Replacing server 2003 domain controllers and renaming them

Posted on 2011-04-20
Medium Priority
Last Modified: 2012-05-11
I need to replace two aging DCs in a subdomain of my AD forest with two new DCs using the same names and IP addresses as the originals. All the DCs are running Server 2003 and the domain functional level is Windows Server 2003.

I've read plenty on the process of renaming a DC, but is there anything to watch out for when renaming a DC using the name of a DC that was just demoted?

Here is the setup and plan so far:

The existing DCs are DC1 and DC2. DC1 has the RID, PDC, and Infrastructure ops FSMO roles as well as DNS, DHCP, and WINS. DC2 has the global catalog, DNS, and WINS. The new DCs are DC1new and DC2new, which are already joined to the domain and have been promoted.

To replace DC1 with DC1new:

1.) Export the WINS database from DC1 as a backup. After the rename, if I add DC2 as a WINS replication partner it should replicate the DB so I don't need to import it manually?
2.) Export the DHCP database from DC1 using "netsh dhcp server export c:\dhcp.txt all"
3.) Move the RID, PDC, and Infrastructure ops manager roles to DC1new using ADUC and the properties tab of the domain
4.) Verify replication is working. What is the best way to do this? Repadmin? Dcdiag?
5.) Disable DHCP on DC1
6.) Demote DC1 to member server, remove it from the domain and turn it off. Do I also need to delete it from AD Sites and Services? Any other tricks to demotion?
7.) Change the IP address on DC1new to the IP of the old DC1
8.) Rename DC1new to DC1 using the netdom steps found here http://www.petri.co.il/windows_2003_domain_controller_rename.htm
9.) Rename the sysvol member object
10.) Import the DHCP database on the new DC1. Since the IP is staying the same, is there anything else to this step?
11.) Set up WINS replication with DC2 (see step 1)
12.) Done?

For renaming DC2new to DC2 I was going to follow the same plan, with the exception of the DHCP steps since it isn't running on DC2, and since the only FSMO role is global catalog, just use AD Sites and Services to enable the global catalog.

A final question about AD sites and services.  At the moment, the NTDS settings for DC1 and DC2 are slightly different.  DC1 only shows an auto generated connection to DC1new and DC2new.  DC2 has an auto generated connection to DC1new, DC2new, ForestDC1, and then two manually created connections to the two DCs in another subdomain.  DC1new and DC2new show auto generated connections to DC1 and DC2.  What will I need to create manually and what will be auto generated once all this madness is done?  At which point during my 12 steps listed above do I need to mess with these settings?

Question by:tferro999

Accepted Solution

Bruno PACI earned 2000 total points
ID: 35438942

First of all, give the GC function to both new DCs. The GC is critical; you need it to log on, so you should always have at least 2 GCs in your domain. The problem between the Infrastructure Master and the Global Catalog can be ignored if all the DCs in your domain are also GCs.

About 1): Make the new DCs WINS replication partners of the old DCs BEFORE renaming anything. Ensure the WINS replication is OK and all WINS servers have the same information. After that you can proceed with renaming servers, and at the end you'll remove the retired WINS partners.

About 4): REPADMIN and DCDIAG will give you warnings if replication does not work, but a visual way to check replication is to create a new object on each DC (for example a new OU on each DC, with a different name on each DC), wait 5 minutes, and then go and see if all the objects exist on all DCs. Then you can remove these objects.

About 6): Yes, after a demote you'll have to remove the object manually in "AD Sites and Services". Sometimes demoting does not do the full job. You may have to use NTDSUTIL METADATA CLEANUP to definitively remove any traces of the old DC.

About 7): After a DC rename, wait some time to be sure replication has completed before proceeding to the next step. If you don't wait long enough and go on renaming other servers, you may reach a situation where replication doesn't work anymore. So give AD replication time to broadcast the changes to all DCs after each step.

About 9): I don't understand what you're talking about when you say "sysvol member object"!?

About 11): Again, do the full WINS replication at the beginning of your process. Don't wait until step 11 to make the WINS servers replicate with each other. At the end, you'll only have to remove the replication partners that don't exist anymore.

About NTDS Settings: In a normal situation a replication topology is automatically generated and you should only see auto-generated connectors. Sometimes you may have to create manual connectors to match a special physical network topology.
If you don't know why there are manual connectors, you should recreate these connectors identically on the new DCs.

Again, as there are many other DCs in the forest, after each renaming step give replication time to replicate each change to the whole forest! Take a look at the site links topology after each step. Ask the other domain admins to check for replication problems.

Have a good day.
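The replication check the asker raises at step 4, and the "create an OU on each DC and look for it everywhere" test the accepted answer describes, scripted as an added example. This is not code from the original thread or from either participant. It assumes repadmin.exe is on the PATH (Support Tools on Server 2003) and that the caller is a Domain Admin; the domain DN, DC names and repadmin rows in the sample are constructed for illustration.

```powershell
# Added example, not code from the original thread: two ways to answer the
# asker's step 4 ("is replication working?") before moving FSMO roles or
# demoting DC1. Get-ReplFailure parses "repadmin /showrepl * /csv" output;
# the *-ReplCanary functions script the visual test Bruno describes (create
# a distinctly named OU on each DC, wait, check that every DC sees all of them).
# Assumes repadmin.exe is on the PATH (Support Tools on Server 2003) and the
# caller is a Domain Admin. Domain DN and DC names below are constructed.

function Get-ReplFailure {
    param(
        # Lines exactly as written by "repadmin /showrepl * /csv": the first
        # line is the header, data rows start with "showrepl_INFO".
        [Parameter(Mandatory=$true)] [string[]] $CsvLines
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $failures = 0
        # The column is text; a DC that could not be reached yields a non-numeric row
        if ([int]::TryParse($row.'Number of Failures', [ref]$failures) -and $failures -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $row.'Last Success Time'
                LastStatus    = $row.'Last Failure Status'   # Win32 error code
            }
        }
    }
}

function New-ReplCanary {
    param([string[]] $DcNames, [string] $DomainDN)
    foreach ($dc in $DcNames) {
        # Bind to the domain root on this specific DC so the write originates there
        $root = [adsi]"LDAP://$dc/$DomainDN"
        $ou = $root.Create('organizationalUnit', "OU=ReplTest-$dc")
        $ou.SetInfo()
    }
}

function Test-ReplCanary {
    param([string[]] $DcNames, [string] $DomainDN)
    # One row per (DC checked, DC the OU was created on); every Present should be True
    foreach ($dc in $DcNames) {
        foreach ($origin in $DcNames) {
            New-Object PSObject -Property @{
                CheckedOn = $dc
                CreatedOn = $origin
                Present   = [adsi]::Exists("LDAP://$dc/OU=ReplTest-$origin,$DomainDN")
            }
        }
    }
}

function Remove-ReplCanary {
    param([string[]] $DcNames, [string] $DomainDN)
    foreach ($dc in $DcNames) {
        ([adsi]"LDAP://$dc/$DomainDN").Delete('organizationalUnit', "OU=ReplTest-$dc")
    }
}

# Constructed sample output (not captured from a real forest): DC2NEW has not
# pulled the domain partition from DC1 for a day; 1722 = RPC server unavailable.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1NEW,"DC=sub,DC=example,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2011-04-20 09:15:02,0
showrepl_INFO,Default-First-Site-Name,DC2NEW,"DC=sub,DC=example,DC=com",Default-First-Site-Name,DC1,RPC,12,2011-04-20 09:10:44,2011-04-19 18:02:11,1722
'@ -split "`r?`n"

$bad = @(Get-ReplFailure -CsvLines $sample)
if ($bad.Count -eq 0) { 'No failing inbound links.' }
else { $bad | Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastStatus -AutoSize }

# Live use, run from any DC once the new DCs are promoted:
#   $bad = @(Get-ReplFailure -CsvLines (repadmin /showrepl * /csv))
#   New-ReplCanary    -DcNames DC1,DC2,DC1new,DC2new -DomainDN 'DC=sub,DC=example,DC=com'
#   Start-Sleep -Seconds 300
#   Test-ReplCanary   -DcNames DC1,DC2,DC1new,DC2new -DomainDN 'DC=sub,DC=example,DC=com' | Format-Table
#   Remove-ReplCanary -DcNames DC1,DC2,DC1new,DC2new -DomainDN 'DC=sub,DC=example,DC=com'
```

A zero-failure repadmin report says each DC could pull from its partners recently; the canary rows say a change made on every DC actually arrived everywhere, which is the stronger evidence to want before demoting the old DC1 or reusing its name. Any row with Present = False after the wait means the rename should not proceed yet.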

Author Comment

ID: 35440310
Regarding the Infrastructure master and GC FSMO roles, I heard that they cannot exist on the same DC unless every DC in the entire Forest has a GC present.  Is this true, or will it work as long as both DCs in this subdomain have a GC?

7.) I was planning on waiting at least a day in between renaming the two DCs.

9.) http://technet.microsoft.com/en-us/library/cc787188(WS.10).aspx

Thanks for your help with this.

Expert Comment

by:Bruno PACI
ID: 35441614

About the GC and the Infrastructure Master: if they are hosted on the same DC, the Infrastructure Master will not work. BUT if all the DCs in your domain are GCs then you'll never need the Infrastructure Master of this domain, so it doesn't matter if it doesn't work.

The Infrastructure Master problem is domain-level... So, whatever the situation in the other domains of the forest, you just have to make a choice for your domain between 2 possibilities:

1) Make sure that your Infra Master is not hosted on a GC, so that your Infra Master is functioning
2) Or don't worry about the Infra Master and make all your domain's DCs GCs, so that you won't need the Infra Master

Personally, I always make the second choice for my customers: every DC is a GC and all is OK.
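The two acceptable placements described above (Infrastructure Master on a non-GC, or every DC in the domain a GC) can be checked rather than assumed. The following is an added example, not code from the thread; it uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with .NET 2.0, so it needs no ActiveDirectory module. The function names and the sample DC list are constructed for illustration; the DC names DC1 and DC2 mirror the asker's domain.

```powershell
# Added example, not part of the original thread: report where the
# Infrastructure Master sits relative to the Global Catalog servers of one
# domain, the domain-level choice Bruno describes. Test-InfraMasterPlacement
# works on plain objects so it can be run offline; Get-LiveInfraMasterPlacement
# collects the same facts from the current domain via .NET 2.0 classes.

function Test-InfraMasterPlacement {
    param(
        # Objects with Name (string) and IsGC (bool), one per DC in the domain
        [Parameter(Mandatory=$true)] [object[]] $DomainControllers,
        # Name of the DC holding the Infrastructure Master role
        [Parameter(Mandatory=$true)] [string]   $InfraMaster
    )
    $gcs    = @($DomainControllers | Where-Object { $_.IsGC })
    $nonGcs = @($DomainControllers | Where-Object { -not $_.IsGC })
    $imIsGc = [bool]($gcs | Where-Object { $_.Name -eq $InfraMaster })

    if ($nonGcs.Count -eq 0) {
        # Every DC already holds the full forest view, so there are no phantom
        # references for the Infrastructure Master to update.
        $verdict = 'OK: every DC is a GC; Infrastructure Master placement does not matter.'
    } elseif (-not $imIsGc) {
        $verdict = 'OK: Infrastructure Master is on a non-GC and can update the non-GC DCs.'
    } else {
        $verdict = "WARNING: Infrastructure Master is on a GC while $($nonGcs.Count) DC(s) are not GCs; " +
                   'move the role to a non-GC or make every DC a GC.'
    }
    New-Object PSObject -Property @{
        InfraMaster     = $InfraMaster
        GcCount         = $gcs.Count
        NonGcCount      = $nonGcs.Count
        InfraMasterIsGc = $imIsGc
        Verdict         = $verdict
    }
}

function Get-LiveInfraMasterPlacement {
    # Domain.DomainControllers and DomainController.IsGlobalCatalog() are .NET 2.0 APIs
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcs = foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{ Name = $dc.Name; IsGC = $dc.IsGlobalCatalog() }
    }
    Test-InfraMasterPlacement -DomainControllers $dcs -InfraMaster $domain.InfrastructureRoleOwner.Name
}

# Constructed sample matching the asker's starting point: DC1 holds the
# Infrastructure Master and is not a GC, DC2 is the only GC.
$before = @(
    (New-Object PSObject -Property @{ Name = 'DC1'; IsGC = $false }),
    (New-Object PSObject -Property @{ Name = 'DC2'; IsGC = $true  })
)
Test-InfraMasterPlacement -DomainControllers $before -InfraMaster 'DC1' | Format-List

# Same domain after following the accepted answer (both DCs made GCs)
$after = $before | ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; IsGC = $true } }
Test-InfraMasterPlacement -DomainControllers $after -InfraMaster 'DC1' | Format-List

# Live: Get-LiveInfraMasterPlacement | Format-List
```

Running the live function before and after each role move and GC change gives a one-line record of whether the domain is in one of the two supported states, which is easier to audit than reading the NTDS Settings options by hand.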
