Viewing 16 posts - 1 through 16 (of 16 total)
  • Networking and domain help: 2008 R2 and W7 laptop…
  • iamtheresurrection
    Full Member

    Hello

    Right then. I’m pretty much completely new to networks.

    I’ve installed a new server running 2008 R2, and configured 10 workstations all correctly connected to the domain. Active directory seems to be up and running properly, file server also and everything so far looks okay.

    There was a slight fly at first in that I hadn’t realised that I’d need to log in as a new user on the workstations and connect to the domain properly (despite system properties suggesting the local user was connected to the domain), but anyhow now all users are logged in on the login screen as domain.com\user.

    I’m about to do the same with my laptop, which I think means I’ll have to create a new profile for that too. What happens though when I work online at work on that profile, then come away from work and try to log in again as that user to continue where I left off?

    Will it fail to log in as it’s not connected to the network, or log in but simply fail to find any network resources (I guess meaning I won’t be able to do anything needing administrator clearances)?

    If I have to log in as a local user when I’m not connected, is it easy enough to grant access to my networked profile’s ‘local’ files, to the actual local user profile?

    Does any of this make sense?!

    Thanks

    Craig

    pedalhead
    Free Member

    you can log on with cached credentials when a DC isn’t available, shouldn’t be a problem. Do you really need a domain in this setup though?

    Bikingcatastrophe
    Free Member

    First things first – are you really sure you have installed and configured Active Directory? Just adding the AD role does not install AD.

    Once AD is “created” you then need to join the workstations to the domain. This will require configuring the workstations and they will need a reboot afterwards.

    Doesn’t sound to me as though you have configured AD yet.

    FuzzyWuzzy
    Full Member

    As mentioned you can log in with cached credentials (unless you’ve explicitly denied that ability via GPO, pretty sure it’s still not the default in 2008 R2). If you also have the local admin user credentials then you can also login with those, you’ll then have access to most of the stuff on the laptop straight away but for some of the domain user’s profile area you might need to grant yourself rights first (and possibly even take ownership in order to do it which could be an issue later).

    I take it you just don’t have 1 server in this environment? If so then a domain is a bit overkill but as you’ve gone down that route I’d definitely add a second domain controller into the mix (preferably on a dedicated server, doesn’t need to be high spec but 2GB RAM would be advisable).
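Added example (not part of any poster's reply): a read-only PowerShell check, runnable on the Windows 7 laptop, that reports the cached-logon setting discussed above. It assumes the GPO setting "Interactive logon: Number of previous logons to cache" is read from its usual backing registry value, `CachedLogonsCount` under the Winlogon key; the function name is made up for this example.

```powershell
# Added example, not from the thread. Read-only; works on PowerShell 2.0
# (Windows 7 / Server 2008 R2). Get-CachedLogonPolicy is a hypothetical name.

function Get-CachedLogonPolicy {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'   # registry value behind the GPO setting

    # Is this machine actually joined to a domain, and which one?
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # The value is stored as a string (REG_SZ) and may be absent.
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $count = $null
    if ($raw -eq $null) {
        $state = 'Not set: the operating system default applies'
    }
    elseif ($raw -notmatch '^\d+$') {
        $state = "Unexpected value '$raw': review the policy"
    }
    else {
        $count = [int]$raw
        if ($count -eq 0) {
            $state = 'Caching disabled: domain logon needs a reachable DC'
        }
        else {
            $state = "Caching enabled: up to $count previous domain logons are cached"
        }
    }

    # One object per machine, so results from several laptops can be compared.
    New-Object PSObject -Property @{
        Computer          = $cs.Name
        DomainJoined      = $cs.PartOfDomain
        Domain            = $cs.Domain
        CachedLogonsCount = $count
        State             = $state
    }
}

Get-CachedLogonPolicy | Format-List
```

The setting is a count of cached logons, so on a laptop that leaves the office it is worth recording alongside whatever disk encryption and local admin controls are in place.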

    brassneck
    Full Member

    Yes, you can login with cached credentials, and a domain is just fine in this setup – it’ll save you some bother later if you have to add extra servers for file/print and apps. See SBS for an example of all of it in one creaking, groaning usually underspecced box.

    PS – you can copy your old local profile to the new domain user profile, or copy it all to ‘Default User’ before you login – and your old desktop etc. will be there for you.

    brassneck
    Full Member

    A second server is a fine idea, and reserve one to act as main FSMO role holder, DNS and DHCP and put your files and printers on the other box.
    But I appreciate in small environments getting the cash is a hassle for the hardware and the OS licence.

    One will work OK, but make sure it’s well backed up and you know how to get it back from bare metal.

    iamtheresurrection
    Full Member

    Thanks all.

    I’m pretty sure AD is set up, bikingcatastrophe. It was a complete bitch to do with no background but after a good few hours figuring it out I think it’s set up, and all users are logged on to it correctly. The DNS appears to be working fine within the scope and all users are accessing the server and its drives. Any installs on the workstations are needing server admin credentials so it appears it’s up and running.

    We’re installing a new piece of software which is run on the server which the workstations need to access. I have no idea if a domain is necessary other than I was told by the software vendor that a domain was needed. Given the structure of the business, and the last set of computers and the state they got into, I want to be able to bring in group policies, and I thought this was only possible in a domain too?

    I’ll have a look at cached credentials in GPO, thanks for that. I don’t mind granting sharing rights but I’d rather not have to take ownership whenever I need access…

    We do only have one server, yes. Some article I read recommended a second DC too, but didn’t say why. If I don’t add a second server as hardware, is it still advisable to set up a second as part of my forest (a term that is also completely new to me)?

    Thanks again

    iamtheresurrection
    Full Member

    Brassneck. Do I just create two profiles then from copy here: My Computer Properties > Advanced > User Profiles Settings?

    We’ve just spent about £8k on a decent server (GL380), workstations and backups. I’ve scheduled daily bare metal recovery (the VSS setting was changed) and I think it’s all in order.

    A second server right now is cost prohibitive as we’re about to spend another £8k or so on the software we need. We’re pretty much over our IT budget for the next few years 😉

    I’ll have a look at cached credentials, thanks for that…

    FuzzyWuzzy
    Full Member

    The problem with only 1 DC is if you lose it and can’t recover it then you’ve lost your domain. It’s probably not so critical in your environment as it sounds like it would also mean losing the app that the domain was created for so it’s not like app would be available but the users just couldn’t authenticate as the domain had gone tits up.

    As Brassneck mentions you need to have a good backup that you can do a bare metal restore from. It’s very easy to get backups that you can’t do full bare metal restores from (e.g. boot from special CD, insert tape and restore the complete system), on just an app server that’s normally not a problem, just build the system again and restore the data only from tape but that’s not an option with a domain controller. Ofc testing your ability to restore would be difficult with only one server 🙁

    You mention VSS so I presume you’ve looked into getting a recoverable DC backup with whatever software you’re using so that’s a good start (it’s very easy to get a backup of a DC that shows as successful but that’s not actually recoverable without a lot of hassle as it’s only crash consistent).

    A DC is a server role so you can’t just create a second one logically (i.e. having 2 different DCs running on the same server which sounds like what you were wondering). A forest is just the overall ‘unit’ that can contain one or more domains but for smaller, single-domain environments it doesn’t really mean much (you would have created a new forest at the same time you created your domain).

    £8k on a server + 10 workstations + tape backup sounds like a good deal though. Please tell me the server has RAID 5 disks 😉

    iamtheresurrection
    Full Member

    Thanks Fuzzy. I’ll look further into the backups to make sure I’m covered. I think I am but I’ll be certain (I’m just using the built in backup but have carefully chosen my options). I’m backing up to two USB hard drives, one stays on site and one goes off-site.

    What you’re saying about a second DC confirms what I thought seemed logical, thanks.

    We didn’t go RAID5, we’ve just gone for two RAID1 arrays on some decent SAS drives. One covers the OS, the other has any software installs and the users’ files. I did wonder if RAID1 was good enough mind, but again cost came into it… Do you think that’s a big mistake?

    EDIT: Sorry, daft question. Why would I lose a domain, as such? Would it just corrupt (does this happen often), and is it a case of re-building it if it does?

    brassneck
    Full Member

    Do I just create two profiles then from copy here: My Computer Properties > Advanced > User Profiles Settings?

    Been years since I did any desktop work, but I think that’s the right place – if you copy your ‘old’ profile over the default user, any new accounts that login get that profile – so you’d retain your favourites, desktop, cookies etc. Remember to set the security to Everyone though, else you won’t be able to access the copy. There are better guides out there if you google a bit.

    You don’t need to change anything for cached credentials to work. You’ll get around 60 days before it needs to contact the DC again (i.e. be plugged into your LAN and logged in) off the top of my head.

    I hate myself for saying this, but even an old desktop would do as a second DC/infrastructure server if you can get another licence – another copy of the AD database is better than none.

    You could run 2 DCs under Hyper V on one piece of hardware but to be honest I can’t see a real benefit, and I’m not convinced by Hyper V being a VMWare fanboi 😉 – you’d still lose the whole lot if the hardware failed catastrophically.

    brassneck
    Full Member

    RAID1 is OK but more wasteful of space – you don’t need the performance benefit I would think.

    Buy a hot spare if you possibly can, just in case the maintenance man pitches up with the wrong disk. We have 4 hour response 24×7 and this still happens. Try and eliminate as many possibilities of HAVING to do a BMR as you can.

    I’ve not seen a domain corrupt, very rare but it does happen – and manual granular AD recovery is not pleasant (if the whole lot doesn’t die). If you lose that server, the whole AD db is on it, unless you have another DC. This DC would have another copy, and you could seize the roles necessary to keep the domain running whilst you fix the other server. OK, all your data is offline, but you’ve just saved yourself a lot of time. You could potentially restore some of the critical data to the other box, and share it out again.

    iamtheresurrection
    Full Member

    Thanks for that, I’ll definitely look into a second DS.

    The application we’re installing is essentially a decent sized database. Frequent read/writes of small packets of data, hence the RAID1.

    When you say a hot spare, are you talking about making another image of the drive every day, that’s not a USB backup? We’ve got 4 spare hot swap bays so it’ll be cheap enough to bash another drive in there…

    Really appreciate everybody’s help. Thanks! 🙂

    FuzzyWuzzy
    Full Member

    I probably should just have said RAID array, RAID 1 is fine (we usually spec. RAID 1 for the operating system and RAID 5 for the data), RAID 5 (as mentioned above) is less wasteful but does require a minimum of 3 drives, it’s also easier to expand than RAID 1 should you run out of disk space. I wouldn’t worry about changing it now though, having RAID 1 gives you drive failure redundancy which is what I was getting at.

    As for losing a domain, the main thing is with bigger environments (say 1 DC, 1 file server, 1 app server, 1 email server and 50 users), if you lose the DC in that scenario then you’ve lost access to everything even though only the DC itself is hosed as everything else is in the domain nothing can authenticate (and although users could log on locally with cached credentials they wouldn’t be able to authenticate with other servers in the domain using cached credentials). I’ve actually been on-site to health check one client and they had over 200 users and multiple servers with just a single DC.

    In your situation though with just 1 server running the DC + app then it’s not so critical as if you lose that main server your users still won’t be able to do anything as the app is down, even if a second DC existed that they could authenticate against. A second DC is also good when you’re doing upgrades (especially of the domain itself) as you can take one off-line first in case it all goes Pete Tong, again though this would be of limited benefit in your environment.

    brassneck
    Full Member

    Agree with Fuzzy, stick with RAID1 now it’s running. A hot spare is just another drive of equal or greater capacity than the others in the array. Once it’s configured, as soon as a drive fails it will start to sync with the drive that remains in the mirror set (in your case) so fairly soon it will protect you from another drive failure again. So it sort of doubles the redundancy on both your mirror sets, if you make it global.

    Costs you one new drive, and about 2 minutes in ACU (assuming it’s HP, MegaRAID Manager on IBM, no idea for Dell sorry!) to configure.

    It’s a fair point actually that in your scenario another DC doesn’t buy you too much. Whilst I normally only use DCs as DCs we’re talking enterprise environments – in your case it’d make sense to get another server as you need to for file/print/mail or to run an app and maybe make that a DC too. There are security and other issues with running stuff on DCs though so do some reading before you jump into that – sounds like you might have a while before you can buy again anyway 😉

    Cougar
    Full Member

    RAID1 is “better” than RAID5, but relatively more expensive. If you’ve already done it, I’d suggest leaving it alone.


The topic ‘Networking and domain help: 2008 R2 and W7 laptop…’ is closed to new replies.