Solved

DCPROMO Order

Posted on 2010-11-11
9
788 Views
Last Modified: 2012-05-10
I am adding a new DC to an existing 2003 forest.  Existing has 1 GC and 5 DC's at branch offices connected over MPLS WAN.  We use Sites and services to replicate changes.  Do I join domain at main site, run dcpromo and let AD replicate, then change IP subnet and setup sites for AD replication...or I have the option of hanging new server off a local firewall and running dcpromo from the new subnet.  I thought this might try to pull AD from a BO..   Hope question and explanation is sufficient..Thanks in advance  
0
Comment
Question by:MRamdor
9 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34116476
How large is your AD. There are several option

I would probably just run DCPromo at the branch with only that many DCs.

You could also take a systemstate backup of one DC restore to a seperate directory on the new DC and run dcpromo /adv and point to the file while the DC is in the branch.
0
 
LVL 4

Expert Comment

by:sire_harvey
ID: 34116494
Personally i would build the server at the main site, and set up the IP address on the remote subnet. The run DCPROMO from the remote site.
0
 

Author Comment

by:MRamdor
ID: 34116500
AD is not that large.  If I'm going to run it from the branch should I join the domain first dcpromo will take care of that and will it install DNS?  Thanks.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 27

Expert Comment

by:KenMcF
ID: 34116521
What I usually do is image the DC at the main site join to the domain and ship to the branch. Then run DCPromo from the branch site. If you are worried about the bandwidth of the promo you could put a copy of the system state from another DC on the server and run dcpromo /adv
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34118336
Its not good practices to join system into domain & then promote as DC, dcpromo should be directly run on server & you should not change IP because mostly DC's are heart of domain & they should not be going through changes or testing.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34119325
Awinish, Do you have any documentation that says it is not good practice to run DCPromo on domain joined servers?

There is nothing wrong with changing the IP of a Domain Controller. You need to make sure you follow the proper procedures.

http://technet.microsoft.com/en-us/library/cc758579(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794931(WS.10).aspx
0
 
LVL 24

Accepted Solution

by:
Awinish earned 250 total points
ID: 34119440
KenMcF, i don't have reference of any such document but i haven't seen for configuring server as an domain controller, server has to joined to domain first then dcpromo it.


When you do dcpromo, it automatically join the server & while joining the object will be placed in computer ou & then after registering its services as DC,it will be moved to DC OU.

I read somewhere can't recall it,but if you want to configure a server as an DC, directly dcpromo it

In the below articles, can you see anywhere listed, that a server is required  to joined into domain & dcpromo it as its directly going to be DC so why promote it as member server & promote it.

Yes, there is nothing wrong, but when its a domain controller & you don't want to do IP changes,reregister the netlogon services,allow time for replication,until you are changing ISP.

Its better to plan because if you change IP,it has to be updated into client dns setting or other servers, so plan it properly & until its urgent i would not recommend to do it even though it can done.

http://www.windowsreference.com/windows-server-2003/how-to-create-an-additional-domain-controller-in-win-server-2003/
http://www.petri.co.il/how_to_install_active_directory_replica_on_windows_2003.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 250 total points
ID: 34119481
Thanks Awinish, I just wanted to make sure this was not a MS recomendation. there are several reasons we do this.

I agree it is better to plan instead of changing the IP of DCs multiple times. Thats why in one of my previos posts I recomended to run DCPromo once the server was in the branch office. But some times you can not avoid changing the IP. There have been several times where either the remote site has closed or moved and subnets changed, or a network reconfiguration and are forced to change the IP.
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34119532
Yes, i do believe certain circumstances require us to do changes changes,but making changes on dc esp when users, application & servers depends heavily on it, personally i don't feel comfortable.
So better planning is the key to road ahead, even though its small environment, still we should not make practice, that's what i wanted to guide the author.

0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Add LDAP custom Attribute to Exchange GAL 2010 2 40
LDAP search through mutiple lower OU's 3 27
exchange powershell question 5 34
Active Directory Photo Tab 4 25
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question