Installing a Second Domain Controller in Active Directory Domain Services for Fault Tolerance

Captions
So picture the scene: you've got a complete Active Directory environment in play. You've got a domain controller, you've got a DNS server, you've got a DHCP server; it's handing out addresses and authenticating users and managing this entire virtual world. What does it need? Redundancy. In this video we're going to add a second domain controller for fault tolerance in our Active Directory environment.

Hey everybody, Troy here, and we are back in the second part of our Active Directory deployment. I'm talking part two; part one was in the video just before this. If you want to catch up to where we are right now with the infrastructure we're going to build, have a look at the video in the description below. As always, in this video I'm going to cover a variety of things. There are some timestamps here for you if you wanted to bounce through looking for something specific; if not, walk your way through with me step by step and we're going to get this done.

Now here's our goal for this particular video. What we're going to build on is the infrastructure that I built in the previous video, where we had a virtual machine running Windows Server 2022. That Windows machine was called DC01. It was running Active Directory Domain Services, DNS and DHCP, and it was handing out addresses and authenticating clients to a joined domain client called PC-01. We also built some specific users in the form of a very straightforward organizational unit structure called ACME with an IT group and a Staff group. We've got myself as IT administrator, and we've got a staff colleague called Batman, who we've proven can authenticate against our domain controller and have access to this client machine.

Now in this video what we're going to do is add a second domain controller. This is going to be a second domain controller to add fault tolerance and redundancy to our environment, so in the event something happens to our initial or existing primary domain controller, all our users and PCs can still authenticate against another Active Directory domain controller without interrupting our network. Let's do it.

I'm going to move to my new server. There it is: I've got DC02 set up. What I've done here, everybody, is I've installed Windows Server 2022, and my core config included two things. What I did is I changed the name of this machine from its default name to DC02; that's the name it's going to take. I also configured a static IP of 192.168.0.2. It's the second machine on my network, it is statically assigned for best practice, and it can communicate with my primary domain controller DC01.

Now what we're going to do is add our Active Directory services role and make this machine a second domain controller for the first. Now there are a couple of ways you can do this; this is the order that I find works best for me. What I'm going to do first and foremost is add this machine to the domain int.acme.com. I'm going to actually join this machine to the domain first, and then I'm going to install the requisite roles and install this as a secondary domain controller. Now there are alternative ways to do this; I'm just walking you through one way. You could install the Active Directory services role, then you could promote this to a DC and simultaneously join it to the domain. I find that this is a much more functional way of doing it; it's less prone to errors and it always gets me where I'm going. So let's do it that way.

I'm going to start off with a right click on my Start menu. I'm going to go to my System tab, and I'm going to join this machine to the domain just like I did the PC, just like I would do with any machine. I'm going to move down to my Advanced system settings, and you're going to find a chance to name the computer, where I can change it to bring this part of the domain. I'm going to click on Domain, and I'm going to type in int.acme.com. It has to be exact, everybody; if I mistype this, it's not going to find it. The other thing that actually has to happen is I actually have to have my DNS pointing to the correct DNS server. Now what I mean by that is that in order for this to work, it needs to be able to find the IP address of int.acme.com, which means my DNS server actually has to be configured statically on this machine. The preferred DNS is 192.168.0.1, so it should be able to resolve this with no problem.

I'm going to hit OK, and I'm challenged with the credentials. These are going to be the credentials for the domain; the domain is saying "do you have the right to join my world?" and I need domain privileges to do so. I'm going to type in my domain administrator credentials, administrator and my domain admin password, and as soon as it accepts the credentials I should be welcomed to the int.acme.com domain. And there we go: I am now welcomed to the domain, everything is great. It prompts me to restart the computer. I'm going to hit Close, I'll restart this right away, and we'll join the domain. Excellent.

And now what I'm going to do here is log in as a domain administrator. Now look very carefully: I've got a local administrator account, and if I use this local admin I'm going to be logging in locally. There is an account called Administrator that administers this computer and manages it; it has the rights and privileges to manage this computer. I don't want to be logged in as this administrator; I want to be logged in to this machine as an administrator for ACME. Now watch what happens, this is kind of a cool thing. I'm going to type in the word "administrator" right here, and look at what happened. Really important, everybody: it said "well, I have an administrator account on this machine, let's log in to administer and manage DC02." I don't want that. I want to use my domain administration credentials to manage this machine, so I've got two options. I have a domain administrator, my account that I set up in my previous video, which will actually open the door here. However, I could solve this problem by prepending my administrator account by typing in the word ACME with a backslash, and you can see just by prepending this I have actually said I'm going to log into the account called Administrator on the acme.com domain, and I'm going to use my admin credentials here, and away we go.

OK, I harped on that for a second because it was really important, because if you log in as the wrong administrator a lot of different things will happen: you won't have the same rights and privileges to do what we need to do on this machine. So we have to make sure we get that right. Terrific, up comes our Server Manager. We are now logged in as the domain administrator, so we have administrative privileges for the domain. Let's click on the local server and verify that DC02 is now part of the int.acme.com domain. It is. My firewall is on, and I have statically assigned the IP address of 192.168.0.2.

OK, we're just going to make this a domain controller. Let's start with installing the Active Directory Domain Services role: Dashboard, Add roles and features, Next, role-based installation. It recognizes the configuration, my IP address, my computer name, everything's great. Let's add Active Directory Domain Services as well as all the features; it's going to hit Next. There's my Group Policy Management being included by default. Notice I am not installing DNS; it's going to do this for me. It does take me through the exact same wizard that we saw in the previous video, where it warns me we should have more than one domain controller and it should have DNS, which we are completely aware of. Let it install and get this installation happening. Configuration complete, installation successful. Remember we have a post-configuration requirement that we're going to see. I'm going to hit Close, and there is my little yellow notification up on the top right telling me that we're not done: we need to promote this to a domain controller. That's been our intent all along, so with Active Directory installed we can now proceed to make this a domain controller on our acme.com network.

Let's do it. I'm going to promote this server to a domain controller. Up comes my Active Directory Domain Services Configuration Wizard. This time I am not adding a new domain to a new forest. Now this is one of the reasons that I like this way of doing it: I'm now going to add this controller to an existing domain, and because this machine was already part of the int.acme.com world, all of this now is ready to go. So it discovered that, yeah, I'm already part of a world, I might as well become a controller in the world. That's the reason I did it in the order that I chose to. I could select and find a different domain, but this is exactly what I want to see. I'm going to simply hit Next.

Great, now I get a chance to specify the role of this DC. Now by default it is going to run Domain Name System, so it's going to be a DNS server. We remember that it's going to share DNS, actually, from the other domain controller. It is also going to be a responsible, authoritative source of something called the global catalog, which means that it will have all the information that it needs to have with respect to the objects, resources, computers, users, everything in our Active Directory world. We also have a chance to designate this machine as something called a read-only domain controller. What that would mean is that we would not write changes to this DC; it's only going to receive information from another domain controller. So in other words it reads information from another source; we can't make changes or write adjustments or anything like that to this DC. There's a variety of reasons why we would do that. Normally it's about security; sometimes it's about propagation over WAN links you're trying to expedite, to make your whole production environment more effective. However, in this case I want this to be a fully functional domain controller, and I'm going to leave the Read only domain controller box unchecked. I need to give it a password for my DSRM. I'm going to hit Next, and it again warns me that it does not have DNS. I'm fine with this; just like in the last video, just like in our last installation, Active Directory built DNS for us.

I'm going to hit Next and I'm going to let it find a replication source. It is now going to pull information from another domain controller, and you can see it recognizes that dc01.int. is actually online and talking. We're going to pull all the information we need, replicating from that source. I could do any domain controller if there were more than one, or I could simply select the one that I want; either way we are going to carry forward with our database configuration. Again, I'm going to accept my defaults here, and this leaves me a chance to install Active Directory Domain Services based on those parameters. There we go: I've passed my prerequisite check, and so all the elements have passed successfully. Active Directory is telling me I can actually proceed with this installation. A couple of yellow hazards here, but the most important thing that I want to see is this green checkbox saying that I can begin this installation. I'm going to pause the video so you don't have to wait for this, and I'll see you back shortly when this is ready to reboot.

Oh, there we go: successful configuration, about to be signed out. I'm going to let this reboot. There we go, ACME administrator ready to log on. You can see that now I have promoted this server to a DC; already things are feeling and looking different. Let's log in and see what else has changed. Now as our environment loads, our Server Manager is going to be one of the very first things to kick in, and we'll take a quick look and see what transpired between these servers. So, things slowly loading here for me. Active Directory Domain Services is now loaded, as well as my Domain Name System, so we can see that DNS was part and parcel of this.

Let's open a couple of snap-ins and see what replicated from the primary server. I'm going to go to Tools, and first and foremost I'm going to go to Active Directory Users and Computers. Now remember again, if you watched that previous video you'll have seen that we actually created a very specific set of organizational units, and in our int.acme.com we had a high-level OU called acme.com, and inside there there was an IT member called Troy and there was a Staff member called Batman. You can see that we pulled that information from the other domain controller; that replicated. Look at this, I'm going to go to Computers: oh, there is my domain-joined PC, PC01. And let's look at my Domain Controllers. There's my Domain Controllers organizational unit, and you can see that now I have both of my DCs; DC01 and DC02 are right there and in play. Fantastic.

Let's talk DNS. I'm going to go over to my DNS Manager and let's see what we find here. I'm going to open a couple of these things. Let's go to my forward lookup zone, and look at this: it now recognizes DC02 as a name server. I'm going to right click here and go to my Properties. So look at that: what it did was actually create an NS record as well as a host record for DC02, and it is now a fully functional name server in my Active Directory environment. I didn't have to do a thing. Now if I look at the Start of Authority for this particular zone, this is DC02, so this is a fully functional authoritative zone. I'm going to cancel this. Let's see what happened with my reverse lookup zone. Oh, look at this: it created the reverse lookup zone. That's fantastic. Now in the previous video we saw, when we deployed DNS as part of Active Directory, it did everything except the reverse lookup zone. We built it when we deployed our first domain controller, and we set it to replicate that information throughout the environment, and as soon as this machine became a second domain controller it actually created that reverse lookup zone as well. Take a quick look here: you'll see that the authoritative server, the SOA, is actually DC02. So this isn't a secondary zone; this is an authoritative zone unto itself, but it replicates information and shares that information with DC01. Fantastic.

Let's now do one final test. We want to verify, I want to test, the replication. I'm going to show you that I could actually make a change to DC01 and have that replicated over to DC02; I could also make a change on DC02 and have it replicate over to DC01. Let's pop into DC01 really fast. There it is. Let's pop into my Active Directory Users and Computers right here. What I'm going to do is add a new organizational unit. Let's go ACME, right click, New, Organizational Unit, and I'm going to call this, not just Staff, we've got Staff, let's just call this one TEST. I'm going to use all caps here so it stands out. There is now a new OU; I could put a user in there if I wanted to. Let's see if it replicated. I'm going to go back to my second domain controller, open up my Active Directory Users and Computers and refresh. There we go, there it is. A couple of refreshes to make that replicate; there's my replication, so we can see how quick it replicates, it's instantaneous.

I'm going to create a new user on DC02. Remember, this is not a read-only domain controller; this is a writable second domain controller. Let's add a new user, and I'm going to call this Test User, OK, and I'm just going to go "tuser" for the login name. I'm going to hit Next, give it a password here, no problem, remove that check box, hit Next. There's the user created. I did this on DC02; now let's go back to my friend DC01 and see if I refresh here. There is my test user; it replicated from the other machine. Both domain controllers can read and write and serve as authentication, authorization and accounting in our Active Directory world. DNS propagated immediately and automatically; I didn't have to do any additional configuration. That worked out without a hitch.

The only thing I could do right now is configure DC02 as a second DHCP server, but that's been covered off in another video. We could do DHCP failover; I'll put that video in the description below. You could do that if you wanted to; you'd have an environment with complete failover for Active Directory, DNS and DHCP. Wicked, right? And so much fun to come: we're going to keep playing with this environment in future videos to see what further things we could do with Active Directory. See you again soon.
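The same procedure as an added Windows PowerShell example, not commands from the video: it joins DC02 to int.acme.com first, adds the AD DS role, promotes DC02 as a writable additional DC replicating from DC01, then checks the DCs, replication partners, DNS records and two-way replication the walkthrough inspects by hand. It assumes the NIC alias is "Ethernet" and that the ACME OU's distinguished name is OU=ACME,DC=int,DC=acme,DC=com.

```powershell
# Added example (not from the video). Run on DC02 in stages; each stage ends with
# the same reboot the GUI wizard forces. Assumed: NIC alias "Ethernet", ACME OU DN.

# Stage 1 (local Administrator on the fresh server): static IP, DNS at DC01, hostname.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.0.1
Rename-Computer -NewName "DC02" -Restart

# Stage 2: join the domain first. DOMAIN\user picks the domain account, not the
# local Administrator of the same name.
$cred = Get-Credential -UserName "ACME\Administrator" -Message "Domain Admin credentials"
Add-Computer -DomainName "int.acme.com" -Credential $cred -Restart

# Stage 3 (logged on as ACME\Administrator): role first, then promotion into the
# existing domain as a writable global catalog that also runs DNS and seeds its
# directory copy from DC01. Add -ReadOnlyReplica instead to build an RODC.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt "DSRM password"
Install-ADDSDomainController -DomainName "int.acme.com" `
    -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -InstallDns -NoGlobalCatalog:$false `
    -ReplicationSourceDC "DC01.int.acme.com" -Force

# Stage 4 (after the final reboot): both DCs present, writable, global catalogs.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, IsReadOnly
# Inbound replication from DC01: LastReplicationResult 0 means success.
Get-ADReplicationPartnerMetadata -Target "DC02" |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
# DC02 must appear as an NS and answer the SOA for the AD-integrated zone itself.
Resolve-DnsName -Name "int.acme.com" -Type NS  -Server 192.168.0.2
Resolve-DnsName -Name "int.acme.com" -Type SOA -Server 192.168.0.2

# Two-way replication test: OU written on DC01 appears on DC02, user written on
# DC02 appears on DC01. Intra-site replication normally lands within seconds.
New-ADOrganizationalUnit -Name "TEST" -Path "OU=ACME,DC=int,DC=acme,DC=com" -Server "DC01"
Start-Sleep -Seconds 30
Get-ADOrganizationalUnit -Identity "OU=TEST,OU=ACME,DC=int,DC=acme,DC=com" -Server "DC02"
New-ADUser -Name "Test User" -SamAccountName "tuser" -Server "DC02" `
    -Path "OU=TEST,OU=ACME,DC=int,DC=acme,DC=com"
Start-Sleep -Seconds 30
Get-ADUser -Identity "tuser" -Server "DC01"
```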
Info
Channel: Troy Berg
Views: 11,047
Id: sQmnKeL37qo
Length: 18min 21sec (1101 seconds)
Published: Mon Feb 07 2022