Advice on Replacing First Domain Controller in Forest/Domain

Hello Zoey,

From MS:

Configuring a DNS suffix search list
For DNS clients, you can configure a DNS domain suffix search list that extends
or revises their DNS search capabilities. By adding additional suffixes to
the list, you can search for short, unqualified computer names in more than
one specified DNS domain. Then, if a DNS query fails, the DNS Client service
can use this list to append other name suffix endings to your original name
and repeat DNS queries to the DNS server for these alternate FQDNs.

For computers and servers, the following default DNS search behavior is predetermined
and used when completing and resolving short, unqualified names.

When the suffix search list is empty or unspecified, the primary DNS suffix
of the computer is appended to short unqualified names, and a DNS query is
used to resolve the resultant FQDN. If this query fails, the computer can
try additional queries for alternate FQDNs by appending any connection-specific
DNS suffix configured for network connections.

If no connection-specific suffixes are configured or queries for these resultant
connection-specific FQDNs fail, then the client can then begin to retry queries
based on systematic reduction of the primary suffix (also known as devolution).

For example, if the primary suffix were "example.microsoft.com", the devolution
process would be able to retry queries for the short name by searching for
it in the "microsoft.com" and "com" domains.

When the suffix search list is not empty and has at least one DNS suffix
specified, attempts to qualify and resolve short DNS names is limited to
searching only those FQDNs made possible by the specified suffix list. If
queries for all FQDNs formed as a result of appending and trying each suffix
in the list are not resolved, the query process fails, producing a "name
not found" result.

Notes

. If the domain suffix list is used, clients continue to send additional
alternate queries based on different DNS domain names when a query is not
answered or resolved. Once a name is resolved using an entry in the suffix
list, unused list entries are not tried. For this reason, it is most efficient
to order the list with the most used domain suffixes first.

. Domain name suffix searches are used only when a DNS name entry is not
fully qualified. To fully qualify a DNS name, a trailing period (.) is entered
at the end of the name.



Personally i never used this field in any of my domains, because we have
only single forest domains. With your configuration to the PDC during your
upgrading, i think the main point was to get the "master" DC and also the
"master" DNS server, it was only important to configure the preferred DNS
server to this machine. From my point of view the settting with the servername
will not help you on this. And as said in the articles, you have to add there
no servername. I would remove it on all machines, have a look for 2 days,
if possible reboot the servers and see if everything is still working. I
assume it makes no difference.

Best regards

Meinolf Weber

 

Hello Meinolf,

Thanks again. It sounds like I need to take out the server name I have in
the DNS suffix for all the servers. It sounds like all I need is the IP
Address for the primary and alternate servers. Just curious how many DCs do
you have in your forest? Let me recap my checklist that you and Danny helped
provide. I hope you can just confirm if i'm missing anything:

(New Server Pre Checklist)
* Build new server as a member server with a temp ip address and temp name
(Server being Replaced Checklist)
* Backup Systemstate
* Transfer remaining FSMO roles to another DC
* Export DHCP database config.
* Remove server as a GC
* Before demoting server, run replmon, dcdiag and netdiag on all dcs to
confirm errors.
* Demote Server to member server
* If I have any errors or problems with demotion run the metebase cleanup.
* Rename server
* Change IP Address
* Unauthorize DHCP scopes - Question ==>should I be unauthorizing DHCP at
this time?
(New server)
* Rename server to server name i'm replacing.
* Change IP Address to the IP Address of server being replaced.
* Run DCPROMO and make this a domain controller in existing domain.
* Install DNS Active Directory Integrated, make this a primary server
Question - I assume this will pull the zone information from the the
other server that is also an active directory integrated and has the server
i'm replacing in the "name servers" tab. Please confirm.
* Install DHCP
Question - Should I be doing DHCP before running DCPROMO?
* Import DHCP config
* Authorize DHCP
* Install WINS
* Transfer FSMO roles back to this server. Transfer Infrastructure role to
the DC that is not a Global Catalog server.
* Make server a Global Catalog Server
* Verify DNS
* Verify DHCP

I think I should be all set after this. If you could confirm my checklist
and my remaining questions, I should be good to go.

Thansk again

 

Hello Zoey,

Minimum 2 and maximum is 6 over different sites. See inline for your list.

Best regards

Meinolf Weber

Before starting with any step run diagnostic tools

Only if you have no option to solve the problem and then the old machine
should be NEVER reconnected. If you have errors/problems you can also post
them here.

Not needed. Only after importing to the new server you have to authorize
the new one.

The advantage of AD int. is, that all DNS zone information will be replicated
automatically. You have only to wait round 15 minutes and all should be copied.

Yes. http://support.microsoft.com/kb/325473

In a single forest domain you can have all FSMO roles on one DC: http://support.microsoft.com/kb/223346/en-us

 

Awesome. Thanks. I should be good to go.

 

Hello Zoey,

Wish you all the best for your migration.

Best regards

Meinolf Weber

 

Hello Meinolf,

One more question. Is there any downside to doing this during business
hours? If I have 2 other DCs and 1 other DNS server, there shouldn't be any
downtime for the clients, correct? I'll go by your recommendation.

Please confirm.

Thanks

 

Hello Zoey,

Do you have some data or profiles or whatever else on the server? If not
and all domain machines have a reachable DNS/DHCP server configured, it should
go also during working hours. If you have exchange in the domain, make sure
that the exchange is pointing to a Global catalog server in the "Recipients
update service" in the Exchange system manager.

Best regards

Meinolf Weber

 

I would make every effort to do it off shift. While something like this
*can* be done while folks are logged on, I would avoid it if possible....

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

 

Hank,

Thanks for the reply. I will set aside a 3 hour window to do this.

Another DNS question for whomever, hopefully Meinolf is available. In the
DNS suffix, shouldn't the dns domain (example: microsoft.com) still be there
(i understand i should take the servername out, but i'm assuming I leave the
domain in there?)

 

Hello Zoey,

No, it is not needed to fill in your domain name there. Just leave it blank.
As i said never used it in my domains.

Best regards

Meinolf Weber