Solved

Domain Controller Replacement. Need some real advice.

Posted on 2008-09-30
240 Views
Last Modified: 2012-05-05
All,

I come to the experts again for guidance. I would like to replace our current Domain controller. We are running at 2K3 Functional Level. We have about 40-ish users on at any given time. We now have 3 domain controllers. The third was today's addition. I am savvy enough to add a domain controller; however, I am not experienced enough, nor am I confident in my predecessors' builds, that the domain won't take a hit in some way. Sooooo ...

This is what I would like to do ...

1.) Use DCPROMO on the #2 DC and remove it and its metadata from the domain. Rebuild it and rejoin it to the domain as the #2 once again. <=== I think I can do this, However guidance is appreciated. :)

2.) I want to seize the FSMO roles on the #1 DC and move them to the newly built and added #3. Then I would like to remove it completely from the domain. This is where my problem begins. I would like to know where/what to keep my eyes on when doing this because, as mentioned, I am not confident in my experience or my predecessors' builds that the domain won't take a hit somehow. Thoughts, Ideas ... help ... PLEASE?! :)

3.) Rebuild the #1 box and seize the FSMO roles back to it from the #3 box.

4.) Finally .... Retire the #3 box to its role as my 'TestServer'. <== I got this part I think.

... The reason for this is that I do not trust the builds in place now. Reasons like the %systemroot% on the #2 is on the 'E' drive ... yes ... the 'E' drive. Also, on the #1 box I have been getting gpt.ini errors. Chasing down issues that were here before me is not something I want to do if I can help it ... easy fix or not. If I built the box and loaded the OS ... then at least ... I know I did it and won't be that afraid of poking around when problems do arise.

In any case, any help is appreciated.

Naerwen
Question by: Naerwen

9 Comments
Expert Comment by flyingsky (LVL 18), ID: 22607728

Your plan should work. Just make sure you have GCs and transfer the 5 FSMO roles, and make sure you have DNS available. And a WINS Server.
Accepted Solution by KCTS (LVL 70, earned 500 total points), ID: 22607737

The correct procedure for removing a DC is as follows:

Install Windows 2003 on the new machine.
Assign the new computer an IP address and subnet mask on the existing network.

Make sure that the preferred DNS server on the new machine points to the existing DNS Server on the Domain (normally the existing domain controller).

Join the new machine to the existing domain as a member server.

If the new Windows 2003 server is the R2 version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing Domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2. You need to run

adprep /forestprep
and
adprep /domainprep

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select "Additional Domain Controller in an existing Domain".

Once Active Directory is installed, then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server: go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right click on the new server, select Properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog and DNS, and the domain could function, for a while at least, should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See http://www.petri.co.il/transferring_fsmo_roles.htm

Check that you have:-
Made the other DC a global catalog.
Installed DHCP on the new DC, set up the scope and authorised it (if using DHCP).
Made sure that all clients use the new DC as their Preferred DNS server (either by static settings or DHCP options).

Power down the old DC and make sure that all is well; once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors.

If you want to remove the machine from the domain then you can do so once its DC role has been removed.

NOTE: the FSMO roles should NOT be seized - a transfer is the clean and preferred method - seizing roles is a last resort.
Author Comment by Naerwen (LVL 1), ID: 22607815

KCTS,
I was afraid that I may have missed something. In your response you refer to running ADPREP. I have not done this, and the scenario is that the newly built and already added DC is an R2 installation and the existing DC (GC, FSMO) is not.
Also, I believe that DNS is not AD integrated (not sure how to confirm). I have looked on the existing DC and found that it appears to have been added in the add/remove components. In any case, will installing DNS on the new box interfere with the DNS installation on the existing?
Please advise.
Naerwen
Assisted Solution by KCTS (LVL 70, earned 500 total points), ID: 22608058

Open the DNS console and go to the zone properties - it will tell you if AD is integrated or not - Is there any reason it should not be? It's the sensible option for most scenarios.

If the existing DC is the same or a later version of Windows you do not need adprep - only when the version of Windows being added is a newer version.
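The checks that KCTS's procedure above relies on before the old DC is demoted (the five FSMO roles transferred off it, another global catalog present, replication healthy, DNS zones AD-integrated as the DNS console shows, and the surviving DCs no longer pointing their preferred DNS at the old box) can be verified from a script rather than by eye. This is an added example, not code from the thread or from any of its participants; it assumes Windows PowerShell and .NET 2.0 on a surviving DC (both are optional add-ons on Windows Server 2003), a domain admin account, and the DNS server role on the first surviving DC. OLD-DC1 in the usage line is a hypothetical name.

```powershell
# Added example (not from the thread): read-only readiness checks before
# running DCPROMO on the DC you intend to retire. Assumes Windows PowerShell
# and .NET 2.0 on the DC you run it from (optional add-ons on Windows Server
# 2003) and a domain admin account. Usage (OLD-DC1 is a hypothetical name):
#   .\Test-DcRetirement.ps1 -RetiringDc OLD-DC1
param([string]$RetiringDc = $(throw "Supply -RetiringDc <hostname of the DC to demote>"))

$short = $RetiringDc.Split(".")[0]
function IsRetiring([string]$fqdn) { return ($fqdn.Split(".")[0] -eq $short) }

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$problems = @()

# 0. Schema objectVersion shows whether adprep has run: 30 = 2003, 31 = 2003 R2.
$rootDse = [ADSI]"LDAP://RootDSE"
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
"Schema objectVersion: $($schema.objectVersion)"

# 1. FSMO roles: all five must have been transferred (not seized) off the retiring DC.
$roles = @{
    "Schema Master"         = $forest.SchemaRoleOwner.Name
    "Domain Naming Master"  = $forest.NamingRoleOwner.Name
    "PDC Emulator"          = $domain.PdcRoleOwner.Name
    "RID Master"            = $domain.RidRoleOwner.Name
    "Infrastructure Master" = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $roles.Keys) {
    "{0,-22} {1}" -f $role, $roles[$role]
    if (IsRetiring $roles[$role]) {
        $problems += "$role is still held by $RetiringDc - transfer it, do not seize"
    }
}

# 2. Another global catalog must exist (the Sites and Services step); logons need one.
$otherGcs = @($forest.GlobalCatalogs | Where-Object { -not (IsRetiring $_.Name) })
if ($otherGcs.Count -eq 0) {
    $problems += "No global catalog other than $RetiringDc - tick Global Catalog on the new DC"
} else {
    "Other global catalogs: " + [string]::Join(", ", @($otherGcs | ForEach-Object { $_.Name }))
}

# 3. Replication into every surviving DC must be healthy (LastSyncResult 0 = success).
$survivors = @($domain.DomainControllers | Where-Object { -not (IsRetiring $_.Name) })
if ($survivors.Count -eq 0) { $problems += "$RetiringDc is the only DC in the domain" }
foreach ($dc in $survivors) {
    foreach ($n in $dc.GetAllReplicationNeighbors()) {
        if ($n.LastSyncResult -ne 0) {
            $problems += ("Replication into {0} from {1} ({2}) failed with {3}" -f $dc.Name, $n.SourceServer, $n.PartitionName, $n.LastSyncResult)
        }
    }
}

# 4. DNS: zones on a surviving DC should be AD-integrated (DsIntegrated), so the
#    retiring DC's copy is not the only one. Same answer the DNS console's zone
#    properties give. Needs the DNS server role on that DC (MicrosoftDNS WMI provider).
if ($survivors.Count -gt 0) {
    $zones = Get-WmiObject -ComputerName $survivors[0].Name -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone -ErrorAction SilentlyContinue
    if (-not $zones) { $problems += "DNS server role not found on $($survivors[0].Name)" }
    foreach ($z in $zones) {
        "{0,-40} DsIntegrated={1}" -f $z.Name, $z.DsIntegrated
        if (-not $z.DsIntegrated) { $problems += "Zone $($z.Name) on $($survivors[0].Name) is not AD-integrated" }
    }
}

# 5. Surviving DCs must not still use the retiring DC as their preferred DNS server.
$retiringIps = @([System.Net.Dns]::GetHostAddresses($RetiringDc) | ForEach-Object { $_.IPAddressToString })
foreach ($dc in $survivors) {
    $nics = Get-WmiObject -ComputerName $dc.Name -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        if ($nic.DNSServerSearchOrder -and ($retiringIps -contains $nic.DNSServerSearchOrder[0])) {
            $problems += "$($dc.Name) still has $RetiringDc as its preferred DNS server"
        }
    }
}

if ($problems.Count -eq 0) { "READY: $RetiringDc holds no roles and can be demoted with DCPROMO" }
else { "NOT READY:"; $problems | ForEach-Object { " - $_" } }
```

Every check is read-only, so it can be run repeatedly while working through the procedure; the "NOT READY" list maps one-to-one onto the steps in the accepted solution that still need doing. Client workstations are not covered, since the script cannot see their DNS settings; those are handled by the DHCP scope options or static settings the solution describes.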
Author Comment by Naerwen (LVL 1), ID: 22608149

KCTS,
I have just confirmed that we are, in fact, on AD-Integrated DNS. <== TYVM! for that one!
Also, regarding the ADPREP question. I am in the scenario that my replacement is R2 and my existing is not. The issue is that I have already added the replacement and executed DCPROMO to bring it on as a DC. Should I DCPROMO the replacement back to member and run the ADPREP utility prior to moving forward?
Naerwen
Assisted Solution by KCTS (LVL 70, earned 500 total points), ID: 22608177

If the original DC was not R2 and the new one was, then DCPROMO would not have executed - it would have produced errors when the new machine was DCPROMOed.
Author Comment by Naerwen (LVL 1), ID: 22608219

KCTS,
Thank you for the information. I am proceeding as we chat. If I have further issues, I will post to this question.
Naerwen
Author Comment by Naerwen (LVL 1), ID: 22633052

KCTS,
I was not sure of how the whole thing would react. So, I threw together a development environment (3 old systems with 2k3 and updates loaded) and tested it there first. Everything went as expected and all is well now.
Thank you for your expertise with this move. It has been truly helpful.
Thank you,
Naerwen
Author Closing Comment by Naerwen (LVL 1), ID: 31501642

I would like to add that KCTS' direction was integral in me being able to replace our DCs. In addition, Experts Exchange has just paid for itself for the year 10x ... at least. This change would have cost this small business well over 1k to have an outside source execute the replacement.