Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 197
  • Last Modified:

windows 2003 DC change

Folks I currently have a windows 2003 DC and an additonal 2003 domain controller.

My DC has been heavily infected with virus,AD accounts keep getting locked, I cant even do regedit .

I have a new server on which i want to install 2003 & make that the DC.

Because my additional DC hardware is old I dont want to move FSMO roles to that server thus i want the additional dc to run as it is now.

Pls advise how I can :
1)move the roles to the new server hardware
2)Get rid of the current infected dc from the network
3)keep the existing additonal dc as it is
4)keep the GPO's as i have citrix users authenticating to dc

Thanks
0
Musafeer79
Asked:
Musafeer79
  • 2
  • 2
1 Solution
 
Andres PeralesCommented:
Load up new server, as DC move all the roles to new DC.

Then, reload the old DC and use that as your Second DC.
0
 
Mike KlineCommented:
sounds like you got hit with conficker, I'm assuming you already tried to clean the infected DC
One thing you didn't cover is how you have DNS setup right now.  Are you using Active Directory Integrated DNS or another solution?  
The answer won't be complete until we find out how DNS is now setup but we can get you started,
On the new server install 2003 and have it point to a valid DNS server.  Now you have it as part of the domain
You will run dcpromo on that server to promote it and make it an additional DC in the domain.  Step 4 in the link below
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm
 
Depending on how DNS is setup there may be a step here
Make the new DC a global catalog server
http://www.petri.co.il/configure_a_new_global_catalog.htm
So now you have AD on the new server and you will have 3 DCs for the time being
You can transfrer the FSMO roles to the new server  http://www.petri.co.il/transferring_fsmo_roles.htm
So now you have the new DC as a GC and it holds all the FSMO roles
As far as the old box if you can try to run dcpromo to demote it.   If you can't then you will have to wipe it and run metadata cleanup to get rid of it in AD http://support.microsoft.com/kb/216498
The existing DC is fine and GPOs won't be affected by adding a new DC
Let us know about DNS and I'll add on to this answer.
Thanks
Mike
 
 
 
0
 
Musafeer79Author Commented:
thanks mike,we have intergrated dns.This conficker virus is a headache.have u been able to get it off any DC.
0
 
Mike KlineCommented:
Luckily we haven't been hit with conficker....hopefully we won't.
So AD integrated DNS is good here.  On your new DC you just install DNS and after the DC promo sit back and wait and the DNS info will replicate to the new DC.
Also make sure your clients (all static IPs, DHCP,and applications) that point to the old server for DNS are changed to point to the new DNS server
On another note for anyone else that may find this thread in the future.  There are often questions on here for why it is critical to have at least two domain controllers (at a minimum)....this is a classic case.   If you would have had only 1 DC you would have been in  a much worse position right now.
Thanks
Mike
0
 
Musafeer79Author Commented:

I'm confused with the below part:

1.      Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

Which server name should i put here.The OLD DC or the new 1 I'm trying to transfer the roles to.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now