Advice on Replacing First Domain Controller in Forest/Domain

Discussion in 'Active Directory' started by Zoey, Jul 31, 2008.

  1. Zoey

    Zoey Guest

    Hi All,

    We are planning to replace the original domain controller that was the first
    dc when we upgraded our network to Windows2000 and then to Windows2003. We
    have a single Windows2003 native forest, single domain, with 3 domain
    controllers all running Windows 2003 Server with Service Pack 1. The server
    to be replaced holds all the FSMO roles, except for the PDC Emulator. We
    are running Active Directory Integrated DNS on the server we are replacing
    and we have a secondary DNS server (integrated DNS) on one of the other 2
    DCs.

    It is critical for us to keep the same server name and IP address for the
    new server, because all domain controllers and member servers (10 of them)
    are pointing to the server we are replacing, as well as several devices on
    our network.

    I have done some google searches, but I have not been able to nail down any
    step by step instructions for how to keep the same server name and IP
    address. I can't find any documents or whitepapers from Microsoft that detail
    the proper steps on doing this.

    Thanks in advance for any tips or useful links

    Zoey
     
    Zoey, Jul 31, 2008
    #1

  2. Of course you should do this over the weekend or off hours and after a
    confirmed good backup.

    Set up the new server with a temp name and temp IP address as a member server
    in the domain. Point it to the "other" DNS server in the domain, not the one
    you are going to remove.

    Transfer the FSMO roles from the first DC to another DC in the domain:
    How To View and transfer FSMO Roles in the Graphical User Interface

    http://support.microsoft.com/default.aspx?scid=kb;en-us;255690

    How to view and transfer FSMO roles in Windows Server 2003

    http://support.microsoft.com/default.aspx?scid=kb;en-us;324801

    Run dcpromo on the server you want to remove to make it a member server. At
    this point you can rename this server to servernameOLD and change the IP
    address to an unused IP address. In my experience, at this point you will
    have to wait and let the demoted DC replicate out of AD. Depending on when
    you make the change and when replication happens it may take a while.
    Usually at this point I go to bed and finish in the morning.

    Next step would be to rename the member server you gave a temp name and IP
    address to its final name and IP address and promote it to DC, install DNS and
    change the server to point to itself for DNS; the DNS info will replicate to
    the new DC. Set up DHCP if necessary and robocopy files to the new server if
    necessary. Test.

    Done

    hth
    DDS
     
    Danny Sanders, Jul 31, 2008
    #2

  3. Zoey

    Zoey Guest

    Danny,

    Thanks for the info. This has been the most helpful info I've received so
    far. Thanks to you, I almost have a plan :} I just have a couple of more
    questions:

    (1) At any point do I need to run the metabase cleanup function (From this
    link):
    http://technet.microsoft.com/en-us/library/bb727062.aspx
    (2) This is our everything server (DNS, DHCP, WINS). Clients cannot connect
    when this server is down. I work at a private school that is a 24x7 type
    environment. Downtime needs to be minimal. I realize you mention the
    replication of the demotion of this server can take some time. This is a LAN.
    I'm guessing it shouldn't take too long. Just wanted to run that thought by
    you again.

    Thanks again
     
    Zoey, Aug 1, 2008
    #3
  4. Hello Zoey,

    Move the 5 FSMO roles to one of the other DCs, and also make sure that at
    least one other DC is a Global catalog server.

    FSMO:
    http://support.microsoft.com/kb/324801

    GC:
    http://support.microsoft.com/?id=313994

    For DNS I would use Active Directory integrated zones, so all changes replicate
    with AD and you also always have a writeable DNS server instead of using
    a secondary, which stores a read-only copy.

    Run replmon, dcdiag and netdiag on all DCs to check for errors; if you have
    some, post the complete output from the command here or solve them first.

    If all is fine, demote the old DC with dcpromo to remove it correctly from
    AD. If it is now a member server, you can rename it and also give it a new
    IP.

    Now you can install the new server as a member with the old name and old IP
    address and then promote it to a DC. If needed you can also make it a DNS server.
    If you have a single forest domain I would also make all DCs Global catalog
    servers.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Aug 1, 2008
    #4
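The checks Meinolf lists above (roles moved, another GC present, replication clean), as an added example that is not from the thread: a PowerShell pre-flight script using the Windows Server 2003 Support Tools. `$OldDc` is a placeholder for the DC being replaced; the KB numbers are the ones cited in the post.

```powershell
# Added example, not from the thread. Pre-flight checks to run before demoting
# the old DC, using the Windows Server 2003 Support Tools (netdom, dsquery,
# repadmin, dcdiag). $OldDc is a placeholder for the name of the DC being replaced.
$OldDc = 'DC-OLD'

# 1. FSMO roles: none of the five may still be held by $OldDc.
$fsmo = netdom query fsmo
$fsmo
if ($fsmo -match $OldDc) {
    Write-Warning "FSMO role(s) still on $OldDc - transfer them first (KB 324801)."
}

# 2. Global catalog: at least one other DC must be a GC before $OldDc goes away.
#    dsquery prints each server's quoted RDN, one per line.
$gcs = dsquery server -forest -isgc -o rdn | ForEach-Object { $_.Trim('"') }
$otherGcs = @($gcs | Where-Object { $_ -ne $OldDc })
if ($otherGcs.Count -eq 0) {
    Write-Warning "No other global catalog server - enable GC on another DC (KB 313994)."
} else {
    "Other global catalog servers: $($otherGcs -join ', ')"
}

# 3. Replication health on every DC; resolve any failures before running dcpromo.
repadmin /replsummary
repadmin /showrepl $OldDc

# 4. Directory health of the DC being removed, including its DNS registrations.
dcdiag "/s:$OldDc" /test:Replications /test:FsmoCheck /test:DNS
```

Run it on a DC that is staying, after the role transfer and before demoting; any warning means stop and fix before touching dcpromo.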
  5. Hello Zoey,

    See inline.

    Best regards

    Meinolf Weber

    Normally not. If the demoting fails, then you have to run metadata cleanup.
    If you got an error during the first try, check if the DC is still Global
    catalog server; if yes, uncheck the GC and try again.

    Here it is also for 2003:
    http://support.microsoft.com/kb/216498
    Make sure that all clients use more than one DNS server, so they should be
    able to log on, even if the main DC is down.
    DNS replication, when using AD integrated zones, can take up to 15 minutes;
    intrasite Active Directory replication is normally really short. But you should
    think about doing the changes at close of business or at weekend times.
     
    Meinolf Weber, Aug 1, 2008
    #5
  6. Zoey

    Zoey Guest

    Hello Meinolf,

    Thanks so much for this info. This gives me a much better guideline to
    follow. Let me give you a better description of my environment, and then I'll
    hear your thoughts again:
    (1) On our primary server I have the DNS server set as active directory
    integrated dns.
    (2) On a second server I have dns configured with active directory
    integrated. On the name servers tab I have the primary dns and this secondary
    dns.
    (3) However, on all my servers everything is pointing to the primary.
    Question for you, do I need to go into the TCP/IP settings of each server and
    add the secondary dns server as the alternate dns server?
    (4) The primary server also is the DHCP server. I assume I just need to
    back up the c:\winnt\system32\dhcp\backup folder and then I export it to the
    new server?
    (5) On this primary server I have 4 of the FSMO roles here. The PDC
    emulator role is on another DC. I will transfer all FSMO roles here.
    (6) One last question. Right now when I shut down the primary server, no
    clients can connect. Can you figure out from reading my description of our
    network, why is it no clients can connect? Is there something I'm doing
    wrong? I just want to make sure when I promote the new server, that we don't
    have this issue again.

    Thanks so much for replying. I look forward to reading your reply to this
    latest post.

    Thanks,
    Zoey
     
    Zoey, Aug 1, 2008
    #6
  7. Hello Zoey,

    See inline.

    Best regards

    Meinolf Weber

    You can do it this way; I prefer itself as preferred and the other as secondary,
    also for the other DNS server. Also see here:
    http://support.microsoft.com/kb/825036
    If you have more than one DNS server, also configure all other servers and
    also workstations to use both machines as DNS server.
    Follow this one for DHCP:
    http://support.microsoft.com/kb/325473
    In a single forest domain you can leave all 5 FSMO roles on one server. I
    would also make all DCs Global catalog server in this case.
    The reason is DNS: all machines need a DNS server to connect to the domain.
    You said you use only one DNS server on all machines; if this DNS server
    is down, nobody can connect. Configure a second DNS server for all members.
     
    Meinolf Weber, Aug 1, 2008
    #7
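The single-DNS-server problem Meinolf describes above (every member points at one server, so the whole domain goes dark when it is down), as an added example that is not from the thread: a PowerShell/WMI audit that flags every host with fewer than two DNS servers and can optionally write the preferred/alternate pair. All addresses and host names are placeholders; `Win32_NetworkAdapterConfiguration` and its `SetDNSServerSearchOrder` method are the standard WMI class and method.

```powershell
# Added example, not from the thread. Audit the DNS client settings of every
# domain member and flag any that rely on a single DNS server. Addresses and
# host names are placeholders; WMI must be reachable on each host.
$PreferredDns = '10.0.0.1'        # placeholder: the DNS server being replaced
$AlternateDns = '10.0.0.2'        # placeholder: the second AD-integrated DNS server
$Servers = 'DC2', 'DC3', 'FS1'    # placeholder: member servers and DCs to audit
$Remediate = $false               # set to $true to write the corrected server list

foreach ($srv in $Servers) {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration `
        -ComputerName $srv -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        $dns = @($nic.DNSServerSearchOrder)
        if ($dns.Count -ge 2) {
            '{0} [{1}]: OK, DNS = {2}' -f $srv, $nic.Description, ($dns -join ', ')
            continue
        }
        $msg = '{0} [{1}]: only {2} DNS server(s) configured ({3}); this host loses the domain if that server is down' `
            -f $srv, $nic.Description, $dns.Count, ($dns -join ', ')
        Write-Warning $msg
        if ($Remediate) {
            # A DC keeps itself first (Meinolf's preference); every other host
            # gets the preferred server first and the alternate second.
            $ownIp = @($nic.IPAddress)[0]
            $order = @($PreferredDns, $AlternateDns)
            if ($dns -contains $ownIp) { $order = @($ownIp, $AlternateDns) }
            $rc = $nic.SetDNSServerSearchOrder($order).ReturnValue   # 0 = success
            '{0} [{1}]: SetDNSServerSearchOrder returned {2}' -f $srv, $nic.Description, $rc
        }
    }
}
```

Run it once with `$Remediate` left at `$false` to see which machines would break during the demotion window, then again with it set to `$true` before taking the old DC offline.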
  8. Zoey

    Zoey Guest

    Awesome advice. I may have a couple of more questions. I just want to read
    through all your helpful links and docs. If you don't mind I may ask you a
    few more questions after that.

    Thanks so much
     
    Zoey, Aug 1, 2008
    #8
  9. Jorge Silva

    Jorge Silva Guest

    Hi
    -Too much confusion for a simple process.
    -Do Backup in the DCs.
    -The network clients are using more than one INTERNAL DNS server correct?
    -Assuming yes, (As others said try to do it at weekend) first make sure that
    all services are available in additional Servers or DCs to serve clients
    (DNS, DHCP, WINS, etc...), also check if GC are available in the network,
    then demote the DC using Dcpromo (the FSMO roles are automatically
    transferred), replicate all information among all DCs in the network, then
    using the new server use dcpromo to promote it to a DC, give it the same
    name and ip address as the old one.

    DONE!!!

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Aug 1, 2008
    #9
  10. Bret

    Bret Guest

    Also, don't forget to make one of the other dcs a global catalog before
    running dcpromo on your primary dc.
     
    Bret, Aug 1, 2008
    #10
  11. Zoey

    Zoey Guest

    Hello again Meinolf,

    You have been so helpful, I appreciate your time. I hope you don't mind a
    few more questions.
    (1) For the DHCP server, I have the DNS 015 option pointing to the primary
    dns server. Do I need to add the secondary DNS server as well?
    (2) If my primary DHCP server goes down, should I have the dhcp scope
    restored to a 2nd server until this comes up (like during the demotion of the
    one I'm replacing)?
    (3) Let me see if I understand the DNS correctly:
    * On the 9 Member servers, I need to add the alternate (secondary DNS)
    * On the 3 DCs I need to add the alternate. I have problems adding the
    alternate (secondary DNS) because I get the following error:
    Warning – Multiple default gateways are intended to provide redundancy to
    a single network. They will not function properly when the gateways are on
    two separate networks. Do you want to save the configuration? These 2 DCs used
    to serve a 2nd subnet that is no longer in use, but I still have an IP
    Address on the 2nd NICs. Should I disable this card and then try to add the
    alternate DNS server again?

    Sorry for the long noted email. I appreciate your feedback one last time.

    Zoey
     
    Zoey, Aug 1, 2008
    #11
  12. See In line:
    Not necessarily, because the clients keep their leases for 8 days in the
    default config. So if the DHCP server is gonna be down only for a few hours
    the client will be OK.
    Most definitely disable the unused NIC.

    hth
    DDS
     
    Danny Sanders, Aug 1, 2008
    #12
  13. Hello Zoey,

    Again inline.

    Best regards

    Meinolf Weber

    If you have a really short lease time, you should think about a second DHCP
    server and split your scope 50/50 to both servers. Otherwise with the default
    lease time of 8 days, it should be enough for outage times shorter than
    4 days. See here for split DHCP:
    http://technet2.microsoft.com/windo...f464-40ea-ac88-2060e6769f331033.mspx?mfr=true
    Yes, unused NICs on DCs should always be disabled. If you still like to
    have it enabled, delete the old IP configuration. But better disable it.
     
    Meinolf Weber, Aug 1, 2008
    #13
  14. Zoey

    Zoey Guest

    Meinolf,

    Thanks for your patience. You laid it out for me nicely. Based on your
    helpful information I will form a checklist over the weekend. I'll probably
    replace this server the middle of next week, so I may post back before hand
    with the checklist I formed and have you verify if all looks good.

    Thanks for your outstanding support on this.

    Also, I want to thank everyone who posted here. This newsgroup is a great
    place to share thoughts and I value the expertise of everyone here.

    Regards,
    Zoey
     
    Zoey, Aug 1, 2008
    #14
  15. Zoey

    Zoey Guest

    Meinolf,

    Couple of more questions for you.

    (1) How much free disk space is needed during the dcpromo (demote) process?
    I have about 1.02 GIG of free space, and I've cleaned up as much as I
    possibly can. Is this enough free space? I've googled and couldn't find any
    links. Do you have a link you can provide?
    (2) The new DC i'm installing to replace the DC I want to demote comes with
    Windows Server Standard 2003 (SP2). The other 2 DCs have Windows2003
    Standard with SP1. I'm running low on space on the other 2 DCs as well (I
    know I need about 1.6GIG of free space to update to SP2) as I have under a
    GIG of free space on both. Will this cause problems if one DC in the forest
    has SP2 and the other 2 have SP1?
    (3) The new server we purchased will come with a RAID 1 mirror (73GIG SAS
    Drives) on the C partition and a RAID 16 (4x146 SAS Drives) on the 2nd
    partition. It will also have 2 Quad core processors. Is this overkill?

    Thx,
    Zoey
     
    Zoey, Aug 2, 2008
    #15
  16. Zoey

    Zoey Guest

    Correction on my part on question 2. I mentioned RAID16. It's a RAID10.
     
    Zoey, Aug 2, 2008
    #16
  17. Hello Zoey,

    See inline.

    Best regards

    Meinolf Weber

    1 GB should be enough. I don't have a link.
    No, SP level is not important, they can run together. You talked about that
    you have cleaned up your drives. If you describe what you have done, maybe
    we find additional options to free some space.
    Not overkill, powerful. I would choose this one for the main DNS and configure
    all clients to use it as preferred and another DNS as secondary.
     
    Meinolf Weber, Aug 2, 2008
    #17
  18. Zoey

    Zoey Guest

    Thanks Meinolf,

    I've just about got it all in my head what I need to do. Here is another
    DNS question for you. On the TCP/IP settings (DNS Tab) on all my domain
    controllers and member servers, in the "DNS Suffix for this connection" all
    are pointing to the servername I am replacing. As I build the new server
    with a temp name and IP Address, and then demote the server I am replacing, I
    assume during the DCPROMO of the new server that there will be downtime for
    my clients until I get the new server promoted and configured with the same
    IP Address and servername. Can you confirm for me this is the path I take, or
    is there anything different I need to do during the demotion/dcpromo process.

    Thanks,
    Zoey
     
    Zoey, Aug 2, 2008
    #18
  19. Hello Zoey,

    This field, if used, contains the DNS suffixes, NO server names. Here is a
    description for the field:

    Provides a space for you to specify a DNS suffix for this connection. If
    a DHCP server configures this connection and you do not specify a DNS suffix,
    a DNS suffix for this connection is assigned to this connection by the appropriately
    configured DHCP server. If you specify a DNS suffix, the DNS suffix assigned
    by the DHCP server is ignored. The local setting is used only if the associated
    Group Policy is disabled or unspecified.
    It is most helpful in multi-domain environments, as you can append each dns
    suffix to properly see resources across domains. If you only have one domain,
    or no domain at all, it does not really matter, and you can leave it blank.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Aug 2, 2008
    #19
  20. Zoey

    Zoey Guest

    Meinolf,

    Sorry to keep bugging you (I probably owe you my life right now :} ). I
    just want to recap what you said here, because if true, I may have had our
    DNS all wrong here in my environment. When I upgraded our network from NT4
    to Windows2000, I had to make sure all the servers pointed to the PDC before
    the upgrade to Windows2000. I did this by entering the IP Address and then
    added the Primary server in the DNS suffix on all the servers. So I've had
    all dcs and member servers configured like this since Windows2000. As I
    upgraded our windows2000 domain to Windows2003 I kept everything as is. It
    appears your notes state on all my servers (including the first domain
    controller in the forest) I leave this dns suffix field blank and take out
    the server name. Can you confirm? Sorry again, I just want to make sure I
    have my DNS setup properly in our environment, and I'm afraid to remove anything
    that has been working.

    Thanks again for all your time and patience.

    Regards,
    Zoey
     
    Zoey, Aug 3, 2008
    #20