We are currently running 2 Server 2008 R2 Active Directory Domain Controllers at work, and a fail-over cluster running on them to provide resilient File, Print and DHCP serving. Server1 holds all of the FSMO roles, and is a GC, and Server2 is just a GC....

What we have observed is that bringing Server1 up takes a very long time (which I believe is a result of no DNS being available due to waiting for ADDS, and ADDS not being able to find anything because it can't see any DNS). Usually we power up Server1, wait 30 seconds or so, and power up Server2. Server1 will sit and wait at 'Applying Computer Settings', to the point that Server2 will finish its startup. DNS on Server2 does not start working until I'm able to log into Server1 and initiate a restart. Once Server1 completes its restart, everything is fine and we can continue with startup.

The result of all this is that the fail-over cluster requires manual intervention to start, because it fails as AD/DNS are not ready. I've done some research to understand that this long startup delay is caused by a lack of DNS for server1 (chicken and egg type scenario). I'd very much like to solve this issue, as it makes things easier to document (and thus have someone else do it:) ) when there is a defined process, so the solution to me seems to be to add another DNS server (I'm thinking not an AD DNS server, perhaps even a Linux DNS server) and start this before Server1 & 2. Am I on the right track with this, or does the DNS server need to AD Integrated? Or would it even be better to add an RODC and start that first?

gavin0001

2 Answers

The solution: have a separate small machine with Active Directory that sits there on its own UPS and acts as last-resort AD. The other ADs use it as DNS. Problem solved. This is what I do in my environment and it seriously took down boot times.

The DNS is normally AD integrated unless you manually destroy that - which has other implications.

JP Hellemons
TomTom
  • That makes sense about DNS - although if we ran a Linux DNS machine, would treating it as read-only solve the problem? I'd love to say putting a machine on its own UPS is a solution, but as our machines are blades that's not really an option, plus I don't think having a machine on its own UPS would sustain us across a 2 day power outage (which we just had - hence the question now:) ) – gavin0001 Oct 18 '11 at 08:28
  • Except it is not read only. Windows loves dynamic updates with security on the individual entries. Regarding UPS - get a small Atom-based server that does only that. I run a lot of virtualization, too, and I have 1 separate machine acting as "first DC" that has a separate UPS JUST to have a core from which to start the network. – TomTom Oct 18 '11 at 10:49

TomTom's answer is right on the spot. I'm just posting a separate answer to clarify some things.

From Microsoft KB 281662:

To have Windows Clustering function properly (where the Cluster service starts on each node) the node that forms the cluster must be able to validate the Cluster service domain account, which is the account that you configure during the Windows Clustering installation. To accomplish this, each node must be able to establish a secure channel with a domain controller to validate this account. If the node cannot validate the account, the Cluster service does not start. This is also true for other clustered programs that must have account validation for services to start, such as Microsoft SQL Server and Microsoft Exchange.

So - with only two domain controllers in one cluster the cluster service does not have anywhere to authenticate during boot, which then causes other services to either fail or take a tremendous amount of time to start up.

I might wanna add: Clustering domain controllers isn't common practice..

pauska
  • Understood, I don't see a problem with running one that is 'always on', but there's always going to be that time when the UPS just isn't enough (not to mention it requires purchasing an additional UPS + some sort of 'lightweight' machine - which isn't an option atm). Is there definitely no way in which AD can be partially started on another machine (either using an RODC or some sort of DNS machine) to allow the two DCs to be able to find the resources they need and start properly? – gavin0001 Oct 18 '11 at 22:57
  • I don't understand.. you're saying that you cannot purchase another machine, but you're still asking if it's possible to use another machine for the job. – pauska Oct 19 '11 at 07:02
  • Correct, I'm saying it's not possible to purchase another machine, I do however have a spare blade I can use. Make sense now? :) – gavin0001 Oct 19 '11 at 11:25
  • I see. All industry standard servers have BIOS-controlled start up delay when power returns. How about setting your cluster blades to a much longer delay than your spare blade? – pauska Oct 19 '11 at 12:09
  • I'm aware of that, however I think we're getting away from the original question... Is there a way that I can partially start AD on another machine (i.e. an RODC or something like that...) that would allow me to start the Domain Controllers/Fail Over Cluster such that they start correctly from a completely cold boot assuming a clean shutdown? – gavin0001 Oct 23 '11 at 01:30
  • Anyone have any ideas? – gavin0001 Nov 14 '11 at 06:44
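The KB 281662 passage quoted in pauska's answer is the useful part for scripting: the Cluster service fails at boot because it cannot yet validate its account against a domain controller, and on this setup the node itself is one of the two DCs that are still starting. Rather than starting ClusSvc by hand after the second DC is up, a start-up task can gate it on the things the answers say must exist first: the AD DNS SRV records, a locatable DC, and an authenticated LDAP bind. The script below is an added example written for this thread, not code from the original posts or from Microsoft; it targets Server 2008 R2 (PowerShell 2.0, so `nslookup` and `nltest` instead of `Resolve-DnsName`), and the domain name `corp.example`, the 30 minute timeout and the idea of setting ClusSvc to Manual so the task owns its start are assumptions you would adjust.

```powershell
# Added example for this thread (not from the original answers).
# Run as a start-up scheduled task (SYSTEM, "At startup") on each cluster node
# with the Cluster service (ClusSvc) set to Manual, so this script starts it
# only once AD DNS and a DC are actually usable. 2008 R2 / PowerShell 2.0 safe.
param(
    [string]$Domain         = 'corp.example',   # assumption: your AD DNS domain name
    [int]   $TimeoutMinutes = 30,               # assumption: longer than a cold boot of both DCs
    [int]   $PollSeconds    = 20,
    [string]$LogFile        = "$env:SystemRoot\Temp\clusgate.log"
)

function Write-Log([string]$Msg) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Msg
    Add-Content -Path $LogFile -Value $line
}

function Test-AdDnsReady {
    # Every DC registers _ldap._tcp.dc._msdcs.<domain>; getting an SRV answer
    # back proves the AD-integrated DNS zone is being served, which is the
    # chicken-and-egg piece the question describes. nslookup's exit code is
    # not reliable, so inspect the answer text instead.
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    $out = & nslookup -type=SRV $srv 2>&1 | Out-String
    return ($out -match 'svr hostname')
}

function Test-DcLocatable {
    # DsGetDcName via nltest: non-zero exit means the locator found no DC
    # (ERROR_NO_SUCH_DOMAIN / ERROR_NO_LOGON_SERVERS). /force bypasses the cache
    # so a stale hit from before the power outage does not count.
    & nltest /dsgetdc:$Domain /force | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-DcAuthenticates {
    # This is the check KB 281662 is really about: can this node authenticate
    # to a DC. A serverless LDAP bind as SYSTEM uses the machine account, so a
    # successful RootDSE read means a DC accepted our credentials.
    try {
        $root = [ADSI]"LDAP://RootDSE"
        $nc   = $root.Get('defaultNamingContext')
        return (-not [string]::IsNullOrEmpty($nc))
    } catch {
        return $false
    }
}

function Test-AdReady {
    return ((Test-AdDnsReady) -and (Test-DcLocatable) -and (Test-DcAuthenticates))
}

Write-Log "Cluster gate started; waiting up to $TimeoutMinutes min for AD/DNS"
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$ready    = $false
while ((Get-Date) -lt $deadline) {
    if (Test-AdReady) { $ready = $true; break }
    Write-Log ("dns={0} locator={1} auth={2}; retry in {3}s" -f `
        (Test-AdDnsReady), (Test-DcLocatable), (Test-DcAuthenticates), $PollSeconds)
    Start-Sleep -Seconds $PollSeconds
}

if (-not $ready) {
    Write-Log "AD/DNS not ready after $TimeoutMinutes min; leaving ClusSvc stopped for manual start"
    exit 1
}

$svc = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
if ($svc -eq $null) { Write-Log "ClusSvc not installed on this node"; exit 2 }
if ($svc.Status -ne 'Running') {
    Start-Service -Name ClusSvc
    Write-Log "AD/DNS ready; started ClusSvc"
} else {
    Write-Log "AD/DNS ready; ClusSvc already running"
}
exit 0
```

Two caveats a practitioner would want: the three checks only tell you that a DC is answering, not which one, so on Server1 (the slow node) the gate will typically pass once Server2 has finished advertising, which matches the order the question observes; and the gate does nothing about the underlying delay at 'Applying Computer Settings', which the answers attribute to the DCs having no DNS other than each other. It removes the manual ClusSvc start, not the wait.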