New Domain and New Server Planning...


This question is more of a pre-emptive one, as I would like some input before going ahead with a few changes.

Current Situation:
- We have a DC with active directory services that has been migrated from an older dc (that no longer provides ADS).  The migration wasn't done correctly, and at this point I can't mess around with it too much as I can't cause downtime for the business.  I fixed a few issues (although naming standards are all over the place), and the domain authority seems to still be the old dc.  So when you ping domain.local it points to a different IP than pinging the DC.  Meaning, the old DC was not demoted or something happened when they attempted to migrate over (this is very old, dying hardware, so they shouldn't be relying on it for anything).  Strangely, if I bring the old DC (domain.local) offline, people can still login to the domain because the DNS points to the current DC (and is providing the ADS).  Previously, when both machines were online, I faced an issue where no one could log in.  The DNS entries were pointing to the current DC, but the current DC referenced the old DC as the Domain, but the old DC didn't recognize the current DC as what was providing ADS.  Changing DNS entries to point to either or both didn't help, but changing the start of authority on the current DC to point to itself, as well as a few other items in the DNS manager, helped resolve that issue.
- The current active DC is also providing DHCP, and WINS.
- Current Servers are running WIN2K3.

- We've purchased a new server to replace our obsolete hardware, which makes me want to redo things from scratch with correct standards, and proper services delegated to correct servers (will be running XenServer on BareMetal).  Will be running instances of WIN2K8 R2 64BIT.
- To transition smoothly, I was thinking of removing the DHCP service from the current active DC, and having one of our edge devices provide it.  The same gateway and DNS settings would be applied through this device.  So everyone should still be able to log onto the current DC.
- A new DC within a new will be created (using .ads instead of .local), the current one is called Domain.local.
- Once the new Domain is setup, I would try to get everyone to logon to the DC on rather than the old DC on Domain.local by manually changing the terminals' dns settings to point to the NEW DC or new (which would the same in this case).
- I would switch each user, one by one, making sure everything is applied correctly to their computer.  At this point, the two domains would both be online so that users who need to do work won't have to face any downtime while they're still on the old Domain.
- Once everyone is on the new DC/, I would reconfigure the edge device to hand out the DNS of the new DC.
- I can then go to each terminal and place everyone back on to automatically retrieve DNS settings.

- Switch everyone to a new domain within the same DHCP scope provided by a different device than the windows servers.  The two domains would exist this way for a little while, one would point to (as an example) and the other to  The old domain would then be removed completely after the transition.
- It's a total of approximately 50 computers to switch, but I don't trust the previous setup and content of the DC.  I think I'm forced to switch it over this way...

Just curious to know if this is a fairly safe bet, or if I'm missing something, or should be considering other things as well?

You would need to make sure that the old DC's DNS has information on the new DC's Domain since the system converted to the newly added domain will still have to query the old DC. As well as possibly setup a TRUST relationship between the old and the new domain.

To forcibly take control of the various roles, you have to use ntdsutil.
The removal of the old DC for extended period of time led to the DC being tombstoned.

You are living dangerously if you have aging HW and only one DC.
I would've added a second DC and then gone through the process of forcibly transferring roles to the new DC that were left on the old/removed DC.
metazendAuthor Commented:
Well that's just it, I'm making a clean break from the old setup.  I thought of adding a second DC, but then I would be working with the same junk.  I wouldn't even be surprised if there are backdoors in place right now, for one reason or another.  I've found a lot of other suspicious crap, and I just don't trust it on top of a lot of hardware problems.  Initially coming into the environment, one of the servers had a raid 5 array with a dead disk.  Not only was the risk of data loss neglected for a long time, but because of the extra parity calculations the server's speed slowed down a lot.  It was just left that way, but luckily I saw that on my first day.  Thank God, because I would have had some other major issue on my hands right now.

Essentially, the new hardware will be used to setup a new domain, and a new dc.  All I need to ensure is that both of these domains can co-exist (temporarily) as I switch people over from one to the other.  I would have to recreate accounts, GPOs, etc...

Should it now simply be a matter of doing the following to get someone on the new domain:
- Move DHCP to other device, independent of the domain.  Keep DNS pointing to current domain.
- Log in as a Domain Admin on Windows terminals, and remove them from the current domain.
- Log on as a local admin on Windows terminals, change DNS to manually point to the new domain.
- Join the new domain.
- Once all systems are on new domain, change DHCP config to have DNS automatically point to new domain.
- Remove the manual DNS entries from the Windows terminals, since at this point the DHCP will automatically be giving that out.
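As an added example (not a script posted in the thread), here are the per-workstation steps of the list above as one PowerShell script, run from an elevated prompt on the machine being moved. It adds the check a practitioner wants before unjoining: the client must be able to locate a DC for the new domain through the DNS server it currently uses (the old DC), which only succeeds once that server forwards queries for the new domain. The domain names, the new DC address (RFC 5737 documentation range) and the adapter name are assumptions.

```powershell
# Added example, not from the thread: cutover of one workstation from the old
# domain to the new one. Run from an elevated prompt on the workstation.
# Domain names, the DC address and the adapter name are placeholders.
param(
    [string]$OldDomain = "domain.local",          # the current domain, as named in the thread
    [string]$NewDomain = "domain.ads",            # assumed name of the new domain
    [string]$NewDcIp   = "192.0.2.20",            # assumed address of the new DC (also its DNS server)
    [string]$Adapter   = "Local Area Connection"  # adapter whose DNS setting is changed
)

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run a classic command-line tool and stop on a non-zero exit code, so a
    # failed step never lets the next one run against a half-moved machine.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

function Test-NewDomainReachable([string]$Domain) {
    # DC locator check: nltest asks the currently configured DNS server for the
    # domain's SRV records and exits non-zero when no DC can be found. While the
    # client still uses the old DC for DNS, this passes only if the old DC
    # forwards queries for the new domain (the forwarder the replies ask for).
    nltest "/dsgetdc:$Domain" /force | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Step 1: refuse to unjoin a machine that would not find the new DC afterwards.
if (-not (Test-NewDomainReachable $NewDomain)) {
    throw "No DC for $NewDomain reachable through the current DNS; add a forwarder on the old DC (or a static DNS entry) first"
}

# Step 2: leave the old domain while DNS still points at the old DC, so netdom
# can reach it to disable the computer account. '*' makes netdom prompt for the
# password instead of leaving it in the script or the command history.
Invoke-Checked netdom @("remove", $env:COMPUTERNAME, "/domain:$OldDomain", "/userd:$OldDomain\Administrator", "/passwordd:*")

# Step 3: static DNS pointing at the new DC, so the join does not depend on the old server.
Invoke-Checked netsh @("interface", "ip", "set", "dns", "name=$Adapter", "source=static", "addr=$NewDcIp")

# Step 4: join the new domain; a fresh account is created there and the machine reboots.
Invoke-Checked netdom @("join", $env:COMPUTERNAME, "/domain:$NewDomain", "/userd:$NewDomain\Administrator", "/passwordd:*", "/reboot:10")

# Step 5 (run later, once DHCP hands out the new DC as DNS): drop the static entry again.
#   netsh interface ip set dns name="Local Area Connection" source=dhcp
```

The unjoin happens before the DNS change on purpose: with DNS still on the old DC, netdom can find the old domain without relying on a forwarder back from the new DC.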
You would need to have a trust relationship or at least have a forwarder for the new DC defined on the OLD DC.  This way when the new systems ask the old DNS server for information on the new domain, your old DNS has the configuration to forward the request to the new DC and work.  Otherwise, you would have to configure the new workstations/systems to use a static DNS reference to the new DC.


metazendAuthor Commented:
That's a smart way of doing it.  I'll try it using a forwarder on the current DC pointing to the new (en route) DC/Domain.  I'll post results, and method used.
Jim P.Commented:
The other worry is any SQL Server based apps such as Sharepoint, WSUS, Backup Sw, etc.
For 50 computers doing it manually will take a while.  Regarding DHCP I would exclude a block of addresses in the current scope, then use those addresses for the DHCP service on the new domain - because you need to authorize a DHCP server to serve a specific domain and I'm not sure it can be authorized for two domains (forests actually).  Have DNS conditional forwarders point old and new domains to the other DNS servers.  Set up a trust relationship.  Use ADMT to do migration.
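As an added example (not code posted in the thread), the server-side pieces that the forwarder reply and the comment above ask for, as one PowerShell script run from an elevated prompt on an admin workstation: conditional forwarders in both directions, a DHCP exclusion range in the old scope, a two-way forest trust, and the checks that prove the old DNS server now answers for the new domain before any workstation is moved. Host names, domain names, the scope and the addresses (RFC 5737 documentation range) are assumptions.

```powershell
# Added example, not from the thread: DNS forwarders, DHCP exclusion and trust
# for running the two domains side by side. Host names, domain names, scope and
# addresses are placeholders.
$OldDc     = "olddc"          # assumed host name of the current Windows 2003 DC
$NewDc     = "newdc"          # assumed host name of the new 2008 R2 DC
$OldDomain = "domain.local"   # the current domain, as named in the thread
$NewDomain = "domain.ads"     # assumed name of the new domain
$OldDcIp   = "192.0.2.10"
$NewDcIp   = "192.0.2.20"
$Scope     = "192.0.2.0"      # assumed DHCP scope on the old DC

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run a classic command-line tool and stop on a non-zero exit code.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

# 1. Conditional forwarders in both directions (dnscmd exists on 2003 and 2008 R2).
#    The old DNS server answers queries for the new domain by asking the new DC and
#    vice versa, so a client (or the trust) can resolve either side no matter which
#    DNS server it currently uses.
Invoke-Checked dnscmd @($OldDc, "/ZoneAdd", $NewDomain, "/Forwarder", $NewDcIp)
Invoke-Checked dnscmd @($NewDc, "/ZoneAdd", $OldDomain, "/Forwarder", $OldDcIp)

# 2. Carve a range out of the old scope so a DHCP server authorized in the new
#    forest can hand out addresses from it without the two servers colliding.
Invoke-Checked netsh @("dhcp", "server", "\\$OldDc", "scope", $Scope, "add", "excluderange", "192.0.2.200", "192.0.2.250")

# 3. Two-way trust between the two forests. '*' prompts for both passwords so
#    nothing is stored in the script.
Invoke-Checked netdom @("trust", $NewDomain, "/domain:$OldDomain", "/add", "/twoway",
                        "/userD:$OldDomain\Administrator", "/passwordD:*",
                        "/userO:$NewDomain\Administrator", "/passwordO:*")

# 4. Checks before moving any workstation: the old DNS server must return the new
#    domain's DC locator SRV records (nslookup prints an "svr hostname" line for
#    each answer), and the trust must verify from both sides.
$answer = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$NewDomain" $OldDcIp 2>&1
if (-not (($answer | Out-String) -match 'svr hostname')) {
    throw "Old DC $OldDcIp does not resolve DC locator records for $NewDomain; forwarder not working"
}
Invoke-Checked netdom @("trust", $NewDomain, "/domain:$OldDomain", "/verify")
```

The SRV check is deliberately run against the old DC by address rather than through the workstation's configured resolver, so it tests the forwarder itself and not whatever the client happens to be pointing at.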
metazendAuthor Commented:
I've had to do this manually.  Had the user base been larger, I would have attempted to do what Arnold suggested, but the system crashes with the slightest changes, so I needed to be careful.

Essentially, the new domain was set up, although DHCP was still being provided by the old domain, I had to manually enter the DNS and domain in the network config for the clients, and brought everyone to the new server.  I changed what was providing the DHCP afterwards, and killed the old domain (after backing up the user data).  Then I just set everyone back up to obtain DHCP automatically.

Tedious I know, but that server was really FUBARed.
