Solved

Migrate Old Windows 2003 Server DC to New Virtual DC - Server was first DC installed.

Posted on 2010-11-22
Last Modified: 2012-05-10

Hello Everyone,

Sorry for the long post!

I am in the process of removing a Windows 2003 Server from our domain by migrating all the roles onto a newly setup DC within our virtual environment and I am looking for any advice that can help with the process. I have added servers but this will be my first time removing one.

I have read through various posts on the site, all of which have been very helpful in putting together my proposed process, but I can’t find a “step by step” - If there is one please point me in that direction!!

Information.

The Physical DC was the very first DC (forest root) and runs DHCP, WINS, DNS, GC, Time Server and 4 of the FSMO Roles. We currently have 1 virtual DC (P2V of a server) and 2 physical ones (the 2nd physical server is running one of the FSMO roles and is a DNS server.)

The DNS is Active Directory integrated with no scavenging setup.

All 3 servers are GCs

Both physical servers are DNS servers

Proposed Plan:

Create new Vm server from Template

Setup as DC –
Join Server to domain.
Run DCpromo and run through process:
Dcpromo->add domain controller to existing domain->
Reboot
Make GC
Wait 15/45min to check objects are appearing in DC
Check Event Logs for replication information - Dcdiag

Install DNS Service:
Using Add/ Remove Programmes install DNS
Will all the setting automatically go across or is anything else required for DNS? Will I need to configure forwarding zones?
            
Install DHCP:
Export configuration from Existing server
Netsh dhcp server export c:\dhcp.txt all
VM Machine – Add/Remove->Network Services->DHCP
Import Configuration
Netsh dhcp server import c:\dhcp.txt all
Stop Services on existing physical DHCP Server
Authorise VM DHCP server
Configure DHCP setting for Clients to use new DNS Server address as primary

Transfer FSMO Roles:
Transfer roles via Pull method – transfer roles to current 2nd Physical Server
Wait for 15 mins between each role move.
AD Sites and Services – operation Masters
AD Users and Computers – operation Masters
Register regsvr32 schmmgmt.dll -> add active Dir Schema -> change

Shut Down Existing DC:
Pull network cable out of 1st Physical server via switch not back of physical server
Wait for users / log in tests DHCP etc (any recommendations of time? Windows sp2 tombstone is 60days? )

Final Steps:
Plug Network cable back into Existing DC
Allow Synchronisation to occur with servers
Demote DC via DC Promo
Add/Remove DNS Application from Server
Move old Physical Server from domain via My computer and put in workgroup
Remove physical machine
Remove entry within DNS?

Does this seem like the correct method of removing a server? Are there any steps that I need to be aware of regarding this being the very first Domain controller I set up within the domain?

Any help and guidance would be really appreciated!!

Thanks!

Phil
0
Question by:Pipster
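The plan above mixes checks done by eye in AD Sites and Services, replmon and dcdiag. The script below is an added example (not from this thread, nor from any Microsoft documentation) that turns the same pre-flight checks into something repeatable: it records the FSMO holders with `netdom query fsmo`, confirms that each DC has an NTDS Settings object in the Configuration partition and whether its GC flag is set, flags inbound replication links that `repadmin /showrepl` reports as anything other than successful, and wraps the `netsh dhcp server export`/`import` commands from the plan so the export file is verified before the old DHCP service is stopped. It assumes PowerShell with the .NET System.DirectoryServices classes, the Windows Support Tools (repadmin, dcdiag, netdom) on the PATH, and an account that can read the Configuration partition. The server names and the export path are placeholders.

```powershell
# Added example, not from the thread: pre-flight checks for the migration plan.
# Assumes PowerShell with System.DirectoryServices, the Support Tools
# (repadmin, dcdiag, netdom) on the PATH, and read access to the Configuration NC.
# Server names and export path are placeholders, not values from the thread.
param(
    [string]$NewDc      = 'VMDC01',     # placeholder: the new virtual DC
    [string]$OldDc      = 'PHYSDC01',   # placeholder: the forest-root DC being retired
    [string]$DhcpExport = 'C:\dhcp.txt' # same file name the plan uses with netsh
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value

# A DC only takes part in replication once its NTDS Settings object exists
# under CN=Sites in the Configuration partition (the entry you look for in
# AD Sites and Services -> Servers -> <server>).
function Get-NtdsSettings([string]$ServerName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter = "(&(objectCategory=server)(cn=$ServerName))"
    $server = $searcher.FindOne()
    if (-not $server) { return $null }
    $ntdsPath = 'LDAP://CN=NTDS Settings,' + $server.Properties['distinguishedname'][0]
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)) { return $null }
    return [ADSI]$ntdsPath
}

# The Global Catalog flag is bit 0x1 of the NTDS Settings 'options' attribute;
# the GC tick box in Sites and Services sets exactly this bit.
function Test-IsGlobalCatalog([string]$ServerName) {
    $ntds = Get-NtdsSettings $ServerName
    if (-not $ntds) { throw "$ServerName has no NTDS Settings object; it is not a registered DC" }
    $options = [int]$ntds.options.Value
    return (($options -band 1) -eq 1)
}

# repadmin /showrepl prints one 'Last attempt @ <time> ...' line per inbound
# partner and partition. Anything other than 'was successful' must be chased
# before the old DC is unplugged.
function Get-FailedReplicationLines([string]$ServerName) {
    $lines = repadmin /showrepl $ServerName 2>&1
    return @($lines | Where-Object { ($_ -match 'Last attempt') -and ($_ -notmatch 'was successful') })
}

# netdom query fsmo prints one '<role name>   <holder>' line per FSMO role.
# Capture them now and re-run after each transfer to confirm the move.
function Get-FsmoHolders {
    $holders = @{}
    netdom query fsmo | ForEach-Object {
        if ($_ -match '^(.+?)\s{2,}(\S+)\s*$') { $holders[$Matches[1].Trim()] = $Matches[2] }
    }
    return $holders
}

# DHCP steps from the plan. Export runs on the old DHCP server; import must be
# run on the new DHCP server after the file has been copied across.
function Export-DhcpConfig {
    netsh dhcp server export $DhcpExport all
    if (-not (Test-Path $DhcpExport)) { throw 'DHCP export produced no file; do not stop the old DHCP service yet' }
}
function Import-DhcpConfig {
    if (-not (Test-Path $DhcpExport)) { throw "Copy $DhcpExport from $OldDc before importing" }
    netsh dhcp server import $DhcpExport all
}

Write-Host 'FSMO role holders:'
$fsmo = Get-FsmoHolders
foreach ($role in $fsmo.Keys) { Write-Host ('  {0,-24} {1}' -f $role, $fsmo[$role]) }

foreach ($dc in @($NewDc, $OldDc)) {
    $isGc   = Test-IsGlobalCatalog $dc
    $failed = Get-FailedReplicationLines $dc
    Write-Host ('{0}: GC={1}, failing replication links={2}' -f $dc, $isGc, $failed.Count)
    $failed | ForEach-Object { Write-Host "    $_" }
}

# Replication test from the plan, aimed at the new DC.
dcdiag /s:$NewDc /test:replications
```

Run it once before the FSMO transfer and again after; the GC check and the `repadmin` lines are the same two things the thread ends up troubleshooting by hand. `Export-DhcpConfig` and `Import-DhcpConfig` are defined but not called, because each has to run on a different server.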
25 Comments
 

Author Comment

by:Pipster
actually I just found this which is great

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_269-Replace-a-Windows-Server-2003-Domain-Controller.html

Very helpful but I do still have some questions I've listed in the original post.

thanks for any help!
phil
0
 
LVL 7

Accepted Solution

by:
GridLock137 earned 400 total points
it's a pretty straight forward process, there is no step by step for the entire process being you are dealing with different protocols (dns, dhcp etc...)

all your steps look good, the only thing i would do is allow the physical server to be up a week or so more to make sure everything is working fine and that your users are authenticating to the correct server then after that you can demote that server to a member server and then decommission it. i would not give your new VM server the same IP as the old DC, that can cause issues.
0
 

Author Comment

by:Pipster
Hi Gridlock,

Thanks for the quick reply!

The info is good and I will follow your recommendation regarding the old DC. We are at present only going to add a new 2003 server but will move to 2008 later.

Does it matter that the DC I'm going to remove was the first "forest root" server?  Also the DNS side of things, will I need to configure anything on the new VM DNS server like forward lookup zones?

Thanks again.
phil
0
 
LVL 7

Expert Comment

by:GridLock137
being you're AD integrated everything should replicate over to the new server, the info provided should be the same steps for a 2003 server. in regards to the root server, was this or still is a 2000 OS?
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 100 total points
Just to add to gridlock137 comments. here are some good links to look over. I would use repadmin to verify replication on your domain controllers before shutting the first one down. And also something to be aware of when running your DC in a VM. I also noticed that you took a snapshot of one of your DCs. I would recommend not to take snapshots and just use system state backups.

http://technet.microsoft.com/en-us/library/cc780676(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc773062(WS.10).aspx
http://blogs.technet.com/b/rhalbheer/archive/2009/03/16/time-sync-on-virtual-dcs.aspx
http://support.microsoft.com/kb/888794
0
 

Author Comment

by:Pipster
Hi to you both,

In answer to your question Gridlock137 the server was only ever a 2003 server, not upgraded etc.

Thanks Ken, I have had a look at the links and will give them a read through before going on with the project (I'm aiming to do this towards the end of the week)

Really do appreciate the help with this,

Phil
 
 
0
 
LVL 7

Expert Comment

by:GridLock137
you should be fine in regards to the forest root role, in 2003 all DC are the same, there is no PDC or BDC roles any more. you should be good to go.
0
 

Author Comment

by:Pipster
Hi,

Thanks for clearing that up for me - there were some NT servers in the past but only joined via trusts in the old domain. The server was installed clean as a 2003 server into a brand new domain.

Thanks very much to you both! I will let you know how things develop!

Phil
0
 
LVL 7

Expert Comment

by:GridLock137
cool, let know if you run into any issues.
0
 

Author Comment

by:Pipster
Hi,
I just ran the replmon tool to check the status of our replication and found a couple of things that I was wondering about.

1. On the server I am going to replace there is a replication entry called DC=TAPI3Directory which is not on the other servers - I have read this is used for IP and other telephony services:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24797750.html
is there any way to tell what is actually using this?

2. There is no entry for DC=DomainDNS and DC=ForestDNS on the virtual server but that machine is not a DNS server so am I right in thinking that is the reason why?

Thanks for the help!
Phil
0
 

Author Comment

by:Pipster
Hi,

I have created the new DC and at the moment replmon says that it is replicating between two out of the 3 current servers - the one that it is not replicating with is the server I am intending to replace.

I have checked event logs and run dcdiag on the server that is not replicating but there are no errors that I can see?

Can anyone help with this? It has been 1 1/2 hours since I performed the dcpromo on the new server.

Thanks!
Phil
0
LVL 7

Expert Comment

by:GridLock137
this could be helpful for the TAPI3Directory:

http://forums.techarena.in/active-directory/757216.htm

0
 
LVL 7

Expert Comment

by:GridLock137
make sure your NTDS settings in active directory sites and services have an entry for the new DC, if it does not show up then demote the new server and promote to DC again. hopefully you have not transferred the FSMO roles, if you have do not perform that action and try and troubleshoot it via AD sites and Services.
0
 

Author Comment

by:Pipster
Hi Gridlock137,

I have looked at the site and services and under
ADSAS -> Sites -> Site.. -> servers -> it lists all 4 servers

Two are showing under NTDS settings all three of their partners, the other two are showing two but not each other.

I have not at this point moved any roles etc.

I can't understand why it's replicating to two servers and not the other!

phil
0
 

Author Comment

by:Pipster
Hi Gridlock137,

I have opened this as another question about this if you want to continue on that one?

thanks
Phil
0
 
LVL 7

Expert Comment

by:GridLock137
under the NTDS settings for your new DC, is the GC option checked off?
0
 

Author Comment

by:Pipster
Hi,

there is no tick in the GC option box if that is where you are referring?

phil
0
 
LVL 7

Expert Comment

by:GridLock137
try making that guy a GC, it will not hurt.
0
 

Author Comment

by:Pipster
Hi,

If this issue was left over night would it cause any issues? I'm trying to put support tools on at the moment.

Thanks again!
Phil
0
 
LVL 7

Expert Comment

by:GridLock137
not at all, maybe replication time is being a bit latent, give it until tomorrow, you may want to run a dcdiag to make sure you pass all tests.
0
 

Author Comment

by:Pipster
Hi Gridlock137,

I made the server a GC and things started to happen!

I checked things late on last night and this morning and found that there was a message on one of the server event logs stating
"To improve the replication load of Active Directory, a replication connection from the following source domain controller to the local domain controller was deleted."
When I have mapped it out when checking with replmon it forms the perfect (square) ring topology - A talks to B and D, B talks to A and C, C talks to B and D, D talks to A and C.

There are no connections direct from A and C which is producing a message relating to "The Windows NT 4.0 or earlier checkpoint with the PDC emulator was unsuccessful" - looking into this it is due to not having a direct connection between C - the forest root running that FSMO role and A - the new VM server - which I believe is harmless?

The domain has never had Windows NT servers running directly in it but there were some joined via a trust during the migration from the old NT domain onto the new 2003 AD domain.

I have posted this as another question as I was not sure about the asking a question within a question rules of EE - your help so far has really given me confidence about the process - I really appreciate it.

Phil
0
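The square ring Phil mapped out by hand with replmon is what the KCC builds inside a single site: a bidirectional ring in which no DC is more than three hops from any other, so with four DCs there is no connection across the diagonal and the new VM and the PDC emulator holder need not be direct partners. The script below is an added example (not from this thread) that reads the nTDSConnection objects the KCC created and prints the same map as an adjacency list, then checks whether two named DCs are direct partners. It assumes PowerShell with the .NET System.DirectoryServices classes and read access to the Configuration partition; the two server names at the bottom are placeholders.

```powershell
# Added example, not from the thread: print the intra-site replication ring
# from the connection objects under each DC's NTDS Settings container.
# Assumes PowerShell with System.DirectoryServices and read access to the
# Configuration partition. Server names at the bottom are placeholders.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value

# A connection's parent and its fromServer attribute are both NTDS Settings DNs:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
function Get-ServerFromNtdsDn([string]$Dn) {
    if ($Dn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $Dn
}

# Returns a hashtable: destination DC -> list of @{Source; KccGenerated}.
# AD replication is pull-based, so each entry is an inbound link.
function Get-ReplicationTopology {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter   = '(objectClass=nTDSConnection)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'fromServer', 'options'))

    $inbound = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        # strip the connection's own RDN to reach its parent NTDS Settings DN
        $dest = Get-ServerFromNtdsDn ($dn -replace '^CN=[^,]+,', '')
        $src  = Get-ServerFromNtdsDn $result.Properties['fromserver'][0]
        $optValue = 0
        if ($result.Properties['options'].Count -gt 0) { $optValue = [int]$result.Properties['options'][0] }
        $generated = (($optValue -band 1) -eq 1)   # bit 0x1 = NTDSCONN_OPT_IS_GENERATED (built by the KCC)
        if (-not $inbound.ContainsKey($dest)) { $inbound[$dest] = @() }
        $inbound[$dest] += @{ Source = $src; KccGenerated = $generated }
    }
    return $inbound
}

# Two DCs are direct partners if either one pulls from the other.
function Test-DirectPartners($Topology, [string]$A, [string]$B) {
    $aFromB = $Topology.ContainsKey($A) -and (@($Topology[$A] | Where-Object { $_.Source -eq $B }).Count -gt 0)
    $bFromA = $Topology.ContainsKey($B) -and (@($Topology[$B] | Where-Object { $_.Source -eq $A }).Count -gt 0)
    return ($aFromB -or $bFromA)
}

$topology = Get-ReplicationTopology
foreach ($dest in ($topology.Keys | Sort-Object)) {
    $sources = $topology[$dest] | ForEach-Object {
        if ($_.KccGenerated) { $_.Source } else { $_.Source + ' (manual)' }
    }
    Write-Host ('{0} pulls from: {1}' -f $dest, (($sources | Sort-Object -Unique) -join ', '))
}

# Placeholders: the new VM DC and whichever DC holds the PDC emulator role.
$newDc = 'VMDC01'; $pdcEmulator = 'PHYSDC01'
if (Test-DirectPartners $topology $newDc $pdcEmulator) {
    Write-Host "$newDc and $pdcEmulator replicate directly"
} else {
    Write-Host "$newDc and $pdcEmulator are not direct partners; changes between them travel via the other DCs in the ring"
}
```

In a healthy four-DC site every DC should list exactly two KCC-generated sources and the output reads as the A-B-C-D square from the post above; a DC with fewer inbound links, or a manual connection nobody remembers creating, is the thing to investigate before pulling the old DC's cable.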
 

Author Comment

by:Pipster
Just an update - this is still ongoing and I will update as soon as possible!
phil
0
 

Author Comment

by:Pipster
Hi - This project has been changed so please accept apologies for not updating earlier.

Thank you for the outstanding help with this, I have learned some excellent information for the future.

Thanks again,

Phil


0
 
LVL 7

Expert Comment

by:GridLock137
not a problem, glad to be of help.
0
