Solved

Domain Controller Replacement. Need some real advice.

Posted on 2008-09-30
Last Modified: 2012-05-05
All,

I come to the experts again for guidance. I would like to replace our current Domain controller. We are running at 2K3 Functional Level. We have about 40-ish users on at any given time. We now have 3 domain controllers. The third was today's addition. I am savvy enough to add a domain controller, however, I am not experienced enough nor am I confident in my predecessor's builds that the domain won't take a hit in some way. Sooooo ...

This is what I would like to do ...

1.) Use DCPROMO on the #2 DC and remove it and its metadata from the domain. Rebuild it and rejoin it to the domain as the #2 once again. <=== I think I can do this, However guidance is appreciated. :)

2.) I want to seize the FSMO roles on the #1 DC and move them to the newly built and added #3. Then I would like to remove it completely from the domain. This is where my problem begins. I would like to know where/what to keep my eyes on when doing this because, as mentioned, I am not confident in my experience or my predecessor's builds that the domain won't take a hit somehow. Thoughts, Ideas ... help ... PLEASE?! :)

3.) Rebuild the #1 box and seize the FSMO roles back to it from the #3 box.

4.) Finally .... Retire the #3 box to its role as my 'TestServer'. <== I got this part I think.

... The reason for this is that I do not trust the builds in place now. Reasons like the %systemroot% on the #2 is on the 'E' drive ... yes ... the 'E' drive. Also, on the #1 box I have been getting gpt.ini errors. Chasing down issues that were here before me is not something I want to do if I can help it ... easy fix or not. If I built the box and loaded the OS ... then at least ... I know I did it and won't be that afraid of poking around when problems do arise.

In any case, any help is appreciated.

Naerwen
Question by:Naerwen
9 Comments
 
LVL 18

Expert Comment

by:flyingsky
ID: 22607728
Your plan should work. Just make sure you have GCs and transfer the 5 FSMO roles, and make sure you have DNS available. And WINS Server.
 
LVL 70

Accepted Solution

by:
KCTS earned 2000 total points
ID: 22607737
The correct procedure for removing a DC is as follows
Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the R2 version and the existing set-up is not then you need to run Adprep from CD2 of the R2 disks on the existing Domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2
you need to run

adprep /forestprep
and
adprep /domainprep

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select Additional Domain Controller in an existing Domain

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See http://www.petri.co.il/transferring_fsmo_roles.htm

Check that you have:-
Made the other DC a global catalog:
Installed DHCP on the new DC, set up the scope and authorise it. (If using DHCP)
Make sure that all clients use the new DC as their Preferred DNS server (either by static or DHCP options)

Power down the old DC and make sure that all is well. Once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors

If you want to remove the machine from the domain then you can do so once its DC role has been removed


NOTE the FSMO roles should NOT be seized - a transfer is the clean and preferred method - seizing roles is a last resort.

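A pre-decommission check that follows the "Check that you have" list in the accepted answer (roles transferred, another GC available) before the old DC is DCPROMOed out. This is an added example, not code from the thread or from Microsoft; it parses constructed sample output of `netdom query fsmo` and `dsquery server -isgc` (hostnames are placeholders) and reports what would still block retiring a given DC.

```python
import re

# Constructed sample of `netdom query fsmo` output (hostnames are placeholders).
NETDOM_FSMO = """\
Schema master               DC1.corp.example
Domain naming master        DC1.corp.example
PDC                         DC3.corp.example
RID pool manager            DC1.corp.example
Infrastructure master       DC3.corp.example
The command completed successfully.
"""

# Constructed sample of `dsquery server -isgc` output: one quoted DN per GC.
DSQUERY_GC = """\
"CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
"CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
"""

FSMO_ROLES = ("Schema master", "Domain naming master", "PDC",
              "RID pool manager", "Infrastructure master")


def parse_fsmo(text):
    """Map each of the five FSMO role names to the FQDN that currently holds it."""
    holders = {}
    for line in text.splitlines():
        for role in FSMO_ROLES:
            if line.startswith(role):
                holders[role] = line[len(role):].strip().lower()
    return holders


def parse_gcs(text):
    """Return the short hostnames of every global catalog server dsquery listed."""
    return {m.group(1).lower() for m in re.finditer(r'"CN=([^,]+),CN=Servers', text)}


def decommission_blockers(old_dc, fsmo_text, gc_text):
    """Reasons the named DC is not yet safe to DCPROMO out of the domain."""
    short = old_dc.split(".")[0].lower()
    blockers = []
    for role, holder in parse_fsmo(fsmo_text).items():
        if holder.split(".")[0] == short:
            # Transfer (not seize) the role to the replacement DC first.
            blockers.append(f"{role} still held by {old_dc}; transfer it first")
    if not (parse_gcs(gc_text) - {short}):
        blockers.append("no other global catalog server; enable GC on another DC first")
    return blockers
```

Run it with the real command output captured to files before and after the role transfer; an empty list means the thread's checklist is satisfied for that DC.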
 
LVL 1

Author Comment

by:Naerwen
ID: 22607815
KCTS,
I was afraid that I may have missed something. In your response you refer to running ADPREP. I have not done this and the scenario is that the newly built and already added DC is an R2 installation and the existing DC (GC, FSMO) is not.
Also, I believe that DNS is not AD integrated (not sure how to confirm). I have looked on the existing DC and found that it appears to have been added in the add/remove components. In any case, will installing DNS on the new box interfere with the DNS installation on the existing?
Please advise.
Naerwen
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 2000 total points
ID: 22608058
Open the DNS console and go to the zone properties - it will tell you if AD is integrated or not - Is there any reason it should not be? It's the sensible option for most scenarios.

If the existing DC is the same or a later version of windows you do not need adprep - only when the version of windows being added is a newer version.
 
LVL 1

Author Comment

by:Naerwen
ID: 22608149
KCTS,
I have just confirmed that we are, in fact, on AD-Integrated DNS. <== TYVM! for that one!
Also, regarding the ADPREP question. I am in the scenario that my replacement is R2 and my existing is not. The issue is that I have already added the replacement and executed DCPROMO to bring it on as a DC. Should I DCPROMO the replacement back to member and run the ADPREP utility prior to moving forward?
Naerwen
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 2000 total points
ID: 22608177
If the original DC was not R2 and the new one was then DCPROMO would not have executed - it would have produced errors when the new machine was DCPROMOed
 
LVL 1

Author Comment

by:Naerwen
ID: 22608219
KCTS,
Thank you for the information. I am proceeding as we chat. If I have further issues, I will post to this question.
Naerwen
 
LVL 1

Author Comment

by:Naerwen
ID: 22633052
KCTS,
I was not sure of how the whole thing would react. So, I threw together a development environment (3 old systems with 2k3 and updates loaded) and tested it there first. Everything went as expected and all is well now.
Thank you for your expertise with this move. It has been truly helpful.
Thank you,
Naerwen
 
LVL 1

Author Closing Comment

by:Naerwen
ID: 31501642
I would like to add that KCTS' direction was integral in me being able to replace our DCs. In addition, Experts Exchange has just paid for itself for the year 10x ... at least. This change would have cost this small business well over 1k to have an outside source execute the replacement.
