If I have Windows PCs that are joined to a domain and the domain controller goes offline, what kind of behavior can I expect on the clients (assuming there is no second DC)?
Hi all, I have a question relating to the domain controller. If I have a PC which is already joined to the domain and the DC shuts down, all of the client PCs won't be able to log in to the computer. Is there any GPO I can modify so that, even if the DC has broken down, all the client PCs are still able to log in to the computer? Ultimately I'm interested in what complaints I should expect to receive from users if the DC is offline. Feel free to mention any other important information that I haven't covered.
Moses
2 Answers

Quite a few things will happen with no DC available:
The best practice for domain controllers is to have at least two of them. So much in a Windows network relies on Active Directory that you need the redundancy. For a smaller organization, it can share roles with file servers, though avoid having a domain controller share a server with things like SharePoint and Exchange (it makes restoring and upgrading them very tricky to do properly).

With two domain controllers, if one dies, you can just reinstall Windows Server, set it up as a new domain controller in an existing domain, and off you go. No downtime at all. With a single domain controller, restoring can be tricky. And while you're restoring, you have people upset that they can't do anything.
Grant
Depends on the duration. Once you remove a service from the network, things become unreliable but may not break. If you just want to reboot a DC, then authentication/authorization should not really be interrupted. People will log in with cached credentials, boxes that are already communicating will keep doing so with their existing Kerberos tickets, etc. So people can log in to their PCs with cached accounts. They can't change passwords, etc. For a short while (hours but not days) they should all be able to access file shares not on the DC as well, but eventually that will stop working. Things should recover automatically once the DC is back up.

There is a big caveat here, though. If you are using your DC for DNS, as soon as it goes offline most stuff will stop working because clients won't be able to find their servers. Even things not dependent on AD rely on name resolution.

The best thing to do is build a second DC with backup DNS on it so clients can fail over. The AD part will happen automatically; the DNS part you will need to configure on the clients as a secondary DNS server, either on the client or via DHCP, etc.
TheFiddlerWins
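The two client-side dependencies raised in the answers above (cached logons and DNS failover) can be checked before an outage happens. This is an added example, not code from either answer; the function name `Get-DcOutageReadiness` is hypothetical, and it assumes a domain-joined client running Windows 8 / Server 2012 or later (for the DnsClient cmdlets).

```powershell
# Added example: how well would this client cope if its domain controller went offline?
function Get-DcOutageReadiness {
    # How many previous logons Windows caches for use when no DC is reachable.
    # Controlled by the policy "Interactive logon: Number of previous logons to cache".
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # value absent: assume the default of 10

    # DNS servers configured on this client (IPv4).
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses -Unique

    # Ask each DNS server for the DC locator record of the client's domain.
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $record = "_ldap._tcp.dc._msdcs.$domain"
    $perServer = foreach ($server in $dnsServers) {
        $srv = Resolve-DnsName -Name $record -Type SRV -Server $server -DnsOnly `
                   -QuickTimeout -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget }      # keep SRV answers, drop glue records
        [pscustomobject]@{
            DnsServer = $server
            Answers   = [bool]$srv
            DCs       = @($srv | ForEach-Object { $_.NameTarget })
        }
    }
    $working = @($perServer | Where-Object { $_.Answers })
    $dcNames = @($working | ForEach-Object { $_.DCs } | Sort-Object -Unique)

    [pscustomobject]@{
        Domain              = $domain
        CachedLogonsCount   = [int]$cached
        CachedLogonPossible = ([int]$cached -gt 0)   # 0 disables cached logon
        DnsServersAnswering = @($working | ForEach-Object { $_.DnsServer })
        DnsHasFailover      = ($working.Count -ge 2)
        DomainControllers   = $dcNames
        SecondDcPublished   = ($dcNames.Count -ge 2)
    }
}

Get-DcOutageReadiness | Format-List
```

A client that reports `DnsHasFailover` as False is exposed to the name-resolution caveat described above even when cached logon works.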
Windows Server 2008 introduces the service-controllable domain services, which allow for explicit management of domain controller servers. Rick Vanover shares tips on using this functionality.

Windows Server 2008 systems with the Active Directory Domain Services role installed have an extra element of functionality (compared to previous versions of Windows Server) in the 'stoppable' services for the domain. This works by Active Directory Domain Services being explicitly enumerated in the Services applet of the Control Panel. One of my pet peeves in Windows is services that do not permit the processing of a stop and start command. Terminal Services is the holdout, as Active Directory can now be explicitly stopped.

Active Directory Domain Services is managed as NTDS in the Services applet. You would use NTDS if you were using the sc command to manage Active Directory. You can also manage these services interactively. Figure A shows Active Directory being stopped on a Windows Server 2008 domain controller.

Figure A

Exercise caution

While this functionality is good for Windows administrators, you need to exercise caution. The first thing you should understand is what happens when Active Directory is stopped. In environments with multiple domain controllers, the other systems would process logon requests. If there are any roles on the server with the stopped services, they will resume when Active Directory is resumed. If the outage will be for an extended period of time, it would be a good idea to transfer the role to another domain controller. For normal maintenance, such as applying Windows updates or basic hardware maintenance, going without the role for a short amount of time is usually fine.
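The cautions above can be turned into a check that runs on the domain controller before NTDS is stopped. This is an added example, not code from the article; the function name `Test-NtdsStopReadiness` is hypothetical, and it assumes PowerShell 3.0 or later, an elevated session, and a DC whose DNS suffix equals the domain name.

```powershell
# Added example: is another DC available, and what goes down together with NTDS?
function Test-NtdsStopReadiness {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $self   = "$([System.Net.Dns]::GetHostName()).$($domain.Name)"   # assumed FQDN

    # Can each of the other DCs accept LDAP connections (TCP 389) right now?
    $others = foreach ($dc in $domain.DomainControllers) {
        if ($dc.Name -ieq $self) { continue }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $tcp.Connect($dc.Name, 389); $up = $true }
        catch   { $up = $false }
        finally { $tcp.Close() }
        [pscustomobject]@{ Name = $dc.Name; LdapReachable = $up }
    }

    # Operations-master roles held by this DC; they are unavailable while NTDS is stopped.
    $me    = $domain.DomainControllers | Where-Object { $_.Name -ieq $self }
    $roles = @($me.Roles | ForEach-Object { $_.ToString() })

    # Running services that depend on NTDS and therefore stop with it.
    $deps = @((Get-Service -Name NTDS).DependentServices |
              Where-Object { $_.Status -eq 'Running' } |
              ForEach-Object { $_.Name })

    [pscustomobject]@{
        ThisDc              = $self
        NtdsStatus          = (Get-Service -Name NTDS).Status
        OtherDcs            = @($others)
        AnotherDcAnswers    = (@($others | Where-Object { $_.LdapReachable }).Count -ge 1)
        RolesHeldHere       = $roles
        ServicesThatStopToo = $deps
    }
}

Test-NtdsStopReadiness | Format-List

# Only when AnotherDcAnswers is True:
#   Stop-Service -Name NTDS -Force     # -Force also stops the dependent services
#   ... maintenance ...
#   Start-Service -Name NTDS           # then check the services listed in ServicesThatStopToo
```

If `RolesHeldHere` is not empty and the outage will be long, transfer those roles first, as the article advises.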
Also consider this question: Just because you can stop Active Directory, should you? I'm going to wait until Windows Server 2008 R2 before fully upgrading Active Directory because of some of the new features, and it will fit my timeline better. What are your thoughts on a service-controlled Active Directory? Share your comments in the discussion.