Pipster

asked on

Migrate Old Windows 2003 Server DC to New Virtual DC - Server was first DC installed.


Hello Everyone,

Sorry for the long post!

I am in the process of removing a Windows 2003 Server from our domain by migrating all the roles onto a newly setup DC within our virtual environment and I am looking for any advice that can help with the process. I have added servers but this will be my first time removing one.

I have read through various posts on the site, all of which have been very helpful in putting together my proposed process, but I can’t find a “step by step” - If there is one please point me in that direction!!

Information.

The Physical DC was the very first DC (forest root) and runs DHCP, WINS, DNS, GC, Time Server and 4 of the FSMO Roles. We currently have 1 virtual DC (p2v of server) and 2 physical ones (2nd physical server is running one of the FSMO roles and is a DNS server).

The DNS is Active Directory integrated with no scavenging setup.

All 3 servers are GCs

Both physical servers are DNS servers

Proposed Plan:

Create new VM server from Template

Setup as DC –
Join Server to domain.
Run DCpromo and run through process:
Dcpromo->add domain controller to existing domain->
Reboot
Make GC
Wait 15/45min to check objects are appearing in DC
Check Event Logs for replication information - Dcdiag

Install DNS Service:
Using Add/ Remove Programmes install DNS
Will all the settings automatically go across or is anything else required for DNS? Will I need to configure forwarding zones?
            
Install DHCP:
Export configuration from Existing server
Netsh dhcp server export c:\dhcp.txt all
Vm Machine – Add Remove->Network Services->DHCP
Import Configuration
Netsh dhcp server import c:\dhcp.txt all
Stop Services on existing physical DHCP Server
Authorise VM DHCP server
Configure DHCP settings for Clients to use new DNS Server address as primary

Transfer FSMO Roles:
Transfer roles via Pull method – transfer roles to current 2nd Physical Server
Wait for 15 mins between each role move.
AD Sites and Services – operation Masters
AD Users and Computers – operation Masters
Register regsvr32 schmmgmt.dll -> add active Dir Schema -> change

Shut Down Existing DC:
Pull network cable out of 1st Physical server via switch not back of physical server
Wait for users / log in tests DHCP etc (any recommendations of time? Windows sp2 tombstone is 60days? )

Final Steps:
Plug Network cable back into Existing DC
Allow Synchronisation to occur with servers
Demote DC via DC Promo
Add/Remove DNS Application from Server
Move old Physical Server from domain via My computer and put in workgroup
Remove physical machine
Remove entry within DNS?

Does this seem like the correct method of removing a server? Are there any steps that I need to be aware of regarding this being the very first Domain controller I set up within the domain?

Any help and guidance would be really appreciated!!

Thanks!

Phil
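
The plan above demotes the old DC only after the FSMO roles have been transferred. As an added example (not part of the original post), this Python script parses captured `netdom query fsmo` output and lists any roles still owned by the server being retired. The host names and sample output are constructed, and the role labels are assumed to match what the Windows Server 2003 Support Tools version of netdom prints.

```python
import re

# Constructed sample of `netdom query fsmo` output, mirroring the thread's
# starting point: four roles on the old forest-root DC, one on the second
# physical server. Which role sits on the second server is an assumption.
SAMPLE_BEFORE = """\
Schema owner                OLDDC01.example.local

Domain role owner           OLDDC01.example.local

PDC role                    OLDDC01.example.local

RID pool manager            PHYSDC02.example.local

Infrastructure owner        OLDDC01.example.local

The command completed successfully.
"""

# Labels assumed to be those printed by the Windows Server 2003 netdom.
ROLE_LABELS = (
    "Schema owner", "Domain role owner", "PDC role",
    "RID pool manager", "Infrastructure owner",
)

def parse_fsmo(text):
    """Return {role label: owner FQDN (lower-case)} from netdom output."""
    owners = {}
    for line in text.splitlines():
        for label in ROLE_LABELS:
            m = re.match(re.escape(label) + r"\s+(\S+)\s*$", line.strip(), re.I)
            if m:
                owners[label] = m.group(1).lower()
    return owners

def roles_blocking_demotion(text, dc_to_retire):
    """List roles still owned by dc_to_retire; raise if output is incomplete."""
    owners = parse_fsmo(text)
    missing = [r for r in ROLE_LABELS if r not in owners]
    if missing:
        # Fail closed: an unparsed role must never read as "already moved".
        raise ValueError("roles missing from output: " + ", ".join(missing))
    short = dc_to_retire.lower().split(".")[0]
    return [r for r in ROLE_LABELS if owners[r].split(".")[0] == short]

if __name__ == "__main__":
    held = roles_blocking_demotion(SAMPLE_BEFORE, "OLDDC01")
    print("Roles still held by OLDDC01 (do not demote until empty):", held)
```

An empty list is the condition to wait for before the "Demote DC via DC Promo" step; the check raises rather than passing if any of the five roles cannot be found in the output.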
Pipster

ASKER

actually I just found this which is great

https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_269-Replace-a-Windows-Server-2003-Domain-Controller.html

Very helpful but I do still have some questions I've listed in the original post.

thanks for any help!
phil
ASKER CERTIFIED SOLUTION
GridLock137
Pipster

ASKER

Hi Gridlock,

Thanks for the quick reply!

The info is good and I will follow your recommendation regarding the old DC. We are at present only going to add a new 2003 server but will move to 2008 later.

Does it matter that the DC I'm going to remove was the first "forest root" server? Also the DNS side of things, will I need to configure anything on the new VM DNS server like forward lookup zones?

Thanks again.
phil
being you're AD integrated everything should replicate over to the new server, the info provided should be the same steps for a 2003 server. in regards to the root server, was this or still is a 2000 OS?
SOLUTION
Pipster

ASKER

Hi to you both,

In answer to your question Gridlock137 the server was only ever a 2003 server, not upgraded etc.

Thanks Ken, I have had a look at the links and will give them a read through before going on with the project (I'm aiming to do this towards the end of the week)

Really do appreciate the help with this,

Phil
 
 
you should be fine in regards to the forest root role, in 2003 all DCs are the same, there are no PDC or BDC roles any more. you should be good to go.
Pipster

ASKER

Hi,

Thanks for clearing that up for me - there were some NT servers in the past but only joined via trusts in the old domain. The server was installed clean as a 2003 server into a brand new domain.

Thanks very much to you both! I will let you know how things develop!

Phil
cool, let me know if you run into any issues.
Pipster

ASKER

Hi,
I just ran the replmon tool to check the status of our replication and found a couple of things that I was wondering about.

1. On the server I am going to replace there is a replication entry called: DC=TAPI3Directory which is not on the other servers - I have read this is used for IP and other telephony services:
https://www.experts-exchange.com/questions/24797750/Demoting-a-domain-controller-with-application-directory-partitions-DC-TAPI3Directory.html
Is there any way to tell what is actually using this?

2. There is no entry for Dc=DomainDNS and DC=ForestDNS on the virtual server but that machine is not a DNS server so am I right in thinking that is the reason why?

Thanks for the help!
Phil
Pipster

ASKER

Hi,

I have created the new DC and at the moment replmon says that it is replicating between two out of the 3 current servers - the one that it is not replicating with is the server I am intending to replace.

I have checked event logs and run dcdiag on the server that is not replicating but there are no errors that I can see?

Can anyone help with this? It has been 1 1/2 hours since I performed the dcpromo on the new server.

Thanks!
Phil
this could be helpful for the TAPI3Directory:

http://forums.techarena.in/active-directory/757216.htm

make sure your NTDS settings in active directory sites and services have an entry for the new DC, if it does not show up then demote the new server and promote to DC again. hopefully you have not transferred the FSMO roles, if you have do not perform that action and try and troubleshoot it via AD sites and Services.
Pipster

ASKER

Hi Gridlock137,

I have looked at the site and services and under
ADSAS -> Sites -> Site.. -> servers -> it lists all 4 servers

Two are showing under NTDS settings all three of their partners, the other two are showing two but not each other.

I have not at this point moved any roles etc.

I can't understand why it's replicating to two servers and not the other!

phil
Pipster

ASKER

Hi Gridlock137,

I have opened this as another question about this if you want to continue on that one?

thanks
Phil
under the NTDS settings for your new DC, is the GC option checked off?
Pipster

ASKER

Hi,

there is no tick in the GC option box if that is where you are referring?

phil
try making that guy a GC, it will not hurt.
Pipster

ASKER

Hi,

If this issue was left overnight would it cause any issues? I'm trying to put support tools on at the moment.

Thanks again!
Phil
not at all, maybe replication time is being a bit latent, give it until tomorrow, you may want to run a dcdiag to make sure you pass all tests.
Pipster

ASKER

Hi Gridlock137,

I made the server a GC and things started to happen!

I checked things late on last night and this morning and found that there was a message on one of the server event logs stating
"To improve the replication load of Active Directory, a replication connection from the following source domain controller to the local domain controller was deleted."
When I mapped it out while checking with replmon, it forms the perfect (square) ring topology - A talks to B and D, B talks to A and C, C talks to B and D, D talks to A and C.

There are no connections direct from A and C which is producing a message relating to "The Windows NT 4.0 or earlier checkpoint with the PDC emulator was unsuccessful" - looking into this it is due to not having a direct connection between C - the forest root running that FSMO role and A - the new VM server - which I believe is harmless?

The domain has never had Windows NT servers running directly in it but there were some joined via a trust during the migration from the old NT domain onto the new 2003 AD domain.

I have posted this as another question as I was not sure about the asking a question within a question rules of EE - your help so far has really given me confidence about the process - I really appreciate it.

Phil
Pipster

ASKER

Just an update - this is still ongoing and I will update as soon as possible!
phil
Pipster

ASKER

Hi - This project has been changed so please accept apologies for not updating earlier.

Thank you for the outstanding help with this, I have learned some excellent information for the future.

Thanks again,

Phil


not a problem, glad to be of help.