Clustering AD Dc's

[Beast]

Has anyone any experience of Clustered 2k Dc's?

Is it possible?

Have a problem at present that contains 2 nodes, both DC's. The active node is a GC and is working pukka, but the other node is not a GC and has a well out of date AD?

I.e missing computer accounts and users - a very old copy dating back to the original install 2 years ago.

Am I correct in thinking that if this Cluster fails over onto the other node then all hell will break loose?

What is likely to happen?

[Mac]

Why would you cluster AD controllers?? You cannot cluster AD for fail-over as there's no way to move the AD databases to a shared* device.

<font color="#666666">* Ok I know they're not shared exactly BUT you know what I mean - a storage device that is owned by one node of the cluster at a time </font>

Anyhows, you CAN cluster two servers that HAPPEN to be domain controllers - sounds to me though that you have replication issues between the two. You need to double check your FSMO roles and your replication connections.

Check out this MS article - has some details on how to do it.

Might be better off qualifying what you're trying to achieve here rather than stating the problem????

[Beast]

Just been asked to take a look at 2 servers that are in a cluster.

Both 2K advanced server and both DC's of the same domain.

One server homes all FSMO roles and is the active node in the cluster.

All is fine at this point.

The second node however is 2 years out of synch in terms of AD. I.e computer accounts and user accounts created in the last 2 years are not present here. Also using NetIQ ADcheck, it shows that the last time the AD replicated was 2 years ago.

I agree there are replication issues here, just wondered if there were specifics that anyone could recommend as I've never seeen Dc's clustered, no sure if it was deemed possible or even good practice.

Could this be a result of an incorrect DNS config?

Server 1 (working server, active node) is running DNS

Server 2 (2nd inactive node, Out of date AD) is NOT running its own DNS but instead is using the first servers.

Sorry if this sounds a bit vague, only had an hr or so looking at these remotely to help out a sister company.

[Mac]

Ok if all your FSMO roles are one server then I bet it's the one with GC on right?

Configure a GC on the other unit too and it'll probably start working - basically with your setup no updates make it to the replication service Sorry a bit stressed for time otherwise I would explain. Basically due to the role lay out you could either move the IM to the other server or put a GC on the other. To start with to make sure it is the problem put a GC on the other box.

Once you've proved replication works now you can then put a better FSMO role allocation out.

[Mac]

Oh, and after you've created the GC leave it a while - the convergence time is pretty big I think? Sorry, would look it up for you fella but I have a 16:00 and I can't remember what it's about

[Beast]

Thats cool dude,

At least it gives me somewhere to start!

And yes the FSMO role server is a GC, and the other isnt.

Cheers bud

[Mac]

Right, you've highlighted the issue then.

Basically you can't have the Infrastructure daemon on a global catalogue server unless ALL of your domain controllers are GC servers.

If the Infrastructure Master runs on a Global Catalogue server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalogue server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.

So, simplest way is to configure the other server to be a GC, let it all converge, and then sort out your FSMO roles.

Incidently, what are they clustering? As I mentioned you can't cluster AD domain controllers for failover as such.

[Beast]

Theyre clustering SQL.

It just happens that these are the only servers in the forest and as such Dc's.

You wouldnt believe their purpose in life, in fact if they were to stop, much of the IT distribution industry would grind to a halt!

Being that its out of date by 2 years, is it not worth dcpromo'ing it out of the domain and readding it?

Will simply making the other node a GC force an update?

[Mac]

If you DCPromo it out now...hmmm, doesn't sit right with me although can't quite put my finger on it.

Also, when you dcpromo'd it back in you'd still have the GC issue - nah just add the GC and let it sort itself out.

When you make the other a GC it'll be able to see what's out of date so sync'ing will happen

[Beast]

Cheers Mac - I'll let you know how it goes.

Have to schedule in time with the business to do this, but shouldnt be long

[Frodo]

Hmm so two DC/GC's also running SQL. Great design you are having to fix I feel for you! Does MS support this? I know that if you put Exchange onto a DC and you have another DC then you are unsupported as far as MS are concerned.

[Mac]

It's a supported design apparently!! They don't recommend it though....Must admit I wouldn't do that.....

[Frodo]

Nope I wouldn't do it either seems silly. The extra cost and complexity of a cluster, when you could have two separate DC's/GC's and let them do what they are designed to do.

[Beast]

Problem is that the two nodes of the cluster are the ONLY servers. The other machines are all clients, who's primary purpose is monitoring a conveyor belt system.

So unfortunately clusters were specced for high availablity and failover of the monitoring system, meaning that when a domain was created to home everything - these were the only resources available.

Not my design either - but Im the one tasked to fix it

[Frodo]

Poor you! In this case AD is really overkill don't you think?

[Beast]

Certainly an overkill, gets worse though - they have clustered DNS as a generic resource. A no-no in a clustered DC environment!

Its the root of the problem