4

Slight problem testing fail-over procedure with my two domain controllers.

I have two domain controllers, DC1 and DC2.

  • DC1 has all FSMO roles, is Active Directory integrated DNS
  • DC2 is Active Directory integrated DNS and is the DHCP server. The DHCP scope assigns DNS1 to dc1 and DNS2 to DC2 for clients.
  • Both DC1 and DC2 are global catalog (GC)

The problem happens when I turn off dc1 to simulate the PDC FSMO role not being available. When I log in with a workstation it takes a long at the applying computer settings screen. It eventually logs in like about 3 minutes or less. Is that a common time frame?

Is this expected behavior? I have never been in a situation where I actually had to experience this problem but I am doing it as an exercise to test our network's reliability in case dc1 goes down for a period of a few hours. My understanding has always been that if you have proper DNS entries in your DHCP scope the workstation will just go to the second DNS entry to login if the first one fails.

I also tried setting the workstation DNS to have the DNS1 entry to DC2 (which is still turned on and running and DNS2 to be the DC1, which I turned off to simulate the failure) and I still get the same results, slow applying computer settings.

I turned dc1 back on and changed back the DNS settings to the way they were and the XP client logged back in quick as normal. So there is some disconnect when I turn off that first domain controller, DC1, that holds the FSMO roles, that causes this slow login issue.

Canadian Luke
  • 885
  • 15
  • 44
dasko
  • 1,244
  • 1
  • 22
  • 30

1 Answers1

2

This is the expected behavior.

You should have another system, that is a DC, and is also in the same IP subnet as the DC with the PDC role. This second DC should be a direct AD replication partner with the DC that holds the PDC FSMO role. If you only have two DCs, it will become a direct replica when promoting it.

For example, if you only have those two DCs, your second DC should already be a direct replication partner with the first DC (PDC). You can verify this by going into AD Sites and Subnets MMC (under admin tools) and expanding out sites, expanding out the PDC DC, clicking "NTDS Settings.." and then checking what DC the replication occurs to/from (it will show you in the right pane of the MMC window). It should be the second DC. This shows that the two are direct replication partners.

If you have multitudes of DCs, you may need to go into AD Sites and Subnets MMC and determine which DC is the direct replication partner of the PDC (follow the steps above and check each DC, till you find which one replicates with the PDC). Intrasite AD replication is quicker than Intersite replication (Replication between two AD sites as defined in AD Sites and Subnets).

This will allow you to quickly seize the PDC role, in the event it fails, to the DC that is the direct replication partner.

I would suggest reading up on the long list of functions the PDC role provides:

http://technet.microsoft.com/en-us/library/cc780487(WS.10).aspx

Some of the key functions include:

  • Acts as primary time source for the domain, to keep all time synchronized.
    • If clients/ servers are out of sync you could have major authentication issues
  • Acts as the final authority for password unlocks, and failed password attempts
  • Acts as the Master Domain Browser
HostBits
  • 11,796
  • 1
  • 25
  • 39
  • 1
    can you explain what you mean by "you should have another DC setup in the same site as the PDC"? do you mean same hardware or just another system that is a DC that is ready to accept fsmo role transfers in case there is an immediate issue? thanks. – dasko Sep 19 '11 at 11:08
  • updating answer. – HostBits Sep 19 '11 at 12:32
  • thanks for the update, yes we do have the second domain controller to be a replication partner in the ntds settings you mentioned above. thanks again. – dasko Sep 19 '11 at 15:25