dee30 asked:
Demoting my last 2000 DC box - what happens to my authenticated machines/Exchange during
I have one forest and one domain, 2000 function level. My first/main Domain box is 2003 R2 (holds all FSMO roles) and I have two replicating servers: one in a remote office over a manual IPSEC tunnel running on a 2003 R2 machine, and one within the same LAN as the first/main DC box. It is running on 2000 SP4 and also replicating. They are all GCs and all running DNS servers that are AD integrated and set to see their own DNS servers first. I noticed that more and more my machines are being authenticated by the 2000 box, which I understand is an okay thing due to the AD design/model. I even noticed my new Exchange is now being authenticated by that 2000 box. I know I can do some reg changes to set the first/main DC to be my authenticating server, but don't think I need to do that.
One question I have about that authentication behavior is, besides the first/main DC being busy during an authentication request, is it possible the location of the servers on the four uplinked switches I have relative to the machines making the logon authentication request makes a difference in which one it authenticates to?
My question though is I plan on demoting the 2000 DC box, so that I can change my function level to 2003. What happens to the machines being authenticated by that 2000 DC box when I do that and they are logged in, either working or not? What happens to my Exchange/email box/functionality that's authenticating to that 2000 box? I know this may be obvious, but I want to hear it from experts. My plan is to do this on a late Friday and ensure users reboot and my Exchange box is rebooted once done, but what happens if I were to do this during the work day, and is my plan not required/best practice?
Thanks,
Dee30
Provided all the other DCs are GCs and DNS servers, Exchange will be happy. You will still need to restart it or wait 30+ minutes for it to scan for a new DC after the 2000 Server is demoted, though.
-tigermatt
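A pre-demotion check for the conditions tigermatt lists (every remaining DC is a GC and answers DNS), as an added example that is not from the thread or from any expert's answer. It assumes the ActiveDirectory PowerShell module is available on the admin workstation, and uses placeholder names for the DC being demoted and the domain.

```powershell
# Added example: verify the DCs that will remain after demotion, then confirm
# which DC a given server (e.g. the Exchange box) is currently bound to.
# 'OLD2000DC' and 'corp.example' are placeholders, not names from the thread.
param(
    [string]$DcToDemote = 'OLD2000DC',
    [string]$Domain     = 'corp.example'
)

Import-Module ActiveDirectory

# Current functional levels, so you know what the demotion is meant to unlock.
Write-Host ("Domain mode: {0}  Forest mode: {1}" -f (Get-ADDomain).DomainMode, (Get-ADForest).ForestMode)

# Every DC except the one being demoted: is it a GC, does it hold FSMO roles,
# and does it answer on TCP/53 (a cheap proxy for "is running DNS")?
$remaining = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $DcToDemote }
$report = foreach ($dc in $remaining) {
    $dnsUp = Test-NetConnection -ComputerName $dc.HostName -Port 53 -InformationLevel Quiet
    [pscustomobject]@{
        DC        = $dc.HostName
        Site      = $dc.Site
        IsGC      = $dc.IsGlobalCatalog
        DnsPort53 = $dnsUp
        FSMO      = ($dc.OperationMasterRoles -join ',')
    }
}
$report | Format-Table -AutoSize

# Flag anything that would leave clients or Exchange without a GC/DNS after demotion.
$problems = $report | Where-Object { -not $_.IsGC -or -not $_.DnsPort53 }
if ($problems) {
    Write-Warning "Fix these DCs before demoting ${DcToDemote}:"
    $problems | Format-Table -AutoSize
}
# The demoted box must not still hold a role.
$victim = Get-ADDomainController -Identity $DcToDemote -ErrorAction SilentlyContinue
if ($victim -and $victim.OperationMasterRoles.Count -gt 0) {
    Write-Warning "$DcToDemote still holds: $($victim.OperationMasterRoles -join ',')"
}

# Which DC is this machine using right now, and force a fresh DC lookup after the
# demotion (run on the Exchange server to trigger rediscovery instead of waiting).
Write-Host "LOGONSERVER on this host: $env:LOGONSERVER"
nltest /dsgetdc:$Domain /force
```

Run the report section before the change and the `nltest /force` line on the Exchange server afterwards to confirm it has moved off the demoted DC.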
> You can assign subnets to specific DC's
I believe I already mentioned this. "Without using VLANs and having one server per network segment(s)".
In a single site it isn't really worth controlling what server is used for authentication, anyway.
-tigermatt
ASKER
tigermatt: majority points bc you took the time to answer each question at length and concisely.
exx1976: because of the island article, which gave me a better understanding as to the 'why' regarding self-pointing DNS.
mwvisa1: just b/c although the point was already expressed. although the different subnet thing is a bit obvious.
Thanks experts.