup?
2. for backup on DHCP should I run DHCP on another server and split the
scopes between the two?
3. Should I only have one DC/DHCP/DNS server and hope to hell it never goes
down?

Dan


 
 
 
 
 
Phillip Windell
Guest
Posts: n/a

 
      01-31-2005, 08:48 PM
"Dan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have a network w/ 5 win2k3 servers.
>
> server1 roles are DC, DNS, DHCP
> server2 roles are DC (backup I hope), DNS, WINS, File/Print Sharing
> server3 roles Exchange server
> server4 roles Application Server, Terminal Services License Server
> server5 roles Terminal Services.


It looks fine, but I usually run DNS, DHCP, and WINS on both DCs for
complete failover redundancy. The DHCP's are configured identically other
than the Exclusions. Each DHCP gives out half of my available addresses. A
single DHCP can take over full duties by simply adjusting the Exclusions.
The two WINS replicate to each other, but it would work even if they didn't
because both WINS Services and both DNS Services are listed in the Client's
network settings (included in the Scope for DHCP Clients) so if it can not
connect to the first one it will drop down to the second one.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Dan
Guest
Posts: n/a

 
      01-31-2005, 09:22 PM
On the DHCP's: do you set them up as follows:

server1 range 192.168.1.1 to 192.168.1.254 and exclude 192.168.1.129 to
192.168.1.254
server2 range 192.168.1.1 to 192.168.1.254 and exclude 192.168.1.1 to
192.168.1.128
(of course excluding other static ip's)

or set the range to one half of the ips and exclude only statics ex.
server1 range 192.168.1.1 to 192.168.1.128 and exclude static's
server2 range 192.168.1.128 to 192.168.1.254 and exclude static's

Dan

 
Andrew Austen
Guest
Posts: n/a

 
      01-31-2005, 09:25 PM

The only other thing I would probably do would be to make your server2 a
Global Catalogue server as well.

My understanding is, and I've seen in practice, if you don't have a
second GC, then if your primary goes down you have lost all of that info and
essentially have to rebuild your domain.

Andrew

 
Dan
Guest
Posts: n/a

 
      01-31-2005, 09:48 PM
Global Catalogue.......What's that....That's the first I've heard of it.

I searched "Help and Support" and returned 0 results.

Where is that set up in?

Dan

 
Cary Shultz [A.D. MVP]
Guest
Posts: n/a

 
      02-01-2005, 07:15 AM
Dan,

Please do not misunderstand this: if you are running a network with five
Servers and you do not know what a Global Catalog is ( and have never heard
of it ) then I might suggest that you do some serious reading!

In your post you are not clear on some very basic concepts. Again, please
do not misunderstand me. It is not my intention to be critical of you ( or
anyone else, for that matter ). It is just a bit surprising to me that
someone as 'green' as you is in charge of an AD environment.

So, let's clean away some of that green-ness! That would be good!

In Windows 2000 and Windows 2003 there is not really the concept of Primary
and Backup like there was in Windows NT Server 4.0. You can write to the
database on any Domain Controller. The database is a file called ntds.dit
and it is located in C:\windows\ntds in WIN2003 and c:\winnt\ntds in WIN2000
( just for your info! ). All of the domain controllers in the Forest ( you
have domain trees that comprise the forest ) replicate two of the Naming
Contexts, or Partitions. These two Partitions are the Schema NC and the
Configuration NC. The Domain Controllers in the same domain will replicate
the Domain NC. So, what does this replication mean? It means that if you
create a user account object on DC01 within a few moments it will replicate
to DC02. AD Replication is based on incoming connection objects. So, in
the event of two Domain Controllers ( DC01 and DC02 ) you would have two
incoming connection objects: one coming in from DC02 to DC01 and one coming
in from DC01 to DC02! One of the cool things about the replication in
Active Directory is that only the attribute that was changed is replicated.
In WINNT 4.0 it was the entire 'object' that replicated.

Furthermore, Active Directory has several FSMO Roles, or Flexible Single
Master Operations Roles. There are five of them, to be exact. There are
two Forest-wide roles and three Domain-wide roles. The two Forest-wide
roles are the Schema Master and the Domain Naming Master. The three
Forest-wide roles are the PDC Emulator, the RID Master and the
Infrastructure Master. All of them have specific roles. The major one of
interest for day-to-day work is the PDC Emulator ( and possibly the RID
Master ).

There is also something called a Global Catalog Server. This holds a
partial replica of all the objects. Okay, so what is this term 'objects' that
I am using? Well, an object is a user account or a computer account or the
incoming connection object. Each object has a set of attributes. An
example of the user account object's attributes ( and the corresponding
values ) might look something like: cn, first name, last name, display name,
company, street address, city, state, zip code and mail. The Global Catalog
Server would hold a partial replica of this. Assuming that the list of
attributes that I just listed was the exhaustive list for a user account
object ( clearly not the case ) then the GC would have, for example, the
first name, the last name, display name and mail only.

DNS is the major thing in AD. If your DNS is not correctly set up and
configured then you are going to have a world of fun times! AD needs the
SRV records to locate services ( such as the Global Catalog Server or a
Domain Controller ). This must be absolutely correct.

There is something called Group Policy that really facilitates the life of
the Administrator. You can make a bunch of settings and deploy a bunch of
applications through Group Policy. No more going from computer to computer
to computer to do this. However, DNS must be top notch for this to work. A
Group Policy object is comprised of two halves: the Group Policy Template
( GPT ) that resides in the shared SYSVOL folder and the Group Policy
Container ( GPC ) that actually resides in Active Directory ( in the Domain
Naming Context that I mentioned earlier ). Each replicates to the other
Domain Controllers differently ( the GPT via FRS and the GPC via Active
Directory Replication ). Additionally, there are two sides to each policy:
one side affects only computers and one side affects only users.

This is probably enough for the moment.

You might want to take a spin over to my web site ( I am still working on
the activedirectory-win2000.com site and have not even started on the
grouppolicy-win2000.com site yet....sorry ) for some information.

If you have any questions please feel free to post them.....you know where
to reach us.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



 
Phillip Windell
Guest
Posts: n/a

 
      02-01-2005, 02:06 PM
"Dan" <(E-Mail Removed)> wrote in message
news:emPxoN%(E-Mail Removed)...
> On the DHCP's: do you set them up as follows:
>
> server1 range 192.168.1.1 to 192.168.1.254 and exclude 192.168.1.129 to
> 192.168.1.254
> server2 range 192.168.1.1 to 192.168.1.254 and exclude 192.168.1.1 to
> 192.168.1.128
> (of course excluding other static ip's)
>
> or set the range to one half of the ips and exclude only statics ex.
> server1 range 192.168.1.1 to 192.168.1.128 and exclude static's
> server2 range 192.168.1.128 to 192.168.1.254 and exclude static's


There are multiple Exclusions. The first set of Exclusions are the
"permanent" ones that represent machines with static addresses. Those never
change no matter what on either DHCP.

The second set of Exclusions are the ones that divide up the "dynamic"
addresses that are given out to clients. They are done so that there is a
50/50 split of those addresses between the two DHCP servers.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
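
Added example, not part of the original posts: a planner for the two-layer exclusion scheme described above, which also checks that the two servers can never lease the same address. The scope is the one from Dan's question; the static addresses are constructed sample values, and the function names are hypothetical.

```python
from ipaddress import IPv4Address

def to_ranges(addrs):
    """Collapse addresses (str, int or IPv4Address) into inclusive (first, last) ranges."""
    out = []
    for n in sorted(int(IPv4Address(a)) for a in addrs):
        if out and n == out[-1][1] + 1:
            out[-1][1] = n                      # extend the current run
        else:
            out.append([n, n])                  # start a new run
    return [(str(IPv4Address(lo)), str(IPv4Address(hi))) for lo, hi in out]

def expand(ranges):
    """Inverse of to_ranges: inclusive ranges back to a set of integers."""
    return {n for lo, hi in ranges
            for n in range(int(IPv4Address(lo)), int(IPv4Address(hi)) + 1)}

def split_scope(start, end, statics):
    """Both servers share one scope and one 'permanent' exclusion list; each
    server additionally excludes the half of the dynamic pool owned by the other."""
    scope = range(int(IPv4Address(start)), int(IPv4Address(end)) + 1)
    permanent = {int(IPv4Address(s)) for s in statics}
    if not permanent <= set(scope):
        raise ValueError("static address outside the scope")
    dynamic = [n for n in scope if n not in permanent]
    half = (len(dynamic) + 1) // 2
    pool1, pool2 = dynamic[:half], dynamic[half:]
    return {
        "permanent": to_ranges(permanent),
        "server1": {"leases": to_ranges(pool1), "split": to_ranges(pool2)},
        "server2": {"leases": to_ranges(pool2), "split": to_ranges(pool1)},
    }

def is_consistent(plan, start, end):
    """True when the lease pools are disjoint, avoid the statics, and fill the scope."""
    p = expand(plan["permanent"])
    a = expand(plan["server1"]["leases"])
    b = expand(plan["server2"]["leases"])
    scope = set(range(int(IPv4Address(start)), int(IPv4Address(end)) + 1))
    return not (a & b) and not (p & (a | b)) and (a | b | p) == scope

def takeover(plan):
    """Lease ranges for a lone surviving server: drop the 'split' exclusions
    and keep only the permanent ones."""
    return to_ranges(expand(plan["server1"]["leases"]) |
                     expand(plan["server2"]["leases"]))

# Constructed sample: servers on .1-.10 and printers on .200-.205 are static.
STATICS = [f"192.168.1.{n}" for n in list(range(1, 11)) + list(range(200, 206))]
PLAN = split_scope("192.168.1.1", "192.168.1.254", STATICS)

if __name__ == "__main__":
    print("permanent exclusions (both servers):", PLAN["permanent"])
    for name in ("server1", "server2"):
        print(name, "leases", PLAN[name]["leases"],
              "| extra exclusions", PLAN[name]["split"])
    print("consistent:", is_consistent(PLAN, "192.168.1.1", "192.168.1.254"))
    print("single-server takeover leases:", takeover(PLAN))
```

Re-running the consistency check after any manual change to either server's exclusions catches an overlap before two clients are handed the same address.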


 
 
Phillip Windell
Guest
Posts: n/a

 
      02-01-2005, 02:09 PM

"Andrew Austen" <(E-Mail Removed)> wrote in message
news:O4DXWP%(E-Mail Removed)...
>
> The only other thing I would probably do would be to make your server2 a
> Global Catalogue server as well.
>
> My understanding is, and I've seen in practice, if you don't have a
> second GC, then if your primary goes down you have lost all of that info
> and essentially have to rebuild your domain.


It is not that drastic and you don't have to rebuild anything. You would
just set the other one to a GC and that is all,...the data will rebuild.
Although it is "recommended" to only have one GC and no multiples,...I do
still have both my DCs set as GC Servers as you described.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Phillip Windell
Guest
Posts: n/a

 
      02-01-2005, 02:12 PM

"Dan" <(E-Mail Removed)> wrote in message
news:%23ycSfc%(E-Mail Removed)...
> Global Catalogue.......What's that....That's the first I've heard of it.



Go into "Active Directory Sites and Services",.. then:

Sites->[Site Name]->Servers->[each server name]->NTDS Settings

Go to properties of the NTDS Settings and enable or disable the Global
Catalog Option.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com




 
 
Dan
Guest
Posts: n/a

 
      02-01-2005, 03:15 PM
Thanks Cary,

And you guessed it, I am quite green. I had training on NT 3.5 way back when I
was primarily a Unix Admin. With NT training of course have carried the
concepts forward. I have been out of the computing arena for many years and
got back in after 9/11. Of course in my current job we have a unix server
but also SBS2K which is one server all menu driven... too easy for my
tastes. Growth has moved us to win2k3 and multiple servers. Trying to
schedule classes now but newsgroups have been very helpful.

Tks for the write-up....This one goes in my files

Dan