Replace DC & Preferred DNS with another using same IP

Hey,

I'm in the process of replacing some servers here, 2 of which are domain controllers and also preferred and alternate DNS servers for the domain.  I replaced the alternate DNS server and DC2 server a while ago by demoting the old DC, removing from domain, then re-IPing the new DC2 server to the old address and then ipconfig /registerdns and dcdiag /fix and all seemed to work fine.

Now I need to do the same for my original DC1 server which is also the preferred DNS server for all my servers and desktops.  So, what would be the steps for this?  2003 Native Domain.

1.  Change IP address of OLDDC1 to something else and run ipconfig /registerdns and dcdiag /fix to update DNS.  How would this work if the preferred DNS is no longer available, as this was it?
2.  Change IP address of NEWDC1 to the original OLDDC1 IP address and run ipconfig /registerdns and dcdiag /fix to update DNS, which it should find OK?

Is that right?  I'm not sure how it's going to function when I pull the preferred DNS server out of the equation, that's all.

Also, as an aside, I have been planning to upgrade my DCs to 2008, but as I currently have 2003 Enterprise and would only need 2008 Standard I need to reinstall.  Would it be best if I do this on the NEWDC1 before I do the replace with the old one, and if so are there any implications for a combined 2003/2008 AD/DNS infrastructure?

Thanks!

Andy
manic_andy asked:
kevinhsiehCommented:
When switching servers that are also configured for DNS, I just take the original server and change the IP address to something else, and then I take the replacement server (already configured with DNS etc.) and give it the IP address of the original server. Works great, and you don't have to worry about reconfiguring all of the endpoints on your network to use different DNS servers.  
ITguy565Commented:
Andy,

First I would determine where my FSMO Roles are located. If they are on the original DC then I would transfer them to another server.

Then determine what services and Roles you have on the DC. Move those roles to another server.


Assuming you moved DNS to another server you can now change the primary DNS address distributed in DHCP and change the manual mapping for your primary DNS on any statically assigned workstations.

After this has been done I would suggest you power down that server and then run a DCDIAG on your network. This will determine if your network is functioning properly without that DC. If everything looks fine then DCPROMO that DC and remove it from the domain.
PACSAdminCommented:
There are no implications for a combined 2003/2008 AD as long as you keep the domain functional level at 2003. Do not raise it.
manic_andyAuthor Commented:
Thanks both.  Had a feeling it wouldn't be as simple as what I had to do with the alternate DNS/DC server.

All my FSMO roles are on the NEWDC2 which is also the alternate DNS.  DHCP is also on the NEWDC1 already so I'd have to take that into account as well with the move.

I'm guessing then I'll have to get all my workstations like you say, moved to the alternate DNS server as the primary (easy enough as all DHCP), but I have about 60 servers/VMs which I manage and all are statically assigned so I'd need to go through all of them and change them I guess.  Urgh!  Any way I can get around not having to change every device's preferred DNS to the alternate one?

PACSAdmin - Thanks for the heads-up.  Yep, I'd be leaving it as functional 2003.
PACSAdminCommented:
You can export your DHCP settings from the old server and import them to the new one to save time. Process is simple from 2003 to 2003. It can still be done to 2008 but there are a few more steps involved.
manic_andyAuthor Commented:
Yeah, totally happy doing DHCP moves.  As I'd like to keep it on the NEWDC1, I guess I could just increase the lease time before I do the servers instead of going through the process of moving it to another server, only to move it back again once the IP has changed?
PACSAdminCommented:
One thing not mentioned: when you have removed the old DC, double check DNS for any stale unwanted NS records that might have been left behind. Check that your new servers are in _MSDCS and the old ones are gone.
ITguy565Commented:
There is actually a script that I use for changing DNS on my statically assigned devices.

Since I can't seem to locate the script I wrote I will post the article I used as a basis for the script:

http://www.petri.co.il/configure_tcp_ip_from_cmd.htm
ITguy565Commented:
There are two commands for DNS since administrators typically configure a primary and secondary DNS server.

For the primary DNS run:

netsh interface ip set dns name="Local Area Connection" static 208.67.222.222

For the secondary run:

netsh interface ip add dns name="Local Area Connection" 208.67.220.220 index=2
ITguy565Commented:
Andy,

What I would suggest is creating a batch script that is designed just to change the primary and secondary DNS and then deploying it to a GPO only to the servers in question. This would make it where you don't have to go to each server and change the DNS information.
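A batch file of the kind ITguy565 describes (his own script is not on the page; this is an added example, not his code), which applies the two netsh commands from the earlier post to one server and then checks that both resolvers were actually set. The script name, the argument order, the IPv4 sanity check and the default interface name are assumptions; the example addresses in the usage comment are the thread's own.

```batch
@echo off
REM set-dns.cmd: added example, not ITguy565's own script.
REM Points a statically configured Windows 2003 server at a preferred and
REM an alternate DNS server with netsh, then verifies both were applied.
REM Usage: set-dns.cmd <preferred-ip> <alternate-ip> ["Interface name"]
REM e.g.   set-dns.cmd 172.25.1.36 172.25.1.35 "Local Area Connection"
REM Interface name defaults to "Local Area Connection"; list the real names
REM with: netsh interface ip show interface
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<preferred-ip^> ^<alternate-ip^> ["Interface name"]
    exit /b 1
)
set "PRIMARY=%~1"
set "SECONDARY=%~2"
set "IFACE=%~3"
if "%IFACE%"=="" set "IFACE=Local Area Connection"

REM Refuse to touch the resolver list unless both values look like dotted IPv4.
set "IPV4=^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$"
echo %PRIMARY%| findstr /r /c:"%IPV4%" >nul || goto :badip
echo %SECONDARY%| findstr /r /c:"%IPV4%" >nul || goto :badip

REM "set dns ... static" replaces the whole list with the preferred server;
REM "add dns ... index=2" appends the alternate behind it.
netsh interface ip set dns name="%IFACE%" static %PRIMARY% || goto :fail
netsh interface ip add dns name="%IFACE%" %SECONDARY% index=2 || goto :fail

REM Drop cached answers so lookups go to the new servers straight away.
ipconfig /flushdns >nul

REM Verify: both addresses must be listed for the interface, otherwise report failure.
netsh interface ip show dns name="%IFACE%" | findstr /c:"%PRIMARY%" >nul || goto :fail
netsh interface ip show dns name="%IFACE%" | findstr /c:"%SECONDARY%" >nul || goto :fail
echo DNS on "%IFACE%" is now %PRIMARY% (preferred), %SECONDARY% (alternate)
exit /b 0

:badip
echo Not an IPv4 address: "%PRIMARY%" / "%SECONDARY%"
exit /b 2

:fail
echo Could not configure DNS on "%IFACE%"; check the interface name and rerun.
exit /b 3
```

Deployed as a GPO startup script it runs once per boot, so the verification step is what tells you a server with a differently named interface was skipped.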
kevinhsiehCommented:
I recommend against changing the IP addresses of the DNS servers unless it really is necessary - and doing an OS upgrade is not one of those reasons IMHO. There might be printers, embedded Linux devices, routers, switches, wireless access points, workstations with static DNS settings, Unix servers, etc. that are statically configured. Not changing the IP addresses of the DNS servers is so easy, why would you go through all of the work of changing them?
manic_andyAuthor Commented:
Thanks guys.

Reason I need to change the IP address is that the server which also happens to be the preferred DNS for every desktop/server/printer etc. in my network is old and is being retired.  I want to replace it with another I already have built and so to save having to change every device I'd rather just re-IP the new server to take over the old IP.  I did this fine when I replaced the alternate DNS server but wasn't sure if it was OK to do for the preferred as well?

Can't use GPO for this as probably 70% of my servers are Linux VMs.
kevinhsiehCommented:
The same procedure works for replacing the preferred DNS server as well, which you especially want to do since so many of your servers have static DNS servers assigned.
manic_andyAuthor Commented:
Thanks.  OK, I'll go ahead and do it the same as when I did the alternate DNS in the past.  Change the original server's IP to something else, and register it with DNS.  Then change the new server to the old IP address and register that.

Thanks!
kevinhsiehCommented:
Good luck, though it should be easy.
manic_andyAuthor Commented:
Thanks.  Yeah, I've done it before like I say, but always ended up just being the alternate and never had a problem, but thanks for helping me bounce ideas round to put my mind at rest around the preferred change too.
manic_andyAuthor Commented:
OK, tried this last night but got into a world of hurt.

I changed my OLDDC1, NEWDC1 and NEWDC2 servers' DNS order to point to NEWDC2 then OLDDC1 in that order.

Once this was done I went onto OLDDC1, changed its IP address to something else and then ran ipconfig /registerdns and dcdiag /fix.  All seemed to go OK as when I checked on the NEWDC2 DNS server I could see the entries for OLDDC1 had updated with the new address.

BUT, on OLDDC1 my event log suddenly got 30 entries with event IDs 5775 and 5774.  I went to the other DC server as well as my Exchange server and did ipconfig /flushdns and then they could resolve OK, but I didn't like the look of these errors.

So, I reversed the steps and put OLDDC1 back to its original IP address.  All seemed OK after that, and I didn't get the 5775 or 5774 errors.

Any ideas what I should do now?  Do I need to reboot all my DC / Exchange servers so they pick up the new DNS server order from the top, before I make the changes, so at least they will always have access to their preferred DNS server first while all these changes take place?
manic_andyAuthor Commented:
OK, need some help now guys.

I went through the process again today.

Changed OLDDC1's IP address to a new one.  Did ipconfig /registerdns then dcdiag /fix and waited for it to replicate.  OK.  Then repeated on NEWDC1 but giving it OLDDC1 original address.  All seemed OK.

Checking my server logs after that all seemed OK for a few minutes, then Exchange 2003 gave me event ID 9176 about NSPI Proxy.  I followed what it said and rebooted NEWDC1 and this hasn't reoccurred.  I tried a few Outlook clients after this and all seem OK.  I did try doing an All User and despite it giving me an error when looking up a distro list, it worked the 2nd time round and has since?

Anyway, after that everything seemed OK for about an hour and I was about to go home when I noticed DC2 complaining it couldn't find a time server, which was my OLDDC1.  Noticed it was still looking for the old IP address even after a flushdns so I then rebooted OLDDC1.  It came up OK, but then I got a dreaded DUPLICATE MACHINE NAME error!!!!  WHAT!!  There isn't a duplicate machine, but now I have some NETBT errors in my System Log for this.

The name "DC1            :20" could not be registered on the Interface with IP address 172.25.1.39. The machine with the IP address 172.25.1.36 did not allow the name to be claimed by this machine.

From that 172.25.1.39 is the new address for OLDDC1 and 172.25.1.36 is the DC2 address which is also its primary DNS and WINS.

I think it's WINS now which is causing the problem as looking in WINS there are duplicate entries for OLDDC1 and NEWDC1 on both the addresses!

HELP!!!!
manic_andyAuthor Commented:
Also, after rebooting OLDDC1 the time server on DC2 has come back to life and is referencing OLDDC1 again so that's OK for now I guess.  Just need help with all the other errors which I think are WINS related.
manic_andyAuthor Commented:
Correction, DC2 is now saying it's getting the wrong time from NEWDC1 on its old IP address!!!  :(
PACSAdminCommented:
With your time issues: the DC that holds the PDC Emulator role is the DC that controls time for the domain. This DC should be configured to reference a time source, either an external one or, better still, a physical machine on your network running some sort of NTP service.

Is WINS necessary in your network?
PACSAdminCommented:
Reading your earlier posts, as part of the IP swap did you stop and start the netlogon service?

The procedure I used when I did a similar change was, on each domain controller after changing the IP, I ran:

a. ipconfig /registerdns
b. dcdiag /fix
c. net stop netlogon and net start netlogon
manic_andyAuthor Commented:
Thanks PACSAdmin.

The Time Service was actually on the OLDDC1 server and that synced to an external NTP server.  My DC2 server holds all the FSMO roles including the PDC role.

No, I didn't stop the netlogon, as when I did the same for the DC2 swap last year I didn't have to.  I did reboot NEWDC1 after the change because of the issue with Exchange and the GC and that seemed OK.  I then only rebooted OLDDC1 when I got the time errors and that's when I got the duplicate name / NETBT event ID errors and the reference for the old time server on DC2.

I set DC2 to reference OLDDC1 for the time service again, restarted w32time and that seems OK, but still have the old WINS entries which I'm concerned about, especially due to the NetBT errors on bootup of old DC1.

Yes, I think I need WINS as we have a lot of Linux VMs in the company, plus we use Exchange 2003 which relies on WINS, doesn't it?

Surprised I didn't get any of these problems last year when I did the same for DC2 swapover.
kevinhsiehCommented:
Exchange doesn't use WINS, and Linux shouldn't either. It is strictly for Microsoft clients, and generally should only be required for NT/Win9x clients...hopefully you don't have any of those.

What are your plans for WINS? You would need to take care of it at the same time as when you move DNS servers, which would probably mean copying it over to the new server, swapping IP addresses, and then forcing the servers to re-register with WINS (nbtstat -RR).
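PACSAdmin's per-DC sequence above (ipconfig /registerdns, dcdiag /fix, netlogon restart), combined with the nbtstat -RR re-registration kevinhsieh mentions, as one batch file with a post-check. This is an added example, not a script from either poster; the script name, the log path, the domain-name argument and the use of ping and nslookup as the verification are assumptions.

```batch
@echo off
REM refresh-dc.cmd: added example, not a script from PACSAdmin or kevinhsieh.
REM Run on a domain controller straight after changing its IP address. It does
REM the three per-DC steps from the thread, re-registers the NetBIOS names with
REM WINS so the old address is released (the duplicate-name case), and then
REM checks that DNS already answers with the new address for this host.
REM Usage: refresh-dc.cmd <new-ip> <ad-dns-domain>
REM e.g.   refresh-dc.cmd 172.25.1.35 fal.example   (domain name is a placeholder)
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<new-ip^> ^<ad-dns-domain^>
    exit /b 1
)
set "NEWIP=%~1"
set "DOMAIN=%~2"
set "LOG=%TEMP%\refresh-dc-%COMPUTERNAME%.log"
echo [%DATE% %TIME%] refreshing %COMPUTERNAME% as %NEWIP% > "%LOG%"

REM 1. Push this host's A record into DNS via dynamic update.
ipconfig /registerdns >> "%LOG%"

REM 2. Let dcdiag repair the DC's own DNS registrations.
dcdiag /fix >> "%LOG%"

REM 3. Restart netlogon so the _msdcs SRV records are re-registered with the new IP.
net stop netlogon >> "%LOG%" && net start netlogon >> "%LOG%"

REM 4. Release and refresh the NetBIOS names in WINS; without this the old
REM    address stays registered alongside the new one.
nbtstat -RR >> "%LOG%"

REM 5. Verify. Clear the local cache, then resolve our own FQDN: ping prints
REM    "Pinging host [ip]", so the new address must appear in square brackets.
ipconfig /flushdns >nul
ping -n 1 %COMPUTERNAME%.%DOMAIN% | findstr /l /c:"[%NEWIP%]" >nul || (
    echo DNS does not yet return %NEWIP% for %COMPUTERNAME%; wait for replication and rerun.
    exit /b 2
)
REM The domain's DC locator record must still resolve to at least one server.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>>"%LOG%" | findstr /i /c:"svr hostname" >nul || (
    echo SRV lookup for _ldap._tcp.dc._msdcs.%DOMAIN% returned nothing; see "%LOG%".
    exit /b 3
)
echo Registrations refreshed for %COMPUTERNAME%; details in "%LOG%"
exit /b 0
```

The first check only proves the DNS server this DC queries has the new A record; the other DCs will show it once replication has caught up, which is why a non-zero exit asks you to wait and rerun rather than fail the change.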
PACSAdminCommented:
I stopped using WINS with NT a looong time ago.

Ran Exchange 2003 perfectly fine on a network without WINS, though I won't go as far as to say you don't need it.

Can you modify/correct the WINS records and reload the cache? nbtstat -R I think from memory.

I would really look at changing your time settings so that DC2 with the PDC role gets its time from the external Time Server. All your domain members look to this Server for Time.
And change OLDDC1 back to syncing its time from the domain as per the links I posted previously.
manic_andyAuthor Commented:
Attached is a grab of my WINS entries at the moment.

WEXNZ-DC1 is NEWDC1.  Address was 172.25.1.38 and is now 172.25.1.35
DC1 is OLDDC1.  Address was 172.25.1.35 and is now 172.25.1.39
WEXNZ-DC2 is DC2.  Address is 172.25.1.36

Before all these moves 172.25.1.35 was the preferred DNS and WINS for everything and 172.25.1.36 was the alternate.  Earlier in the week I changed my DCs and Exchange to point to preferred 172.25.1.36 and alternate 172.25.1.35 so they would have something solid to talk to as preferred.

You can see in the screenshot that DC1 and WEXNZ-DC1 have both old and new entries in WINS now which I guess is what's caused the NetBT errors and the duplicate name problem at the start.

What can I do to resolve this?  Is it as simple as deleting the wrong entries?  Don't want to screw up Exchange with this.
[Attachment: Wins.PNG]
manic_andyAuthor Commented:
Thanks guys.

Sorry I thought Exchange 2003 used WINS which is why I never removed it in the past.  I inherited this network and before had never used WINS.

No, all my clients are XP/Win7, some Linux desktops and all my servers are 2003 or above, apart from one legacy 2000 server I can't get rid of :(

So as long as it doesn't break anything at the moment that'll allow me to breathe easier for a bit.

Would I need to run nbtstat -RR on just OLDDC1 and NEWDC1 then or is it best to do it on DC2 as well?

Once all this has settled down I'll set DC2 (PDC) to get its time external.  Always thought that you didn't want the PDC syncing external but guess I'd got confused along the line with that.  Thanks for the continued help with this guys!!

PACSAdminCommented:
Best practice for setup of time in a 2008 AD Domain is for the DC that runs the PDC role to get its Time from an authoritative Time Server that is local to the network. This ensures that if you lose connectivity to the Internet all your clients are still getting valid time. You would still configure the PDC to get its time externally as a second entry just in case the local time server is not contactable.

However, configuring the PDC to go direct to external sources is perfectly acceptable.

In my network I have the PDC going to a physical machine running NTP Server software in the first instance and to the Internet in the second instance.

Sorry but my knowledge on WINS is scratchy and I do not want to give you false info, so I will leave the answer to the other part to kevinhsieh.
PACSAdminCommented:
PS

Having another DC run the time server is not advisable.
manic_andyAuthor Commented:
Thanks PACSAdmin.  I'm a 2003 domain, but I can understand what you mean, so once all this is sorted out and I don't get these NetBT errors then I'll sort out my time server sync settings.  Will probably for now just have the PDC (DC2) syncing its time externally.

Will wait for some help on the WINS side with the duplicate addresses etc as I'm hoping this is the last piece in the puzzle for me on this.  Don't want to run nbtstat -r and have it purge WINS or something drastic as WINS isn't something I've messed with in the past.
kevinhsiehCommented:
Yes, you can just delete the wrong WINS entries. Running nbtstat -RR on the servers whose entries you delete will cause them to register the correct information with WINS.
manic_andyAuthor Commented:
What would I delete in WINS?  Would it just be the wrong OTHER and MESSENGER entries for the OLD and NEW DC1's?

I take it I'd leave my [1ch] Domain Controller entry as that doesn't indicate what server it's for, even though it's on one of the correct IP addresses?  My domain is called FAL.

Or would it be best to delete all entries in WINS for the DC1 and WEXNZ-DC1 hosts and their respective new and old IP addresses, and then run nbtstat -RR on both?  Would that re-populate everything that's needed?

Thanks!!!!

[Attachment: WINS showing all DCs and old/new entries]
kevinhsiehCommented:
I would just delete all entries associated with the servers, and then nbtstat -RR.
manic_andyAuthor Commented:
Would doing all this as well, resolve those NetBT errors when starting the OLDDC1 where it says,

The name "DC1            :0" could not be registered on the Interface with IP address 172.25.1.39. The machine with the IP address 172.25.1.36 did not allow the name to be claimed by this machine.


and

The server could not bind to the transport \Device\NetBT_Tcpip_{CFEFE8BF-138E-425F-8557-3CEB23DED09A} because another computer on the network has the same name.  The server could not start.
kevinhsiehCommented:
Possibly.
manic_andyAuthor Commented:
LOL, thanks :)

I'll give it a try then.  Thanks.  Will report back how it goes.
manic_andyAuthor Commented:
OK, I deleted the WINS entries for all the entries of the OLDDC1 and NEWDC1, only leaving the 1 entry for [1ch] Domain Controller as that made me uneasy as it was already on the correct IP.

Anyway, deleted all the entries, forced them to propagate, then ran nbtstat -RR on both OLDDC1 and NEWDC1.  Everything looked OK so I ran netdiag on everything and all showed OK except on OLDDC1 where I had an error relating to NetBT and Browsers for the interface.  So I rebooted OLDDC1 and it came up OK, and no more NetBT errors in the event log and no duplicate name errors!

So far then, all looks good touch wood.  Exchange is seeing all the servers again and WINS looks OK.

I'll keep the thread open for a few days as I'll check in over the weekend to make sure all OK and as long as all good I'll award points on Monday.

Thanks for your help guys!  SOOOO appreciated!
kevinhsiehCommented:
That's fantastic. Now we can all go to bed.
manic_andyAuthor Commented:
OK, forgot to update - my bad :)

All working fine now.  The steps above worked, and the problems I had with WINS were resolved with the last steps above.  Thanks so much for your help guys!