Solved

Upgrade secondary DC from 2003 to 2008

Posted on 2010-09-01
Last Modified: 2013-11-05
Hi,
There are 2 domain controllers which I need to virtualize. One is 2003 and the other is 2008; both servers will be migrated to 2008 virtual machines. I have one primary master DC (2008) which is hosted in a datacenter; both machines are in 2 remote offices and appear to be configured as secondary local domain controllers. They also run DHCP and DNS servers.
I found some solutions/guides here for migrating a DC from 03 to 08 but they are all for single or primary servers. Do I have to follow a different approach in my case? Is there a way to transfer settings or image the existing 2008 server and move it to a VM, or do I have to start fresh? So far, I have the new VMs running 08 installed in each office, ready to be set up as replacement DCs, but have not done anything yet.

0
Question by:angelo_r
11 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 33579431
You can do a P2V migration on the existing servers using a variety of tools.  The only thing you need to do before you start is stop and disable any hardware-specific services.  Once migrated, remove any hardware-specific drivers and software from the VM.

Alternately, join the new VMs as DCs and replication should make them whole.  Simply install DNS and it should build via replication.  With DHCP, just back up the old DHCP database from within the DHCP console and restore to the new server.

Treat the VMs as if they are real metal servers - there is almost no difference (except in the hardware layer).
0
 

Author Comment

by:angelo_r
ID: 33579490
Do I still need to follow the role transfer guides if I go with fresh installation for secondary (local) DCs?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 33579530
Yes, do everything you would normally do if you were adding a new hardware server to replace an old server.

Do the FSMO transfers.
Make it a Global Catalog.
Install the DNS service and allow replication to populate it.
Install the DHCP role.
Backup and restore DHCP to the new machine.
Turn OFF DHCP on the old servers.
Ensure your DHCP now gives out the new DNS entries.
Gradually - remove DNS from old servers to make sure the clients can still resolve from new servers.
DCPROMO old servers out of the domain properly.

Make sure the new DCs have completely replicated before removing the old ones!!
0
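A pre-demotion check for the warning that closes the accepted answer, written as an added example (not code from the thread). It assumes PowerShell 2.0 or later on a DC where `repadmin`, `netdom` and `dcdiag` are installed; both server names are placeholders.

```powershell
# Added example: gate the demotion of an old DC on replication health,
# FSMO placement and Global Catalog status. Names below are placeholders.
param(
    [string]$OldDc = 'OLD-DC-PLACEHOLDER',   # hypothetical: DC being retired
    [string]$NewDc = 'NEW-DC-PLACEHOLDER'    # hypothetical: replacement VM
)

$problems = @()

# 1. Replication: every inbound link on every DC must show zero failures,
#    and repadmin must have been able to reach every DC.
$links = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$unreachable = @($links | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_ERROR' })
$failing = @($links | Where-Object {
    $_.showrepl_COLUMNS -ne 'showrepl_ERROR' -and [int]$_.'Number of Failures' -gt 0
})
if ($unreachable.Count -gt 0) { $problems += "$($unreachable.Count) DC(s) could not be queried" }
foreach ($l in $failing) {
    $problems += "Replication failing: $($l.'Source DSA') -> $($l.'Destination DSA') [$($l.'Naming Context')]"
}

# 2. The new DC must already be receiving inbound replication.
$inbound = @($links | Where-Object { $_.'Destination DSA' -eq $NewDc })
if ($inbound.Count -eq 0) { $problems += "$NewDc has no inbound replication links" }

# 3. FSMO: no role may still be held by the server about to be demoted.
$oldPattern = '\b' + [regex]::Escape($OldDc) + '\b'
$rolesOnOld = @(netdom query fsmo | Where-Object { $_ -match $oldPattern })
foreach ($r in $rolesOnOld) { $problems += "Role still on old DC: $($r.Trim())" }

# 4. Global Catalog: the replacement should advertise IS_GC.
if (-not (@(repadmin /options $NewDc) -match 'IS_GC')) {
    $problems += "$NewDc is not a Global Catalog"
}

# 5. dcdiag in quiet mode prints only errors; any output is a finding.
$diag = @(dcdiag /s:$NewDc /q | Where-Object { $_.Trim() })
if ($diag.Count -gt 0) { $problems += "dcdiag reported errors on $NewDc" }

if ($problems.Count -eq 0) {
    Write-Output "OK: no blockers found for demoting $OldDc"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```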

 
LVL 51

Expert Comment

by:Netman66
ID: 33579554
I hope I understood you correctly.

You ARE replacing the hardware servers with the VMs - correct?

If you are NOT, and you will leave the DC with the roles in place, then you don't need to move any roles to the new servers if you don't want to.  Making the new ones GCs is a good idea though.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33579563
I'd personally go with the fresh install/promotion.  This may also give you the opportunity to go to 2008 R2.

Are you talking about FSMO roles or other roles?

You would have to follow the same guidelines to transfer the FSMO roles and the services that Paul mentioned.  Also make all your DCs GCs in this case.

Thanks
Mike
0
 

Author Comment

by:angelo_r
ID: 33579585
One more thing, I am afraid not to make one of the new machines as a master DC... Is there a way to make it read only as this will be just a local DC? When I try to transfer roles it always asks me to transfer from my primary.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33579623
In AD there is no real "master"; you might be thinking of the FSMO roles.

There is something known as read only domain controllers but those are mainly used if physical security is a concern (look for RODC in Google/Bing for a lot more info).

If you want to wait to make sure everything is ok then transfer the FSMO roles...that works too.

Thanks
Mike
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33579799
As Mike has alluded to, you can use a new feature called Read Only Domain Controller, however I believe in your scenario it probably isn't what you require.

If you are replacing the original FSMO role holder, then you MUST transfer the roles to one of the new servers.

If you are simply adding additional DCs then there is no requirement to transfer roles.  AD will be "live" and writable on all DCs because they are now all peers - there is no such thing as PDC and BDC any longer.

0
 

Author Comment

by:angelo_r
ID: 33588543
I am almost there, the new 2008 is running along with the old 2003, I promoted it to DC and will transfer roles before I remove the old one. However, I noticed that when I go to NTDS Settings/Connection on the new machine it shows that it replicates from the old 03 DC and my main DC. Will that entry be removed automatically when I demote the old server so I replicate only from the primary DC? In the second field "Replicate To:" I can see only my old 2003 DC - what will happen when I demote/remove that computer? Is there any way to edit these settings so I can properly set it to replicate from and to the primary DC only?
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 33588578
You can set up your connection objects manually but right now all that is being done automatically by the KCC...I'd let that continue as is in this case.  Yes it will be removed (you will have to delete the box from Sites and Services as that is not done automatically in the demotion).
Thanks
Mike
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33589073
Agreed. If the demotion of the old server is done cleanly, and without error, then simply delete the old server object from within AD Sites and Services and the replication topology will be recalculated by KCC and you should be golden.

0
