Solved

Failing Domain controller, what to do

Posted on 2012-03-29
Last Modified: 2016-11-23
Hello,

At my site I have the following setup:

2 Domain controllers
-DC1 has all 5 FSMO roles, is a DNS server, and a global catalog
-DC2 is DNS server and Global Catalog

I noticed yesterday that DC1, which has a software RAID 1 config, lost one of its disks.  I'm trying to be proactive and figure out what I need to do.

What I was thinking is that I do the following:

1.  Transfer all FSMO roles over to DC2.  Once that has occurred I will then reboot it.
2.  On my client computers and servers, I will then change the primary DNS to DC2, and secondary to DC1 and then reboot them
3.  I'd also make sure to do this in the DHCP scope.

Will my solution work, or am I on the wrong path?

The reason I'm not looking to replace the disk is because it is a very old Dell 2650 and I have replacement DCs coming from Dell; however, they are going to be 2008R2, which I already have a migration path for.

Thanks,
0
Question by:lbtoadmin
16 Comments
 
LVL 9

Accepted Solution

by:
Geodash earned 334 total points
ID: 37782531
Yes, transfer the roles and continue down the path you have outlined. If there is a chance of not being able to restore the hardware on this DC, you may even want to demote it so then you will not have to do metadata cleanup later. If you are comfortable doing that, transferring the roles is the most important.
0
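An added example, not part of the original thread: a PowerShell check that parses `netdom query fsmo` output, confirms which of the five roles already sit on the target DC, and lists the ntdsutil transfer verbs still to run. The host names and sample output are constructed, and the verb wording assumes Windows Server 2003 ntdsutil.

```powershell
# Role label as printed by `netdom query fsmo` -> verb for ntdsutil's
# "fsmo maintenance" prompt. Windows Server 2003 wording (assumption);
# 2008 and later use "transfer naming master" for the domain naming role.
$TransferVerb = @{
    'Schema master'         = 'transfer schema master'
    'Domain naming master'  = 'transfer domain naming master'
    'PDC'                   = 'transfer PDC'
    'RID pool manager'      = 'transfer RID master'
    'Infrastructure master' = 'transfer infrastructure master'
}

function Get-FsmoHolder {
    param([string[]]$NetdomOutput)
    $holders = @{}
    foreach ($line in $NetdomOutput) {
        # A role line is "<role label><two or more spaces><holder FQDN>".
        if ($line -match '^\s*(.+?)\s{2,}(\S+)\s*$') {
            if ($TransferVerb.ContainsKey($Matches[1])) { $holders[$Matches[1]] = $Matches[2] }
        }
    }
    return $holders
}

function Get-PendingTransfer {
    param([hashtable]$Holders, [string]$Target)
    foreach ($role in $TransferVerb.Keys) {
        if (-not $Holders.ContainsKey($role)) {
            'no holder parsed for {0}; re-run netdom query fsmo' -f $role
        } elseif (($Holders[$role] -split '\.')[0] -ne $Target) {
            $TransferVerb[$role]   # role is still on the old DC
        }
    }
}

# Constructed sample. On a live domain use: $out = netdom query fsmo
$out = @(
    'Schema master               DC2.example.local'
    'Domain naming master        DC2.example.local'
    'PDC                         DC1.example.local'
    'RID pool manager            DC1.example.local'
    'Infrastructure master       DC2.example.local'
    'The command completed successfully.'
)

$pending = @(Get-PendingTransfer -Holders (Get-FsmoHolder $out) -Target 'DC2')
if ($pending.Count -eq 0) { 'All five roles are on DC2.' } else {
    # In ntdsutil: roles, connections, "connect to server DC2", quit, then each verb.
    $pending | ForEach-Object { "still to run in ntdsutil: $_" }
}
```

Run it again after the transfers and before repointing DNS; an empty pending list means all five roles report DC2 as holder.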
 
LVL 4

Expert Comment

by:Red_Tech
ID: 37782532
It will work, but you shouldn't have to reboot them.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37782552
Your plan is sound, make sure you have good backups of DC2 now after the transfer.

Once the new DC is up you can gracefully demote DC1 (hoping it stays up a few days for you)

Thanks

Mike
0
 

Author Comment

by:lbtoadmin
ID: 37782564
Hello,

I've never done a metadata cleanup, what does that entail?  Do you mean going through ntdsutil and removing the old domain controller?  

If I simply demote it, will it transfer the roles to the other domain controller automatically?
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37782581
Going through ADSI edit and removing a failed DC if it is not demoted. Demoting it should automatically transfer the roles. I recommend doing it manually though, just to be certain.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37782582
Yes it means going through ntdsutil but in 2008 it is even easier (can do most of it through the GUI)

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

Hopefully you won't need to go through metadata cleanup

If you demote it, it will transfer them, but I'd just manually transfer them now (less than 5 minutes)

Thanks

Mike
0
 
LVL 9

Assisted Solution

by:Geodash
Geodash earned 334 total points
ID: 37782593
Correction not ADSI edit - sorry it is ntdsutil
0
 

Author Comment

by:lbtoadmin
ID: 37782629
So it sounds like I could transfer the roles, repoint my clients, and then when everything is good, I could demote it if I wanted?  That should clear out the entries in AD.
0
 
LVL 6

Assisted Solution

by:awaggoner
awaggoner earned 166 total points
ID: 37782632
Your plan is sound.
I would keep DC1 in place and running until you get your new DCs running and added to your AD structure.

It is better to have both DCs running now, so you still have redundancy.  Demoting DC1 now removes your failover if something happens to DC2.

If DC1 dies on its own before your new DCs are in place, it is easy enough to clean up with the previous instructions.
0
 
LVL 13

Expert Comment

by:Sandy
ID: 37782633
1. Seize the FSMO's
2. Transfer GC
3. Transfer Schema Master

ADC would be required
0
 

Author Comment

by:lbtoadmin
ID: 37782637
What would happen if I transferred roles, but did not change the DNS entries on my client machines?  Would the logins be slower?  I'm guessing they would be.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37782639
No need to seize if the DC is still up. You only need to seize if it fails.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37782644
It should not be slower if both servers are in the DHCP settings. Just change the DHCP scopes to reflect the change in DNS, they will get the new settings.
0
 
LVL 4

Expert Comment

by:Red_Tech
ID: 37782705
You're on the right track. You don't need to worry about any cleanup or seizing of roles right now. Once you get done with your plan and the new DC is in place, demote the old one and you'll be just fine.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37792040
The only thing missing from this discussion is...
make a backup of DC1 before you do anything.

Worst case scenario
What happens if DC1 falls over completely before you've moved anything onto DC2?
At least then you'll be able to restore the system again.

Might want to add this link to your knowledge base:
http://support.microsoft.com/kb/249694

But yeah, the rest of the information required is covered above.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37792098
Replacement servers are already on the way.  The risk of both DCs failing at this point is fairly low.  

As long as the new DCs will be in place (even with 2003 domain functionality) shortly, like within a month, you should be fine without going nuts and taking a ton of effort to fix something that is going to be replaced in short order.

Of course you must have good backups, and if one DC fails before the new ones are functional, you should make all efforts to get a second one in place.
0
