MECIT
asked on
Virtualize Primary DNS
We have ESX4.0 and we currently have two DNS servers:
DNS1- physical and primary
DNS2 - virtual and secondary
Both server 2003 OS
I would like to make DNS1 into a vm as well.
1. What would be the best way of doing this?
2. Would physical to virtual be easier, or would creating a new VM from scratch be better?
3. What if I wanted to make DNS1 reside on Server 2008 instead of 2003?
4. Would that cause any issue with DNS2?
P2V would be the fastest way. If you want to go to 2008 I would definitely recommend a fresh install. It's really preference when it comes down to it. Server 2008 and 2003 servers can co-exist, so it won't cause any issues for your other server.
Is Server DNS1 an Active Directory server?
Just a question: is DNS1 just a DNS server, or does it host any other roles? I know we made a mistake in the past of putting a PDC in a blade and our secondary DC was a VM on a blade in the same blade chassis, and we had our network switch in the chassis go down... and all hell broke loose. If it is just DNS you should be able to migrate the role to another server, and 08 should not be a problem. You just might make sure, if these are the only 2 DNS servers, not to put them on the same ESX server.
Because normally, you integrate DNS into AD!
ASKER
DNS1 is also an Active Directory server.
We have two hosts and currently DNS2 on host 2.
The hosts are in a cluster with HA and DRS enabled.
With HA and DRS going imho you should be golden to either build a clean 08 server and migrate the DNS role or do a p2v conversion.
With DRS and HA, make sure to set a rule to keep DNS1 and DNS2 separate; that way if you lose 1 host you won't lose both DNS VMs.
ASKER
Are there documents on how to install AD and DNS on a secondary server on a server 2008?
Could I have three servers and promote the 08 server to primary and then remove the physical server?
ASKER
Where would I create the rule ?
There's no "primary" and "secondary" domain controllers anymore since Windows 2000. As far as DNS goes, any DNS server can be set as either primary or secondary. You can have 3 or more existing at one time.
To create the rule in VMware go to vCenter, right click the Cluster, select Edit Settings, then under DRS click Rules, then Add, then set the type to "Separate Virtual Machines", click Add, select the 2 VMs you want, and save.
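The same anti-affinity rule can be created from PowerCLI instead of the vSphere client. This is an added example, not code from the thread; the vCenter name, cluster name and VM names are hypothetical placeholders, and it assumes PowerCLI is installed and the account has rights to edit cluster settings.

```powershell
# Added example (not from the thread). Creates the DRS "Separate Virtual Machines" rule
# so DNS1 and DNS2 never run on the same ESX host.
# Assumptions (hypothetical names): vCenter vcenter.domain.org, cluster "Cluster1",
# VMs named DNS1 and DNS2.
Connect-VIServer -Server vcenter.domain.org

$cluster = Get-Cluster -Name "Cluster1"
$vms     = Get-VM -Name "DNS1", "DNS2" -Location $cluster

# KeepTogether $false is the PowerCLI spelling of "Separate Virtual Machines" (anti-affinity)
New-DrsRule -Cluster $cluster -Name "Separate DNS/DC VMs" -Enabled $true -KeepTogether $false -VM $vms

# Verify: the rule exists and is enabled, and the two VMs are on different hosts right now
Get-DrsRule -Cluster $cluster -Name "Separate DNS/DC VMs" | Format-List Name, Enabled, KeepTogether
$vms | Select-Object Name, @{Name = "Host"; Expression = { $_.VMHost.Name }}
```

The rule only keeps the VMs apart while at least two hosts are available; with a two-host cluster, a host failure leaves DRS reporting the rule as violated until the second host returns, which is the expected state rather than an error.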
ASKER CERTIFIED SOLUTION
ASKER
I have a 2008 server VM ready. When adding the AD role, which roles do I select?
AD Certificate Services
AD Domain Services
AD Federation Services
AD Lightweight Directory Services
AD Rights Management Services
Add the AD Domain Services role, then once it's installed run DCPROMO.
SOLUTION
ASKER
By running ADPREP, what will it do and how does this affect our existing environment?
Is there anything else I have to do before adding the 2008 DC?
I believe adprep would be your last step. It modifies your Active Directory schema. Basically, Active Directory is like a database and this will add new tables to the database to allow it to store additional information to support new features.
ASKER
Just to be sure this will not affect our users. If I was to do this now, users are not going to have an issue, and nothing could go wrong by doing this?
It is safe to do. I would recommend having a full backup of your Active Directory beforehand as there is always a possibility for problems, but in general it is a very safe procedure. Here's a TechNet article that goes over the process:
http://technet.microsoft.com/en-us/library/cc753437(WS.10).aspx
ASKER
Do I need to do the following:
Note
If you plan to add a read-only domain controller (RODC) to the forest, you can run adprep /rodcprep right after you run adprep /forestprep and then verify that both operations have replicated throughout the forest. Both commands require Enterprise Admin credentials; therefore, you might prefer to run them consecutively.
Not at the moment. If you decide later to add a Read Only Domain Controller, you can do that later.
ASKER
I was reading around and in an article it states:
When done, you'll be prompted. Make sure you let the existing Domain Controllers replicate all the changes throughout the entire forest BEFORE proceeding to the next step.
Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD media of Windows Server 2008 into the DVD drive.
Do I need to do this to DNS2, or can I run the AD Domain Services wizard?
ASKER
I forgot to put what it stated to run adprep /domainprep.
It would be a good idea to go force replication.
ASKER
If it states "Active Directory Domain Services has replicated the connections."
Did this force the replication, and should I now run the wizard on the 08 server?
Yes, you should be good to do the DCPROMO now.
ASKER
I ran it and now it is telling me to do adprep /domainprep.
Do I have to run this on DNS1 or DNS2 or both?
DNS1
SOLUTION
ASKER
Do I need to run adprep /domainprep /gpprep?
That is an optional step. If you do not need to take advantage of the 2008 Group Policy extensions you do not need to do that step at this time.
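The adprep steps discussed in the posts above (forestprep on the schema master, replication, domainprep on the infrastructure master, rodcprep only if an RODC is planned) as one scripted sequence. This is an added example and not from the thread or from Microsoft; it assumes the Server 2008 media is mounted as D:, that the forest is domain.org, and that DNS1 holds both the schema master and infrastructure master roles. All of these are hypothetical. Every command also works typed into cmd.exe on a Server 2003 DC that has no PowerShell installed.

```powershell
# Added example (not from the thread). Prepares a Server 2003 forest and domain for the first
# Server 2008 DC, verifying each step before the next one.
# Assumptions (hypothetical): 2008 media on D:, forest domain.org, DNS1 = schema master and
# infrastructure master. Run on DNS1 as a member of Enterprise Admins, Schema Admins and
# Domain Admins.
$adprep   = "D:\sources\adprep\adprep.exe"
$schemaNC = "CN=Schema,CN=Configuration,DC=domain,DC=org"

# 0. Record the FSMO holders: forestprep must run on the schema master and
#    domainprep on the infrastructure master of each domain
netdom query fsmo

# 1. System state backup first; this is the rollback path if the schema update misbehaves
ntbackup backup systemstate /j "pre-adprep" /f "E:\Backups\DNS1-systemstate.bkf"

# 2. Extend the schema, then read back the schema version
#    (30 = Server 2003, 31 = 2003 R2, 44 = Server 2008)
& $adprep /forestprep
if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed (exit code $LASTEXITCODE)" }
dsquery * $schemaNC -scope base -attr objectVersion

# 3. Push the change to every DC and confirm the summary shows no replication failures
#    before continuing (the "replicate throughout the forest BEFORE proceeding" step)
repadmin /syncall /AdeP
repadmin /replsummary

# 4. Domain preparation; /gpprep is optional and only needed for the 2008 Group Policy features
& $adprep /domainprep /gpprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed (exit code $LASTEXITCODE)" }
repadmin /syncall /AdeP
repadmin /replsummary

# 5. Only if a read-only domain controller is planned; otherwise leave it out
#    (dcdiag's NCSecDesc test will report the missing RODC permissions, which is expected)
# & $adprep /rodcprep
```

Checking `objectVersion` after forestprep is the quick way to confirm the schema actually changed on the DC you ran it on; `repadmin /replsummary` then confirms the change reached the other DC before dcpromo is run on the 2008 VM.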
ASKER
Under Additional Domain Controller Options:
Do I select DNS Server and Global catalog?
Yes.
ASKER
Is this Correct:
Configure this server as an additional Active Directory domain controller for the domain
domain.org.
Site: Default-First-Site-Name
Additional Options:
Read-only domain controller: No
Global catalog: Yes
DNS Server: Yes
Update DNS Delegation: No
Source domain controller: any writable domain controller
Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL
The DNS Server service will be installed on this computer.
The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server
Yes.
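The wizard summary confirmed above can be expressed as a dcpromo answer file, which is useful for repeating the promotion on a rebuilt VM or documenting exactly what was chosen. This is an added example, not from the thread; domain.org, the admin account and the DSRM password are placeholders, and it assumes the AD Domain Services role binaries are already installed on the 2008 VM (Add Roles, as in the earlier reply).

```powershell
# Added example (not from the thread). Writes an unattend file matching the wizard summary
# (replica DC, Default-First-Site-Name, GC + DNS, no DNS delegation, default NTDS/SYSVOL paths)
# and runs dcpromo with it. Placeholders: domain.org, ADMIN_ACCOUNT_PLACEHOLDER,
# DSRM_PASSWORD_PLACEHOLDER.
$answerFile = Join-Path $env:TEMP "dcpromo-replica.txt"

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=domain.org
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=domain.org
UserName=ADMIN_ACCOUNT_PLACEHOLDER
Password=*
SafeModeAdminPassword=DSRM_PASSWORD_PLACEHOLDER
RebootOnCompletion=No
"@

# Password=* makes dcpromo prompt for the domain credential rather than storing it in the file
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
dcpromo "/unattend:$answerFile"

# The file contains the DSRM password: delete it as soon as dcpromo returns.
# RebootOnCompletion=No so the file can be removed and the log reviewed before the reboot.
Remove-Item $answerFile -Force
Write-Host "Review $env:SystemRoot\debug\dcpromo.log, then reboot the server to finish."
```

"Source domain controller: any writable domain controller" in the summary corresponds to leaving the source DC unspecified in the file; no ReplicationSourceDC entry is needed.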
ASKER
Everything looks good.
Is there anything else I should do?
Is there a way I can test it?
Check event logs.
Install Windows Support Tools, and run dcdiag and replmon.
Check replication every 24 hours for issues.
ASKER
I ran dcdiag this morning and all tests passed except this portion:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=Domain,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=Domain,DC=org
......................... SERVER3 failed test NCSecDesc
Found out this is an expected issue when a 2008 DC is promoted in a Windows Server 2003 domain without preparing for RODC. If you do not plan to add an RODC to the forest it is safe to ignore it; otherwise run adprep /rodcprep.
I also ran repadmin and everything was successful.
Checked event viewer and everything is good as well.
Glad it's all working for you, keep an eye on the event logs.
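The post-promotion checks recommended earlier (dcdiag, replication, event logs) and the expected NCSecDesc result from the dcdiag output above, combined into one health check that can be re-run daily. This is an added example, not from the thread; the DC name SERVER3 is taken from the dcdiag output and everything else (PowerShell 2.0 on the 2008 VM, Support Tools present) is an assumption.

```powershell
# Added example (not from the thread). Post-promotion health check for the new 2008 DC.
# Assumptions: run on the 2008 VM with PowerShell 2.0; dcdiag/repadmin/netdom available.
# $dcName comes from the dcdiag output above; $rodcPlanned is a hypothetical switch.
$dcName      = "SERVER3"
$rodcPlanned = $false

# 1. dcdiag: collect the names of failed tests from lines like
#    "......................... SERVER3 failed test NCSecDesc"
$dcdiagOutput = dcdiag /s:$dcName
$failedTests  = $dcdiagOutput |
    Select-String -Pattern "failed test (\w+)" |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

foreach ($test in $failedTests) {
    if ($test -eq "NCSecDesc" -and -not $rodcPlanned) {
        # Expected when a 2008 DC joins a 2003 domain without adprep /rodcprep
        Write-Host "NCSecDesc failed: expected without adprep /rodcprep; ignore unless an RODC is planned."
    } else {
        Write-Warning "dcdiag test '$test' failed on $dcName; resolve before retiring the physical DC."
    }
}
if (-not $failedTests) { Write-Host "dcdiag: all tests passed on $dcName." }

# 2. Replication: per-DC summary of inbound/outbound failures, then this DC's partners
repadmin /replsummary
repadmin /showrepl $dcName

# 3. Event logs from the last 24 hours: Directory Service and DNS Server errors/warnings
$since = (Get-Date).AddDays(-1)
Get-EventLog -LogName "Directory Service" -EntryType Error, Warning -After $since -ComputerName $dcName |
    Select-Object TimeGenerated, Source, EventID, Message | Format-Table -AutoSize -Wrap
Get-EventLog -LogName "DNS Server" -EntryType Error, Warning -After $since -ComputerName $dcName |
    Select-Object TimeGenerated, Source, EventID, Message | Format-Table -AutoSize -Wrap

# 4. Current FSMO role holders: all should still be on the physical DC until the roles are moved
netdom query fsmo
```

Treating NCSecDesc as informational only when no RODC is planned keeps the check honest: any other failing test, or a new failure appearing on a later run, is still surfaced as a warning.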
ASKER
Now that I have the VM up and working, I am on step 7: transfer all the AD roles from the physical server.
How would I do this?
SOLUTION
Personally, I wouldn't rush it, and I would leave it for five days.
And to be fair, I think the question has gone way off topic from the original one asked. I think you should close this question and start another linked to this one.
ASKER
Thank you everyone for helping out.