#1
2 domain controllers on 1 subnet
Hey all,
Is it possible to have two domain controllers on one subnet? I've got 2 Windows servers on a small network, but clients seem to only recognize one of the two. Thanks
__________________
Cheers, Ryan
#2
Absolutely... What do you mean clients only recognize one of them? As I will explain, certain roles can only be held by 1 of your DCs.
There are 5 FSMO roles a Domain Controller can hold; all of which have a specific duty within your AD Domain. When creating a new AD Domain, the first domain controller in an organization assumes all 5 of these roles...Even if you promote another box to have a second DC, these 5 roles will still be held by the first DC...(Unless you manually transfer them). Having a second DC is a great idea...even for a small organization as it will provide redundancy if one were to completely die; you would simply need to transfer the FSMO roles to the other DC as your DNS and AD schema are automatically replicated between the two DCs. DNS and your AD infrastructure are automatically there so you will have no down time... BTW: Here's an MS article covering the 5 FSMO roles, what they do and how to transfer the roles if ever need be: AD FSMO Roles
__________________
PWD MCSE, MCSA, MCP, Security+ NEW Windows Administration Forum Admin Source. Could REALLY, REALLY, REALLY use you and your issues!
Last edited by PWD : April 19th, 2008 at 11:13 PM.
#3
Interesting. What I mean by only recognizing one of the two is that when I connect to \\server1 on the client computers, it loads the shared volumes correctly, but when I connect to \\server2, it says the resource is inaccessible. Connecting using both of the servers' IP addresses works fine. Would transferring FSMO roles fix this? The two servers aren't communicating properly...
Server1 is running Windows 2000 Server, and Server2 has 2003. Could this be part of the problem?
#4
Strange, you should be able to browse both. Normally inconsistencies in browsing by UNC path (\\server) are a DNS issue...

Is the inaccessible DC listed in Active Directory Users and Computers under the Domain Controllers container? Is there a host record in your local DNS (on both DCs) for the inaccessible DC? Check the DNS server on both DCs to make sure DNS is replicating between DCs and double check host records are the same on both DNS servers.

I would check your 'Domain Functionality' level and make sure you are running in 'Windows 2000 native' mode. (This supports Server 2000 and Server 2003 domain controllers.) To do this open Active Directory Users and Computers, right click on your domain and select 'Raise Domain Functional Level'. You should see your current Domain Functional Level and a drop down to raise it. By default, with 2000 & 2003 DCs, it is set to 'Windows 2000 Mixed'. If it is currently set to this, select 'Windows 2000 Native' from the drop down and click 'Apply'. DO NOT select Server 2003 as this puts your domain into a compatibility mode where ONLY 2003 Domain Controllers are supported.

Personally, I would make the 2003 DC hold all 5 of the FSMO roles. This way, the 2000 DC becomes a secondary DC and if your 2003 craps out, you simply need to transfer the 5 FSMO roles to the 2000 DC until you can rebuild your 2003 DC.
#5
Windows 2000 native mode does not support 2003 DCs. It supports 2003 servers as member servers but not as DCs. You have to upgrade the 2000 schema to support 2003 by running adprep from the 2003 CD or the 2nd CD of 2003 R2.
http://technet2.microsoft.com/windowsserver/en/library/bc5ebbdb-a8d7-4761-b38a-e207baa734191033.mspx?mfr=true

If adprep wasn't run, odds are you have two forests of the same name.

"when I connect to \\server1 on the client computers, it loads the shared volumes correctly, but when I connect to \\server2, it says the resource is inaccessible"

You don't connect to "servers" in AD but to the Forest. What you describe supports the idea adprep wasn't run or you are expecting DFS functionality without setting up DFS. The easy way to check all this is via DNS. Are you running DNS as AD integrated or primary/secondary? If you add a host entry in one DNS server, does it show up in the other?
#6
I disagree:
Domain Functionality:
- Windows 2000 Mixed (default): NT4, 2000 & 2003
- Windows 2000 Native: 2000 & 2003
- Windows 2003 Interim: NT4 & 2003
- Windows Server 2003: 2003 ONLY

DFS auto configures for the domain shares (SYSVOL & NETLOGON) without having to define a DFS namespace... The DFS client service automatically engages when the workstation is joined to the domain. The only time you need to define a DFS namespace is if you are using it in your infrastructure for ALL your folder sharing... If the DFS client on the client machine has issues you'll receive Event IDs 1030 & 1058, telling you it can't resolve the GPO object...

I DO AGREE to also check if ADPREP was run, but the 2003 DC would have failed the dcpromo had it been joined to the existing 2000 domain FIRST...

BTW: My own environment is running in 2000 Native mode with 1 2000 DC and 2 2003 DCs serving 450+ clients with no problems...
Last edited by PWD : April 22nd, 2008 at 10:59 PM.
#7
I stand corrected. I thought 2003 adprep put the forest in 2003 interim. Thanks
#8
Ah. I'm in 2000 Mixed right now, but if both modes (native and mixed) support 2003 and 2000 DCs, I see no reason to switch down to native (right?). I'm going to try adprep tonight. In the meantime, how do I check to see if the two servers are replicating properly? I glanced at the DNS records, and they differed slightly. I manually made them all the same, rebooted, but still got the same error.
[EDIT] Pinging Server2 works... the LAN IP is resolved, so I don't think it's a DNS error...
Last edited by haid : April 22nd, 2008 at 08:29 PM.
#9
It does make a difference as you do not have NT4 servers in your domain. When elevated to 2000 Native you then get the full functionality of a Server 2000/2003 infrastructure (see my previous link for what happens when this is elevated...)

Adprep is run from the Server 2003 disc (disc 1 if the 2003 machine is 2003 Standard or disc 2 if the machine is Standard R2) on the 2000 DC BEFORE the 2003 server can be promoted as part of the domain. It can not be run on a machine that has already been promoted to a DC in its own forest/domain tree... In a typical upgrade you would do the following:
1) Install 2003 on the new server.
2) Join the 2003 server to your existing domain.
3) Insert disc 1 (if 2003 Standard) or disc 2 (if 2003 Standard R2) into your 2000 Server's CD drive and click 'Start' => 'Run' and enter: cd_drive\i386\adprep.exe /forestprep
4) When forest prep is done, you then need to run: cd_drive\i386\adprep.exe /domainprep
5) You should then be able to promote the 2003 Server to a Domain Controller.
6) Normally, I would then transfer the 5 FSMO roles to the 2003 DC and elevate the domain functional level to 2000 Native.

If adprep wasn't run (hence the reason I inquired if both DCs appeared under the Domain Controllers OU) you would need to re-install 2003 on your new server as running adprep is a prerequisite to promoting a 2003 server in a pre-existing 2000 domain. As wanderer2 pointed out, you probably have 2 separate forests and domain trees that are essentially separate...

DNS
The easiest way to ensure DNS replicates properly is to make sure your forward lookup zone is AD integrated. Right click on your domain in DNS, select Properties. If under 'Type' it doesn't say 'AD Integrated', click Change and make it AD Integrated. (Allowing ONLY secure updates.)
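The checks the replies above ask for (is each DC listed in the Domain Controllers container, do both DNS servers advertise the same DCs, who holds the FSMO roles, and are these one domain or two separately built domains of the same name) can be collected in one pass. This is an added example, not code from the thread; it talks plain LDAP and DNS to each server, so it works against Windows 2000/2003 DCs as well as newer ones, and assumes an admin workstation with PowerShell 3 or later and Resolve-DnsName (Windows 8 / Server 2012 or later) that can reach both DCs on LDAP port 389. The server names are the thread's; everything else is read from the directory.

```powershell
# Added example (not the thread's own code): ask each DC what it believes about the domain.
param([string[]]$DCs = @('server1', 'server2'))   # DC names from the thread

function Get-DcView {
    param([string]$Dc)
    $root = [ADSI]"LDAP://$Dc/RootDSE"                     # readable on any DC, incl. Windows 2000
    $nc   = $root.defaultNamingContext.Value               # e.g. DC=corp,DC=example
    $dom  = [ADSI]"LDAP://$Dc/$nc"
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($dom.objectSid.Value, 0)
    # Domain-wide FSMO holders live in fSMORoleOwner (the DN of an NTDS Settings object)
    $rid  = [ADSI]"LDAP://$Dc/CN=RID Manager`$,CN=System,$nc"
    $inf  = [ADSI]"LDAP://$Dc/CN=Infrastructure,$nc"
    $owner = { param($dn) if ($dn -match 'CN=NTDS Settings,CN=([^,]+)') { $Matches[1] } else { $dn } }
    # DCs this replica knows about (post #4: the Domain Controllers container)
    $ou    = [ADSI]"LDAP://$Dc/OU=Domain Controllers,$nc"
    $known = @(foreach ($c in $ou.Children) { $c.dNSHostName.Value }) | Sort-Object
    # DCs this server's DNS advertises (posts #4/#5: compare the two zones)
    $fqdn = (($nc -split ',') -replace '^DC=') -join '.'
    $srv  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$fqdn" -Type SRV -Server $Dc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        QueriedDC   = $Dc
        DomainSID   = $sid.Value
        MixedMode   = [bool][int]$dom.ntMixedDomain.Value   # 1 = 'Windows 2000 Mixed'
        PDCEmulator = & $owner $dom.fSMORoleOwner.Value
        RIDMaster   = & $owner $rid.fSMORoleOwner.Value
        InfraMaster = & $owner $inf.fSMORoleOwner.Value
        KnownDCs    = $known -join ','
        DnsDcSrv    = (@($srv | ForEach-Object NameTarget) | Sort-Object) -join ','
    }
}

$views = foreach ($dc in $DCs) { Get-DcView -Dc $dc }
$views | Format-List

# Reading the result:
#  - Different DomainSID per server: two independent domains that merely share a
#    name (the "adprep was never run" case); no DNS or FSMO change can merge them.
#  - Same SID but DnsDcSrv differs: the DNS zones are not replicating; make the
#    zone AD-integrated (post #9) and re-check.
#  - Same SID and DNS, but a DC missing from KnownDCs: an AD replication problem;
#    follow up with 'repadmin /showrepl' and 'dcdiag /test:replications'.
if (@($views | ForEach-Object DomainSID | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'The DCs report different domain SIDs: these are separate domains.'
}
```

Run it once from a workstation that can reach both servers; the two objects should match field for field when the servers really are replicas of one domain.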
#10
How can I verify that there are two identical forests?
#11
*bump*
Viewing: Dev Shed Forums > System Administration > Networking Help > 2 domain controllers on 1 subnet