AD best practices
-
Though, it's pretty unlikely that you'll get this dynamic updating feature from something like an ER-L
-
@dashrender said in AD best practices:
@marcinozga said in AD best practices:
If your clients pull an IP from Windows DHCP, they can register DNS records in Windows DNS servers automatically. If you move DHCP to another non-Windows server or device, you will lose that ability. If it ain't broke, don't fix it.
I was pretty sure this wasn't entirely accurate.
Linux-based DHCP can update DNS - just maybe not Windows DNS, not sure.
You can set up Samba AD. I'd imagine you can do DNS as well.
-
@wirestyle22 said in AD best practices:
@dashrender said in AD best practices:
@marcinozga said in AD best practices:
If your clients pull an IP from Windows DHCP, they can register DNS records in Windows DNS servers automatically. If you move DHCP to another non-Windows server or device, you will lose that ability. If it ain't broke, don't fix it.
I was pretty sure this wasn't entirely accurate.
Linux-based DHCP can update DNS - just maybe not Windows DNS, not sure.
You can set up Samba AD. I'd imagine you can do DNS as well.
We're specifically talking about DHCP dynamically updating DNS as DHCP hands out IPs.
-
@jfath said in AD best practices:
I do plan to use a second physical machine with another Win Server VM as the secondary DC. I understand AD well enough to know why it's important to have two if you're going to have one.
I'd be much more concerned with hardware failing than I would be the VM
-
@dashrender said in AD best practices:
@wirestyle22 said in AD best practices:
@dashrender said in AD best practices:
@marcinozga said in AD best practices:
If your clients pull an IP from Windows DHCP, they can register DNS records in Windows DNS servers automatically. If you move DHCP to another non-Windows server or device, you will lose that ability. If it ain't broke, don't fix it.
I was pretty sure this wasn't entirely accurate.
Linux-based DHCP can update DNS - just maybe not Windows DNS, not sure.
You can set up Samba AD. I'd imagine you can do DNS as well.
We're specifically talking about DHCP dynamically updating DNS as DHCP hands out IPs.
Yes, you join your Linux machines to AD via Samba to allow secure dynamic DNS updates.
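The point being argued in the posts above is which side signs the dynamic update. AD-integrated zones can be set to accept only Kerberos-signed (GSS-TSIG) updates, which a domain-joined Windows client or a Samba-joined Linux host can produce for its own name; a DHCP server that registers records on behalf of its clients then also needs a domain identity. The script below is an added example, not code from the thread or any poster, showing how to audit zones for the weak setting, enforce secure-only updates, and configure Windows DHCP to register on behalf of clients with a dedicated account. The server names `dc1`, the zone `corp.example` and the account `CORP\svc-dhcp-dns` are assumptions.

```powershell
# Added example (not from the thread): audit and enforce secure-only dynamic
# DNS updates on AD-integrated zones, then configure Windows DHCP to register
# records on behalf of clients with a dedicated, low-privilege account.
# Assumed names: DNS/DHCP server 'dc1', zone 'corp.example',
# service account 'CORP\svc-dhcp-dns'. Needs the DnsServer and DhcpServer
# RSAT modules and a session with rights on both servers.

#Requires -Modules DnsServer, DhcpServer

$DnsServer  = 'dc1'
$DhcpServer = 'dc1'
$Zone       = 'corp.example'

# 1. Audit: every AD-integrated forward zone whose policy is not 'Secure'.
#    'NonsecureAndSecure' lets any host on the network overwrite any record
#    (another machine's A record included) with an unsigned update.
$weak = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone -and
                   -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, DynamicUpdate
$weak | Format-Table -AutoSize

# 2. Fix: accept only GSS-TSIG (Kerberos-signed) updates. A domain-joined
#    Windows client or a Samba-joined Linux host can still register its own
#    name; an unjoined appliance or a plain TSIG-keyed updater cannot.
foreach ($z in $weak) {
    Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $z.ZoneName -DynamicUpdate Secure
}

# 3. DHCP-side registration. 'Always' makes the DHCP server register A and
#    PTR records for every lease, including clients that never send option 81
#    (printers, phones, Linux hosts without a DDNS client). NameProtection
#    makes the server refuse to overwrite a name registered by a different host.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true

# 4. Dedicated credentials for those updates. Without them the records are
#    owned by the DHCP server's computer account; when DHCP runs on a DC that
#    is the DC's own account, and the usual workaround of adding the server to
#    DnsUpdateProxy should not be applied to a DC.
$cred = Get-Credential -UserName 'CORP\svc-dhcp-dns' -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 5. Verify the end state.
Get-DnsServerZone -ComputerName $DnsServer -Name $Zone | Select-Object ZoneName, DynamicUpdate
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
```

Once the zone is `Secure`, a Samba-joined Linux host can still update its own record with `kinit` as the machine account followed by `nsupdate -g`, which produces the same GSS-TSIG signature Windows clients use. What will not work is ISC dhcpd's built-in DDNS against that zone: it signs with plain TSIG keys, which Windows DNS does not accept, so a non-Windows DHCP server would need a lease hook that calls `nsupdate -g` under a domain identity, or the zone would have to be dropped back to `NonsecureAndSecure`, which is the setting the audit above flags.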
-
@wirestyle22 said in AD best practices:
@jfath said in AD best practices:
I do plan to use a second physical machine with another Win Server VM as the secondary DC. I understand AD well enough to know why it's important to have two if you're going to have one.
I'd be much more concerned with hardware failing than I would be the VM
So much so in an SMB (50 users) that you'd spend money on a second server with maintenance, etc., etc.?
-
@dashrender said in AD best practices:
@wirestyle22 said in AD best practices:
@jfath said in AD best practices:
I do plan to use a second physical machine with another Win Server VM as the secondary DC. I understand AD well enough to know why it's important to have two if you're going to have one.
I'd be much more concerned with hardware failing than I would be the VM
So much so in an SMB (50 users) that you'd spend money on a second server with maintenance, etc., etc.?
I mean the reasoning behind having two DCs is for redundancy, but if it only provides that to the VM and not the hardware it isn't that useful. Might as well remove the issues that can occur with replication at that point and just take server backups.
-
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
-
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
-
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup/recovery process.
-
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
-
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
Your problem here was failure to test backups. There is no reason to have this occur had you tested your backups.
-
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
I said that having a second DC can complicate the backup/recovery process (which I really meant to say recovery). Jared said no. I then replied to Jared saying no, not to your post.
-
@dashrender said in AD best practices:
@wirestyle22 said in AD best practices:
@dashrender said in AD best practices:
@marcinozga said in AD best practices:
If your clients pull an IP from Windows DHCP, they can register DNS records in Windows DNS servers automatically. If you move DHCP to another non-Windows server or device, you will lose that ability. If it ain't broke, don't fix it.
I was pretty sure this wasn't entirely accurate.
Linux-based DHCP can update DNS - just maybe not Windows DNS, not sure.
You can set up Samba AD. I'd imagine you can do DNS as well.
We're specifically talking about DHCP dynamically updating DNS as DHCP hands out IPs.
Why is this important? I get why it could be a good thing, but I'm not sure if it's a must-have feature for a non-profit/SMB.
-
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
I said that having a second DC can complicate the backup/recovery process (which I really meant to say recovery). Jared said no. I then replied to Jared saying no, not to your post.
No, it does not. Because you simply do not recover one of them in a failure scenario. Then there is no inconsistency to deal with.
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
AD should be backed up by itself, not as part of the OS. There are tools (and even PowerShell scripts) that can make this extremely easy.
-
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For an unknown reason the DC died; when booting it stopped at a black screen without any messages, and I couldn't enter safe mode either. Restoring the VM from backups yielded the same result, booting to a black screen, even going back as far as 2 months. Having a 2nd DC allowed me to seize the FSMO roles, delete the failing DC, and promote another one. So having 2, even on one host, is not unreasonable.
When you have a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They log in with their cached credentials and everything seems normal. The backup takes a few hours (DCs aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
You don't recover AD like you think you recover it. When recovering in a cluster like this, bring up an entirely new AD server and promote it to DC. It will pull all of the data from the other domain controller. Remove the other one from AD (forcibly if necessary) and you're good.
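The recovery the thread describes (seize the roles on the survivor, remove the dead DC from the directory, promote a fresh server, and back AD up as system state rather than as a VM image) is a fixed sequence, and the order matters: roles are seized before cleanup, the dead machine is never brought back, and the replacement pulls the directory from the survivor rather than from any backup of the dead DC. The script below is an added example written for this thread, not code from any poster; it assumes a surviving DC named `DC2`, a dead DC named `DC1`, the site `Default-First-Site-Name`, the domain `corp.example`, and a backup volume `E:`. Run it on the survivor with Enterprise Admin rights (the schema and domain naming roles require them).

```powershell
# Added example (not from the thread): recover a domain whose other DC is dead
# and not coming back. Run on the surviving, healthy DC.
# Assumed names: survivor 'DC2', dead DC 'DC1', site 'Default-First-Site-Name',
# domain 'corp.example', backup volume 'E:'.

#Requires -Modules ActiveDirectory, DnsServer

$Survivor = 'DC2'
$DeadDC   = 'DC1'
$Domain   = 'corp.example'
$Site     = 'Default-First-Site-Name'
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# 0. Protect the survivor first. A system-state backup captures the AD
#    database, SYSVOL and registry independently of the VM image, which is
#    the "back up AD by itself" point made earlier in the thread.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 1. Which roles still point at the dead DC? Only those need seizing.
$dom = Get-ADDomain
$for = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $for.SchemaMaster
    DomainNamingMaster   = $for.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
$roles
$toSeize = $roles.GetEnumerator() |
    Where-Object { $_.Value -like "$DeadDC.*" } |
    ForEach-Object { $_.Key }

# 2. Seize, not transfer: a transfer needs the current holder online.
#    -Force falls back to seizure when the holder cannot be reached.
#    From here on the dead DC must never be powered on again; rebuild it.
if ($toSeize) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 3. Metadata cleanup: removes the dead DC's NTDS Settings object, server
#    object, computer account and replication links, so the survivor stops
#    trying to replicate with a partner that no longer exists.
$serverDN = "CN=$DeadDC,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# 4. DNS still advertises the dead DC through NS and SRV records; clients
#    keep trying it for LDAP and Kerberos until those are gone.
$deadFqdn = "$DeadDC.$Domain."
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ComputerName $Survivor -ZoneName $zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName -eq $deadFqdn } |
        Remove-DnsServerResourceRecord -ComputerName $Survivor -ZoneName $zone -Force
    Get-DnsServerResourceRecord -ComputerName $Survivor -ZoneName $zone -RRType Ns |
        Where-Object { $_.RecordData.NameServer -eq $deadFqdn } |
        Remove-DnsServerResourceRecord -ComputerName $Survivor -ZoneName $zone -Force
}

# 5. Verify before promoting a replacement.
netdom query fsmo
repadmin /replsummary
dcdiag /test:knowsofroleholders /test:fsmocheck

# 6. Promote a fresh server as the second DC (run these on the new server).
#    It pulls the directory from the survivor; nothing is restored from the
#    dead DC's disk or its backups.
# Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Install-ADDSDomainController -DomainName 'corp.example' -InstallDns `
#     -Credential (Get-Credential) `
#     -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
```

Two things a practitioner checks afterwards: `repadmin /replsummary` should list no partner named after the dead DC, and the dead machine's VM and its backups should be kept only for forensics, never booted on the production network, because a seized role holder that reappears creates a second writer for the same FSMO role.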