Friday, October 1, 2004

Avoid Exchange Hell by having multiple domain controllers


By David Gewirtz

Enough time has passed since My Thirteen Days in Exchange Hell that I can talk about it without getting the shakes. Unfortunately, it's been almost seven months, so some of the details have blurred in my mind. Actually, I tried to block it all from my mind so I could again sleep without nightmares, but no such luck.

As I mentioned last week, our Exchange server crashed hard. My challenge was reinstalling the backups. Along the way, I got some clues about what went wrong. This week, I'll talk about multiple domain controllers.


The biggest lesson that came out of this is that we should have had multiple domain controllers. To understand why I say this, you need to know about Exchange and an evil, evil concept called Active Directory. In theory, Active Directory is good. After My Thirteen Days in Exchange Hell, I hate Active Directory with an unhealthy and all-consuming passion.

How to explain Active Directory in ten words or less? OK, let's try this. Active Directory is a network-wide permissions system for enterprise-level Windows networks. The idea makes sense. Let's say you have a company with a hundred users and need to set permissions for file access, email, and the like for all those users.

Active Directory, which came out with Windows 2000, allows you to set those permissions once, and have the permissions propagate throughout the network. The alternative would be to set up permissions on each machine, for each set of users. This is complex and can often lead to errors.

Of course, Active Directory can lead to an emotional breakdown.

Managing the Active Directory database is a machine called a Domain Controller. This one machine is like the Master Control Program from Tron. It runs permissions on your network. And if you lose your Domain Controller and you're in an Active Directory domain, you lose your network.

It gets worse. Active Directory has something called a "tombstone lifetime setting." According to Microsoft,

"Windows 2000 prohibits the restoring of old backup images into a replicated enterprise. Specifically, the useful life of a backup is identical to the "tombstone lifetime" setting for the enterprise. The default value for the tombstone lifetime entry is 60 days."

So, if you can't restore your backups after 60 days, or your backup is more than 60 days old, you're toast. Now, why didn't I see a Surgeon General's warning about that on the front of my Windows 2000 Server box?

The bottom line is this: if your domain controller tanks, you're in Hell.

Lessons learned

The solution is multiple, active, replicating domain controllers. We only had the one domain controller running here at ZATZ. We don't have all that many local employees and have very little physical floor space to store servers, so there seemed no need to have an additional domain controller.
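
A check for both failure conditions described above (a lone domain controller, and a backup older than the tombstone lifetime), as an added example that is not from the original article. It assumes the ActiveDirectory PowerShell module, which postdates Windows 2000, and backups taken with an Active Directory-aware tool; the half-life warning threshold is an assumption.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$configNC = $root.configurationNamingContext
$domainNC = $root.defaultNamingContext

# tombstoneLifetime is stored on the Directory Service object in the
# configuration partition. When the attribute is unset, the 60-day default applies.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$dsObject = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

# A domain with a single domain controller has no replica to recover from.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller found in this domain."
}

# An Active Directory-aware backup stamps dSASignature on the partition head;
# the attribute's replication metadata carries the time of that write.
$meta = Get-ADReplicationAttributeMetadata -Object $domainNC `
            -Server $dcs[0].HostName -Properties dSASignature

if (-not $meta) {
    Write-Warning "No backup has been recorded for $domainNC."
    $backupAgeDays = $null
} else {
    $backupAgeDays = [int]((Get-Date) - $meta.LastOriginatingChangeTime).TotalDays
    # Assumption: start warning once half of the backup's useful life is gone.
    if ($backupAgeDays -ge $tombstoneDays) {
        Write-Warning "Last backup is $backupAgeDays days old: past the tombstone lifetime, not restorable."
    } elseif ($backupAgeDays -ge [math]::Floor($tombstoneDays / 2)) {
        Write-Warning "Last backup is $backupAgeDays days old: over half its useful life is used."
    }
}

# Summary object for logging or scheduled reporting.
[pscustomobject]@{
    Domain                = $domainNC
    DomainControllerCount = $dcs.Count
    TombstoneLifetimeDays = $tombstoneDays
    LastBackupAgeDays     = $backupAgeDays
    BackedUpOn            = $meta.LastOriginatingChangeDirectoryServerIdentity
}
```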