Two identical W2K3 Server problem

May 28, 2010 at 02:58:34
Specs: Windows XP
Hi,

We have two identical industrial PCs we use as Servers. We are running Server 2003 Standard edition, Active Directory, DNS, DHCP.

I made a ghost copy of the hard disk of server 1 onto the hard disk of server 2.

Server2 starts up fine with no problems, but when I start the client computers, I get that message about unable to find the user or computer account and that I have to check if the Domain Controller is running or not.

Only way I then get the clients to logon again is to take all the client computers off the Domain and reconnect them to the Domain again.

Now when I want to use Server 1 again, same thing happens.

Any help would be greatly appreciated.


#1
May 28, 2010 at 08:01:49
"Server2 starts up fine with no problems, but when I start the client computers, I get that message about unable to find the user or computer account and that I have to check if the Domain Controller is running or not."

You turned the other server off first correct? You can't have two servers on the same domain sharing the exact same FSMO roles.

http://support.microsoft.com/kb/324801

If you want to have a second backup DC for the Forest then you need to install the second DC as a Child Domain Controller and it will replicate the Active Directory for you. Ghosting a server is only a good idea for backups and that is it.

http://www.petri.co.il/how_to_insta...

"Only way I then get the clients to logon again is to take all the client computers off the Domain and reconnect them to the Domain again."

That may work but chances are you will need to delete the OUs for each computer in the Active Directory before you can rejoin them to the domain.

#2
May 31, 2010 at 01:58:45
The two servers are not used together. The one is a complete backup for the other one. Not even switched on.

The moment the main server fails, we switch it off, unplug all cables, connect all cables to the backup server and switch the server on.

#3
May 31, 2010 at 20:15:41
Child domain controller?? Care to explain that? There are no 'child domain controllers'.

"You will need to delete the OUs for each computer in the Active Directory"?

I know you may be trying to help, but it would help if you don't know what you are talking about, to not respond. Seriously. You are only going to make it more difficult.

Henryv. My guess is that there is some sort of time stamp or something that the clients are having issues with when connecting to the backup server. Re-adding them to the domain may be your only option but don't go deleting any OUs. It isn't necessary.

Here is a question for you. If these servers are just running AD, DNS and DHCP, why not just have them both running at the same time. They can both be DCs, they can both be running DNS and they could both be running DHCP, or you could just backup the DHCP database and enable it on the other server if needed. It seems to me this would be a much better option than cloning and shutting down one server etc. Just a thought.

#4
June 1, 2010 at 08:30:39
"Child domain controller?? Care to explain that? There are no 'child domain controllers'."

Check this out...

http://support.microsoft.com/kb/255248

"Do not make comments unless you know what you are talking about."

Sorry but I have setup a number of Child Domains. Maybe I am not using the term correctly.

P.S. If you have some details that I don't know please post the Microsoft reference and I would love to read it. Part of participating on the Forums is to educate each other.

#5
June 1, 2010 at 08:59:12
You do understand Henryv that this configuration accomplishes nothing for you?

Proper procedure, as recommended by Microsoft, is to have two DCs minimum for AD failover.

What you have created does not address AD failover and you have created a scenario, due to timestamps, that affects DNS, files, etc.

Nice thought. Wrong path.

#6
June 1, 2010 at 09:08:54
As for the problem. Be aware your new server is going to be running with new NICs which will have new MAC addresses. If you have reservations setup in your DHCP then you may want to make sure they are set to the new MACs.

I recommend setting up a separate LAN for testing purposes and take a couple of the PCs over to your Ghosted DC so that you don't take down your entire domain. Then you want to test your NSlookups and Ping the Domain to see if they resolve to the right IP.

Chances are you will not be able to do this because of what GLEN said, that the OU will fail and you will have to delete them and re-add each computer back to the domain. Like I suggested, a backup DC would be better for what you are trying to achieve, or if you have a lot of computers you may want to setup more than one Domain Forest in your organization.

What you are trying to do is a tough one with many different solutions. Like to see what others suggest.

#7
June 1, 2010 at 10:47:30
Servers should never use dhcp but have static ip assignments. No need for mac filtering.

There are a number of proven technologies and approaches to file server redundancy. It all depends on how much you wish to spend.

The present configuration, of one drive per server, doesn't address even the basics of file server failover.

These basics start with the physical:

#1 - redundant power supplies, UPSs, multiple power circuits, RAIDed drives, tested backups, onsite hardware failure warranty.
#2 - two AD servers minimum
#3 - data replication
#4 - clustering/mirroring of servers
#5 - a number of different DR site scenarios possible.

You have none of these Henryv. Cloning servers and taking one off line does not and will not work if the strategy is to have failover.

#8
June 2, 2010 at 00:11:40
Hi guys.

Many thanks for all the inputs and help. I am definitely getting a better picture as we go on.

Something I thought worth mentioning is that, as strange as it sounds, we basically only switch on the server and clients when we need to use them.

Otherwise they are switched off and not running at all. Sometimes for days, weeks, months. So it is not a full working domain that needs to be on 24/7.

Does this change anything at all?? The idea we have is to have an exact second system so that when the one system fails, we can connect everything to the second system, start it up, and be up and running within 10 minutes.

Again thanks for all the input. Appreciated.

#9
June 2, 2010 at 07:34:12
Yes, you run the danger of your system Tombstoning. For built in security Server 2003 has a drop dead date when AD stops working. You can set the date to be large; here is how...

http://support.microsoft.com/kb/924890

Like said above this is probably not the best solution because your OUs will time out and you will have to delete them and re-add them, so after a while it would be as if you had to rebuild the whole domain, which defeats the purpose.

Also you run the danger of your server clock getting out of sync with the Stations. Make sure they match when you bring it up.

#10
June 2, 2010 at 07:59:20
And what is the issue with running your servers correctly?
You don't even have a basic level of failover. How is it you think this setup is a good idea?

#11
June 2, 2010 at 18:32:36
Ace, I don't mean to be rude, I really don't but I just have no idea what you are talking about. There is a huge difference between a child domain and a 'child domain controller'. (whatever that is.)

OUs don't expire. Not sure what you are talking about there either.

Henryv, What wanderer and I are trying to tell you, is that having a cloned machine sitting around just in case the other one fails may seem like a good idea on the surface, but it just isn't practical. You would be much better off running two domain controllers at one time. Have both servers running. They will share their Active Directory information with each other. If one fails, the other will fill in seamlessly. If the one holding the FSMO roles fails, those can be seized (taken over) by the other DC without a problem.

If you can afford it, make your servers as redundant as possible with the hardware wanderer suggested.

Two domain controllers running DNS and DHCP works just fine, is the recommended procedure, is less hassle in a failure scenario and is a better idea in every situation. And, you already have the hardware.

If I were you, I'd get the whole 'stand by server' idea out of your head.
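As an added example, not code from any poster in this thread, here is a PowerShell check script for the situation described here: it verifies the client's machine-account secure channel to the domain, the clock skew against the logon DC, the forest's tombstone lifetime, and, where the support tools are installed, replication and FSMO state for the two-DC setup recommended above. It assumes PowerShell 2.0 or later on a domain-joined Windows machine and uses only the built-in nltest, w32tm, repadmin and netdom tools.

```powershell
# Added diagnostic script for the scenario in this thread; not from any poster.
# Assumptions: PowerShell 2.0+ on a domain-joined Windows client with nltest and
# w32tm present; repadmin/netdom only run if the support tools are installed.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Which DC is answering this client right now?
nltest /dsgetdc:$Domain

# 2. The machine account's secure channel to the domain. Machine-account
#    passwords rotate automatically, so a stale clone of a DC holds the old
#    password and the client's "unable to find the computer account" error is
#    this trust failing, not the account being deleted.
if (Test-ComputerSecureChannel) {
    'Secure channel OK'
} else {
    Write-Warning 'Secure channel broken. An administrator can repair it in place with:'
    Write-Warning '  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
    Write-Warning 'instead of leaving and re-joining the domain.'
}

# 3. Clock skew against the logon DC. Kerberos rejects tickets beyond 5 minutes
#    of skew by default, so a standby server with a drifted clock locks clients out.
$dc = $env:LOGONSERVER.TrimStart('\')
w32tm /stripchart /computer:$dc /samples:3 /dataonly

# 4. Tombstone lifetime of the forest. A DC (or a clone of one) that has been
#    offline longer than this must never be reconnected to a live domain.
$rootDse = [ADSI]'LDAP://RootDSE'
$dsCfg = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = $dsCfg.tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute absent => 60-day default on older forests
"Tombstone lifetime: $tsl days"

# 5. For the two-DC design: replication health and which DC owns the FSMO roles.
if (Get-Command repadmin -ErrorAction SilentlyContinue) { repadmin /replsummary }
if (Get-Command netdom  -ErrorAction SilentlyContinue) { netdom query fsmo }
```

Run it on one client before and after swapping servers; a failed step 2 or a large offset in step 3 explains the logon errors without touching the domain membership.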

#12
June 3, 2010 at 07:56:38
"OUs don't expire."

What are you talking about? You can go under each User and setup an Expire Date. Yes, you could set it to never expire but this would be a bad security idea. Is this what you are talking about?

#13
June 3, 2010 at 09:56:02
A user is not an OU. OUs don't expire. Yes you can set a user account to expire, but a user is an object contained within an OU.

We never set user accounts to expire unless they are a temp contractor. Even then we usually just disable the account until the next time we need to use it.

#14
June 4, 2010 at 10:05:32
Henry,

As has been pointed out by everybody else that has answered you in one way or another.....having that second server setup as a redundant domain controller is the way to go.

You said: "Does this change anything at all?? The idea we have is to have an exact second system so that when the one system fail, we can connect everything to the second system, start it up, and be up and running within 10 minutes."

Well, with a redundant DC, should the primary one fail, the second one takes over immediately. There is no downtime in this scenario. There is no removing clients from the domain and re-adding them, there are no issues with DNS or DHCP or anything. Just a seamless transfer from the broken DC to the redundant one.

Which method makes more sense to you?

Which seems to you to be less work?

Which method strikes you as the most likely to be a hassle, and liable to problems both at the time of the DC going down, and later?

If you answer those questions honestly you'll be ready to go research 'creating a redundant DC' in MS's knowledge base.

#15
June 4, 2010 at 10:32:25
Ace, really - I'm trying to be gracious about this, but the more you dispute facts with your incorrect information, the more you prove my point. Go ahead and try to expire an OU and see how that works out for you.

Setting an account to never expire presents no security risk whatsoever. You are incorrect in almost every point you make. I don't say this to belittle you, but only for the benefit of those who may take your incorrect advice.

Henry, I think you've gotten the same general advice from Curt, wanderer and I. Hopefully that helps you out.

Good luck.