Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

What should I do before degrade this Windows 2000 domain controller?

Posted on 2007-11-27
2
Medium Priority
?
598 Views
Last Modified: 2011-10-03
Dear Sir or Madam:

I have a Window 2003 domain. On our domain there is only one 2003 domain controller, the other 7 are all  windows 2000 domain controllers. My company pass the budget to upgrade our domain. I am planning to upgrade our domain to Windows 2003 base. Before I do that, i need degrade my old DCs. My question is some of the DCs are DHCP servers and DNS servers. If I degrade them, what should i do before that. Do i need set up another DNS server and DHCP servers.

I have five branches and HQ. At very branch, i have a DHCP server (also DC, altogether 5 DCs). At HQ, i have One primary DNS server and Secondary DNS server. Do i need to degrade them?

Thank you for any help, the more detailed, the more appreciated.
0
Comment
Question by:Jason Yu
2 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 1600 total points
ID: 20362336
before you demote any DCs you need to find which one(s) are holding FSMO roles (http://www.petri.co.il/determining_fsmo_role_holders.htm) and transfer these roles to another DC (http://www.petri.co.il/transferring_fsmo_roles.htm).

It whould also be a good idea to make sure at least one DC on each of your sites hosts the global catalog - Go to Administrative Tools, Active Directory Sites and Services, Expand ,Sites, Default first site and Servers. Right click on the new server and select properties and tick the ‘Global Catalog’ checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

When you install the new DCs add DNS as Active Directory Integrated - best to have a DNS server on each site as well to avoid cross-site DNS lookups. Active Directory Integrated DNS is much more efficient and secure than an old fashioned primary/Secondary DNS server setup)

Make sure all the clients are configured with the address of one Windows DNS server as the preferred DNS server (the one on their own site), and the address of another Windows DNS server as the alternate DNS server for backup - this may be done be configuring the settings manually or as DHCP options.

Talking of DHCP, it may be a good idea to provided a DHCP server at each site as well

If you have not already done so then define you subnets and assign them to sites in AD sites and services, then windows will attempt to authenticate with the local DC - reducing cross site traffic and speeding up responses.

make sure that if you remove the old DCs you remove them gracefully by running DCPROMO to dematoe them.

0
 
LVL 12

Assisted Solution

by:Amit Bhatnagar
Amit Bhatnagar earned 400 total points
ID: 20470284
Please make sure to go through these documents before you proceed. They give you a very good insight on what to do and what NOT to do while performing such steps. Best of luck..:)

http://support.microsoft.com/kb/325379
http://support.microsoft.com/kb/555040
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question