Solved

Retiring/replacing a Domain Controller

Posted on 2008-09-30
289 Views
Last Modified: 2012-05-05
I have an older Windows 2003 box that serves as my Domain Controller - Active Directory, Group Policy, DNS and I believe DHCP as well. What steps do I need to do to replace that Domain Controller with another brand new 2003 server box, giving it the same IP address and name as the old box? I know I will need to transfer everything including the roles to the new box, but what should the steps look like?

Thanks for the help!
Question by:agentkolb
LVL 24

Expert Comment

by:DMTechGrooup
ID: 22611125
Why does it have to be the same name? You can make it DC2 and then with DNS later point DC to DC2..

Set up the new server.. join it to the domain as a member server.. install DNS, DHCP, WINS and don't configure them yet. On the current DHCP server set the TTL to 1 day.. Once it is all up to date on all updates DCPROMO it and make it a domain controller and make sure the Active Directory DNS is configured (which DCPROMO should do).. once it is a domain controller make it a global catalog server as well.. let things settle for a day, then you can configure the DHCP and then at the end of the day authorize it to do DHCP and deauthorize the old one. Let that settle.. a day or two later change the master roles from the old server to the new one.. let that settle and within a day or two you can DCPROMO the old server and then finally decommission it.

0
 
LVL 70

Accepted Solution

by:KCTS (earned 500 total points)
ID: 22611337
It is NOT necessary to have the same name and IP - but you can if you want.

The process is as follows

Install Windows 2003 on the new machine. For the moment it MUST have a different name.

Assign the new computer an IP address and subnet mask on the existing network. For the moment the IP address must be different.

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the R2 version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing Domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.
You need to run

adprep /forestprep
and
adprep /domainprep

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select "Additional Domain Controller in an existing Domain".

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See http://www.petri.co.il/transferring_fsmo_roles.htm

Check that you have:-
Made the other DC a global catalog.
Installed DHCP on the new DC, set up the scope and authorised it (if using DHCP).
Made sure that all clients use the new DC as their Preferred DNS server (either by static settings or DHCP options).

Power down the old DC and make sure that all is well; once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors.

If you want to remove the machine from the domain then you can do so once its DC role has been removed.

Once the old DC is gone you can change the IP of the new machine to that of the old one and you can rename the domain controller - see http://www.petri.co.il/windows_2003_domain_controller_rename.htm

0
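The accepted answer lists the conditions that must hold before the old DC is demoted: all five FSMO roles moved, the new DC acting as a global catalog, and the new DC (and clients) no longer pointing at the old server for DNS. The script below is an added example, not code from the thread or from Microsoft; it checks those three conditions from the new DC using only the .NET System.DirectoryServices classes that exist on Windows Server 2003 (PowerShell 2.0 or later is assumed, and the AD PowerShell module is not required). The server name OLDDC is a placeholder for the DC being retired, and the script assumes the new DC's DNS suffix equals the domain's DNS name, which is the normal case.

```powershell
# Added example (not from the thread): pre-decommission checks for the OLD DC.
# Run on the NEW domain controller in an elevated PowerShell (2.0+) session,
# before running DCPROMO on the old server.
# "OLDDC" is a placeholder: pass the real name of the DC being retired.
param(
    [string]$OldDc = "OLDDC"
)

$problems = 0
function Report([bool]$Ok, [string]$Text) {
    if ($Ok) { Write-Host "  OK    $Text" }
    else     { Write-Host "  WARN  $Text"; $script:problems++ }
}

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$thisDc  = "$env:COMPUTERNAME.$($domain.Name)"   # assumes DNS suffix == domain name
$oldFqdn = "$OldDc.$($domain.Name)"

Write-Host "Domain: $($domain.Name)   This DC: $thisDc   Retiring: $oldFqdn"

# 1. FSMO roles: none of the five may still sit on the old DC. The thread moves
#    them to the new DC; any holder other than the old DC passes this check.
Write-Host "`nFSMO role holders"
$roles = @{
    "Schema master"         = $forest.SchemaRoleOwner.Name
    "Domain naming master"  = $forest.NamingRoleOwner.Name
    "PDC emulator"          = $domain.PdcRoleOwner.Name
    "RID master"            = $domain.RidRoleOwner.Name
    "Infrastructure master" = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    Report ($holder -ine $oldFqdn) ("{0,-22} {1}" -f $role, $holder)
}

# 2. Global catalog: the new DC must be a GC before the old one disappears,
#    because universal group membership is resolved at logon via a GC.
Write-Host "`nGlobal catalog"
$gcs = @($domain.DomainControllers |
         Where-Object { $_.IsGlobalCatalog() } |
         ForEach-Object { $_.Name })
Report ($gcs -contains $thisDc) ("this DC is a GC; GCs: " + ($gcs -join ", "))
$remaining = @($gcs | Where-Object { $_ -ine $oldFqdn })
Report ($remaining.Count -ge 1) "at least one GC remains once the old DC is gone"

# 3. DNS client settings on this DC: per the accepted answer, the new DC must
#    not use the server that is about to be retired as a DNS server.
Write-Host "`nDNS client settings on this DC"
$oldAddrs = @()
try {
    $oldAddrs = @([System.Net.Dns]::GetHostAddresses($oldFqdn) |
                  ForEach-Object { $_.IPAddressToString })
} catch { Write-Host "  (could not resolve $oldFqdn; address check skipped)" }
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    $usesOld = @($servers | Where-Object { $oldAddrs -contains $_ }).Count -gt 0
    Report (-not $usesOld) ("{0}: DNS servers = {1}" -f $nic.Description, ($servers -join ", "))
}

Write-Host "`n$problems item(s) need attention before running DCPROMO on $OldDc"
exit $problems
```

Save it as a .ps1 and run it as `.\Check-OldDc.ps1 -OldDc <name of the old server>`; a non-zero exit code means at least one WARN line was printed. The role-holder check deliberately accepts any holder other than the old DC, since in a multi-DC domain the roles need not all land on this particular server.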
 

Author Comment

by:agentkolb
ID: 22617895
If I am not using AD-Integrated DNS, should DNS replicate over?
0
 

Author Comment

by:agentkolb
ID: 22619303
Or maybe I should be asking if there is a way to actually replicate my DNS settings over. I am totally new to DNS configuration as well...
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22619422
Is there any reason that you are not using AD integrated DNS - it's the most sensible option in all but a very few "specialist" cases.

Check by right clicking on the zone and selecting properties (you can also make it AD integrated here if needs be)
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22619442
>> If I am not using AD-Integrated DNS, should DNS replicate over <<
No it will not - you will need to set up a secondary DNS server, do a zone transfer from the primary DNS server and then make the secondary the primary - a lot of faffing about - use AD Integrated DNS.
0
 

Author Comment

by:agentkolb
ID: 22619453
Are you talking about the Load Zone Data on Startup dropdown? If so, Active Directory & Registry are chosen. I see no other area where AD is mentioned. However, the DNS was showing as not configured until I went in and told it to copy as a secondary zone and it copied everything... Is that what I wanted to do?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22619510
DO NOT CREATE A SECONDARY ZONE. SECONDARY ZONES ARE READ ONLY COPIES.

Go to the current (old) DNS server, open the DNS console. Right click on the Zone and select Properties and make sure it says AD Integrated - that is the default - and it's the default for a very good reason: it's the most efficient, most secure and simplest to manage.
0
 

Author Comment

by:agentkolb
ID: 22619537
I just saw what you were talking about and it IS NOT checkmarked. This is how the domain was set up before I got here. If I check that box what will happen? I am just afraid of everything going down on me...
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22619555
Is there any good reason why it is not ticked - for example are you using UNIX BIND DNS servers? If not make it AD Integrated.
0
 

Author Comment

by:agentkolb
ID: 22619572
To my knowledge I have no Unix boxes here... I have Linux based servers but none of which are handling DNS to my knowledge. So if I tick that box, what happens next? Sorry for being so "worried"
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22619577
See http://support.microsoft.com/kb/198437
It makes more sense to have all DNS servers AD integrated as effectively all DNS servers are writeable primary DNS servers and it's all so much more efficient.
0
 

Author Comment

by:agentkolb
ID: 22619667
Ok I went ahead and did it. I also manually told it to replicate to the other servers, I am guessing it may take a little bit of time... I will keep you posted. Thanks again KCTS for putting up with me, I will make sure I keep you updated and award points, etc.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22620346
If AD is integrated, all you should need to do now if you install another DC is to point it at an existing DNS server to begin with, DCPROMO it, then add DNS - DNS will then replicate automatically along with AD.

All that then remains is to point the new DC/DNS server to itself as preferred DNS server (and possibly to another DNS server as the alternate DNS).
0
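The exchange above turns on one fact per zone: whether it is stored in Active Directory (and so replicates with AD to every new DC) or is a file-backed primary or, worse, a read-only secondary copy. The script below is an added example, not code from the thread; it asks every DC's DNS service for its zones through the MicrosoftDNS WMI provider that ships with the Windows DNS Server role and flags anything that is not AD-integrated. It assumes, as the thread does, that every DC also runs DNS (servers without the role are reported and skipped), and the zone type code table is my reading of the MicrosoftDNS_Zone class documentation; the pass/fail decision relies on the DsIntegrated property rather than on that table.

```powershell
# Added example (not from the thread): report which DNS zones on the domain's
# DCs are Active Directory-integrated. Run elevated from a DC, PowerShell 2.0+.
# Zone type codes below follow the MicrosoftDNS_Zone documentation (assumption).
$zoneTypes = @{ 0 = "DS-integrated"; 1 = "Primary"; 2 = "Secondary"; 3 = "Stub"; 4 = "Forwarder" }

function Test-DnsZonesAdIntegrated([string[]]$Servers) {
    $findings = @()
    foreach ($server in $Servers) {
        try {
            $zones = Get-WmiObject -ComputerName $server -Namespace "root\MicrosoftDNS" `
                         -Class MicrosoftDNS_Zone -ErrorAction Stop
        } catch {
            Write-Host "$server : DNS WMI provider not reachable (no DNS role, or RPC blocked)"
            continue
        }
        foreach ($z in $zones) {
            if ($z.Name -eq ".") { continue }        # cache / root-hints pseudo-zone
            $code = [int]$z.ZoneType
            $type = $zoneTypes[$code]
            if (-not $type) { $type = "Unknown($code)" }
            $isAd = [bool]$z.DsIntegrated            # the property that actually matters

            # What the thread tells the asker to do in each case.
            if ($isAd)           { $action = "none" }
            elseif ($code -eq 2) { $action = "do not keep a secondary; let AD replicate the zone" }
            else                 { $action = "convert: zone Properties > Type > Change > store in AD" }

            $findings += New-Object PSObject -Property @{
                Server       = $server
                Zone         = $z.Name
                Type         = $type
                AdIntegrated = $isAd
                Action       = $action
            }
        }
    }
    return $findings
}

# Every DC in the current domain; the thread's setup runs DNS on each DC.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs     = @($domain.DomainControllers | ForEach-Object { $_.Name })
$results = @(Test-DnsZonesAdIntegrated $dcs)

$results | Sort-Object Server, Zone |
    Format-Table Server, Zone, Type, AdIntegrated, Action -AutoSize

$notAd = @($results | Where-Object { -not $_.AdIntegrated })
Write-Host "$($notAd.Count) zone(s) are not AD-integrated across $($dcs.Count) DC(s)"
exit $notAd.Count
```

Run it before promoting the new DC and again after DNS has been installed on it: the second run should list the same zones on both servers, all marked AdIntegrated = True. A secondary zone on the new server (the situation the asker created) shows up as Type = Secondary with AdIntegrated = False, which is exactly the case the accepted answer says to avoid.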
 

Author Closing Comment

by:agentkolb
ID: 31501825
It was as easy as pie! Thanks again for helping me and putting up with my n00b ways.

It is much appreciated!
Thanks!
0