Solved

Upgrade secondary DC from 2003 to 2008

Posted on 2010-09-01
11
381 Views
Last Modified: 2013-11-05
Hi,
There are 2 domain controllers which I need to virtualize. One is 2003 and the other is 2008; both servers will be migrated to 2008 virtual machines. I have one primary master DC (2008) which is hosted in a datacenter; both machines are in 2 remote offices and appear to be configured as secondary local domain controllers. They also run DHCP and DNS servers.
I found some solutions/guides here for migrating a DC from 03 to 08, but they are all for single or primary servers. Do I have to follow a different approach in my case? Is there a way to transfer settings or image the existing 2008 server and move it to a VM, or do I have to start fresh? So far, I have the new VMs running 08 installed in each office, ready to be set up as replacement DCs, but have not done anything yet.

0
Comment
Question by:angelo_r
11 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 33579431
You can do a P2V migration on the existing servers using a variety of tools.  The only thing you need to do before you start is stop and disable any hardware-specific services.  Once migrated, remove any hardware-specific drivers and software from the VM.

Alternately, join the new VMs as DCs and replication should make them whole.  Simply install DNS and it should build via replication.  With DHCP, just back up the old DHCP database from within the DHCP console and restore it to the new server.

Treat the VMs as if they are real metal servers - there is almost no difference (except in the hardware layer).
0
 

Author Comment

by:angelo_r
ID: 33579490
Do I still need to follow the role transfer guides if I go with a fresh installation for the secondary (local) DCs?
0
 
LVL 51

Accepted Solution

by:Netman66 (earned 250 total points)
ID: 33579530
Yes, do everything you would normally do if you were adding a new hardware server to replace an old server.

Do the FSMO transfers.
Make it a Global Catalog.
Install the DNS service and allow replication to populate it.
Install the DHCP role.
Backup and restore DHCP to the new machine.
Turn OFF DHCP on the old servers.
Ensure your DHCP now gives out the new DNS entries.
Gradually - remove DNS from old servers to make sure the clients can still resolve from new servers.
DCPROMO old servers out of the domain properly.

Make sure the new DCs have completely replicated before removing the old ones!!
0
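The checklist above (and the DNS-by-replication / DHCP backup-and-restore points in the first comment) scripted end to end, as an added example that is not code from the thread or from either expert. It wraps the built-in command-line tools of the 2008 era (netdom, ntdsutil, repadmin, dcdiag, netsh, servermanagercmd) rather than the ActiveDirectory PowerShell module, which only exists on 2008 R2. The server names OLDDC and NEWDC, the export path and the parameter names are placeholders; run it from an elevated PowerShell on the new DC as a Domain Admin, after the new VM has already been promoted with dcpromo.

```powershell
# Added example (not from the thread): pre-demotion checklist for replacing an
# old 2003 DC (OLDDC) with a new 2008 VM DC (NEWDC). All names are assumptions.
param(
    [string]$OldDc      = 'OLDDC',              # assumed: the 2003 DC being retired
    [string]$NewDc      = 'NEWDC',              # assumed: the new 2008 DC (this machine)
    [string]$DhcpExport = 'C:\dhcp-export.txt', # assumed: file copied over from OLDDC
    [switch]$TransferFsmo                       # only when OLDDC holds FSMO roles
)

function Invoke-Step([string]$Label, [scriptblock]$Command) {
    Write-Host "== $Label"
    & $Command
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Label returned exit code $LASTEXITCODE" }
}

# 1. Who holds the five FSMO roles right now? If none is on OLDDC there is nothing
#    to transfer: the branch DC is just an additional writable peer.
Invoke-Step 'FSMO role holders' { netdom query fsmo }

# 2. Transfer the roles to NEWDC only when OLDDC holds them. Each quoted string is
#    one ntdsutil menu command; ntdsutil asks for confirmation on every transfer.
if ($TransferFsmo) {
    Invoke-Step "Transfer FSMO roles to $NewDc" {
        ntdsutil 'roles' 'connections' "connect to server $NewDc" 'quit' `
            'transfer schema master' 'transfer naming master' 'transfer RID master' `
            'transfer PDC' 'transfer infrastructure master' 'quit' 'quit'
    }
}

# 3. Make NEWDC a Global Catalog. This sets the same flag on the NTDS Settings
#    object that the checkbox in AD Sites and Services sets.
Invoke-Step "Enable Global Catalog on $NewDc" { repadmin /options $NewDc '+IS_GC' }

# 4. Install the DNS and DHCP roles. servermanagercmd is the 2008 tool; on 2008 R2
#    use: Import-Module ServerManager; Add-WindowsFeature DNS, DHCP
Invoke-Step 'Install DNS Server role'  { servermanagercmd -install DNS }
Invoke-Step 'Install DHCP Server role' { servermanagercmd -install DHCP }

# 5. DNS needs no manual import: AD-integrated zones arrive through replication.
#    DHCP does. On OLDDC run:   netsh dhcp server export C:\dhcp-export.txt all
#    copy the file to NEWDC, then import it here.
if (Test-Path $DhcpExport) {
    Invoke-Step "Import DHCP scopes from $DhcpExport" { netsh dhcp server import $DhcpExport all }
} else {
    Write-Warning "$DhcpExport not found; run the export on $OldDc first (see step 5)."
}

# 6. Verify replication is healthy BEFORE anything is removed. Any line printed by
#    /errorsonly, or a non-zero 'fails' column in /replsummary, means stop here.
Invoke-Step "Replication errors on $NewDc"          { repadmin /showrepl $NewDc /errorsonly }
Invoke-Step 'Forest-wide replication summary'       { repadmin /replsummary }
Invoke-Step "dcdiag replication test on $NewDc"     { dcdiag "/s:$NewDc" /test:replications }
Invoke-Step "dcdiag DNS test on $NewDc"             { dcdiag "/s:$NewDc" /test:dns }

# 7. Only after step 6 is clean, and the DHCP scope options hand out NEWDC as the
#    DNS server: on OLDDC stop and disable DHCP
#       net stop dhcpserver
#       sc.exe config dhcpserver start= disabled   (sc.exe, not the PowerShell alias sc)
#    then demote it with dcpromo.
```

The script deliberately does not demote anything: demotion is a one-way step that should only follow a clean replication check, so step 7 is left as the commands to type on the old server. The replication checks in step 6 are the scripted form of the warning in the last line of the accepted answer.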
 
LVL 51

Expert Comment

by:Netman66
ID: 33579554
I hope I understood you correctly.

You ARE replacing the hardware servers with the VMs - correct?

If you are NOT, and you will leave the DC with the roles in place, then you don't need to move any roles to the new servers if you don't want to.  Making the new ones GCs is a good idea though.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33579563
I'd personally go with the fresh install/promotion.  This may also give you the opportunity to go to 2008 R2.

Are you talking about FSMO roles or other roles?  You would have to follow the same guidelines to transfer the FSMO roles and the services that Paul mentioned.  Also make all your DCs GCs in this case.

Thanks
Mike
0
 

Author Comment

by:angelo_r
ID: 33579585
One more thing, I am afraid of making one of the new machines a master DC... Is there a way to make it read-only, as this will be just a local DC? When I try to transfer roles it always asks me to transfer from my primary.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33579623
In AD there is no real "master"; you might be thinking of the FSMO roles.

There is something known as read-only domain controllers, but those are mainly used if physical security is a concern (look for RODC in Google/Bing for a lot more info).

If you want to wait to make sure everything is ok then transfer the FSMO roles...that works too.

Thanks
Mike
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33579799
As Mike has alluded to, you can use a new feature called Read Only Domain Controller; however, I believe in your scenario it probably isn't what you require.

If you are replacing the original FSMO role holder, then you MUST transfer the roles to one of the new servers.

If you are simply adding additional DCs then there is no requirement to transfer roles.  AD will be "live" and writable on all DCs because they are now all peers - there is no such thing as PDC and BDC any longer.

0
 

Author Comment

by:angelo_r
ID: 33588543
I am almost there, the new 2008 is running along with the old 2003, I promoted it to DC and will transfer roles before I remove the old one. However, I noticed that when I go to NTDS Settings/Connection on the new machine it shows that it replicates from the old 03 DC and my main DC. Will that entry be removed automatically when I demote the old server, so I replicate only from the primary DC? In the second field, "Replicate To:", I can see only my old 2003 DC - what will happen when I demote/remove that computer? Is there any way to edit these settings so I can properly set it to replicate from and to the primary DC only?
0
 
LVL 57

Assisted Solution

by:Mike Kline (earned 250 total points)
ID: 33588578
You can set up your connection objects manually, but right now all that is being done automatically by the KCC... I'd let that continue as is in this case.  Yes, it will be removed (you will have to delete the box from Sites and Services, as that is not done automatically in the demotion).
Thanks
Mike
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33589073
Agreed. If the demotion of the old server is done cleanly and without error, then simply delete the old server object from within AD Sites and Services and the replication topology will be recalculated by the KCC and you should be golden.

0
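The post-demotion cleanup the last two comments describe, as an added example that is not code from the thread or from either expert: confirm the old DC really left the topology, remove the leftover server object that a demotion leaves in AD Sites and Services, and let the KCC recompute the new DC's connection objects (the "Replicate From / Replicate To" entries the question asks about). It uses dsquery, dsrm, repadmin and nslookup, all present on a 2008 DC. OLDDC and NEWDC are placeholder names, as is the switch name; run as a Domain Admin on NEWDC. Nothing is deleted unless -DeleteServerObject is given.

```powershell
# Added example (not from the thread): verify and clean up after OLDDC has been
# demoted with dcpromo. Server names and parameters are assumptions.
param(
    [string]$OldDc = 'OLDDC',      # assumed: the demoted 2003 DC
    [string]$NewDc = 'NEWDC',      # assumed: the new 2008 DC (this machine)
    [switch]$DeleteServerObject    # actually delete the stale object; default reports only
)

# 1. Find OLDDC's server object in the Configuration partition. dsquery prints
#    DNs wrapped in double quotes, so strip them.
$serverDn = (dsquery * forestroot -filter "(&(objectCategory=server)(cn=$OldDc))") |
    ForEach-Object { $_.Trim('"') } | Select-Object -First 1

if (-not $serverDn) {
    Write-Host "No server object for $OldDc remains; nothing to clean up."
} else {
    # 2. A DC is a server object with an 'NTDS Settings' (nTDSDSA) child. If that
    #    child still exists the demotion did not complete: do NOT delete anything,
    #    fix the demotion first (ntdsutil metadata cleanup is the fallback).
    $ntds = dsquery * $serverDn -scope onelevel -filter '(objectClass=nTDSDSA)'
    if ($ntds) { throw "$OldDc still has NTDS Settings under $serverDn; demotion is incomplete." }

    Write-Host "Stale server object left by the demotion: $serverDn"
    if ($DeleteServerObject) {
        # Equivalent to deleting the server in AD Sites and Services.
        dsrm $serverDn -subtree -noprompt
    } else {
        Write-Host 'Re-run with -DeleteServerObject to remove it.'
    }
}

# 3. Make the KCC on NEWDC recompute the topology now instead of at its next
#    scheduled pass, then list the inbound partners. OLDDC must no longer appear.
repadmin /kcc $NewDc
$partners = repadmin /showrepl $NewDc
$partners
if ($partners -match $OldDc) { Write-Warning "$OldDc still appears as a replication partner of $NewDc" }

# 4. A demoted DC can also linger in DNS. If its SRV records survive, clients in
#    the branch keep trying it for logons; delete them from the zone.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" 2>$null
if ($srv -match $OldDc) { Write-Warning "DNS still advertises $OldDc as a DC; remove its SRV records." }
```

The order matters: the NTDS Settings check in step 2 is what distinguishes a cleanly demoted server (safe to delete) from one whose demotion failed (needs metadata cleanup, not a plain delete), which is the "done cleanly, and without error" condition in the comment above.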
