Failing Domain controller, what to do


At my site I have the following setup:

2 Domain controllers:
- DC1 has all 5 FSMO roles, is a DNS server, and a global catalog
- DC2 is a DNS server and Global Catalog

I noticed yesterday that DC1, which has a software RAID 1 config, lost one of its disks.  I'm trying to be proactive and figure out what I need to do.

What I was thinking is that I do the following:

1.  Transfer all FSMO roles over to DC2.  Once that has occurred I will then reboot it.
2.  On my client computers and servers, I will then change the primary DNS to DC2, and secondary to DC1 and then reboot them
3.  I'd also make sure to do this in the DHCP scope.

Will my solution work, or am I on the wrong path?

The reason I'm not looking to replace the disk is because it is a very old Dell 2650 and I have replacement DCs coming from Dell; however, they are going to be 2008R2, which I already have a migration path for.


Yes, transfer the roles and continue down the path you have outlined. If there is a chance of not being able to restore the hardware on this DC, you may even want to demote it so then you will not have to do metadata cleanup later. If you are comfortable doing that, transferring the roles is the most important.

It will work, but you shouldn't have to reboot them.
Mike Kline Commented:
Your plan is sound, make sure you have good backups of DC2 now after the transfer.

Once the new DC is up you can gracefully demote DC1 (hoping it stays up a few days for you)



lbtoadmin (Author) Commented:

I've never done a metadata cleanup, what does that entail?  Do you mean going through ntdsutil and removing the old domain controller?  

If I simply demote it, will it transfer the roles to the other domain controller automatically?
Going through ADSI edit and removing a failed DC if it is not demoted. Demoting it should automatically transfer the roles. I recommend doing it manually though, just to be certain.
Mike Kline Commented:
Yes, it means going through ntdsutil, but in 2008 it is even easier (can do most of it through the GUI).

Hopefully you won't need to go through metadata cleanup

If you demote it, it will transfer them, but I'd just manually transfer them now (less than 5 minutes).


Correction: not ADSI edit. Sorry, it is ntdsutil.
lbtoadmin (Author) Commented:
So it sounds like I could transfer the roles, repoint my clients, and then when everything is good, I could demote it if I wanted?  That should clear out the entries in AD.
Your plan is sound.
I would keep DC1 in place and running until you get your new DCs running and added to your AD structure.

It is better to have both DCs running now, so you still have redundancy.  Demoting DC1 now removes your failover if something happens to DC2.

If DC1 dies on its own before your new DCs are in place, it is easy enough to clean up with the previous instructions.
1. Seize the FSMO's
2. Transfer GC
3. Transfer Schema Master

ADC would be required
lbtoadmin (Author) Commented:
What would happen if I transferred roles, but did not change the DNS entries on my client machines?  Would the logins be slower?  I'm guessing they would be.
No need to seize if the DC is still up. You only need to seize if it fails.
It should not be slower if both servers are in the DHCP settings. Just change the DHCP scopes to reflect the change in DNS, they will get the new settings.
You're on the right track. You don't need to worry about any cleanup or seizing of roles right now. Once you get done with your plan and the new DC is in place, demote the old one and you'll be just fine.
Leon Fester, Senior Solutions Architect, Commented:
The only thing missing from this discussion is...
make a backup of DC1 before you do anything.

Worst case scenario
What happens if DC1 falls over completely before you've moved anything onto DC2?
At least then you'll be able to restore the system again.

Might want to add this link to your knowledge base:

But yeah, the rest of the information required is covered above.
Replacement servers are already on the way.  The risk of both DCs failing at this point is fairly low.  

As long as the new DCs will be in place (even with 2003 domain functionality) shortly, like within a month, you should be fine without going nuts and taking a ton of effort to fix something that is going to be replaced in short order.

Of course you must have good backups, and if one DC fails before the new ones are functional, you should make all efforts to get a second one in place.
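
The transfer-and-verify sequence discussed in this thread, as an added example that is not part of any participant's post: a Windows Server 2003 command script using ntdsutil plus netdom, repadmin and dcdiag from the Support Tools. DC1 and DC2 are the names from the question; example.local is a placeholder domain name.

```bat
@echo off
rem Added example, not from the thread. Run on DC2 with the Support Tools installed.
rem DC1/DC2 are the names from the question; example.local is a placeholder domain.
setlocal
set OLD_DC=DC1
set NEW_DC=DC2
set AD_DOMAIN=example.local

echo === Role holders before the transfer ===
netdom query fsmo

echo === Inbound replication on %NEW_DC% (review for failures before continuing) ===
repadmin /showrepl %NEW_DC%
pause

rem Transfer, not seize: DC1 is still online, so it hands each role over cleanly.
rem Schema and domain naming transfers need Schema Admins / Enterprise Admins rights.
rem Windows Server 2003 ntdsutil calls the role "domain naming master".
rem ntdsutil asks for confirmation of each transfer.
ntdsutil roles connections "connect to server %NEW_DC%" quit ^
 "transfer schema master" ^
 "transfer domain naming master" ^
 "transfer PDC" ^
 "transfer RID master" ^
 "transfer infrastructure master" ^
 quit quit

echo === Role holders after the transfer ===
netdom query fsmo

rem find returns errorlevel 0 when the old DC name still appears in the output.
netdom query fsmo | find /i "%OLD_DC%" >nul
if not errorlevel 1 (
  echo WARNING: %OLD_DC% still holds at least one FSMO role.
) else (
  echo OK: no FSMO role is reported on %OLD_DC%.
)

echo === Does %NEW_DC% agree on the role holders and can it reach them? ===
dcdiag /s:%NEW_DC% /test:KnowsOfRoleHolders /test:FsmoCheck

echo === DC locator records as served by DNS on %NEW_DC% ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%AD_DOMAIN% %NEW_DC%
endlocal
```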
Windows Server 2003

From novice to tech pro — start learning today.