Swapping IP addresses on 2 Domain Controllers (Windows Server 2003/2008)

Server A: Windows Server 2003 SP2 domain controller - Primary DNS server in DHCP and statically assigned on member servers
Server B: Windows Server 2008 R2 domain controller - DNS installed but not in use

Windows 2003 Native domain and forest

Healthcare environment (there are other DC/GCs in this domain)

Both IP addresses are on the same network

Many medical applications (no reliable list of applications exists) point to Server A as their sole LDAP source. Not sure if they point to the name or IP address.

I need to retire Server A as part of an upgrade to Windows Server 2008 R2. I would like to assign the IP address of Server A to Server B and also create a CNAME record that points queries for Server A to Server B. Once the IP addresses are swapped, I would then run

Ipconfig /registerdns and dcdiag /fix

to register the new name/ip and to refresh the DNS resource records respectively. I believe it would then be best to remove the domain controller role from Server A to force use of the alias.

I would like to do this in both the root domain and also one of the child domains. I am not sure how the computers/servers will respond to the change in domain controller availability. Will these steps be a transparent way to retire a server without changing DHCP settings and the static, primary DNS server IP on member servers?



First, run a sniffing tool like Wireshark and scan for LDAP requests. This should answer your question of how many LDAP clients you have. I'd recommend creating a plan first, just in case of unexpected behaviour later.

Second, I do not recommend doing your "migration" without testing it in a productive environment! Really.

Third: Theoretically, your "migration" should work.

Best regards!

PS: Test it before doing it :)
bstillion (Author) Commented:
Thanks dibi!

It's hard to create a test environment that is in any way close to our complex production environment, so I'm not sure how valuable the test would be.

A test environment is always valuable in helping establish the step-by-step procedure that works best, which in turn reduces downtime. It's just difficult to really know what implications my actions will have on production systems.

There are hundreds of applications running software versions that are often out of support, Macintosh PCs and devices, GroupWise email, and forest and external trusts with multiple sites. It would take months to test all of the major parts with any confidence.

Any suggestion on what would be the critical elements to test?

This is certainly a challenge. Swapping IP addresses of the domain controllers is easy to do, and easy to reverse. Anything that uses DNS could be a bigger challenge. I would change the IP address of the old server and then add the original IP to the new server. Do the ipconfig /registerdns and see how things go, probably for a few days. If you have network monitoring that can record the number of LDAP connections per day/hour before and after, that would be great, because then you can see how many connections use the IP address and how many use the DNS name. Then, after things have settled down, I would power off or disconnect the original server from the network, delete its current DNS entries and put in the CNAME. See how that goes. You might need to go through DNS and remove all references to it in the special _ zones used by AD. If all goes well after a week or so, you can then either delete the CNAME and bring the DC back online to do a clean removal from AD using dcpromo, or you can leave it off and forcibly remove it from AD and do a metadata cleanup.
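The before/after LDAP connection comparison suggested in the answer above, as an added example that is not part of the original thread: once Server A's original IP has been added to Server B, clients still reaching that address on LDAP ports are pinned to the IP, while clients following Server A to its new address are resolving it by name. The addresses, the flow-record format and the sample lines are constructed assumptions; adapt the parser to whatever your network monitoring exports.

```python
from collections import defaultdict

# Constructed addresses (documentation range); substitute your own.
OLD_A_IP = "192.0.2.10"   # Server A's original IP, now added to Server B
NEW_A_IP = "192.0.2.50"   # Server A's temporary new IP after the swap
LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, GC, GC over SSL

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2000-01-01T08:00:01 192.0.2.101 192.0.2.10 389
2000-01-01T08:00:05 192.0.2.102 192.0.2.50 389
2000-01-01T08:01:10 192.0.2.101 192.0.2.10 389
2000-01-01T08:02:00 192.0.2.103 192.0.2.10 636
2000-01-01T08:02:30 192.0.2.103 192.0.2.50 3268
2000-01-01T08:03:00 192.0.2.104 192.0.2.10 53
2000-01-01T08:04:00 192.0.2.105 192.0.2.20 389
"""

def parse_flows(text):
    """Yield (src, dst, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def classify_ldap_clients(text):
    """Map client IP -> (kind, LDAP connection count).

    'ip'   : reached Server A's original address (hard-coded IP or stale DNS cache)
    'name' : followed Server A to its new address (hostname or DC locator)
    'both' : seen on both addresses; check each application on that host
    """
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, port in parse_flows(text):
        if port not in LDAP_PORTS:
            continue  # DNS and other traffic is not part of this inventory
        if dst == OLD_A_IP:
            hits[src]["ip"] += 1
        elif dst == NEW_A_IP:
            hits[src]["name"] += 1
    result = {}
    for src, counts in hits.items():
        kind = "both" if len(counts) == 2 else next(iter(counts))
        result[src] = (kind, sum(counts.values()))
    return result

if __name__ == "__main__":
    for client, (kind, n) in sorted(classify_ldap_clients(SAMPLE_FLOWS).items()):
        print(f"{client}: {kind} ({n} LDAP connections)")
```

Clients in the 'name' group are the ones the later CNAME step has to cover; clients in the 'ip' group keep working only as long as Server B holds the original address.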
